SAN FRANCISCO -- Overall cyberfraud losses at financial institutions have declined in recent years, but ACH fraud and wire fraud losses are on the rise, according to an examiner and cyberfraud specialist at the Federal Deposit Insurance Corporation.
While overall losses to financial institutions from hacking, account takeovers and credit card fraud have trended downward from 2006 thanks to increased PCI DSS enforcement and other factors, losses related to fraudulent electronic funds transfers (EFTs) have increased, said David Nelson, an examination specialist with the FDIC Cyber Fraud and Financial Crimes Section. According to his analysis, small and midsize businesses and their financial institutions suffered about $120 million in losses due to fraudulent EFTs in the third quarter of 2009, up from about $85 million in the third quarter of 2007.
"A lot of small businesses and nonprofits have been hit," he said in a presentation Friday at the RSA Conference.
The increase in wire and ACH fraud on SMBs indicates an overreliance on authentication, Nelson said. While the FFIEC's 2005 guidance on authentication was one of the factors that helped to reduce overall cyberfraud losses, criminals have learned how to defeat strong authentication.
"It seems all kinds of authentication methods were being defeated," Nelson said. "You can't rely on any one control when it comes to these new sophisticated attacks."
The Zeus Trojan, which cybercriminals have used to steal banking credentials, has the ability to circumvent two-factor authentication. Zeus botnets target small and midsize businesses that originate ACH and wire transfers, Nelson said.
To combat the rise in fraudulent EFTs, there are a number of alerts financial institutions can refer to for guidance, such as the bulletin NACHA issued in December, Nelson said. Also, federal banking regulators are revisiting their authentication guidance, and will hold a symposium on corporate accounts in May to discuss best practices.
Financial institutions need to work with ISPs and others to shut down botnets, and should leverage their anti-money laundering software to detect unusual activity on customers' accounts, Nelson advised.
Fighting cyberfraud requires layers of controls, he said: "Strong authentication is still appropriate as long as it's not the only control."
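The two points above, using transaction-monitoring logic to flag unusual account activity and treating strong authentication as only one layer, can be illustrated with a small rule-based scorer. The code below is an added example written for this article, not anything from the FDIC, NACHA or any monitoring product; the account profile, thresholds, weights and the five transfers are constructed values, and the decision bands are an assumption. Its point is that every transfer in the sample passes two-factor authentication, yet the payee, amount and velocity checks still hold or block the suspicious ones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Transfer:
    account: str
    payee: str
    amount: float
    when: datetime
    mfa_passed: bool  # outcome of the customer's strong authentication step

@dataclass
class AccountProfile:
    known_payees: set          # payees this customer has paid before
    typical_amount: float      # hypothetical baseline, e.g. 90-day mean transfer size
    daily_limit: float         # hypothetical 24-hour outbound volume ceiling

def score_transfer(t, profile, recent):
    """Return (risk score, reasons) for one transfer given the account's
    profile and the other transfers attempted on the account so far.
    Weights are constructed for illustration, not calibrated."""
    score, reasons = 0, []
    if t.payee not in profile.known_payees:
        score += 40; reasons.append("new payee")
    if t.amount > 3 * profile.typical_amount:
        score += 30; reasons.append("amount far above baseline")
    window = [r for r in recent if t.when - r.when <= timedelta(hours=24)]
    if sum(r.amount for r in window) + t.amount > profile.daily_limit:
        score += 30; reasons.append("24h volume exceeds limit")
    if len(window) >= 3:
        score += 20; reasons.append("high velocity")
    if not t.mfa_passed:
        score += 100; reasons.append("authentication failed")
    return score, reasons

def decide(score):
    # Assumed bands: low risk releases, medium waits for an out-of-band
    # callback to the customer, high risk is blocked for investigation.
    if score < 40:
        return "release"
    if score < 70:
        return "hold for callback"
    return "block"

def review(transfers, profiles):
    """Score transfers in submission order; held and blocked attempts still
    count toward velocity, since attackers retry after a failed transfer."""
    seen = {}
    results = []
    for t in transfers:
        recent = seen.setdefault(t.account, [])
        score, reasons = score_transfer(t, profiles[t.account], recent)
        results.append({"payee": t.payee, "score": score,
                        "reasons": reasons, "decision": decide(score)})
        recent.append(t)
    return results

# Constructed sample: a small business that normally pays two known payees,
# followed by a burst of transfers to unfamiliar accounts. Every transfer
# passes MFA, as it would if the credentials and one-time code were captured.
PROFILES = {"ACME-001": AccountProfile({"PAYROLL-CO", "OFFICE-SUPPLY"}, 4000.0, 25000.0)}
D = datetime(2010, 3, 5)
SAMPLE_TRANSFERS = [
    Transfer("ACME-001", "PAYROLL-CO",  4200.0, D.replace(hour=9),                True),
    Transfer("ACME-001", "MULE-ACCT-1", 9000.0, D.replace(hour=9, minute=10),     True),
    Transfer("ACME-001", "MULE-ACCT-2", 9500.0, D.replace(hour=9, minute=25),     True),
    Transfer("ACME-001", "MULE-ACCT-3", 9800.0, D.replace(hour=9, minute=40),     True),
    Transfer("ACME-001", "PAYROLL-CO",  4100.0, (D + timedelta(days=1)).replace(hour=10), True),
]

if __name__ == "__main__":
    for r in review(SAMPLE_TRANSFERS, PROFILES):
        print(f'{r["payee"]:<14} score={r["score"]:>3} {r["decision"]:<18} {", ".join(r["reasons"])}')
```

The first payroll transfer releases, the two new-payee transfers are held for a callback, the fourth trips the volume and velocity rules and is blocked, and the next day's payroll run releases again once the 24-hour window has emptied. None of those outcomes depend on the authentication result, which is the layered-control point Nelson makes.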
Nelson compiles a quarterly report on cyberfraud trends based on publicly available and confidential intelligence sources. The reports are used by examiners in their examinations and for training purposes.