Banks could not have been thrilled by the news earlier this month of the discovery of Gauss, a cyber virus unearthed in the Middle East that surveilled online banking transactions to steal users' credentials. Gauss targeted a number of Lebanese banks as well as Citibank and PayPal. And the Moscow-based lab that uncovered the virus reported an unnerving detail - that it was probably made by the same laboratories that produced the infamous Stuxnet, which attacked Iran's nuclear program a couple of years ago.
The discovery of Gauss is an example of the increasing sophistication of cyber fraud attacks, says Ben Knieff, a fraud expert at NICE Actimize, a risk and security solutions provider. Knieff compared the development of new security measures and countering fraud attacks to an arms race. "We come up with a solution, and then they overcome the barrier," he remarks. A year and a half ago fraudsters started figuring out how to overtake browser-hardening technologies. Then a year ago they learned how to ride in on a customer's session during login to bypass complex device authentication methods. The appearance of a sophisticated malware virus aimed at gathering banking credentials that was possibly developed, like Stuxnet, by a state-sponsored lab signals a new step up in that arms race.
And the arms race is further complicated by the fact that most malware manufacturers tend to make several different "flavors" of the same software, Knieff adds. Each flavor operates differently and may have a different goal.
If there's anything positive to be gleaned from this increasing sophistication of malware attacks, Knieff says it's that attacks on banks' infrastructure seem unlikely. Reuters cited one researcher as mentioning that one module of Gauss could be used to attack infrastructure systems the way Stuxnet attacked the systems that controlled Iran's centrifuges. The idea of a Stuxnet-like virus invading a bank's core systems is obviously a nightmare for banks.
But Knieff says banks have been focused for a long time on preventing attacks on their infrastructure, and fraudsters would rather go after the easier target, the customers, than the bank itself. "Financial institutions have been focused for years on protecting against this. It's not likely that malware will attack a financial institution directly to get into their vault," Knieff suggests. Rather than trying to attack the bank's infrastructure, like a robber trying to break into the bank's vault, fraudsters will probably continue targeting customers making online transactions, like mugging someone walking away from the ATM, he says.