Online account fraud remains prevalent, but all banks can strive to prevent it, says Rudy Wolfs of ING Direct. Dan Kaplan reports.
With court battles raging between small businesses and banks over which entity should be responsible for the massive losses that result from account fraud, ING Direct has adopted a line of thinking that not all financial institutions might agree with: Accept that the customer is going to stink at security.
“You have to assume the desktop is compromised,” says Rudy Wolfs, CIO of ING Direct, a branchless bank that operates entirely over the web. “That's a fairly significant and emerging realization for the community.”After at least four straight years of rising losses due to online account takeovers ($87.5 million in 2010), according to the Federal Deposit Insurance Corp. (FDIC), some banks appear to be learning a hard lesson.
In the most egregious cases of online fraud, a customer's computer is seeded with vicious malware, typically the data-stealing Zeus trojan, which enables the hijacking of the victim's bank account to wire out cash, bundles at a time. But, some banks are learning that counting on their customers to protect themselves from some of the most sophisticated malware ever written is a losing proposition, especially for small businesses and other entities, such as school districts and churches, which seem to be the preferred target.
“Assume the desktop is compromised and deliver a multilayered approach that not only protects against one type of attack but also protects against the next type of attack that criminals can come up with,” Wolfs adds.
That, of course, is easier said than done. For one, many small banks – typically the ones targeted in corporate account takeovers – lack the security and resources that many of their larger brethren have. Second, and more controversial, is the ongoing battle over whether banks even need to invest in such complex controls if the malware's entry point is the customer's PC. After all, when it comes to corporate accounts that suffer fraud, the burden to recoup the losses is on the customer, not the bank, according to Regulation E of the Electronic Funds Transfer Act.As story after story unfolds of small or midsize organizations losing hundreds of thousands of dollars to criminals who gained control of their accounts, the conversation over exactly which safeguards the banks need to implement and whether businesses will still remain liable for losses in the future may soon become clearer.
That is because of a potentially precedent-setting courtroom showdown between a major bank and a small metal supplier based in Michigan. In addition, the Federal Financial Institutions Examination Council (FFIEC) soon is expected to release updated customer security guidelines outlining risk management expectations for banks.
Target: Small business
Most of today's sophisticated banking trojans employ a “man-in-the-browser” method, which renders traditional security controls offered by financial institutions, such as SSL and multifactor authentication, practically useless. Entering a one-time passcode to login to one's account or transferring money via an encrypted session mean nothing if the attacker already has control of the victim's browser.
“None of the old controls work,” says Avivah Litan, vice president and distinguished analyst at Gartner. “It looks like a legitimate user inside the browser application. It's not piercing through the outside. It's on the inside.”Some of the latest iterations of Zeus, which recently merged code bases with SpyEye, are so advanced that they may send shivers down the spine of even the most hardened cybercrime fighter. One new variant targeting U.S. customers, security firm Trusteer recently revealed, actually has the ability to keep online account sessions open after customers believe they have logged off.
“None of the old controls work."
– Avivah Litan, vice president and distinguished analyst at Gartner
Dave Jevans, chairman of IronKey, a Sunnyvale-Calif. maker of financial malware protection products, says smaller banks are capable of defending their borders against attack, but they often fall short at defending against threats targeting the end-user.“The real area where we see meaningful losses is at the smaller financial institutions,” Jevans says. “They don't have the security infrastructure and teams that the big banks have. They often outsource a lot of their IT and online banking activities. They don't have a lot of direct control and they haven't invested in a lot of the security technology that the big guys have.”
But Cary Whaley, vice president of payments and technology policy at the Independent Community Bankers of America, says a recent survey his trade association conducted of some 800 community banks revealed that just five percent suffered a monetary loss due to corporate account takeover.“It's a handful of banks right now,” Whaley says. “It's not an epidemic. [But] is it on our community banks' radar screen? Absolutely. Are they battening down the hatches? Absolutely.”
Pending FFIEC guidelines
But just what type of security controls must banks offer? When the FFIEC, in 2005, released its report, Authentication in an Internet Banking Environment, phishing was the scourge of the internet. The federal guidance, among promulgating other risk-based measures, mandated that banks adopt multifactor authentication.
