<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; fdic</title>
	<atom:link href="http://krebsonsecurity.com/tag/fdic/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Thu, 09 Feb 2012 13:50:58 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>FBI Promises Action Against Money Mules</title>
		<link>http://krebsonsecurity.com/2010/05/fbi-promises-action-against-money-mules/</link>
		<comments>http://krebsonsecurity.com/2010/05/fbi-promises-action-against-money-mules/#comments</comments>
		<pubDate>Tue, 11 May 2010 19:59:58 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[fdic]]></category>
		<category><![CDATA[money mules]]></category>
		<category><![CDATA[Patrick Carney]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=2952</guid>
		<description><![CDATA[The FBI’s top anti-cyber crime official today said the agency is planning a law enforcement action against so-called “money mules,” individuals willingly or unwittingly roped into helping organized computer crooks launder money stolen through online banking fraud. Patrick Carney, acting chief of the FBI’s cyber criminal section, said mules are an integral component of an [...]]]></description>
			<content:encoded><![CDATA[
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/01/jackass.jpg"><img class="alignright size-medium wp-image-432" title="Jackass On The Loose" src="http://krebsonsecurity.com/wp-content/uploads/2010/01/jackass-300x225.jpg" alt="" width="300" height="225" /></a>The <strong>FBI</strong>’s top anti-cyber crime official today said the agency is planning a law enforcement action against so-called “money mules,” individuals willingly or unwittingly roped into helping organized computer crooks launder money stolen through online banking fraud.</p>
<p><strong>Patrick Carney</strong>, acting chief of the FBI’s cyber criminal section, said mules are an integral component of an international crime wave that is costing U.S. banks and companies hundreds of millions of dollars. He said the agency hopes the enforcement action will help spread awareness that money mules are helping to perpetrate crimes.</p>
<p>“We want to make sure that the public understands this is illegal activity and one of the best ways we can think of to give that message is to have some prosecutions,” Carney said at a <strong>Federal Deposit Insurance Corporation</strong> (FDIC) symposium in Arlington, Va. today on combating commercial payments fraud. “We realize it’s not going to make the problem go away, but it should help raise awareness and send a signal.”</p>
<p>Money mules typically are first contacted by e-mail, usually with a greeting that claims the prospective employer found the recipient’s resume on <strong>Careerbuilder.com</strong>, <strong>Monster.com</strong>, or some other job search site. The fraudsters usually represent themselves as international finance or tax companies that are looking to hire “financial agents” to help customers move their money abroad speedily. Candidates often are told the position is a work-at-home job, that no experience is necessary, and that they need only have access to a computer with an Internet connection.</p>
<p>The mule recruitment process can be very convincing: Some scammers go through the trouble of conducting phone interviews, following those up with a <a href="http://krebsonsecurity.com/2010/04/to-catch-a-mule/" target="_blank">barrage of online questionnaires</a>. At some point in the recruitment process, however, the fictitious company will require the recruit to hand over their bank account numbers, so that the erstwhile employer can deposit their clients’ funds. The employees eventually receive checks, wire transfers or automated clearing house (ACH) payments, and are asked to pull the money out of their bank in cash and wire the money overseas through establishments like <strong>Western Union</strong> and <strong>Moneygram</strong>. The typical “commission” for each transfer (most money mules get a single transfer <a href="http://krebsonsecurity.com/2010/01/top-10-ways-to-get-fired-as-a-money-mule/" target="_blank">before they’re fired</a>) is about 8 percent, minus the fees for wiring the money.</p>
<p>I have interviewed more than 150 money mules in the course of my investigations over the last year into this type of fraud. I can safely say that most mules fit into one of two camps: Those that are simply not the sharpest crayons in the box and really did get bamboozled (at least up to a point); and those who are out of a job, laid off, or otherwise in need of money and simply aren’t asking themselves or anyone else too many questions about the whole process.</p>
