As far back as 2005, the Federal Financial Institutions Examination Council issued guidelines to banks on implementing stronger authentication for online transactions. Among other things, the Authentication in an Internet Banking Environment report called on banks to upgrade current single-factor authentication processes -- typically based on user name and passwords -- by adding a stronger, second form of authentication by the end of 2006.
The unceasing attacks on small business accounts shows that many banks, especially small community banks, have still not deployed such controls, said Avivah Litan, a Gartner Inc. analyst.
"The good news is there are plenty of effective fraud detection and authentication solutions that can and are thwarting these attacks when employed by the banks." she said. "The bad news is that many banks are not using these solutions and the bank regulators are not paying adequate attention to this."
Regulators such as the FDIC and the federal Office of the Comptroller of the Currency have so far not enforced their own recommendations for strong authentication. "The bank examiners are really behind the 8-ball on this," Litan said.
Paul Smocer, vice president of security at BITS, an industry consortium representing the 100 largest financial institutions in the U.S, said there's been a "real uptick in sophistication" in cyberattacks targeting commercial accounts over the past six months or so.
Such attacks are seriously testing token-based authentication measures used by banks for many years, Smocer said.
"Until fairly recently, token-based authentication was considered to be very strong," he said. However, as banking malware get increasingly sophisticated, "token methodology is not as strong as it has been historically."
Smocer said there is a rapidly increasing need for context-aware and out-of-band authentication tools as well as monitoring tools that are capable of detecting fraud by comparing current transaction patterns against historical behavior. "We are starting to see a lot of our members move in that direction," he said.
BITS has started advising members on ways to identify accounts where so-called "money mules" have moved to transfer stolen money to overseas bank accounts. "By working with law enforcement we are seeing patterns beginning to emerge with regard to the nature of the activity that mules often engage in," Smocer said.
The attacks are pushing bodies such as the American Bankers Association to ask members to review internal security controls.
In a February alert, for example, the ABA asked banks to be on the alert for funds-transfer fraud involving small and medium-sized businesses. The alert specifically cited "large-value" payments to previously unknown payees, unusual international payments and new accounts "with high-value, high-volume transactions [and] previously unfunded accounts with large-value incoming funds that are cashed out as soon as funds are cleared."
Sign up for Computerworld eNewsletters.