High Roller Attacks: How Banks RespondLatest Fraud Threat Points to Need for Layered Controls
Do High Roller attacks represent the next big wave in banking malware that financial institutions and their wealthiest customers need to fear? Not so, some banking and security experts say. Instead, they view these cloud-based attacks as the latest in a long series of potential account takeover threats that all point toward the need for layered security controls.
Chris Silveira, manager of fraud intelligence at Guardian Analytics, one of the security firms that discovered the High Roller attacks, stresses that tailoring fraud detection to address any specific fraud trend or malware nuance is never a good idea.
"Institutions must take a layered approach to security," Silveira says. "This is why the FFIEC called for anomaly detection. ... Institutions have to know how to detect and respond."
High Roller Alert
In late June, Guardian Analytics and anti-virus application provider McAfee published a white paper describing how these new attacks, which target high-balance, "high-roller" accounts, were catching banks throughout the world off guard.
The two firms described how the attacks use conventional methods to load malware, such as Zeus or SpyEye, onto users' PCs to steal banking credentials when online banking sessions are initiated. But from there, the attacks take a turn from the norm by using virtual command-and-control servers in the cloud to automatically schedule fraudulent wire transfers.
Guardian Analytics and McAfee found that the attacks often went undetected and even defeated some forms of multifactor authentication.
Once news of these High Roller attacks broke, the European Network and Information Security Agency quickly issued guidance for European banking institutions, noting banks should assume all of their customers' PCs had already been infected.
But some U.S. banking and security leaders believe the High Roller attacks do not pose a significant new threat.
One bank executive tells BankInfoSecurity that High Roller attacks have yet to become an issue for his institution. "We're either really lucky or this is a lot of hype," says the executive, who asked to remain anonymous.
Cary Whaley of the Independent Community Bankers of America says that although any malware attack is a concern, there is nothing special about High Roller to suggest institutions should alter their approaches to fraud prevention.
"We certainly don't see any account takeover linked to High Roller becoming some sort of a breach epidemic," he says.
But the High Roller attacks, Whaley stresses, are further proof banking institutions have to invest in layers of security. Authentication alone is not enough.
"Looking for anomalies and monitoring behavior, however, can be very effective, whether the attack is cloud-based or device-based," Whaley says.
What's Different About High Roller
High Roller schemes are automatically waged from virtual command-and-control servers in the cloud, which means they can circumvent most fraud-detection systems. That's because most detection systems are designed to monitor transactions pushed from PCs, not the cloud.
"Cloud-based attacks provide fraudsters with new levels of scalability and adaptability, and this makes them harder to analyze and, therefore, to detect," Silveira says.
Additionally, High Roller attacks can circumvent multifactor authentication. Silveira says the automation of the attacks is designed to disrupt the flow of authentication. The legitimate account user never successfully authenticates any transaction once the account is taken over.
"The malware halts the user while the transaction [command-and-control] server logs in with the stolen credentials and initiates the transaction using the PIN it acquired," he says.
Once the user's PC is infected, the virtual command-and-control server alters the authentication flow when it initiates a fraudulent transaction. "Even if a financial institution requires a PIN from a key-fob for the initiation of a wire transfer, the transaction [command-and-control] server uses the malware to insert a page or pop-up to get that PIN immediately after the user submits their log-in credentials, which never get transmitted to the financial institution," Silveira says.
Fighting High Roller
Despite the malware's unique and automated methods, security experts say fighting High Roller should be viewed like fighting any other type of malware attack - by relying on layers of security.
George Tubin, a financial fraud expert with online security provider Trusteer, says the underlying problem continues to be the industry's inability to adequately fight malware.
"Layered security is critical," Tubin says. "But you have to be sure you have the right layers, and then make sure that the layers are complementary and efficient."
Those layers can include, for example, anomaly detection, out-of-band transaction authentication, updated anti-virus software, and customer and member fraud education campaigns.
End-users need to be better educated about making the most of anti-malware software, Whaley says. "But it's not an easy direction to head in. Trying to influence your customers' behavior only goes as far. ... So the more that can be done on the bank side and on the monitoring side, the more control the bank has."
ENISA pointed out in its July alert about High Roller attacks that banking institutions need to ensure they are securing all online banking devices, including mobile devices.
ENISA's insights also included:
- Two-factor authentication cannot prevent man-in-the-middle or man-in-the-browser attacks. Thus, ENISA recommended banks verify all online-initiated transactions through out-of-band methods such as SMS/text messages, telephone calls or stand-alone smartcard readers.
- As more online-banking transactions are conducted via mobile smart phones and tablets, banks must put measures in place to enhance endpoint security and device identification.
In an earlier study that reviewed the legal and regulatory aspects of information sharing and cross-border collaboration among Computer Emergency Response Teams in Europe, ENISA identified data protection, data retention and obligations to work with law enforcement as being among the greatest challenges cross-border CERTs face.
And in its 2011 Internet security roadmap ENISA noted that global interconnectedness demands more cooperation and collaboration between governments and the private sector.