Operation Emmental: Could Your Bank Get Hacked?

When you go online to bank, you probably assume the site – along with your transaction – is secure. However, a new report shows that your banking experience could be more vulnerable than you think.

Operation Emmental, cleverly named by Trend Micro to convey how full of holes online banking protections can be, is the latest threat affecting 34 banks and a yet-to-be-determined number of European consumers. While there has been considerable news coverage of this hacking scam in tech and cybersecurity circles, the story has not made it into the consciousness of mainstream America and probably wasn’t a topic of discussion at your dinner table last night. The recent New York Times article “Hackers Find Way to Outwit Tough Security at Banking Sites” didn’t make the top 20 most-read online articles, while “French Food Goes Down” and “What Writers Can Learn From ‘Goodnight Moon’” did.

So why isn’t there more interest? And more importantly, why should there be? This particular attack was extremely sophisticated and complex. Attempting to understand how this attack was so successful can cause the eyes to glaze over for anyone who is not a tech professional or cyber-enthusiast. When you consider that the research paper written by Trend Micro is 20 pages long and contains acronyms (SSL, C&C, DNS) that many people aren’t familiar with, we begin to understand why this story isn’t on everyone’s lips. In addition, this attack has affected only European consumers and not American consumers (yet). These factors, when coupled together, give many of us the misguided perception that this problem doesn’t apply to us and there is no need to pay attention.

Consumers are constantly bombarded with scam alerts and news on the latest threats to such a degree that, predictably, we feel the need to tune out issues we interpret as having little or no direct impact upon us. However, it’s incredibly important to pay attention to these threats because at some point, all of us will likely fall victim to a hack.

Why This Attack Is a Big Deal

So how do we begin to understand this attack (that may be coming soon to a bank near you)? Its complexity is astounding. According to JD Sherry, vice president of technology and solutions for Trend Micro, “This research sends a clear message to the entire banking industry that cyber criminals continue to orchestrate elaborate campaigns to circumvent next generation authentication mechanisms.”

This scam had the ability to circumvent the dual-factor authentication that is in use by many financial institutions. Dual-factor authentication is considered to be one of the better ways to ensure security for consumers, yet the cybercriminals found a way through it in an unexpected manner. The attack exploited what some would consider the weakest link in the chain when it comes to security — the users themselves. That’s right, the scammers circumvented any security protections that were in place at the financial institutions by going directly to the customer base.

The scam starts with a phishing email that appears to be either from the financial institution itself, or a well-known and trusted retailer. Consumers believe they are receiving a communication from an organization with which they are familiar and regularly engage.

Without getting too technical, the consumers who click on the links in the emails allow malware to be installed on their machines. The malware is so sophisticated that the changes it makes on the machine cannot be detected by the general user. The malware then deletes itself after the shenanigans are complete, so antivirus software cannot detect it.

When the unsuspecting user visits their online banking login page, they are redirected to a phony site that is connected to a phony server. However, users don’t detect that anything is amiss on the replicated sites. The site looks just like their bank’s site and it functions just the same, so the customer enters information, such as username, account numbers, passwords or PINs, to log in. At this point the site prompts the user to install an app on their smartphone in order to conduct the transaction. Once the app is installed, the cybercriminals have everything they need.

Two-factor authentication works because two separate channels (a website and a mobile device) are used. However, if both channels are compromised, the system breaks down and the scammers have the ability to clean out the bank account.

A False Sense of Security

The level of technological savvy required to fully understand the problem isn’t the only reason it is flying past our radars. Another reason why we aren’t getting our knickers in a knot is because this hasn’t yet impacted American consumers. Too often, we believe that since it hasn’t affected us yet, it won’t affect us at all. This is a scary misconception, and one the Identity Theft Resource Center and the professionals at Trend Micro hear all too often. “Many U.S. banks are still slow to implement multi-factor authentication, especially as it pertains to mobile banking. This should be of great concern for the entire financial community. As we see most often with sophisticated criminal campaigns such as Operation Emmental, testing will be conducted against various financial institutions across the globe to determine success rates before putting the crosshairs directly on the US financial sector,” states Sherry.

The reality is that security in Europe is, in many ways, more robust than here in the U.S. One of the reasons is our American culture does not just ask for, but demands, convenience and ease of use. Europeans have had a shift of consciousness in this area and don’t make as strong a demand for convenience over security. They are more tolerant of jumping through a few hoops to gain access to their online accounts.

All of this complexity and sophistication may cause consumers to throw up their hands and resign themselves to the fact they are powerless. This is simply not true! Remember, the lynchpin for this attack was a successful phishing email, and consumers can control how they interact with their emails.

Adam Levin, Chairman and Founder of Credit.com and IDT911, has a background in consumer protection and agrees that consumers can empower themselves.

“Operation Emmental isn’t something you should take lightly,” he said. “As evidenced in breaking news, consumers are being targeted through phishing emails for the purpose of exploiting their financial information. These emails look like the real deal, and they read like the real deal. The bad guys are really good at what they do. However, this is your warning to beat them – don’t click on links from suspicious sources. Frankly, you should be wary of links from non-suspicious sources as well.”

Don’t Get Caught Off-Guard

Here are a few ways that consumers can take some control:

  1. Do not open attachments or click on links in emails from people or organizations you don’t know or don’t do business with.
  2. If you receive an email from your bank or a company you regularly do business with, proceed with caution. This is particularly true if you haven’t previously received emails from that company.
  3. If you receive an email from a company that you regularly engage with, and that you have received emails from before, review the content of the email very carefully before clicking on any links. Ask yourself some questions:
    • Is this in response to an issue that I proactively contacted the company about?
    • Is it a solicitation to purchase goods or services?

    If you are interested in the goods or services, or what the company is offering, go directly to the company website by using your web browser, rather than clicking on the links or downloading attachments. Can’t find the offer on the company website? That can sometimes be a red flag. Contact their customer service by email or telephone (use the email address or telephone number on the company website, NOT on the email that you received) to confirm the legitimacy of the email.

Does this take a little more time? Yes. But in the long run it will be worth it. An extra minute of your time to increase your safety when engaging online can save you time, money and heartache. We have been getting too used to greater convenience with no concern for security. It is time for Americans to make a small shift, and do with a tiny bit less convenience and a little bit more security.
