Another approach involves beefing up back-end fraud detection that's in use today to monitor for credit- and debit-card fraud so that it also includes e-banking and payments.
Dual-authentication, which requires at least two people to approve a transaction, also ups the security ante, Litan points out. Another approach she believes can be effective, called "positive pay," involves setting guidelines in advance on exactly who the bank is authorized to pay and the thresholds. Litan acknowledges that though it sounds simple, "positive pay" can be hard to do because business software may not already be set up for this or businesses need more flexibility than that approach allows.
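As an added illustration (not from the article or from any bank's software), the following Python shows how a bank-side check could combine the two controls described above: a pre-agreed payee list with per-payee thresholds, and approval by at least two distinct people. The payee IDs, limits, approver names and function names are hypothetical.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample policy agreed in advance with the bank:
# payee account ID -> maximum amount per payment (hypothetical values).
POSITIVE_PAY_LIST = {
    "ACME-SUPPLY-001": Decimal("25000.00"),
    "PAYROLL-SVC-002": Decimal("150000.00"),
}
REQUIRED_APPROVERS = 2  # "at least two people" must approve


@dataclass
class Payment:
    payee: str
    amount: Decimal
    approvers: set = field(default_factory=set)


def review(payment, policy=POSITIVE_PAY_LIST):
    """Return (release, reasons). Fails closed: any violation blocks release."""
    reasons = []
    limit = policy.get(payment.payee)
    if limit is None:
        reasons.append("payee not on pre-authorized list")
    elif payment.amount <= 0 or payment.amount > limit:
        reasons.append(f"amount outside threshold {limit}")
    # Normalize identities so one person cannot count as two approvers.
    distinct = {a.strip().lower() for a in payment.approvers if a.strip()}
    if len(distinct) < REQUIRED_APPROVERS:
        reasons.append(f"{len(distinct)} of {REQUIRED_APPROVERS} approvals")
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample payments.
    samples = [
        Payment("ACME-SUPPLY-001", Decimal("1200.00"), {"alice", "bob"}),
        Payment("UNKNOWN-MULE-999", Decimal("9800.00"), {"alice", "bob"}),
        Payment("ACME-SUPPLY-001", Decimal("40000.00"), {"alice"}),
    ]
    for p in samples:
        print(p.payee, p.amount, review(p))
```
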
Brian Krebs, an investigative journalist who has put the spotlight on the cyberheist epidemic in his online column KrebsOnSecurity, comments, "My mantra on this continues to be that any commercial banking technology that does not begin with the premise that the customer's machine may be and probably is already compromised with malicious software doesn't stand a chance of defeating today's cyber crooks."
"The criminals appear to be limited not by law enforcement or bank security, but mainly by the number of money mules they can harness at any one time to help them haul the loot from the accounts they've compromised," Krebs says, adding he's investigating whether one group is actually "contracting that process out to several different mule recruitment and cashout gangs" in order to find enough money mules.
According to an FBI report from last November about cyberheists and the role of the money mule, cybercrooks' fraudulent ACH transfers are often directed to the bank accounts of willing or unwitting individuals within the United States.
These people are often recruited through "work from home" advertisements or contacted by recruiters after placing resumes on popular employment sites. These mules are directed to open personal or business bank accounts to receive the fraudulent money transfer, and within a couple of days, or even hours, the money is deposited and the mule is directed to immediately forward a portion of the money to recipients overseas, typically in Eastern Europe, via wire-service transfers such as Western Union or Moneygram.
Compromised computers used in online banking have gotten the attention of the Financial Services Information Sharing and Analysis Center (FS-ISAC), a group whose mission is to provide a forum where its members, which include Citigroup, Bank of America, Goldman Sachs and Merrill Lynch among others, can discreetly share security concerns and keep direct contact with federal officials.
FS-ISAC has gone so far as to send out a notice telling its membership to only interact with business customers via computers without browser and e-mail capability. It was an awkwardly worded recommendation that was later clarified to mean a "PC dedicated to online banking," Litan says. But she regards this as inadequate.