This year, the security consulting group RSA surveyed authentication and risk management professionals from the world’s leading financial institutions to see what they are doing in the area of security. Honeycomb Connect caught up with Jerry Tylman, an online authentication, fraud prevention and security expert, and one of the authors of the study, to discuss the research and its implications.
The study was intended to benchmark online security strategies and focused on three criteria in particular: where banks stand in relation to FFIEC regulatory mandates, what type of anti-fraud counter-measures are being implemented, and how strategically important security is to the financial institution.
According to the Privacy Clearing House, over 97 million personal records were stolen through hacking and related attacks over an 18-month period spanning February 2005 through late November 2006.
The results indicated that most banks have already made big steps toward compliance, with many actually exceeding government guidance, a situation not paralleled in other industry sectors, particularly in relation to information security.
“Because the government guidance in reality is kind of light,” says Tylman, who explains that banks need only add one additional step to the account log-in process to be in compliance.
Attempts to combat increasingly sophisticated professional fraudsters have led banks to buffer their security infrastructures with new layers of security, which by definition exceed what the FFIEC has mandated in its guidance.
There is no reason to become complacent, says Tylman: the issue is multi-faceted, and as a result banks are required to meet the security threat on multiple levels. At the same time, banks are faced with the mounting problem of persuading their existing customers that the online channel is safe. The media, while it has done an excellent job of bringing the issue of data security into the public sphere, has simultaneously convinced some people that online banking is too risky.
“It’s easy to say that the media has overplayed the threat but I don’t think they have because if personal information is compromised then a threat exists,” says Tylman, citing data breaches at the Veterans Administration, ChoicePoint and Citibank.
Other research suggests that the lion’s share of people who have yet to adopt the online channel say security concerns are the reason for their hesitation. Tylman credits credit card companies for their success in reassuring their customers that using ‘plastic’ to pay for goods and services is a safe transaction, and he thinks lessons can be learned from them.
Take, for example, risk assessments and the ability to spot anomalies in customer behavior, something the credit card companies have become adept at, which make up one important component of a bank’s security strategy.
“If a customer says they are moving to South Florida or the Miami area all kinds of red lights should be flashing,” says Tylman.
Other components of the security strategy include taking down phishing sites, making the log-in process more secure, and having a plan for taking care of customers victimized by fraud.
In the RSA survey, organizational issues were identified as one of the biggest challenges to meeting government guidelines.
“When you have something that has shared responsibility it’s a little tougher to move quickly,” says Tylman.
Tylman explains that European banks are ahead of their American counterparts in tackling online fraud because in Europe fraud is concentrated against a smaller number of financial institutions, whereas in the U.S., until recently, losses at individual financial institutions have been relatively low. Over the last six months there has been a spike in the number of phishing attacks against financial institutions, with the majority of those attacks generally aimed at the large banks.
Small regional banks can escape the fraudster’s attention whereas large banks may face hundreds or thousands of attacks a month, says Tylman.
Despite counter-measures, the number of fraudulent attacks is on the rise and losses are growing, which suggests that banks are facing an increasingly sophisticated network of criminals.
In the summer of 2005 the UK Sun newspaper alleged that one of its journalists bought personal details, which could have been used to raid the accounts of victims, from a Delhi IT worker. Furthermore, the back-office processing and customer support firm HSBC Electronic Data Processing (India) Private reported in June 2006 that an employee, as part of a larger theft ring, accessed customer debit card information and used it to defraud customers of almost half a million US dollars. And recently, the US Computer Emergency Readiness Team (US-CERT) issued a warning of possible cyber attacks by subversive political entities aimed at US stock trading and banking websites.
No amount of external web security can prevent rogue employees from exploiting their positions in call centers to collect personal information from customers. Predictably, incidents such as the one cited above have led to criticism of the offshoring of call centers for its impact on consumer confidence. Pointedly, "The Global State of Information Security 2005," a study published by PricewaterhouseCoopers and CIO, showed that 33 percent of information security attacks originated from internal employees, while 28 percent came from ex-employees and partners.
The prospect of harvesting credentials from thousands of online banking customers, and the ensuing rewards for criminals, makes fraud an attractive prospect for some. Advances in global telecommunications technology mean that attacks can come from practically anywhere in the world. Preventing online scams is not the most pressing priority for law enforcement authorities in some parts of the world, particularly in the developing world where criminals are culturally, economically, emotionally and geographically far removed from the eventual victims of their crimes.
“You have to protect yourself beyond the boundaries of your website,” says Tylman, “we are putting up fences around the website and [the criminals] are beating us in the call center.”
Responding to the threat requires building systems which recognize that credentials can potentially be obtained through a variety of different means.
“If your systems are built predicating the notion that I have just put an extra lock on the front door then you are setting yourself up for some losses,” says Tylman.
Stricter authentication, such as challenge questions, provides additional “road bumps” that may deter some criminals, but ultimately the problem persists. Secret questions can be phished, and people forget them, which shifts a lot of the challenge volume over to the call center, where it costs more to handle, explains Tylman.
“I think legitimate customers find challenge questions frustrating, and that’s why you have to couple that challenge with a risk based assessment.”
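The following is an added illustration, not RSA's or Tylman's model and not part of the survey, of the risk-based assessment Tylman describes: the challenge question is triggered only when a session scores as anomalous, so ordinary customers skip the "road bump" while sessions showing the red flags mentioned above (unfamiliar device, unexpected location, a recent profile change made through the call center) are challenged or held. The signals, weights and thresholds are assumptions chosen for the example; a real deployment would tune them from its own fraud data.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Session:
    customer_id: str
    device_known: bool                     # device/browser seen before on this account
    login_country: str                     # geolocation of the login IP
    home_country: str                      # country on file for the customer
    profile_changed_days_ago: Optional[int]   # days since contact details last changed
    profile_change_channel: Optional[str]     # "web", "branch" or "call_center"
    amount: float                          # value being moved; 0.0 for a plain login

def risk_score(s: Session) -> int:
    """Sum weighted anomaly signals. Weights are illustrative assumptions."""
    score = 0
    if not s.device_known:
        score += 30
    if s.login_country != s.home_country:
        score += 30
    # Credentials harvested through the call center often surface as a recent
    # change of contact details followed by an unusual login, so a change made
    # over the phone is weighted more heavily than one made on the web.
    if s.profile_changed_days_ago is not None and s.profile_changed_days_ago <= 7:
        score += 40 if s.profile_change_channel == "call_center" else 20
    if s.amount >= 5000:
        score += 20
    return score

def step_up_decision(s: Session) -> str:
    """Map a score to an action: only medium-risk sessions get the challenge question."""
    score = risk_score(s)
    if score < 30:
        return "allow"          # no friction for the ordinary customer
    if score < 70:
        return "challenge"      # secret question as a targeted road bump
    return "hold"               # refer to the fraud team for out-of-band verification

# Constructed sample sessions for demonstration only.
SAMPLE_SESSIONS = [
    Session("c1", True, "US", "US", None, None, 0.0),
    Session("c2", False, "US", "US", None, None, 0.0),
    Session("c3", True, "US", "US", 3, "web", 6000.0),
    Session("c4", False, "RO", "US", 2, "call_center", 8000.0),
]

if __name__ == "__main__":
    for sess in SAMPLE_SESSIONS:
        print(sess.customer_id, risk_score(sess), step_up_decision(sess))
```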
Security strategies need to be fluid and capable of responding to the ever-changing security landscape. Tylman says the biggest threat to online security today comes from complacency, in other words, believing that the problem has been solved and being unprepared for new means of attack.
“We have organizational issues that have to be figured out and we have to stay vigilant,” he says.