Nowadays, while phishing remains a problem, commercial account takeover has become the No. 1 fraud concern of banks, Litan says. Not surprisingly, then, the next iteration of FFIEC guidance, due out soon, lays out expectations that seek to trigger reforms to today's most pressing concerns. A draft of the guidance briefly was posted in December on the National Credit Union Administration website.
“Since virtually every authentication technique can be compromised, financial institutions should not rely on any one authentication method or security technique in authorizing high-risk transactions, but rather institute a system of layered security,” according to the leaked version of the guidance.Among other measures, the guidance requires banks to have a comprehensive security program that detects and responds to suspicious activity, something credit card companies already widely practice.
But Litan says some of the other proposed requirements, including device identification and challenge questions, are not effective against advanced malware.“They're recommending things that have been beaten already,” Litan says. “But in their defense, some of the banks want more specificity. They don't want the FFIEC to give broad principles.”
Laura Mather, founder of Palo Alto, Calif.-based Silver Tail Systems and the former director of fraud prevention at eBay, says the draft guidance doesn't go far enough to require leading-edge security that the attackers haven't yet figured out how to evade.Litan agrees: “I like to compare it to the Israel airports,” she says. “I'm a big believer in profiling customers, accounts, website behavior so that, if you have a good profile on how that customer operates over time, you can see if it's abnormal. And then you can only bother with the abnormal transactions.”
At ING Direct, Wolfs does not wait for federal mandates. With 7.7 million customers, most of whom are individual account holders, the bank does not offer some of the capabilities, such as Automated Clearing House (ACH) electronic payments, that other banks with more commercial clients do. But ING Direct is well versed in the torment of keyloggers.“It's certainly an issue that affects every banking customer in the marketplace,” Wolfs says. “We've certainly seen that type of activity. One of the designs for us is through limiting functionality and adding in layers of different types of protection.”
But though its customers may not be the targets of coordinated Zeus and SpyEye attacks, they often are engaged in high-risk transactions. Part of ING Direct's secret sauce is a login PIN pad with randomly changing images – a means of authentication that would be “very difficult and expensive” to log if a criminal had control of a victim's browser – combined with a transaction risk score that is created through endpoint “fingerprinting” and complicated challenge questions.“We have hundreds of them, so we change them up all the time,” Wolfs says. “It's random questions and there's also trick questions in there. There are questions we expect people to say ‘none of the above.' There is enough variety and randomness to it to reduce the impact of a long-term malware attack.”
Additional protection measures include providing customers, at no cost, with Trusteer's Rapport plug-in that locks down the browser once users connect to their bank site. In addition, ING Direct leverages transaction monitoring technology from Silver Tail Systems to study the behavior of users' banking sessions.
“Stealing money looks different than not stealing money,” Silver Tail's Mather says.Wolfs says all banks – no matter their size – should be running the latest and greatest to detect and stop today's most innovative fraudsters. Size is not an excuse.
“Today the technology available to banks of any size is pretty significant,” Wolfs says. “The costs are not preventive. The size of your bank shouldn't have any relevance to the sophistication and quality of security. That said, the more you see, the more you learn.”But Whaley of the Independent Community Bankers Association would prefer to see the FFIEC take a risk-based approach. “If you have two business customers and tight relationships with them, do you need the same security if you have thousands or millions of customers?” he asks.
Precedent could be coming
Since the wave of corporate account takeovers began pillaging SMBs, a number have fought back in the form of lawsuits against their banks, contending that the financial institutions were the ones who should have spotted and stopped the fraud. Therefore, they say, the banks should be liable for the losses.In one highly publicized case, Experi-Metal Inc. (EMI), a Sterling Heights, Mich.-based metal supply company, sued Dallas-based Comerica Bank in December 2009, accusing the institution of failing to detect 85 wire transfers that occurred over the course of several hours on Jan. 22, 2009. Through a slick phishing scam, attackers gained access to the banking credentials of EMI to wire nearly $600,000 to money mule accounts.
The lawsuit accuses the bank of lacking the controls to detect the fraud – EMI rarely transferred money from its account – in addition to grooming its customers to expect emails from the bank that ask it to click on links and enter credentials. The case became the first of its kind to go to trial, and both sides were awaiting a verdict as of press time.“The concept of [what is] reasonable security has not really been ruled upon in court,” says Dave Navetta, partner at the InfoLawGroup, a Denver-based security, privacy and technology firm. “It could set a precedent of some sorts. [One] can make arguments that both sides were responsible. It's a difficult decision to make for a judge.”
