In the vault: The Coastal Bank and IronKey
In the vault: The Coastal Bank and IronKey
Headquartered on Johnson Square in the heart of Savannah, Ga., The Coastal Bank has served The Peach State for 56 years. With over $430 million in assets, this community bank, which is locally owned and operated, provides a range of financial services, specializing in small business and consumer banking, mortgage solutions and lending services.
Six branches are spread throughout the greater Savannah area, into Rincon and Hinesville, as well as an operations center in Pooler, Ga.
Like any other financial institution, one potential issue The Coastal Bank faced was cybercrime and fraudulent attacks on its customers and the bank, which, if successful, could result in personal information and money being stolen. It was also looking to find a way to adhere to a new set of guidelines from the Federal Financial Institutions Examination Council (FFIEC) that must be implemented by Jan. 2012. The supplement to the FFIEC "Authentication in an Internet Banking Environment" guidance, first issued in Oct. 2005, puts in place requirements for customer authentication, layered security and other controls in the online environment.
"It was important to The Coastal Bank to not only find a way to successfully meet the FFIEC requirements, but to also implement a program that was easy to use," says Adam Montgomery (left), director of marketing at The Coastal Bank.
He says the executives at the bank realized they needed to be proactive and get in front of the threat to protect customers from ever-changing malware and keep their money and personal information safe.
The bank's IT staff, consisting of four people, began a search for a solution.
"Our director of IT initially reviewed most of the current software solutions implemented by other financial institutions and found them to be insufficient, cumbersome and, most important, already proven compromised," says Montgomery.
The bank's director of IT, director of operations, and director of marketing and products made the initial decision to implement the IronKey Trusted Access product. An extended team that included the chief banking officer, chief financial officer and the director of retail services were included for final analysis and sign off.
"After a complete review and analysis of the IronKey Trusted Access product, we felt it was the only solution that could meet and exceed the FFIEC requirements," says Montgomery. The bank staff spent close to six months testing and reviewing the product, as well as conducting focus groups to determine what would best fit its customers' online security needs.
Unlike competing approaches, IronKey Trusted Access delivers a safe, separate and dedicated secure web browser only for online banking (or sites approved by a bank), says Kevin Bocek, vice president of marketing at IronKey. ZeuS, SpyEye, OddJob and other trojans prey on users accessing sites on their computers. Instead of relying on an infected browser or potentially tampered network connection, Trusted Access provides an application that users know is just for financial transactions. And, because Trusted Access is a dedicated app, it does not hog resources by looking to detect each new attack or monitor user's behavior and website access everywhere they go, says Bocek.
Trusted Access for Banking does not rely on potentially compromised and vulnerable applications on the user's host computer, Montgomery adds. Instead, a secure, encrypted connection to online banking is made through the IronKey Trusted Network. "It allows us to provide a level of security previously only available to the U.S. government and military," he says. "It provides our clients with an unprecedented level of security when performing financial transactions."
The Trusted Access Secure Browser is as easy to use as any other web browser, says Bocek. However, unlike a standard browser, users are kept safe from keylogging, transaction tampering, website redirection and other attacks used today to steal money, he says.
Today, there are almost as many unique virus signatures as there are online banking users in the United States, Bocek says. Current detection rates for common trojans designed to steal money, like SpyEye, are only 25 percent. "That means 75 percent of attacks go undetected by today's most popular anti-malware solutions. It's a losing game trying to detect and block each new attack." Instead, Trusted Access focuses on protecting users in a safe environment from known and unknown attacks.
Being the only bank with the product in the markets it serves has created a tremendous market advantage, he says, and has allowed the institution to attract new customers and bring customers over from other banks. "Customers want to bank where their money is the most secure," Montgomery says.
Deployment went smoothly
Deployment of the IronKey tool was very smooth, Montgomery says. "We spent six weeks performing education and training among all of our staff, and also invited six customers to participate in our beta program so that we could have their reactions and make any minor adjustments well in advance of our official launch."
The bank is well ahead of its goals for adoption rate. And, Montgomery says it is very easy to manage and operate on the backend, and even easier for customers to use and understand.
"The product has met or exceeded all of our expectations thus far," he says.
In addition to meeting FFIEC guidelines, the IronKey Trusted Access meets NACHA [the electronics payments association] and FBI recommendations for safe online banking by providing a dedicated, isolated and secure browser environment, says Montgomery. "And the secure browser approach is recognized by Gartner as one of the five critical security controls for preventing online banking fraud," he adds.
The tool does not require network integration to the bank in any form as it is standalone and creates an access portal that is only accessible to the bank's customers. Yet, it touches the entire company.
All employees of the bank have personal sales and referral goals, Montgomery explains. Internal materials were designed with each department in mind to help make it easier for them to relate to the IronKey product, and how it can be best applied to their clients' needs. The Coastal Bank provided all of its employees with an IronKey product and has made wearing the device part of the company uniform. This prompts people to ask questions and has facilitated additional units being deployed.
