Vulnerability Management

Bank on it: Attacks on financial institutions

Risk is with us, whether physical or online, says Doug Johnson, American Bankers Association. James Hale reports.

From Bill Doolin's Wild Bunch of the 1890s through Depression-era gangsters Alvin “Creepy” Karpis and the Barker Gang, up to David Scott Ghantt, who made off with $17.3 million from Loomis Fargo in 1997, banks have been tempting targets for those desiring fast cash. Today, banks still beckon, but the crooks have traded dynamite, the Tommy gun and insider know-how for digital weapons.

“Threats to our industry are not going away,” says Doug Johnson, vice president, risk management policy with the Washington, D.C.-based American Bankers Association (ABA). “Risk is always with us, but the focus has expanded from physical security to cyber security.”

The type and sophistication of cyber attacks on the financial services sector are shifting, too, say those who observe it closely, and so are the people launching the attacks. 

“It started out with individuals infecting bank computer networks with viruses, but then we saw the criminal element get involved,” says Bill Nelson, president and CEO of Financial Services-Information Sharing and Analysis Center (FS-ISAC), which was created by the financial services industry in 1999. In 2011, he says, there was an increase in denial-of-service attacks by hacktivists, like Anonymous, and, more recently, foreign-based cyber criminals have targeted automated clearing house (ACH) transfers and used diversionary denial-of-service (DoS) to attempt account takeovers.

“Over the past five years, we have witnessed some big changes,” says Matt Riley, group president of ProfitStars, a division of Jack Henry & Associates, an information processing company headquartered in Monett, Mo. “Today's cyber criminal is much more robust and opportunistic. If you have enough money you can get into it.”

There are websites where you can buy the tools you need, says Nelson. In fact, users can purchase 100,000 fraudulent bank cards that are guaranteed to work. “There's a real marketplace out there.”

He adds that the targets are not limited to the United States, noting that online fraud attempts have jumped significantly in Europe and Asia as well.

Just as banks continue to be targets for criminals looking for big scores, the crooks are not deterred when some tighten their defenses. They just move on to other banks. And just as bank robbers of the past were reticent to give up techniques that worked, today's thieves are reluctant to develop new tools.

“The Zeus family of malware is still the gold standard,” says Dennis Schwarz, research analyst for Arbor Networks, a network security company based in Burlington, Mass., referring to the trojan horse botnet that came to light in 2007.

A related strain of malware that Schwarz has studied – Citadel – is the latest to use the so-called man-in-the-browser to attack the financial sector. It attracted attention in 2012 when it was used extensively in Spain and parts of central Europe to steal transaction authentication credentials, and Schwarz believes it still has the potential to wreak havoc in North America.

Also on some analysts' radar are DoS attacks combined with swarms of fake telephone calls that tie up voice servers, and with unauthorized wire transfers – the vehicle that actually removes funds from the bank.

Fake servers

Sean Martin, operations center manager for CSI – a Paducah, Ky.-based company that offers ACH, mobile banking technology solutions and other services – also points to the growth of watering-hole attacks that target bank employees and consumers. 

“We are seeing a proliferation of this use of compromised or fake servers, and it has largely replaced the use of spear phishing to get individuals to divulge confidential data.”

As well, cyber criminals are recognizing that customers are easier targets than the banks themselves, says Johnson, who adds that the ease of online banking has lulled some consumers into a false sense of security.

“When you can shuffle over to your computer in your bunny slippers and move large sums of money around, there is a tendency to let your guard down.”

But, people are still the weakest link in any defense against bank fraud, says Riley, who adds that that has not changed in the 15 years that he has been in the security industry.

While there is general consensus that the largest of the approximately 6,000 banks and 8,000 credit unions in the U.S. have succeeded in training staff and implementing advanced defensive measures, there is also the realization that cyber criminals have found some fissures in the security structures of smaller institutions.

“As the major banks have gotten better, the attackers have started to focus on low-hanging fruit in more remote areas,” says Schwarz.

CSI's Martin makes the point that technological advances have started to tip the balance in favor of the bad guys when it comes to smaller banks. “With some carriers introducing fiber to the premises in communities, and the attendant increase in bandwidth, it is not unusual now to see single users have greater capacity than a small bank or credit union. So, now, you could see an individual have the bandwidth to overcome a bank's network.”

As a result, an increasing number of financial institutions have been moving their transactional traffic to cloud providers and there has been a subsequent rise in niche providers that are meeting the new demand.

“Layered security is also a must for any institution that is doing online banking,” says Nelson, who adds that the ability to detect anomalous transactions is essential.