<p>I find most mules fit into the latter group, and you can usually tell because these individuals often will admit to having set up a new account for the job – separate from where they keep their meager savings or checking. When pressed as to why they did this, if they’re honest most will say they weren’t sure about the whole arrangement and wanted to protect their investments just in case their employers turned out to be less-than-honest.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/05/fbi-promises-action-against-money-mules/feed/</wfw:commentRss>
		<slash:comments>47</slash:comments>
		</item>
		<item>
		<title>Cyber Crooks Leave Traditional Bank Robbers in the Dust</title>
		<link>http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/</link>
		<comments>http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/#comments</comments>
		<pubDate>Tue, 09 Mar 2010 06:43:24 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[The Coming Storm]]></category>
		<category><![CDATA[david nelson]]></category>
		<category><![CDATA[fbi]]></category>
		<category><![CDATA[fdic]]></category>
		<category><![CDATA[RSA]]></category>
		<category><![CDATA[small business victims]]></category>
		<category><![CDATA[willie sutton]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=1609</guid>
		<description><![CDATA[Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.]]></description>
			<content:encoded><![CDATA[
<p>Organized cyber criminals stole more than $25 million from small to mid-sized businesses in brazen e-banking heists in the 3rd quarter of 2009 alone, federal regulators said last week. In contrast, traditional stick-up artists hauled less than $9.5 million out of U.S. banks over that same time period last year.</p>
<p>Speaking at the <strong>RSA Security Conference</strong> in San Francisco last week, <strong>David Nelson</strong>, an examination specialist with the <strong>Federal Deposit Insurance Corporation</strong> (FDIC), <a href="http://www.pcworld.com/article/191019/fdic_hackers_took_more_than_120m_in_three_months.html" target="_blank">said</a> online banking attacks against small businesses of the sort I have chronicled countless times over the past year netted thieves $25 million between July and September of 2009.</p>
<p>I wondered how that stacked up against real-life bank robbers here in the U.S., so I had a look at the <strong>FBI</strong>&#8217;s <a href="http://www.fbi.gov/publications/bcs/bcs2009/bank_crime_2009q3.htm" target="_blank">published bank crime statistics</a> for that same time period last year. Turns out, traditional bank robbers committed a total of 1,184 bank robberies during those three months, netting slightly more than $9.4 million (including $3,071 in travelers checks).</p>
<p><a rel="attachment wp-att-1611" href="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/BCS093q.jpg"><img class="aligncenter size-full wp-image-1611" title="BCS093q" src="http://www.krebsonsecurity.com/wp-content/uploads/2010/03/BCS093q.jpg" alt="" width="556" height="636" /></a>In fact, real-life bank robbers stole a total of just over $30 million in the first three quarters of 2009, just $5 million more than cyber crooks did in the third quarter of last year alone.</p>
<p>Small wonder that the haul from cyber bank robberies has overtaken that of physical heists: Cyber thieves take far fewer risks to life, liberty and limb than do real-life bank robbers. In that same three-month period last year, the FBI says bank robberies at bricks-and-mortar institutions caused five deaths &#8212; all of them perpetrators of the crime.</p>
<p>What’s more, the perpetrators of these incessant attacks against small businesses banking online for the most part reside in countries that are traditionally beyond the reach and influence of U.S. law enforcement. Sure, bank robbers occasionally kill people (more often themselves) while they&#8217;re stealing your money, instead of silently lifting it out of your bank account from afar like cyber thieves. That alone makes them a more emotionally charged, high-value target for the feds. But let&#8217;s face it: Traditional stick-up artists are a lot easier to collar. For one thing, by necessity they are all here in the United States.</p>
<p>In addition, while traditional bank robbers are limited to the amount of money they can physically carry from the scene of the crime, cyber thieves have a seemingly limitless supply of accomplices to help them haul the loot, by hiring so-called <a href="../?s=money+mules&amp;x=0&amp;y=0" target="_blank">money mules</a> to carry the cash for them.</p>
<p>I can&#8217;t help but notice one other important distinction between these two types of bank crimes: <em>The federal government sure publishes a lot more information about physical bank robberies than it makes available about online stick-ups.</em></p>
