Minimizing the Risks of Online Banking
EARLIER THIS YEAR, a U.S. District Court in Michigan ordered Comerica Bank to reimburse Experi-Metal Inc. more than $500,000 after the bank approved fraudulent wire transfers of almost $2 million. U.S. District Judge Patrick J. Duggan found that the bank should have detected the fraud because the activity was so unlike Experi-Metal’s normal behavior. He wrote: “A bank dealing fairly with its customer, under these circumstances, would have detected and/or stopped the fraudulent wire activity earlier.” This is believed to be among the first major court decisions involving a corporate account takeover, and the judge’s finding in favor of the customer means that banks have to work harder at ensuring that they are doing all they can to prevent fraudsters from gaining access to customer funds.
To that end, the Federal Financial Institutions Examination Council (FFIEC) recently released a supplement to its 2005 Internet banking authentication guidance. The supplement provides an update on the types of vulnerabilities that have been exploited by online criminals in the past six years, and it makes recommendations on how banks can protect themselves against those attacks, starting with risk assessments. Compliance assessments for the new guidelines will begin in January.
Traditional attacks like spearphishing are still victimizing banking customers. However, the major change in the attacks in the last few years has been in the sophistication. So many attacks now are automated, such as Trojan viruses which aim to steal banking information by infecting people’s computers. The automation means that these are not one-off attacks—they can affect hundreds and thousands of people at a time.
“It’s not your typical college kid trying to figure out how to buy an airplane ticket [with someone else’s money] so he can go meet his girlfriend during spring break down at Daytona beach. It’s organized crime...using coordinated, sophisticated attacks that take advantage of deficiencies in browser technology or [operating system] technology through malware and other kinds of nefarious techniques. We’re seeing more and more of it,” says Reed Taussig, president and CEO of ThreatMetrix, a fraud prevention company.
Two of the major attacks in online banking right now are the Zeus Trojan virus and SpyEye. Ed Skoudis, an instructor with the SANS Institute of computer security research, says the attacks are now embedded into the computers and are becoming even more blatant in attempts to fool unwary customers. He says there is now a version of the Zeus botnet that “waits for you to do the authentication and then pops up a message that says ‘there’s a problem with your account; it was a transaction that accidentally put money into your account, and you need to undo this transaction.’ It’s a bit of social engineering where they induce the customer into trying to do a corrective transaction, for a bogus transaction, and it’s just causing the customer to engage in transactions.”
Social engineering can even go further, says Landy Dutton, vice president and operational risk manager of FirstBank in Nashville, Tennessee, which is a community bank that serves Tennessee locations. She says she’s seen people go so far as to call on the telephone or come into the branch impersonating customers to put transfers through.
Many attacks are actually targeted for a specific bank, notes Avivah Litan, vice president and distinguished analyst at technology research firm Gartner Inc. Zeus and others have also used social networking sites to gain access to victims’ computers.
And the threats just keep on coming. Panda Security’s PandaLabs reported that an average of 42 fresh strains of malware were being designed each minute between April and June of this year.
Many of the sources interviewed for this article were pleased with the new guidance’s treatment of risk assessments, which Dutton refers to as “security 101.” Julie Conroy McNelley, senior risk and fraud analyst for Aite Group, a research and advisory firm out of Boston, says the new guidance is an improvement over the 2005 assessment. “Previous guidance basically just said, ‘You have to do ongoing risk assessments,’ but they didn’t really give any type of timeframe for how [often] those risk assessments have to be done,” says McNelley. The new guidance states: “Financial institutions should review and update their existing risk assessments as new information becomes available, prior to implementing new electronic financial services, or at least every 12 months.” It goes on to list certain changes that would warrant a new assessment, such as actual incidents of security breaches.
Doug Johnson, vice president of risk management policy for the American Bankers Association (ABA), says that many institutions have not been doing what he calls a “dynamic risk assessment.” While they would go through an initial risk assessment, they would not go back to it regularly.
“That’s one thing that the [FFIEC] agencies really focused on was the need for institutions to not be ‘one and done,’ for institutions to really have a dynamic process in place to evaluate the threats and change their mitigation against those threats to the extent that they need to be changed,” says Johnson.
After each assessment is done, the next step is to develop countermeasures to mitigate the exposures discovered. As with physical security, these countermeasures should be layered, thus providing numerous opportunities to thwart an attack. The new FFIEC supplement extols the importance of layered security in both retail and commercial bank accounts.
The FFIEC also recommends that the security be commensurate with the level of the risk. It notes that since the frequency and dollar amounts of retail or consumer banking transactions are generally lower than they are for commercial transactions, those accounts pose a lower level of risk.
In addition to being lower-risk transactions, Dutton points out that consumer accounts are covered under FDIC’s electronic banking Regulation E. “If a fraud happens on a consumer customer, regulations require that the bank make the customer whole,” says Dutton. She adds that such is not the case in small business and larger commercial banking. Dutton says she sees small businesses particularly being taken advantage of by online fraud in areas like wire transfers and automated clearing house (ACH) transfers: “They typically have more money in their account than a consumer. And typically in the U.S., small business customers can do wires and ACH transactions through Internet banking, where a consumer customer can only do bill payment activities and internal transfers. So the thieves are really drawn to the ability to get that money out of the bank through either an ACH avenue or a wire transfer avenue.”
Dutton adds that small businesses tend to be more vulnerable than larger corporations because the bigger companies have staff members who can focus on IT and protecting the company’s data. Small businesses cannot always afford such help.
Specific measures. The following are some of the ways financial institutions can build defensive layers to prevent fraudsters from gaining access to bank accounts.
The first priority for an institution is to be able to verify that a person is who he or she claims to be. There are many ways of doing this, and they can and should be used in combination. The FFIEC recommends various means of implementing dual or multifactor authentication, combining online and offline, or out-of-band components.
Passwords. The simplest authentication measure is a password combined with a user ID, but it does not provide sufficient protection, even when users are taught to select strong, hard to crack combinations of letters and numbers, because this information is easily obtained through keyloggers, phishing, or other subterfuges.
“The biggest problem with that is the long-term nature of the access a bad guy gets if he gets your user ID and password, because few people change their password very often…. And the other problem with static user IDs and passwords is users synchronize them,” using them for multiple accounts, says Skoudis.
Still, most experts agree that passwords will always be around in some form. “I don’t think the password will be supplanted completely. I think it’s going to be a factor in a multifactor authentication,” Skoudis says.
Challenge questions. Many financial institutions use challenge questions as backups during log-in or when log-in fails. The FFIEC recommends against using simple challenge questions, such as asking a person’s high school, because such information is readily available on the Internet or easy to access. But the supplement notes that a more sophisticated approach based on questions with answers that are not readily available might be effective.
“Sophisticated challenge question systems usually require that the customer correctly answer more than one question and often include a ‘red herring’ question that is designed to trick the fraudster, but which the legitimate customer will recognize as nonsensical,” writes the FFIEC.
Johnson says that this could get difficult for the end user. “You’re going to run into questions that the customer is not going to know the answer to right off the top of their head in certain instances. And so that’s a level of inconvenience.” But as more account breaches get reported in the media, customers may consider higher levels of inconvenience for increased security. Johnson stresses that it will be up to financial institutions to figure out the best combination of security measures for their customers.
Tokens. Another authentication factor is a token system that generates random one-time passwords on both ends of the transaction. Tokens have been around for a while, from companies like RSA, the security systems side of EMC Corp. Security tokens are effective security measures, says Skoudis, particularly for systems administration access and the like, because outsiders can’t run software on them.
Tokens have their own vulnerabilities, however, as was revealed by the recent data breach of the RSA SecurID system, where the information stolen may have had the potential to enable thieves to access SecurID-protected systems without the tokens used as the second authentication factor. Skoudis doesn’t think the recent breach will necessarily end the use of tokens, although it might have implications as far as which tokens companies use. Another drawback to tokens is the cost, which is why the tools are not typical for consumer financial accounts.
Browser. Another security measure, which FirstBank uses, is to offer customers the option of downloading a secure browser plug-in off the bank’s Web site. This “allows us to put a bit of a secure cocoon around that browser session so that the session is protected when they’re communicating with us through our Internet banking application,” says the bank’s director of risk management, Clark Cummings, CPP.
Out-of-band. The problem with any online authentication factor is that it can be intercepted. Going offline for one or more factors enhances security. Dutton says that her bank now requires some “out of band” validation of transfers in certain online banking accounts, which means validation outside of the online banking arena. For example, the bank can require confirmation via telephone or cell phone voice or text messaging (SMS). It should be noted, however, that hackers can defeat these measures by spoofing where a call or message appears to originate from or by compromising the person’s account.
Dual authentication. One of FFIEC’s examples of security layers is the use in company accounts of dual authentication through different devices. This way, the person initiating the transfer is different from the person giving final approval.
Dutton’s bank requires dual control at the company making the transaction; this means there will be separate initiation of the transaction and approval of its execution. Some ways to accomplish these validations are through faxes, alerts, and phone calls.
In addition to implementing security measures aimed at preventing breaches, banks are advised to implement detection measures. That’s one of the things that the new guidance got right; it focuses as much attention on detection as on prevention, says Skoudis. “You have to realize that some of your preventions will fail.... [A]ssume that’s going to happen and have good identification and detection,” he says.
The guidance refers to this as anomaly detection, and it advocates having a system in place to notice anomalous activity in initial log-in and authentication as well as during fund transfers. “Based upon the incidents the agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer’s established patterns of behavior,” the FFIEC document states.
However, Litan warns that sophisticated attackers can get around complex device identification and still pull off a transfer. And Skoudis points out that many individuals and organizations use various machines to do their banking, which makes the fingerprinting even more difficult.
There are also companies that provide device identification services for banks, such as ThreatMetrix. They will not look at specific transactions, but rather can determine whether someone is logging into an account under a hidden proxy or if three people in three locations are logging into the same account in a short time span, for example.
Behavior monitoring. This type of anomaly detection can be accomplished in a number of ways. Some banks handle it in-house, while others hire outside behavioral analytics companies.
With behavior analysis, an institution can create a profile of customer behavior and monitor for action outside of that profile. “So if a business typically does two wire transfers a year, and those wire transfers are typically not exceeding $15,000, but all of a sudden you see four wire transfers come through in a period of two days, and they’re attempting to transfer a million dollars to a new payee account, that’s a great indication that something’s going on and that transaction behavior needs to be stopped until somebody can contact the business,” says McNelley.
Guardian Analytics is one company that offers behavior monitoring services. It serves about 60 financial institutions now, according to Terry Austin, president and CEO of the company, which experienced a 400 percent jump in growth in one year. Austin says that when a new customer opens an account, the company uses its Fraud Map product to generate a generic risk profile and behavior profile for the customer based on the other customers of the same type and other customers at that financial institution. For existing accounts, the profile becomes much more specific, based on that user’s activity over time. Anything outside of that pattern causes an alert.
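As an added illustration of the profile-based behavior monitoring described above (this is not code from the article or from any vendor it names), the following Python script builds a baseline from a constructed transaction history and holds transfers that match McNelley’s scenario; all account data, payee names and thresholds are made up.

```python
from datetime import datetime, timedelta

# Constructed history for one small-business account (not real data):
# two wires a year, none above $15,000, always to the same two payees.
HISTORY = [
    {"ts": datetime(2009, 3, 10), "payee": "Acme Supply", "amount": 12_000},
    {"ts": datetime(2009, 9, 15), "payee": "Acme Supply", "amount": 9_500},
    {"ts": datetime(2010, 3, 12), "payee": "Acme Supply", "amount": 14_000},
    {"ts": datetime(2010, 9, 20), "payee": "Beta Tools", "amount": 15_000},
]

# A constructed in-profile wire that should pass without a hold.
NORMAL = [{"ts": datetime(2011, 3, 9), "payee": "Acme Supply", "amount": 10_000}]

# Constructed burst resembling McNelley's scenario: four wires in two days,
# $1 million in total, to a payee the customer has never paid before.
SUSPECT = [
    {"ts": datetime(2011, 5, 2, 9), "payee": "Offshore Holdings Ltd", "amount": 250_000},
    {"ts": datetime(2011, 5, 2, 14), "payee": "Offshore Holdings Ltd", "amount": 250_000},
    {"ts": datetime(2011, 5, 3, 10), "payee": "Offshore Holdings Ltd", "amount": 250_000},
    {"ts": datetime(2011, 5, 3, 16), "payee": "Offshore Holdings Ltd", "amount": 250_000},
]


def build_profile(history):
    """Baseline from past activity: known payees, largest amount, wires per year."""
    years = {t["ts"].year for t in history} or {0}
    return {
        "known_payees": {t["payee"] for t in history},
        "max_amount": max((t["amount"] for t in history), default=0),
        "wires_per_year": len(history) / len(years),
    }


def score_transfer(profile, prior, t, window=timedelta(days=2), velocity_limit=3):
    """Return the reasons a single transfer falls outside the customer's profile."""
    reasons = []
    if t["payee"] not in profile["known_payees"]:
        reasons.append("new payee")
    if t["amount"] > profile["max_amount"]:
        reasons.append("amount above historical maximum")
    # Count earlier transfers inside the look-back window, plus this one.
    burst = [p for p in prior if timedelta(0) <= t["ts"] - p["ts"] <= window]
    if len(burst) + 1 >= velocity_limit:
        reasons.append("velocity: %d transfers within %d days (baseline %.1f/year)"
                       % (len(burst) + 1, window.days, profile["wires_per_year"]))
    return reasons


def review(history, new_transfers):
    """Hold every transfer with at least one reason until staff contact the customer.
    Returns a list of (transfer, reasons) for the held transfers."""
    profile = build_profile(history)
    seen = list(history)
    held = []
    for t in new_transfers:
        reasons = score_transfer(profile, seen, t)
        if reasons:
            held.append((t, reasons))
        seen.append(t)  # held transfers still count toward velocity
    return held


if __name__ == "__main__":
    for t, why in review(HISTORY, SUSPECT):
        print(t["ts"], t["payee"], t["amount"], "->", ", ".join(why))
```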
Johnson says that behavior monitoring is a potentially important tool that is becoming more widely available to different sized banks. “I see companies gravitating towards providing that service as ‘software as a service,’ in the cloud.” Johnson says that this “lowers the price points associated with it.”
Dutton says the anomaly detection piece of the guidance causes her some concern due to its 24-hour-a-day requirement. She says that unless the behavior analytics software is integrated into the online banking software itself, it will be difficult to stop high-risk log-ins at the front end without hiring an outside company to monitor them (as banks already do for credit card activity). And even then, if an account is blocked due to a high-risk log-in, there might not be any bank personnel available to help the customer regain access if it happens on a weekend after the bank is closed.
Another layer of security is customer education and awareness, and this, too, is mentioned in the FFIEC supplement. “A lot of customers… don’t realize that weak defenses on their end could allow their online banking credentials to be compromised; they don’t understand it,” says Dutton. She says it’s particularly important for customers, including small business operators, to realize what types of fraud are and are not fully covered by government regulations.
The ABA’s Johnson says that the main challenge in this area is to develop an effective partnership between the bank and the bank customer so that they work as partners as opposed to being at odds with each other or being unaware of the threat. Customers on the business side should also be aware of the regulations rather than assuming that “the bank is going to make them whole or reimburse them for a loss when, if they’re negligent, they might not be reimbursed,” he says.
FirstBank is working with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to develop new customer awareness documents, and the bank has also ramped up customer engagement, says Cummings.
The supplement stresses that the awareness effort should be aimed at both retail and commercial customers and that it must include explanations of the bank’s protections as well as explanations of government protections for accounts and a list of alternative controls customers might implement on their own, among other things.
Some in the industry think that the prescribed security measures in the FFIEC supplement are helpful. Others, like Gartner’s Litan, say that the supplement should have left out specific types of technology and measures. “What happened in 2005, they put technical details in there, and all the banks followed those measures,” according to Litan. “Then they thought they were compliant, but they ignored the need to stay up on the threats.” She says there is potential for the same thing to happen this time. “When they start outlining measures, they get outdated before the ink’s dry. There are several measures in there already that are circumventable.”
Litan thinks the banking community would be better served by more frequent advice about technological solutions, but it should be delivered in a separate document from the online authentication guidance.
Additionally, it’s important for banks to customize their own authentication programs to fit their unique situations. “Banks will have to do a significant amount of internal due diligence to make sure that they have a solid understanding of the threat environment and understand which technologies are complementary and which technologies are redundant,” says McNelley.
There is evidence that banks are doing some things right. A survey of the banks involved in the FS-ISAC account takeover task force has provided hope, says Johnson. He says that over the last year, “the number of attacks has increased in those institutions. But the losses associated with those attacks have decreased.” Even so, banks must remain vigilant and continuously adapt to changes if they are to keep online fraudsters from reversing this positive trend.
Laura Spadanuta is an associate editor at Security Management.