Breaking into online banking systems is not a job for amateurs; therefore, neither is blocking such break-ins. "It's typically a completely organized operation where they collect intelligence, study the bank carefully, and gather data on the bank's systems; the entire operation requires a lot of expertise," says Mickey Boodaei, CEO Of Trusteer, a company that makes security software that banks such HSBC ask their customers to download to detect and eradicate malware. Boodaei spoke to Bank Systems & Technology in an interview last week. Often a single financial institution is targeted by two or three groups of criminals that specialize in building and recruiting real bank accounts and understanding the security systems and procedures the bank uses, he says.
Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and according to the FDIC, it rose to over $120 million in the third quarter of 2009 alone. Almost all of the incidents reported to the FDIC related to malware on online banking customers' PCs.
But banks, Boodaei says, tend to have poor visibility into the fraud attacks they're hit with and the malware that cause them. "This is a very basic requirement when trying to figure out your security strategy, in order to use the right security layers, you have to realize how you're being attacked and how malware bypasses your current security mechanisms," he says.
Trusteer is announcing a service today called Flashlight that lets banks analyze their customers' computers for signs of foul play. When a customer contacts the bank to complain about fraud, the bank asks the customer to download Trusteer Rapport security software. Once that download is completed, the bank can ask the customer to click on buttons that generate a report about the attack that's sent directly to bank. If the software detects a new brand of malware, that report goes to Trusteer, which reverse-engineers the mechanism used by the malware to commit fraud so that the bank can block further attacks.
Flashlight has two pricing options, banks can pay per incident or pay a flat monthly fee. Banks will end up paying $500 to $1000 for the service, Boodaei estimates.
In the U.K., where HSBC and RBS offer Rapport to their customers, five million people have downloaded the software. "That's an impressive number that covers almost half the online banking population in the U.K.," Boodaei says.