<p>Indeed, the FBI&#8217;s bank crime stats are extraordinarily detailed. For example, they can tell you that in the 3rd quarter of last year, bank robbers were more likely to hold up their local branch between the hours of 9 a.m. and 11 a.m. on a Wednesday than at any other time or day of the week; they can tell you the number of tear gas and dye packs taken with the loot, the number of security cameras activated, the number of food stamps taken, even what percentage of suspected perpetrators had illegal drug habits at the time of the robberies. About the only thing the stats don&#8217;t tell you is what brand of jeans the perpetrators were wearing and whether the getaway car had cool vanity plates.</p>
<p>What do we get about e-crime statistics from the federal government? One guy from the FDIC giving a speech at the RSA conference. And as we <a href="http://www.krebsonsecurity.com/2010/03/regulators-revisit-e-banking-security-guidelines/" target="_blank">heard from the FDIC last week</a>, the federal regulators <em>could</em> start collecting (and hopefully publishing) these kinds of statistics from America&#8217;s banks, but that would require an okay from the White House.</p>
<p>One of the first posts that I published at krebsonsecurity.com was a story about how much time and effort I put into trying to get the government to acknowledge <a href="http://www.krebsonsecurity.com/2010/01/buried-warning-signs-2/" target="_blank">how much cyber crooks were stealing from small to mid-sized businesses</a> last year in these online banking attacks. Given this latest disclosure, it&#8217;s not hard to see why the banks and feds would be reluctant to part with that information.</p>
<p>The FBI hasn&#8217;t yet published the 4th quarter 2009 bank crime statistics, but if the $25 million cyber heist figure is representative of a quarterly trend last year &#8212; and the first three quarters of stats from last year&#8217;s FBI stats don&#8217;t deviate much in the 4th quarter &#8212; cyber crooks will have stolen well more than twice as much as traditional bank robbers last year in the United States.</p>
<p>I&#8217;m quite certain that if the infamous <a href="http://en.wikipedia.org/wiki/Willie_Sutton" target="_blank">Willie Sutton</a> had his heyday in the present culture, Sutton&#8217;s fabled answer to the question of why he robbed online banks would have been, &#8220;Because that&#8217;s where the *easy* money is.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/03/cyber-crooks-leave-bank-robbers-in-the-dust/feed/</wfw:commentRss>
		<slash:comments>37</slash:comments>
		</item>
		<item>
		<title>Regulators Revisit E-Banking Security Guidelines</title>
		<link>http://krebsonsecurity.com/2010/03/regulators-revisit-e-banking-security-guidelines/</link>
		<comments>http://krebsonsecurity.com/2010/03/regulators-revisit-e-banking-security-guidelines/#comments</comments>
		<pubDate>Wed, 03 Mar 2010 18:16:08 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[fdic]]></category>
		<category><![CDATA[ffiec]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=1435</guid>
		<description><![CDATA[Prodded by incessant reports of small- to mid-sized businesses losing millions of dollars at the hands of organized cyber criminals, federal regulators may soon outline more stringent steps that commercial banks need to take to protect business customers from online banking fraud and educate users about the risks of banking online. At issue are the [...]]]></description>
			<content:encoded><![CDATA[
<p>Prodded by incessant reports of small- to mid-sized businesses losing millions of dollars at the hands of organized cyber criminals, federal regulators may soon outline more stringent steps that commercial banks need to take to protect business customers from online banking fraud and educate users about the risks of banking online.</p>
<p>At issue are the <a href="http://www.ffiec.gov/pdf/authentication_guidance.pdf" target="_blank">guidelines</a> jointly issued in 2005 by five federal banking regulators under the umbrella of the <strong>Federal Financial Institutions Examination Council</strong> (FFIEC). The guidance was meant to prod banks to implement so-called &#8220;multifactor authentication&#8221; &#8212; essentially, to require customers to provide something else in addition to a user name and password when logging into their bank accounts online, such as the output from a security token.</p>
