The Great Train Robbery of 1963 netted $69 million in today’s dollars. The largest bank heists have scored more than $80 million. But “stick-’em-up” bank robberies offer high risks and low rewards: According to the FBI, the average U.S. bank heist yields just $4,200 -- and between 50 and 75 percent of perpetrators get caught.

Robbing a brick-and-mortar bank seems like petty theft compared with a new breed of cybercrime that, according to a growing number of security experts, is siphoning untold millions of dollars from banks and their customers using SSL-evading Trojans and ever more refined phishing techniques.

Every anti-virus and anti-malware vendor can report thousands of bank and e-commerce-specific Trojans designed to steal money and identities, often collectively referred to as Bancos/Banker variants. Yet given the vast investment in quelling consumers’ fears about conducting business online, it’s no surprise that few sources are anxious to provide information that highlights the severity of the problem.

Although the banking officials and security officers contacted for this article refused to be quoted on the record, all of them agreed that online bank fraud is an increasing problem. One banking regulatory security auditor told InfoWorld that in some instances, online bank fraud drains as much as 2 to 5 percent from a bank’s overall revenue.

Mark Sunner, CTO of e-mail security provider MessageLabs, thinks it will take “a single, high-value tipping-point event” to wake up the general public, which would then pressure public officials. “I think the world’s largest bank heist will soon be committed using malware,” he says.

Phishing with a hook
Phishing remains the weapon of choice for online bank theft -- and the sleight of hand that tricks users into visiting a phishing Web site continues to get more sophisticated. Phishing e-mails now show up with the user’s address, ZIP code, or account information already filled in, indicating that professional criminals are using other, previously compromised resources to gain the trust of consumers.

Yet as phishing gets slicker, users are getting smarter. As the average Joe becomes less likely to type in authentication information in response to an e-mail, more and more cybercriminals are turning to SSL-evading Trojans.

These Trojans install themselves on unsuspecting users’ PCs and either capture user log-on credentials or manipulate transactions after a successful log-on. In both cases, the SSL connection between PC and bank remains intact. The user may think the confidential online transaction is protected against mischief -- but it is not.

That shift has enormous implications. Ever since Netscape released SSL in 1996, consumers have been told that a confirmed SSL-connection icon indicates that it’s safe to conduct online business.

“The problem is,” according to one bank regulatory security auditor, “SSL isn’t broken. SSL states that the connection between your PC’s network card and the bank’s network card isn’t compromised. This is still true. Nobody is sniffing the transaction off the wire. Instead, this is a ‘man-in-the-end-point’ attack.” In other words, the Trojan is sniffing or manipulating the transaction before it is ever sent across the Internet to the bank.

Click for larger view.

According to Mitchell Ashley, CTO of network security provider StillSecure, “Traditional phishing attacks have duped end-users into clicking on a link, but in the newest evolution, even the most security-savvy can fall victim to attack. Once you’re infected, the game is up.”

Although the theft of credentials remains the biggest threat to online e-commerce, SSL-evading Trojans are quickly becoming the criminal hacker’s favorite tool, mainly because SSL-evading Trojans can bypass any authentication scheme.

Fighting the last war
Most banks and e-commerce sites fall one step behind, responding to Trojans that steal log-on credentials by creating more complex authentication schemes and implementing two-factor authentication solutions. Today, banks frequently require that users click on-screen, randomized keyboards; type in the random letters of a “magic word”; or enter information from a hardware-based cryptographic key fob. None of these solutions works against the new breed of SSL-evading Trojans.

“It’s not a problem of authentication but one of transactional authorization,” says Bruce Schneier, leading security expert and CTO of Counterpane Internet Security. “No matter how hard you make the initial authentication for the end-user or hacker, the malware can just wait until the authentication is done and then manipulate the transaction.”