Comerica has the deep coffers to fight this tooth and nail, believing the fault is on EMI and therefore the metal supplier is not entitled to monetary relief. But while a precedent may be set if a judge rules in favor of EMI, many small banks already reimburse their customers for their losses, Whaley says.
“In most cases, community banks choose to absorb the loss,” he says. “High-profile litigation with customers is not good for business, causes reputation risk, and most community banks see this as a last resort where forensic evidence shows that relaxed procedures on the business side led to the loss.”Some commercial customers may find further help in a proposal introduced in Congress in September by Sen. Chuck Schumer, D-N.Y. The bill, which has been referred to committee, would amend Regulation E of the existing Electronic Fund Transfer Act to extend fraud liability protection to local governments and school districts. Current law only offers this protection to consumers.
A shared burden
Still, many experts say that the obligation to practice security rests on both the bank and the customer. Even though ING Direct operates with the assumption that its customers' machines already are infected, it believes they should still play a pivotal role in the chain.
“Ultimately, security does rely on the customer..."
– Rudy Wolfs, CIO of ING Direct
Part of the new FFIEC guidance speaks to customer awareness, according to the leaked draft. Among the expectations are that banks will offer their clients an explanation of protections required for electronic funds transfers and information on when they may contact them to request banking credentials.Michael Jackson, associate director of the FDIC Division of Supervision and Consumer Protection, says his office has been instrumental in promoting discussions around the problem of commercial account takeover. That includes collaborating with banks, small business trade associations, the FBI and the Financial Services Information Sharing and Analysis Center.
“The biggest thing is to get the information out,” he says. “These incidents originate outside of the banking arena, outside of the space that has always been guarded in the past.”A separate challenge for banks is that a majority of them use service providers to host their online banking portals. In many cases, these outsourcing firms provide only minimal security and the bank is responsible for the rest.
“I think the banking software companies need to offer a lot of security standard with their package,” Whaley says.
ING Direct has the luxury of size and home-grown applications, but security has been a priority since it was founded in 2001 – not surprising, considering the bank has never operated outside of the internet era.
“Anybody can stop any project on a security concern at any point,” Wolfs says. “You've got a trump card in our operation if you feel there are concerns about security.”
CASE STUDY: Symbiotic relationship
Last fall, Richard Bradfute (left), CIO of the James Polk Stone Community Bank, made the three-hour trip to two of his bank branches to meet with commercial account holders.
The meetings were called to address the continued risk of Automated Clearing House (ACH) and wire fraud, perpetrated by criminals who take control of commercial bank accounts to steal money. Small and midsize organizations across the country have been the primary target and have suffered massive losses to the tune of hundreds of millions of dollars over the past several years.
“If one of our customers gets compromised, it's not good for them,” Bradfute says. “We are in the trenches with our customers. I've literally gone to customers' homes and answered questions. We try to take very good care of them. Our success depends on their success. It's a very symbiotic relationship.”
James Polk Stone, a three-branch institution nestled among the sprawling dairy farms of eastern New Mexico, recognizes that the stealthy malware that gives crooks control of victims' PCs enters at the customer location – not the bank. Thus, educating customers on running anti-virus and firewalls and considering tactics, such as using a dedicated, non-Windows machine for online banking, is instrumental to their safety.
“Frankly, we scared the living hell out of them,” Bradfute admits, adding that each meeting had perfect attendance.
And even though only about 50 of the bank's 1,110 commercial customers use ACH transactions for functions like direct deposits, Bradfute and his team have created a custom-built program that parses payroll files, seeking out anomalies that could signal unauthorized transfers.
In addition, the bank is considering providing its customers with bootable media that they could load each time they want to access the online banking portal. The media, such as a CD or USB stick, would create a separate, read-only operating system that would not be at risk to malware. Once the media is removed, any memory is wiped, and the user can return to the normal operating system.
While none of its customers have been targeted by ACH fraud, Bradfute “guarantees it's coming.” He can only hope the bank's internal controls and user education will stop it.
“The bad guys only have to be right once,” he says. “We have to be right all the time.” – Dan Kaplan