<p>The FFIEC didn&#8217;t specify exactly how the banks had to do this, and indeed it left it up to financial institutions to work out the most appropriate approach. However, many banks appear to have gravitated toward approaches that are relatively inexpensive, easy to defeat, and that may not strictly adhere to the guidance, such as forcing customers to periodically provide the answer to &#8220;challenge questions&#8221; as a prerequisite to logging in to their accounts online.</p>
<p>Unfortunately, as <a href="http://www.krebsonsecurity.com/category/smallbizvictims/" target="_blank">I have documented time and again</a>, organized computer criminals are defeating these solutions with ease. Experts say part of the problem is that few of these solutions can protect customers whose systems are already infected with password-stealing malicious software. What&#8217;s more, few banks have put in place technology on their back-end systems to monitor customer transactions for anomalies that may indicate fraudulent activity, much in the way that the credit card industry sifts through data in real time and alerts the customer if a transaction or set of transactions radically deviates from that customer&#8217;s usual purchasing habits.</p>
<p>Last month, krebsonsecurity.com interviewed <strong>Robert C. Drozdowski</strong>, a senior technology specialist with the <strong>Federal Deposit Insurance Corporation</strong> (FDIC). Drozdowski told me that the banking regulators recently convened a series of meetings with banks and security technology providers to figure out whether additional guidance would help banks do a better job of protecting their commercial customers. I asked him about the current state of these regulations and what we might expect from banking regulators in the months ahead on this issue. What follows is a portion of that discussion.</p>
<p><span id="more-1435"></span><strong>BK:</strong> From what I&#8217;ve been able to gather, this is a type of fraud that often does not directly impact banks, and therefore might not lead to institutions being able to document the losses from online banking fraud. Do the banking regulators have a way to measure how much companies are losing to online banking fraud?</p>
<p><strong>RD:</strong> We do, but that&#8217;s not a request that we could just issue right away to the banks. If we thought this information would be valuable, we&#8217;d have to demonstrate why we need the information, and then put a request in to the [White House's] Office of Management and Budget, saying we&#8217;d like to put a survey to the industry. And then the OMB would get back to us on whether that would be okay.</p>
<p><strong>BK:</strong> That doesn&#8217;t sound like a huge hurdle…</p>
<p><strong>RD:</strong> Agreed, but there are a lot of other issues that are creating real problems for financial institutions in the area of commercial real estate that we don&#8217;t have adequate information on either. With the [losses to smaller companies through online banking fraud], we&#8217;re talking about million-dollar losses, whereas the commercial real estate losses are in the billions. The larger economic losses to financial institutions in commercial real estate are creating havoc, and that&#8217;s where the main focus is now.</p>
<p><strong>BK: </strong>So, you&#8217;re saying that if the banks were actually experiencing more situations in which they lost money as a result of this epidemic of online banking fraud being perpetrated against businesses, then regulators would care more about it?</p>
<p><strong>RD: </strong>It&#8217;s something that comes on our radar screen when banks start taking losses, and not just businesses associated with those entities, that&#8217;s a fair observation. But to the extent those [attacks] create risk to bank customers, we have an obligation to engage our institutions and challenge them to do better.</p>
<p>I should note that there are a lot of things going on behind the scenes. We have been providing information to our bank examiners that&#8217;s not public on these threats, to ask them to increase their due diligence in looking at the authentication solutions that the banks use. We also issued a retail payments examination handbook that [asks] what institutions are doing to reach out to customers to make sure they&#8217;re aware of the requirements needed to conduct secure transactions online.</p>
<p><strong>BK:</strong> So are there no banks that are suffering financially as a result of this type of fraud?</p>
<p><strong>RD:</strong> There are banks that are suffering from it. We have situations where banks are sharing the losses with their customers in order to avoid litigation, and in order to preserve business relationships. There are tangible losses we’re able to cite that make us engage in this area. And there are some legal cases out there that may change that landscape significantly should it be determined that banks aren’t providing the level of protection pursuant to the statute.</p>
