Fraud experts are encouraged to see banks joining forces with law enforcement to fight cybercrime. But as online attackers become increasingly organized, financial institutions may find themselves fighting even tougher battles.
The latest win: In Georgia, a man has pleaded guilty for the role he played in a $1.3 million phishing scheme that targeted customers of Chase, Bank of America, ADP and Branch Bank & Trust.
Collaboration between the banks and the Federal Bureau of Investigation helped build a case against Waya Nwaki, a.k.a. Shawn Conley, who was arrested in December on charges of wire fraud conspiracy, wire fraud, aggravated identity theft, and conspiracy to gain unauthorized access to computers.
According to the indictment filed with the U.S. District Court in New Jersey, Nwaki and six co-conspirators between August 2000 and June 2010 worked across three continents to launch phishing attacks through spoofed websites designed to mimic banks and payroll processors such as ADP. When online users visited the spoofed pages, they were asked to provide confidential personal and financial information, such as dates of birth, Social Security numbers, mothers' maiden names, and online account user names and passwords.
Once the hackers obtained log-in credentials and answers to commonly-asked security questions, they accessed online accounts to make unauthorized transfers to accounts they controlled and/or wired money overseas through money remittance providers such as Western Union and MoneyGram. They also viewed signatures on check images to help them forge checks and withdrawal slips, which they used to physically withdraw funds at bank branches with fake driver's licenses and IDs.
Each count to which Nwaki pleaded guilty carries a maximum sentence of 20 years in prison and a maximum fine of $250,000. Sentencing is set for Aug. 15, 2012.
Others named in the indictment include Karlis Karklins of Latvia; Charles Umeh Chidi of the United Kingdom; Alphonsus Osuala and Osarhieme Uyi Obaygbona of Atlanta; Marvin Dion Hill of College Park, Ga.; and Olani Yi Jones of Nigeria.
How Banks Helped
Because the banks and ADP experienced fraud linked to the same ring, the FBI and the U.S. Attorney's Office combined the attacks when charges were brought against the phishing perpetrators, rather than on a case-by-case basis. The banks' timely communication with local and federal law enforcement about the schemes helped authorities link the attacks to the same ring.
Also, because BofA and Chase are top-tier banking institutions with accountholders spread throughout the United States, the U.S. Attorney's Office says it considered the case from a more national perspective, rather than regional or local, which aided in the prosecution.
Aite fraud analyst Shirley Inscoe says the case illustrates the challenge banks and credit unions face when it comes to the war on phishing - but also speaks to the power of their collaboration with law enforcement.
"This type of activity is very difficult for banks to detect and protect their clients against," she says."If each (bank) had looked at their losses individually, they would have probably been too low to have law enforcement assist them with the prosecution," Inscoe says. "With the activity crossing state lines and having a Nigerian connection, that helped the FBI elevate the priority of this case as well."
One Battle in Anti-Phishing War
This case highlights a common challenge facing banking institutions: Phishing.
According to BankInfoSecurity's 2012 Faces of Fraud survey, 50 percent of respondents say their institutions suffered from phishing-related fraud in 2011. It's the third most common form of fraud, behind payment card crimes and check fraud. Yet, when it comes to fighting these socially engineered schemes, only 28 percent say they feel adequately prepared to defend against these attacks.
Robert Siciliano, a McAfee consultant and ID theft expert, says until banks enhance online authentication practices and techniques, phishing attacks will continue to prove profitable for hackers.
"The failings of username and passwords still exist in e-mail, and the invasiveness of spyware makes every bank and their clients vulnerable," Siciliano says. "The man-in-the-middle attack could be thwarted if at least a third factor, ever-changing code, was deployed."
In his plea, Nwaki admitted to using stolen log-in credentials to intercept and respond to e-mails sent by banks to customers when unfamiliar computers or IP addresses were used to access online accounts. He also admitted to impersonating payroll officers in conversations he had with ADP, which is based in New Jersey.
Siciliano says that e-mail interception proves how out-of-band authentication via mobile or home phone could significantly reduce fraud. "But the banks won't do it until the dollar amounts are high, generally because the banks' customer level of security intelligence would cause too many customer service issues," he says.
For Inscoe, the case shows how sophisticated fraud rings have become. "It is easy to see that each player had their role, and everyone worked together to pull this crime off," she says. "It was highly organized."
The attacks are becoming more difficult to spot, since phishing e-mails and spoofed websites have improved dramatically over the last three to five years. "The bad spelling and grammatical errors are largely things of the past, and the phishing e-mails really do appear and read like legitimate ones," Inscoe says.