The experts highlight the fact that financial institutions are spending large amounts of money on protecting their customers' passwords, when in reality they should be focusing on other aspects of security.
The study shows that even though millions of banking credentials are stolen by bank-account-stealing Trojans, they are sold for pennies on the black market.
Florencio and Herley explain that bank account credentials that can allow a crook to access $5,000 (3,750 EUR) are sold for only $5 (3.75 EUR) because stealing the passwords is just the first step in the long and difficult process of emptying an account.
The most difficult part is carried out by money mules, who become the real victims of bank fraud when the crimes are discovered by law enforcement agencies.
This occurs because in most cases banks reimburse customers in case of fraud, but the money is actually paid by the mules, who sometimes unknowingly participate in the scam.
Let’s take a perfect example provided by the Microsoft researchers. A fraudster steals $9,000 (6,750 EUR) from an individual with the help of a money mule. The mule keeps 10%, in this case $900 (675 EUR), and sends the rest to the mastermind of the operation.
Because the crook is usually overseas, or at least abroad, when authorities break up the operation the mule is held responsible for the damage caused and is forced to pay the reimbursement to the account holder from his own pocket.
And because the money trail easily leads investigators to the mules, they end up being the real victims of bank fraud.
“A fixed population of hackers will almost certainly do less harm by attacking hardened targets like banks than if they applied the same energy elsewhere,” the experts explain.
“Getting in and getting out with money is a far harder problem than simply causing destruction. If the goal were mayhem and destruction rather than money-making we might be a great deal worse off.”