As I was reading some older articles here, I came across this piece by Susan Hall, where she wrote:
A new class of malicious software is directed at online security technology implemented by Bank of America and other financial institutions, reports Washington Post blogger Brian Krebs.
It thwarts the "site key" technology designed to prevent theft of user names and passwords from a victim's computer. The unique picture upon log-in is supposed to assure users that it's not a fake site, but hackers' technology has allowed them to steal the "site key" and store it with the user's sign-in information.
The article is from 2007. Nearly three years later, banks continue their uphill battle to fight hackers and other cyber bad guys, especially as e-banking transactions for both consumers and businesses increase. In fact, in those three years, cases of cyber attacks and fraud have been on the rise. According to the FDIC, in the third quarter of 2009, hackers stole $120 million. Small businesses are also being hit by the increase in banking cyber crimes, but their commercial deposits aren't covered by the same protections as consumer accounts.
In his ComputerWorld article, Jaikumar Vijayan wrote:
Thieves obtained a business's valid banking log-in credentials by illegal means. The hackers used the stolen credentials to send money from the accounts to overseas bank accounts via wire transfers.
Banks, by and large, have mostly contended that the thefts occurred because the victims failed to adequately protect their banking credentials.
The increase in bank crimes is due to the rise in password-stealing botnets like Zeus and more sophisticated attacks. Vijayan's article addresses the need for improved monitoring and authentication tools.
Steps are being taken. Security vendor Trusteer recently introduced its Flashlight service, which will enable bank security officials to more quickly identify malicious software programs on customers' computers. In a PCWorld.com article, Jeremy Kirk wrote:
The scenario under which Flashlight would be used is if a customer calls a bank to check on a possible fraud. The fraud investigation team would ask the person to install Flashlight, which can detect if the browser has been previously tampered with. The customer would be asked to send a log report, which can then be analyzed while the customer is on the phone.