Home > Identity Theft > Operation Emmental: Could Your Bank Get Hacked?

Comments 0 Comments

When you go online to bank, you probably assume the site – along with your transaction – is secure. However, a new report shows that your banking experience could be more vulnerable than you think.

Operation Emmental, cleverly named by Trend Micro to convey how full of holes online banking protections can be, is the latest threat affecting 34 banks and a yet-to-be-determined number of European consumers. While there has been considerable news coverage of this hacking scam in tech and cybersecurity circles, the story has not made it into the consciousness of mainstream America and probably wasn’t a topic of discussion at your dinner table last night. The article in the New York Times recently, “Hackers Find Way to Outwit Tough Security at Banking Sites” didn’t make the top 20 most read online articles while “French Food Goes Down” and “What Writers Can learn from ‘Goodnight Moon’” did.

So why isn’t there more interest? And more importantly, why should there be? This particular attack was extremely sophisticated and complex. Attempting to understand how this attack was so successful can cause the eyes to glaze over for anyone who is not a tech professional or cyber-enthusiast. When you consider the research paper written by Trend Micro is 20 pages long, and contains acronyms (SSL, C&C, DNS,) that many people aren’t familiar with, we begin to understand why this story isn’t on everyone’s lips. In addition, this attack has affected only European consumers and not American consumers (yet). These factors, when coupled together, give many of us the misguided perception that this problem doesn’t apply to us and there is no need to pay attention.

Consumers are constantly bombarded with scam alerts, and news on the latest threats to such a degree that, predictably, we feel the need to tune out issues we interpret as having little or no direct impact upon us. However, it’s incredibly important to pay attention to these threats because at some point, all of us will likely fall victim to a hack.

Why This Attack Is a Big Deal

So how do we begin to understand this attack (that may be coming soon to a bank near you)? Its complexity is astounding. According to JD Sherry, vice president of technology and solutions for Trend Micro, “This research sends a clear message to the entire banking industry that cyber criminals continue to orchestrate elaborate campaigns to circumvent next generation authentication mechanisms.”

This scam had the ability to circumvent the dual-factor authentication that is in use by many financial institutions. Dual-factor authentication is considered to be one of the better ways to ensure security for consumers, yet the cybercriminals found a way through it in an unexpected manner. The attack exploited what some would consider the weakest link in the chain when it comes to security — the users themselves. That’s right, the scammers circumvented any security protections that were in place at the financial institutions by going directly to the customer base.

The scam starts with a phishing email that appears to be either from the financial institution itself, or a well-known and trusted retailer. Consumers believe they are receiving a communication from an organization with which they are familiar and regularly engage.

Without getting too technical, the consumers who click on the links in the emails allow malware to be installed on their machines. The malware is so sophisticated that the changes it makes on the machine cannot be detected by the general user. The malware then deletes itself after the shenanigans are complete, thus antivirus software cannot detect it.

When the unsuspecting user visits their online banking login page, they are redirected to a phony site that is connected to a phony server. However, users don’t detect that anything is amiss on the replicated sites. The site looks just like their bank’s site and it functions just the same, so the customer enters information, such as username, account numbers passwords or pins, to login. At this point the site prompts the user to install an app on their smartphone in order to conduct the transaction. Once the app is installed, the cybercriminals have everything they need.

Two-factor authentication works because two separate channels (website, and a mobile device) are used. However, if both channels are compromised, the system breaks down and the scammers have the ability to clean out the bank account.

A False Sense of Security

The level of technological savvy required to fully understand the problem isn’t the only reason it is flying past our radars. Another reason why we aren’t getting our knickers in a knot is because this hasn’t yet impacted American consumers. Too often, we believe that since it hasn’t affected us yet, it won’t affect us at all. This is a scary misconception, and one the Identity Theft Resource Center and the professionals at Trend Micro hear all too often. “Many U.S. banks are still slow to implement multi-factor authentication, especially as it pertains to mobile banking. This should be of great concern for the entire financial community. As we see most often with sophisticated criminal campaigns such as Operation Emmental, testing will be conducted against various financial institutions across the globe to determine success rates before putting the crosshairs directly on the US financial sector,” states Sherry.

The reality is that security in Europe is, in many ways, more robust than here in the U.S. One of the reasons is our American culture does not just ask for, but demands, convenience and ease of use. Europeans have had a shift of consciousness in this area and don’t make as strong a demand for convenience over security. They are more tolerant of jumping through a few hoops to gain access to their online accounts.

All of this complexity and sophistication may cause consumers to throw up their hands and resign themselves to the fact they are powerless. This is simply not true! Remember, the lynchpin for this attack was a successful phishing email and consumers can control how they interact with their emails.

Adam Levin, Chairman and Founder of Credit.com and IDT911, has a background in consumer protection and agrees that consumers can empower themselves.

“Operation Emmental isn’t something you should take lightly,” he said. “As evidenced in breaking news, consumers are being targeted through phishing emails for the purpose of exploiting their financial information. These emails look like the real deal, and they read like the real deal. The bad guys are really good at what they do. However, this is your warning to beat them – don’t click on links from suspicious sources. Frankly, you should be wary of links from non-suspicious sources as well.”

Don’t Get Caught Off-Guard

Here are a few ways that consumers can take some control:

  1. Do not open attachments or click on links in emails from people or organizations you don’t know or don’t do business with.
  2. If you receive an email from your bank or a company you regularly do business with, proceed with caution. This is particularly true if you haven’t previously received emails from that company.
  3. If you receive an email from a company that you regularly engage with, and that you have received emails from before, review the content of the email very carefully before clicking on any links. Ask yourself some questions:
    • Is this in response to an issue that I proactively contacted the company about?
    • Is it a solicitation to purchase goods or services?
    • If you are interested in the goods or services, or what the company is offering, go directly to the company website by using your web browser, rather than clicking on the links or downloading attachments. Can’t find the offer on the company website? That can sometimes be a red flag. Contact their customer service by email or telephone (use the email address or telephone number on the company website, NOT on the email that you received) to confirm the legitimacy of the email.

