One good way to tell if a topic has become mainstream is to monitor USA Today. So I wasn't terribly surprised when I found the lead in the paper's Money section on New Year's Day to be focused on the latest trend in cybercrime. It seems that many cybercriminals, frustrated with the countermeasures put in place by larger banks and enterprises, are now targeting smaller businesses that have adopted online banking as a way to save both money and time.
As we all know, cybercrooks like to target the weakest link in any system that might yield cash or cash equivalents. In this case, the miscreants have determined that some of the systems banks use to support smaller businesses have material weaknesses that can be exploited. Specifically, the Automated Clearing House (ACH) systems and wire transfer systems have not kept pace with the threats they now face. As everyone's favorite banking fraud analyst, Avivah Litan, points out, the controls for these two critical pieces of financial infrastructure are decades old and were designed with a completely different set of threats in mind.
Pretty much everything about this story is standard cybercrime stock. The attack starts with a spear phishing message aimed at a small business; a trojan is planted via email or by a compromised website, authentication credentials are then stolen, and those credentials are used to move funds from the target to the perpetrator's (offshore) account.
The only thing that's a little bit different about this story is the recommendation being made by the American Bankers Association and the FBI to block the attack. Both are recommending that small businesses use a dedicated desktop or laptop machine for all of their online banking, one that is never used for email or web browsing. While this approach would certainly work given what we know of this threat, I wonder how many small businesses can or want to set aside a dedicated online banking PC. And even if they did, just how are they supposed to get the information needed to execute those online transactions on and off that machine?
It seems to me that this might be a valid (if complicated) tactical approach, but that the real solution involves upgrading the core security in the ACH and wire transfer infrastructure to use current authentication and encryption technologies to secure both the transactions and the data they generate.