<p><strong>BK:</strong> Okay, but it doesn&#8217;t seem like banks really understand what was meant by that statute. As you just mentioned, there are a few lawsuits going on right now that may ultimately determine whether banks are doing the right thing.</p>
<p><strong>RD:</strong> True. That bar is pretty ambiguously defined right now. What is commercially reasonable is not well defined, and right now it’s up to case law to determine it.</p>
<p><strong>BK:</strong> I&#8217;ve been told by several analysts that part of the issue here is that many commercial banks have effectively outsourced a large portion of their visibility into online money transfers to third party companies, firms like Digital Insight, Jack Henry, Fiserv and others. While these entities may offer back-end transaction monitoring and other security features, it&#8217;s not clear to what extent the banks that rely on these companies are adopting those features, or even making them available as an option to commercial customers. It&#8217;s also not easy for companies to shop around for the most secure bank, because banks don&#8217;t always disclose what they are or are not doing to secure transactions. What are the regulators doing in this regard?</p>
<p><strong>RD:</strong> I can tell you we have been reaching out to all major service providers, and have had them in over the past few months to talk about this issue and adequacy of the authentication guidance that’s now a few years old. We&#8217;ve been discussing whether we should revamp that guidance. And we know that they have the products available, and are offering them, but we also know they have not been adopted in all cases because institutions haven’t suffered the losses to justify the expenses involved.</p>
<p><strong>BK:</strong> What kinds of offerings are we talking about?</p>
<p><strong>RD: </strong>They all have different levels of security that they offer. In most cases it’s cafeteria-style offerings, and the institutions select those or not based on their risk tolerance. That said, you have to recognize that as you meet with these people and talk to them, that they have an incentive to sell more product to get us to support greater authentication, so we need to walk a very fine line of addressing an issue versus promoting a service. We&#8217;re cautious about laying out a scenario that would allow them merely to sell more products, so it is a fine line.</p>
<p>I’ve spoken with the Better Business Bureau about this, and something they’re looking to do is create awareness to challenge your institution to provide you with more secure access if they’re not already doing that, and to encourage businesses to pay for those services if they&#8217;re available. We&#8217;re hoping to get the Small Business Administration involved in this as well.</p>
<p><strong>BK:</strong> So are the regulators going to update their guidance?</p>
<p><strong>RD:</strong> There is a working group of all FFIEC agencies that is looking at the authentication guidance. We went through a process over the last couple of months where we brought in many of the biggest service providers, the Jack Henrys, the Digital Insights, those types of players. We had open discussions with them, but in closed-door, off-the-record meetings with banking regulators. Then we brought in individual banks of all sizes to talk about the issues. The exploratory process just concluded a couple of weeks ago. The different banking regulators are now rolling up their sleeves and asking &#8216;What did we learn and what do we want to do next.&#8217;</p>
<p><strong>BK:</strong> But what does that mean, in practical terms, vis-a-vis the current guidance on online banking?</p>
<p><strong>RD:</strong> I think there’s an awareness that what might have been adequate security four years ago when [a bank] examiner went in and asked institutions what they are doing on dual authentication is not adequate or may not be adequate now. There is an effort to see whether or not we need to update the guidance or issue an FAQ to clarify what is or is not adequate, and perhaps give some illustrated examples of what we believe is not adequate. We&#8217;re hoping we may have something released in a few months that speaks to that. So that’s an effort that’s ongoing, and all the banking regulators are involved in it, and it is absolutely very much front-of-mind for the regulators right now.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/03/regulators-revisit-e-banking-security-guidelines/feed/</wfw:commentRss>
		<slash:comments>45</slash:comments>
		</item>
	</channel>
</rss>