Does this take a little a more time? Yes. But in the long run it will be worth it. An extra minute of your time to increase your safety when engaging online can save you time, money and heartache. We have been getting too used to greater convenience with no concern for security. It is time for Americans to make a small shift, and do with a tiny bit less convenience and little bit more security.

More on Identity Theft:

Image: Ingram Publishing

Comments on articles and responses to those comments are not provided or commissioned by a bank advertiser. Responses have not been reviewed, approved or otherwise endorsed by a bank advertiser. It is not a bank advertiser's responsibility to ensure all posts and/or questions are answered.

Please note that our comments are moderated, so it may take a little time before you see them on the page. Thanks for your patience.

Certain credit cards and other financial products mentioned in this and other articles on Credit.com News & Advice may also be offered through Credit.com product pages, and Credit.com will be compensated if our users apply for and ultimately sign up for any of these cards or products. However, this relationship does not result in any preferential editorial treatment.

Hello, Reader!

Thanks for checking out Credit.com. We hope you find the site and the journalism we produce useful. We wanted to take some time to tell you a bit about ourselves.

Our People

The Credit.com editorial team is staffed by a team of editors and reporters, each with many years of financial reporting experience. We’ve worked for places like the New York Times, American Banker, Frontline, TheStreet.com, Business Insider, ABC News, NBC News, CNBC and many others. We also employ a few freelancers and more than 50 contributors (these are typically subject matter experts from the worlds of finance, academia, politics, business and elsewhere).

Our Reporting

We take great pains to ensure that the articles, video and graphics you see on Credit.com are thoroughly reported and fact-checked. Each story is read by two separate editors, and we adhere to the highest editorial standards. We’re not perfect, however, and if you see something that you think is wrong, please email us at editorial team [at] credit [dot] com,

The Credit.com editorial team is committed to providing our readers and viewers with sound, well-reported and understandable information designed to inform and empower. We won’t tell you what to do. We will, however, do our best to explain the consequences of various actions, thereby arming you with the information you need to make decisions that are in your best interests. We also write about things relating to money and finance we think are interesting and want to share.

In addition to appearing on Credit.com, our articles are syndicated to dozens of other news sites. We have more than 100 partners, including MSN, ABC News, CBS News, Yahoo, Marketwatch, Scripps, Money Magazine and many others. This network operates similarly to the Associated Press or Reuters, except we focus almost exclusively on issues relating to personal finance. These are not advertorial or paid placements, rather we provide these articles to our partners in most cases for free. These relationships create more awareness of Credit.com in general and they result in more traffic to us as well.

Our Business Model

Credit.com’s journalism is largely supported by an e-commerce business model. Rather than rely on revenue from display ad impressions, Credit.com maintains a financial marketplace separate from its editorial pages. When someone navigates to those pages, and applies for a credit card, for example, Credit.com will get paid what is essentially a finder’s fee if that person ends up getting the card. That doesn’t mean, however, that our editorial decisions are informed by the products available in our marketplace. The editorial team chooses what to write about and how to write about it independently of the decisions and priorities of the business side of the company. In fact, we maintain a strict and important firewall between the editorial and business departments. Our mission as journalists is to serve the reader, not the advertiser. In that sense, we are no different from any other news organization that is supported by ad revenue.

Visitors to Credit.com are also able to register for a free Credit.com account, which gives them access to a tool called The Credit Report Card. This tool provides users with two free credit scores and a breakdown of the information in their Experian credit report, updated twice monthly. Again, this tool is entirely free, and we mention that frequently in our articles, because we think that it’s a good thing for users to have access to data like this. Separate from its educational value, there is also a business angle to the Credit Report Card. Registered users can be matched with products and services for which they are most likely to qualify. In other words, if you register and you find that your credit is less than stellar, Credit.com won’t recommend a high-end platinum credit card that requires an excellent credit score You’d likely get rejected, and that’s no good for you or Credit.com. You’d be no closer to getting a product you need, there’d be a wasted inquiry on your credit report, and Credit.com wouldn’t get paid. These are essentially what are commonly referred to as "targeted ads" in the world of the Internet. Despite all of this, however, even if you never apply for any product, the Credit Report Card will remain free, and none of this will impact how the editorial team reports on credit and credit scores.

Our Owners

Credit.com is owned by Progrexion Holdings Inc. which is the owner and administrator of a number of business related to credit and credit repair, including CreditRepair.com, and eFolks. In addition, Progrexion also provides services to Lexington Law Firm as a third party provider. Despite being owned by Progrexion, it is not the role of the Credit.com editorial team to advocate the use of the company’s other services. In articles, reporters may mention credit repair as an option, for example, but we’ll also be sure to note the various alternatives to that service. Furthermore, you may see ads for credit repair services on Credit.com, but the editorial team isn’t responsible for the creation or implementation of those ads, anymore than reporters for the New York Times or Washington Post are responsible for the ads on their sites.

Your Stories

Lastly, much of what we do is informed by our own experiences as well as the experiences of our readers. We want to tell your stories if you’re interested in sharing them. Please email us at story ideas [at] credit [dot] com with ideas or visit us on Facebook or Twitter.

Thanks for stopping by.

- The Credit.com Editorial Team