It is no secret that UK businesses are under cyber attack and it is strong security technology that is keeping the bad guys out.
Jeremy Freeman, director of financial services EMEA at IronKey, looks at how organised cyber criminal gangs are gaining access to business bank accounts through clients' computers and how new technology that isolates online banking sessions can keep UK businesses and banks safe.
While many of the UK's businesses will be hoping to benefit from the upcoming 2012 Olympics, the rising trend in attacks on corporate online banking transactions by organised cyber criminal gangs could result in large amounts of cash being stolen from corporate bank accounts.
The recent theft of £30 million from business and government bank accounts by organised cyber criminal gangs could be just a prelude to even larger crimes. The upcoming games could attract more cyber criminals, resulting in even larger amounts of cash being stolen from business and government bank accounts.
Olympic cash cow or cyber crime wave?
According to a study for the Government by PricewaterhouseCoopers, the Olympics will boost the London economy by £5.9 billion and the rest of the UK by a further £1.9 billion. While hosting an Olympics offers great potential to increase trade and tourism for businesses within the host country, it is also an open invitation to cyber criminals. With billions being transferred and all eyes on the games, criminals will be looking for easy prey.
These cyber gangs are the same criminals who successfully stole £30 million from the bank accounts of local councils, libraries, and small and medium-sized businesses. In the past 18 months, the bad guys in the US, Latin America and Europe have realised it is a lot easier to steal £500,000 from a corporate account in one go than it is to take £1,000 from 500 consumers.
Cyber criminals are winning the race
One of the biggest security problems facing the banking industry is online takeover of commercial bank customers' accounts, and as they increasingly come under attack, many banks and businesses are discovering they lack the resources to protect themselves.
The cyber criminals are using commercial online banking malware from a malleable framework that is constantly changing. The most popular Trojan, Zeus, is spawning over 70,000 new variants each year. Combining multiple methods of attack, Zeus thrives on live, authenticated banking sessions to defeat traditional security defences.
As the Olympics get closer, the billions pouring into business and local government will undoubtedly attract the eye of criminals. With more account transfers and payments underway, siphoning off money from business accounts will be hard to detect. A few more transfers can go unnoticed by both account holders and bank anti-fraud systems until it is too late.
Dealing with the threats
Although the threat posed to business banking is undoubtedly global, the only authority to issue clear advice to banks and businesses to date has been the US Electronic Payments Association, NACHA. In coordination with the Federal Bureau of Investigation (FBI), NACHA has advised that businesses use separate computers for banking transactions that are not enabled for web browsing, email services or working on documents. These computers should be turned on only for banking, run anti-virus software and install automatic software updates.
Whilst the NACHA guidelines are a step in the right direction, the reality for organisations is that each member of a company's finance team will need two computers: one for web browsing, email and documents and one for its banking transactions. This adds an unnecessary level of complexity to the employee's working day and can prove costly for an organisation.
Add the additional cost of infrastructure, the associated security protocols for setting up new computers and the need to renew the systems every three years, and this becomes an increasingly costly exercise.
How to win gold
However, just as cyber criminals are using technology to commit fraud, the banking industry can make use of advances in technology to fight back. The availability of virtualisation technology, combined with portable, tamper-proof USB flash drives, allows banks and businesses to create a safe oasis for online banking.
These systems isolate online banking from the rest of a computer and potentially infected applications, and because they are write-protected, Trojans such as Zeus cannot infect them. When a user is finished with banking, they simply remove the USB device and all access to their account is removed.
This approach delivers on the NACHA guidelines without added complexity or cost for bank clients. It does not change the online banking system, so existing security mechanisms such as one-time passwords and chip and PIN readers continue to protect access to online accounts.
At a time when the UK banking industry is concentrating on key business drivers such as fraud, compliance and retention and acquisition of profitable customers, the last thing it needs is more business and government accounts falling prey to criminals.
The £30 million stolen could look very small if cyber gangs have their way. Just as training is key for athletes, those institutions that take the lead will clearly stand out and take the winner's podium.