Online crime is increasingly hitting small and mid-size companies in the U.S., draining those entities' bank accounts through fraudulent transfers. The problem has gotten so bad that a financial services group recently sent out a warning about the trend, and the Federal Deposit Insurance Corporation (FDIC) issued an alert today.
"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," says a bulletin sent on Aug. 21 to member financial institutions by the Financial Services Information Sharing and Analysis Center (FS-ISAC). The FS-ISAC is part of the government-private industry umbrella working with the Department of Homeland Security and Treasury Department to share information about critical threats to the country's infrastructure. The member-only alert described the problem and told its members to implement many of the precautions and monitoring currently used to detect consumer bank and credit card fraud.
The FS-ISAC notice -- and subsequent media attention -- in turn prompted the FDIC alert to warn banking institutions about this kind of fraud.
The Threat
The FDIC traces the fraud to compromised login credentials on online banking websites. Over the past year, the FDIC says, it has detected an increase in the number of reports and the amount of losses resulting from unauthorized electronic fund transfers (EFTs), such as automated clearing house (ACH) and wire transfers.
Continue Reading at Bank Info Security
Special Alert from the FDIC: (who I think needs to learn more about our 2FA 3DES DUKPT E2EE PCI 2.x HomeATM)
August 26, 2009
TO: CHIEF EXECUTIVE OFFICER
SUBJECT: Fraudulent Electronic Funds Transfers (EFTs)
The Federal Deposit Insurance Corporation is aware of an increased
number of fraudulent EFT transactions resulting from compromised login
Federal Deposit Insurance Corporation (FDIC) is alerting financial
institutions that provide Web-based payment origination services for
business customers to increased reports of fraudulent EFT transactions
resulting from compromised login credentials. Over the past year, the
FDIC has detected an increase in the number of reports and the amount
of losses resulting from unauthorized EFTs, such as automated clearing
house (ACH) and wire transfers. In most of these cases, the fraudulent
transfers were made from business customers whose online business
banking software credentials were compromised.
commercial EFT origination applications are being targeted by malicious
software, including Trojan horse programs, key loggers and other
spoofing techniques, designed to circumvent online authentication
methods. Illicitly obtained credentials can be used to initiate
fraudulent ACH transactions and wire transfers, and take over
These types of malicious code, or "crimeware," can
infect business customers' computers when the customer is visiting a
Web site or opening an e-mail attachment.
Some types of crimeware are
difficult to detect because of how they are installed and because they
can lie dormant until the targeted online banking session login is
initiated. These attacks could result in monetary losses to financial
institutions and their business customers if not detected quickly.
institutions and technology service providers can refer to the
following guidance for additional information on authentication and
information security for high-risk transactions:
FFIEC Guidance Authentication in an Internet Banking Environment
Authentication in an Internet Banking Environment Frequently Asked Questions
FFIEC Information Security Examination Handbook
FFIEC Retail Payment Systems Examination Handbook
FDIC Guidance on Mitigating Risks from Spyware
Consumers who want to learn more about computer security and online scams can find additional information at http://www.fdic.gov/consumers/consumer/guard/index.html and http://www.onguardonline.gov/topics/overview.aspx.
Businesses and local government agencies can find cyber security resources at http://www.us-cert.gov/.
about cyber-fraud incidents and other fraudulent activity may be
forwarded to the FDIC's Cyber-Fraud and Financial Crimes Section, 550
17th Street, N.W., Room F-4004, Washington, D.C. 20429, or transmitted
electronically to email@example.com.
Questions related to federal deposit insurance or consumer issues
should be submitted to the FDIC using an online form that can be
accessed at http://www2.fdic.gov/starsmail/index.asp.
For your reference, FDIC Special Alerts may be accessed from the FDIC's website at www.fdic.gov/news/news/SpecialAlert/2009/index.html. To learn how to automatically receive FDIC Special Alerts through e-mail, please visit www.fdic.gov/about/subscriptions/index.html.