The information provided on this website does not, and is not intended to, act as legal, financial or credit advice; instead, it is for general informational purposes only. Information on this website may not be current. This website may contain links to other third-party websites. Such links are only for the convenience of the reader, user or browser; we do not recommend or endorse the contents of any third-party sites. Readers of this website should contact their attorney, accountant or credit counselor to obtain advice with respect to their particular situation. No reader, user, or browser of this site should act or not act on the basis of information on this site. Always seek personal legal, financial or credit advice for your relevant jurisdiction. Only your individual attorney or advisor can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client or fiduciary relationship between the reader, user, or browser and website owner, authors, contributors, contributing firms, or their respective employers.
Credit.com receives compensation for the financial products and services advertised on this site if our users apply for and sign up for any of them. Compensation is not a factor in the substantive evaluation of any product.
When you go online to bank, you probably assume the site – along with your transaction – is secure. However, a new report shows that your banking experience could be more vulnerable than you think.
Operation Emmental, cleverly named by Trend Micro to convey how full of holes online banking protections can be, is the latest threat affecting 34 banks and a yet-to-be-determined number of European consumers. While there has been considerable news coverage of this hacking scam in tech and cybersecurity circles, the story has not made it into the consciousness of mainstream America and probably wasn’t a topic of discussion at your dinner table last night. The article in the New York Times recently, “Hackers Find Way to Outwit Tough Security at Banking Sites” didn’t make the top 20 most read online articles while “French Food Goes Down” and “What Writers Can learn from ‘Goodnight Moon’” did.
So why isn’t there more interest? And more importantly, why should there be? This particular attack was extremely sophisticated and complex. Attempting to understand how this attack was so successful can cause the eyes to glaze over for anyone who is not a tech professional or cyber-enthusiast. When you consider the research paper written by Trend Micro is 20 pages long, and contains acronyms (SSL, C&C, DNS,) that many people aren’t familiar with, we begin to understand why this story isn’t on everyone’s lips. In addition, this attack has affected only European consumers and not American consumers (yet). These factors, when coupled together, give many of us the misguided perception that this problem doesn’t apply to us and there is no need to pay attention.
Consumers are constantly bombarded with scam alerts, and news on the latest threats to such a degree that, predictably, we feel the need to tune out issues we interpret as having little or no direct impact upon us. However, it’s incredibly important to pay attention to these threats because at some point, all of us will likely fall victim to a hack.
So how do we begin to understand this attack (that may be coming soon to a bank near you)? Its complexity is astounding. According to JD Sherry, vice president of technology and solutions for Trend Micro, “This research sends a clear message to the entire banking industry that cyber criminals continue to orchestrate elaborate campaigns to circumvent next generation authentication mechanisms.”
This scam had the ability to circumvent the dual-factor authentication that is in use by many financial institutions. Dual-factor authentication is considered to be one of the better ways to ensure security for consumers, yet the cybercriminals found a way through it in an unexpected manner. The attack exploited what some would consider the weakest link in the chain when it comes to security — the users themselves. That’s right, the scammers circumvented any security protections that were in place at the financial institutions by going directly to the customer base.
The scam starts with a phishing email that appears to be either from the financial institution itself, or a well-known and trusted retailer. Consumers believe they are receiving a communication from an organization with which they are familiar and regularly engage.
Without getting too technical, the consumers who click on the links in the emails allow malware to be installed on their machines. The malware is so sophisticated that the changes it makes on the machine cannot be detected by the general user. The malware then deletes itself after the shenanigans are complete, thus antivirus software cannot detect it.
When the unsuspecting user visits their online banking login page, they are redirected to a phony site that is connected to a phony server. However, users don’t detect that anything is amiss on the replicated sites. The site looks just like their bank’s site and it functions just the same, so the customer enters information, such as username, account numbers passwords or pins, to login. At this point the site prompts the user to install an app on their smartphone in order to conduct the transaction. Once the app is installed, the cybercriminals have everything they need.
Two-factor authentication works because two separate channels (website, and a mobile device) are used. However, if both channels are compromised, the system breaks down and the scammers have the ability to clean out the bank account.
The level of technological savvy required to fully understand the problem isn’t the only reason it is flying past our radars. Another reason why we aren’t getting our knickers in a knot is because this hasn’t yet impacted American consumers. Too often, we believe that since it hasn’t affected us yet, it won’t affect us at all. This is a scary misconception, and one the Identity Theft Resource Center and the professionals at Trend Micro hear all too often. “Many U.S. banks are still slow to implement multi-factor authentication, especially as it pertains to mobile banking. This should be of great concern for the entire financial community. As we see most often with sophisticated criminal campaigns such as Operation Emmental, testing will be conducted against various financial institutions across the globe to determine success rates before putting the crosshairs directly on the US financial sector,” states Sherry.
The reality is that security in Europe is, in many ways, more robust than here in the U.S. One of the reasons is our American culture does not just ask for, but demands, convenience and ease of use. Europeans have had a shift of consciousness in this area and don’t make as strong a demand for convenience over security. They are more tolerant of jumping through a few hoops to gain access to their online accounts.
All of this complexity and sophistication may cause consumers to throw up their hands and resign themselves to the fact they are powerless. This is simply not true! Remember, the lynchpin for this attack was a successful phishing email and consumers can control how they interact with their emails.
Adam Levin, Chairman and Founder of Credit.com and IDT911, has a background in consumer protection and agrees that consumers can empower themselves.
“Operation Emmental isn’t something you should take lightly,” he said. “As evidenced in breaking news, consumers are being targeted through phishing emails for the purpose of exploiting their financial information. These emails look like the real deal, and they read like the real deal. The bad guys are really good at what they do. However, this is your warning to beat them – don’t click on links from suspicious sources. Frankly, you should be wary of links from non-suspicious sources as well.”
Here are a few ways that consumers can take some control:
Does this take a little a more time? Yes. But in the long run it will be worth it. An extra minute of your time to increase your safety when engaging online can save you time, money and heartache. We have been getting too used to greater convenience with no concern for security. It is time for Americans to make a small shift, and do with a tiny bit less convenience and little bit more security.
Image: Ingram Publishing
October 19, 2023
Identity Theft and Scams
May 17, 2022
Identity Theft and Scams
May 20, 2021
Identity Theft and Scams