A bank’s purpose is the safekeeping of an individual’s funds. Securing trust between financial institutions and their customers has never been more important now that banking has migrated to digital channels. In 1995, Wells Fargo became the first banking institution to offer internet banking to its consumers, and it was a hit. Direct deposit is commonly used to receive paychecks, and the funds in these accounts pay bills such as the mortgage and electricity. Most simple banking has moved from person-to-person interactions to machine- and technology-based ones. For example, to check your balance, transfer funds or freeze a payment, you can simply use the internet or your cellular device. To set up online banking, an individual simply needs a username and password. The user then answers a few personal questions to secure login privileges to all the information concerning the account.
Although the digitizing of banking has made it more convenient, that does not mean new risks aren’t being posed. The problem with the digitizing of banking is that by making it easier for customers to use, it has also made it easier for criminals to rob banks from their homes. Cyber-attacks are a simple way to rob online banking users of their hard-earned money with the press of a button. The simplicity of online banking has become a beacon for hackers with an affinity for financial theft or fraud. Nowadays, the exploitation can be concealed so easily that it can trick financial institutions into believing the perpetrator does not exist. New spyware, malware and bots have increased the ability to tap into never-ending sources of stolen income. This is leading online bank users to question the safety of their money.
Bank fraud has always been prevalent in society; now, with today’s technological advancements, it has gone digital. In 2006, a young Russian hacker who went by the screen name Slavik created and sold a botnet that later earned the title Zbot, short for Zeus bot. The malware was first reported on a young woman’s computer and posted to an online forum for help identifying its intent. This malware was designed to crawl into a computer quietly and search through its files, storage and browser history for usernames and passwords to steal and give to its owner. The information the malware was seeking was specific to online banking. Once the information was collected, the malware would report its findings back to its owner, who would log into the victims’ accounts with their information and steal the account holders’ money. As Zeus developed and expanded, it became an even more detrimental threat to its victims. Along with draining a user’s account, the malware turned the infected computer into a spy by connecting it to a network of infected computers, completely under the hacker’s control. Because of the way the username and password were stolen, when the hacker logged in with the user’s correct information, it appeared as though there was no foul play. This virus continued to attack countless victims until May 2009, when the FBI began receiving reports of large-scale fraudulent transfers.
In this time of non-detection, Zeus evolved. By June, Slavik had created a brand-new version with advanced capabilities. Instead of hoarding this new update, Slavik sold Zeus as a crimeware kit. The crimeware kit was sold for 3,000 dollars, and there were over 5,000 different hackers using Zeus. Other hackers came up with different variations or copies of Zeus and attempted to sell them for themselves. Variations such as SpyEye could be found for a measly 400 dollars, making the kit affordable to more users. New features eased the process of thieving by saving time. One such feature was notifications: the hacker received a cell phone notification when the user was interacting with the machine. Hackers began forming teams to steal larger sums of money from infected machines. The hackers would then find scapegoats, known as money launderers, to transfer the money from account to account, making it harder to trace back to the hacker.
In total, it’s estimated that the Zeus botnet infected 500,000 to one million computers worldwide, and 25% of those computers were in the US. The FBI estimated that US victims lost over $100 million from fraudulent bank transfers alone. Another $27 million was collected from ransomware payments, when hackers informed institutions that they had to pay to have their infected devices released. This aspect of finance needs new and creative ways of protecting users’ information. As technology advances, so do cyber criminals. Therefore, protection must increase to ensure these criminals are unsuccessful in their endeavors.
Suez is my solution to malware like Zeus. Suez will be security software, with the potential for app development. The software will work with the process of becoming an online bank user. It is being developed as an added safeguard to secure financial information. A user would be expected to create their username and then be redirected to Suez, a third-party source for securing financial data. There, a user would specify the parameters within which their password or passphrase should exist. After the user answers a series of randomly generated personal questions, Suez could then populate 8-, 12- or 22-character passwords, depending on the user’s specifications.
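The parameter-driven generation described above could look like the sketch below. It is an added example, not code from the essay's author; the character classes, the function names and the choice to draw every character from the operating system's CSPRNG (rather than from the answers to the personal questions) are assumptions.

```python
import math
import secrets
import string

# Lengths the essay names for Suez-generated passwords.
ALLOWED_LENGTHS = (8, 12, 22)

# Character classes a user may switch on (hypothetical parameter names).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+",
}


def generate_password(length, classes=("lower", "upper", "digits", "symbols")):
    """Return a password with at least one character from every selected class."""
    if length not in ALLOWED_LENGTHS:
        raise ValueError(f"length must be one of {ALLOWED_LENGTHS}")
    if not classes or any(c not in CLASSES for c in classes):
        raise ValueError("unknown or empty character-class selection")
    classes = tuple(dict.fromkeys(classes))  # drop duplicates, keep order
    pools = [CLASSES[c] for c in classes]
    alphabet = "".join(pools)
    # One guaranteed character per class, the rest from the full alphabet.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length, classes=("lower", "upper", "digits", "symbols")):
    """Upper bound on entropy: log2(alphabet size) bits per character."""
    size = sum(len(CLASSES[c]) for c in dict.fromkeys(classes))
    return length * math.log2(size)


if __name__ == "__main__":
    for n in ALLOWED_LENGTHS:
        print(n, generate_password(n), f"{entropy_bits(n):.0f} bits")
```

With all four classes enabled the alphabet has 76 symbols, so an 8-character password carries roughly 50 bits against roughly 137 bits at 22 characters.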
In later developments, Suez can mimic Zeus’s ability to detect PowerShell interactions from remote access. By detecting mirrored PowerShell, Suez would be able to tell once a device has been compromised and inform the user and the banking institution, lessening the fallout.
Because Suez is created to aid in the fight against criminals stealing information and money, the software itself can become a target. Suez would become a target due to the nature of the information it holds. This means that, to better protect Suez, the encryption has to be strong but flexible. The Advanced Data Encryption Standard is to be considered when designing a sustainable way to protect sensitive information of this sort. Compare the encryption to a target: the more the target moves, the harder it is to hit. In cyber security, I’ve learned nothing is “unhackable”, so a contingency must also be created to decrease the chances of fallout. In the event the software is hacked, Suez would have an ever-changing encryption key with no sole admin user; this way the data will continuously separate the passwords from the users. This would make it harder for the hacker to pinpoint whose information belongs to whom, even if they were to gain access.
Protecting Suez would be extremely complex, but pointless if no one trusts the software. A key barrier is going to be the consumer. This is where I’m presented with a choice: would it be better to sell the software to the banks or to the individual consumer? On one hand, the software could be integrated into all banking apps and online sites, putting the onus on the banking institutions to garner the trust of the consumer. On the other hand, Suez could be an independent tool used by the consumer to safeguard their financial data, putting the onus of garnering trust on the capabilities of Suez. Safeguarding through the banking institution is an easier way to gain the trust of users, because the rapport has already been established between the bank and its customers. Attaching Suez to the institutions establishes the credibility of the software. However, allowing Suez to be independent protection software would present more financial gain, referring to “going public” in later years. Keeping the software private fosters new ideas to try in an ever-growing market.
Time and number crunching are going to be paramount in knowing how successful this offensive bot is at user protection. This can be determined by a series of penetration tests. Red Hat hackers can assess how capable the bot would be in real-world testing. If it is to be successful, the software would have to be screened over time. As the software gains popularity, its effect should be reflected in the data collected from financial cybercrime analysis. Suez should lessen the cybercrime attacks carried out to steal usernames and passwords through malware for financial gain or advanced persistent threats.