Cybercriminals are increasingly looking at business rather than consumer accounts to hack as banks scramble to shore up their defenses, according to an executive from vendor IronKey.
Consumer banking has been hit hard by hackers, but some banks -- such as those in the U.K. -- have implemented stronger security controls. But business banking systems -- used to transfer much larger sums of money -- are targeted more frequently, particularly in the U.S., said Dave Jevans, CEO of IronKey and founder of the Anti-Phishing Working Group.
"I think what happened is the retail side of the bank -- the consumer side -- has spent seven years building defenses, learning about it ... and the wholesale side -- the business banking -- has done nothing," Jevans said. "Now the wholesale side of the bank is under attack."
Jevans talks with bank executives about his company's product, the IronKey, a ruggedized flash storage drive and secure access device. There are a couple of banks in the U.K. that seem to be routinely probed by hackers and sophisticated malware, said Jevans, who declined to name the banks.
The reason is that the U.K. has a wider network for retaining money mules, or people who agree, either knowingly or not, to accept funds into their accounts for immediate transfer somewhere else.
In the U.S., where consumer online bank accounts often only require a login and password, it appears that hackers have obtained more account details than they can find money mules. Law enforcement agencies have increasingly warned people about work-at-home schemes that seek to recruit people to become mules.
"There's only a certain number of thousand of mules active at one time," Jevans said. "We're starting to believe that's the constraint around why aren't there billions and billions [of dollars] being moved out."
Business accounts can be a more lucrative haul. In the U.S., many accounts have been compromised through ACH (Automated Clearing House) fraud. ACH is used by institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals.
As a result, IronKey's roadmap includes plans for different ways for businesses to sign transactions with its device. Banks now often handle transaction signing by sending an SMS (Short Message Service) message to a person's mobile phone with a one-time code that is entered into a Web-based form, Jevans said.
IronKey is also looking into how to build software-based secure mobile banking applications. Up to 10 percent of online banking customers in the U.S. are using mobile phone banking, and it will only be a matter of time before the number of users increases enough to make those platforms attractive to criminals, Jevans said.
IronKey would probably focus on the BlackBerry, Android and iPhone platforms, Jevans said.