The goal is to complete its initial deployment within the company and to make sure it has deployed the product to its highest risk clients. "We are also making the product available to everyone whether or not they are a customer of the bank," Montgomery says. "Malware and cybercrimes are a major threat to everyone, and we feel that as a community bank it is our duty to make it available to everyone in the communities we serve."
A continuous process
But, the sanctity of protecting financial assets is a continuous process. The bank has introduced many new multifactor authentication systems along with significant detection capabilities to ensure its customers' transactions are safe, secure, authentic and verifiable, Montgomery says.
"The greatest risk facing The Coastal Bank and our online banking customers today is the security of their own PCs and networks," he says. "Criminals are using the path of least resistance and using client information to take over their computers to cause financial harm to the customer and the bank. With IronKey Trusted Access we offer our customers a way to conduct online banking on a dedicated, secure and isolated platform that's simple and convenient for them to use."
The Coastal Bank is further differentiating its client-focused services with Trusted Access, because it isolates clients' online access in a safe, bank-managed environment that is independent of the PC, Montgomery says. IronKey protects online banking customers even if their PC has been compromised with financial malware, including keyboard loggers, man-in-the-browser or ‘backconnect' trojans.
"Our customers want to know that they are protected from these threats," says Montgomery. "It is equally important to them and The Coastal Bank to know that all activity through IronKey is safe and secure, eliminating the extra risks and security concerns present in today's online banking environment.
The Secure Browser is just one layer of security provided by the Trusted Access Platform, says IronKey's Bocek. Support for smartphone-based authentication has already been announced and additional analytics to detect and prevent fraudulent transactions is planned. The platform allows banks to start with secure browsing and add additional layers of security later.
Policy and setting updates are pushed automatically to end-users after administrators change settings, Bocek says. All policy changes are digitally signed. Software updates are made available to bank administrators first. Administrators can test software updates in a controlled environment. Once accepted, administrators can push software updates to end-users automatically. All software updates are digitally signed and only updated files are downloaded.
The Coastal Bank is one of the first institutions in the country to offer Trusted Bookmarks, a new feature of Trusted Access for Banking allowing members to safely access popular websites using a ‘bookmark list' managed by the bank. With Trusted Access, customers know they are accessing an authentic site and their transactions are not being monitored or tampered with by crimeware.
"We are educating our customers through a number of different channels," says Adam Montgomery, director of marketing at The Coastal Bank. These steps include:
- Advertising and marketing the IronKey product in the markets it serves,
- A series of "Lunch and Learn" events where the bank invites customer to attend a quick 30-minute seminar during their lunch hour, learn about the product, and sign up for Trusted Access,
- Direct contact from the bank's cash management and commercial banking team to existing customers, informing them about the current threats against their financial security and how IronKey Trusted Access prevents this type of activity,
- Information and signage in branches, and on the bank's website,
- Ongoing discussions with key business leaders in the community,
- Providing all employees with IronKey and encouraging customers to ask them about the product.
Safeguarding the online banking experience
There are five key technologies underpinning the secure online banking experience: tamper-proof USB device, virtualization, keylogging protection, secured Trusted Network and cloud-based banking policy management.
Read-only operation: In both downloadable software and portable USB device form factors, Trusted Access is stored and operates as a read-only application with tamper-proof settings. In software, this is enforced using an encrypted file system. With a portable device, this is enforced by the device firmware and cryptochip and is designed to FIPS 140-2 Level 3 specifications.
Virtualization: Isolates online banking sessions within a fully virtualized environment. This eliminates dependencies on desktop browser software and plug-ins that are commonly attacked by criminal malware to steal credentials and hijack banking sessions. This is achieved by proprietary software on the IronKey Trusted Access device working in conjunction with the IronKey Trusted Network and Enterprise Management Service.
Keylogging protection: By encrypting keyboard input from the operating system to the virtualized environment, it stops one of the most common attack methods used by criminal malware to steal online banking credentials; this is a feature of Trusted Access on the IronKey.
Secured Trusted Network: All network access uses a separate, encrypted tunnel that connects with IronKey secured data center operations. This stops DNS poisoning and host tampering attacks, targeted URL malware activation, and man-in-the-middle attacks. This capability is shared between the IronKey end-user or admin device and the IronKey Enterprise Management Service.
Cloud-based safe banking policy management: Institutions establish their own safe banking policies including establishing website start page and URL whitelists to eliminate users visiting non-banking sites (or only those Bookmarked sites approved by the bank); banks use the cloud-based IronKey Enterprise Management Service to set policies and manage devices.
For reprints of this case study, contact Elton Wong at firstname.lastname@example.org or 646-638-6101.