Riley agrees on both counts. “Implementing dual control is essential,” he says. “A lot of customers don't want to go through an extra security step, but it can go a long way to stemming a security breach. From the institutions' standpoint, there is definitely a need to invest in more detective controls. They have to be able to quickly identify if large amounts of data are being exfiltrated.”

New danger

What would keep Martin awake at night, if he were a bank CSO, he says, is the rise of social media. “People are so connected now that it changes the entire paradigm. It would now be relatively easy to coordinate an attack using social media, or to set up a watering hole and just funnel out customer data or even funds.”

As jittery as an old-time bank guard – picture Deputy Barney Fife guarding Mayberry's bank – how does a bank CSO ensure a good night's sleep?

Dan Holden, director of security research at Arbor Networks, recommends weighing risk based on the specific circumstances of the institution. “You have to look at it from a custom-fit perspective,” he says. “Banks in Manhattan are not the same as those in Charlotte, N.C. You should not base risk on traditional values, but take a hard look at what you need to protect and the resources you have at your disposal.”

He dismisses the notion of following what works in other sectors – or at financial institutions with deeper pockets. “Bank security today should not be about best practices. That's a recipe for what some people call a résumé-generating event.”

He says the bad news for financial institutions – especially the smaller ones with fewer resources – is that there are new threats all the time. “Banks have to avoid the false sense of security that can come with defeating an attack. If you are not constantly adjusting your defense, you have already lost the game.”

The cost of constantly staying one step in front of the enemy has been high, says Nelson. “From provisioning the extra bandwidth needed to counteract DoS attacks to the additional staff required, large banks have been spending millions. Smaller banks and credit unions have had to outsource a lot of it.”

He says that the financial institutions have not been alone in pouring huge amounts into security. Companies like FIS, a major technology provider to financial institutions, based in Jacksonville, Fla., and Jack Henry & Associates have been leading investors in anti-fraud intelligence, systems and software. The banking industry, says Nelson, has reaped the benefits.

Shared responsibility

From Jack Henry's perspective, Riley says, making investments in financial-sector security is more than good business sense. It reflects a shared sense of responsibility for protecting the economic infrastructure.

“It really comes down to doing the right thing,” Riley says. “It is incumbent on the community – in the broadest sense of that term – to share responsibility and information. What one organization might see could help others, whether that organization is in the banking community or part of the overall value chain.”

In other words, he sees a parallel between the type of collaboration that is required to combat online bank fraud and crowdsourcing information.

Nelson says that collaborative approach begins with the financial industry itself. Increasingly, he says, FS-ISAC has pushed out fraud mitigation methods to its members, particularly since the 2003 presidential directive on cyber security. Its critical infrastructure notification system can push out security notifications simultaneously to its national network.

“There is nothing like a singleness of purpose to focus everyone's attention on an issue like cyber security,” says Johnson.

He adds that information sharing is not new within the ABA's membership, citing the way fax machines were used to distribute warnings about physical threats in the pre-internet era.

“The challenge now is to evaluate the amount of information we collect,” says Johnson. “But we have seen our relationships strengthen and evolve over the past 20 years, and we recognize that the best way to fail is not to have agreement on what we need to accomplish.”

Among his organization's focuses during that time has been developing the tools to share information, and building partnerships that support collaboration on advocacy related to the regulatory and legislative tools required to combat cyber crime.

“We have been successful at influencing policy and we have used the lessons learned through our members' experience to inform our advocacy.”

Equally important, he says, is that the amount of attention focused on financial cyber crime has attracted the attention of chief executives in a number of sectors.

“In our business, we have been very focused on the development of the national cyber security framework since the president signed the executive order (in February 2013), but we recognize its contents are not core to CEOs, especially outside financial services. It's highly technical. But, all along the value chain of financial services, we need to take advantage of the interest the cyber security framework has created in the C-suite.”

Johnson believes it is incumbent on CSOs to give senior executives the tools and information they need to ask the right questions, and know when they are getting the right answers.

“We are all working through the issues right now,” he says. “Our industry is doing it and the regulatory agencies are also trying to articulate the risk. A lot of things are coming together, and if CEOs recognize security as a business imperative, they will make the resources available appropriate to the risk at hand.”

However, what is important to remember, he says, is that risk will continue to mature as cyber criminals develop new tools and strategies. With hacktivists and foreign national players joining the ranks of latter-day Bill Doolins, banks can never feel completely secure.

“Protecting the security of our financial institutions is no sprint,” says Johnson. “It is a long haul, and we need to institutionalize our risk management to succeed.”
