Case study: SunTrust Bank and Trusteer

One of the nation's largest banking organizations determined to help its clients protect themselves against online fraud, reports Greg Masters.

The notorious outlaw Jesse James and his gang are said to have committed one of the first armed bank robberies in the United States on Feb. 13, 1866. A 19-year-old student was shot in the melee and the robbers escaped with $60,000 from the Clay County Savings Association in Liberty, Mo.

Unfortunately, escapades like this continue to occur occasionally, but criminals increasingly have migrated to methods that involve nothing so reckless as a physical confrontation. And that, of course, is cyber crime, where their exploits are carried out while sitting at computers. Whether allied together in so-called cyber gangs, working with a small group or acting solo, today's bank robbers are a more sophisticated bunch than were the Confederate bushwhackers comprising the James gang. With all the tools they need easily available for sale on the online black market – including malicious software (malware) created solely to survey computer systems or networks for data related to financial transactions – cyber thieves today can put their schemes into practice behind a veil of anonymity, and reap big rewards without pointing a gun at anyone.

In fact, cybercriminal groups have narrowed their focus to attacking the client and its machines directly. This allows them to develop advanced malware that can carry out difficult-to-block man-in-the-middle and man-in-the-browser attacks. These types of attack involve a criminal gaining control of a computer user's machine so as to intercept communications. With this increasing prevalence of sophisticated financial malware on the internet, one of the nation's largest banking organizations determined to help its clients protect themselves against online fraud.

SunTrust Banks serves a broad range of consumer, commercial, corporate and institutional clients. Its primary businesses include deposit, credit, trust and investment services, and through various subsidiaries the company provides mortgage banking, insurance, brokerage, investment management, equipment leasing and investment banking services. Headquartered in Atlanta, the company operates throughout the Southeast and Mid-Atlantic states with branches and a full array of ATM channels.

"Online fraud is a constant and increasing issue for the financial industry and its clients," says Adam Miller, assistant vice president, client authentication at SunTrust Bank. In fact, according to a recent survey conducted by the Association for Financial Professionals, 73 percent of AFP members polled said they had encountered either attempted or actual payments fraud.

"With the incidence of fraud increasing, SunTrust wanted to further help our clients secure their computers against man-in-the-middle, man-in-the-browser and phishing attacks, and protect data exchanged when clients are using SunTrust's Online Treasury Manager," says Miller. This is a service to commercial and institutional clients so they can manage their business accounts anytime and anywhere.

SunTrust's client authentication team continually evaluates emerging threats and partners with the bank's treasury and payment solutions product partners. With the threats attacking clients' systems, SunTrust wanted to help clients implement protection where the threat was, says Miller.

He and his team reviewed several security solutions before selecting Trusteer's Rapport as part of its overall defense strategy. Other solutions with different client experiences, such as those that reside on flash drives or other external devices, were evaluated, but ultimately SunTrust selected Trusteer Rapport due to what they determined was the effectiveness of the solution and the client experience for a successful implementation.

"We selected Trusteer Rapport because we found it provides some of the most advanced financial malware protection on the market, is easy for our clients to install, operates transparently to users, and complements our other security features, such as dual approval, dual administration and transaction limits that we already have in place to protect our clients," says Miller.

Specifically, there were two main capabilities that led to Miller's decision to select Trusteer. The first was risk assessment. "Trusteer has an extensive network of many financial institutions around the world and tens of millions of endpoint devices reporting suspicious financial malware activity," says Miller. The intelligence gathered by the Trusteer network is used to take adaptive steps within the Trusteer Rapport endpoint protection product to block new attacks, he says. This continuously updated protection is handled transparently by Trusteer, without any intervention by SunTrust's IT department or end-users.

The second factor was layered security. "Trusteer's architecture is capable of detecting and stopping certain financial malware at different points and using different technologies," says Miller. The tool uses several layers of security to protect endpoint devices from becoming infected with financial malware and to protect login credentials, financial information and transactions from being captured or tampered with, he says.

"Trusteer Pinpoint sits on our web application and is capable of monitoring logins and transactions for abnormal behavior associated with malware activity," Miller says. "Combined, these two layers of security can effectively detect and block sophisticated attacks on a client's computer."

Trusteer Rapport is a lightweight security application that bank customers can easily download and install on their PC, Mac or mobile device, says Amit Klein, CTO of Trusteer, a privately held corporation based in Boston. "Rapport operates in the background, protecting the browser, online transactions and the private customer information from being accessed, copied or stolen by advanced malware that might be present on the customer's computer."

The solution does not change the way customers interact online with the bank; they simply see the Rapport icon in their web browser's address bar turn bright green when they navigate to a protected website, Klein says. This is a visible indication to the customer that Rapport is securing their online banking session.

Trusteer has developed a unique adaptive and layered approach toward cybercrime prevention, which is based on deep insight into how malware commits fraud and data theft, says Klein. "Malware incorporates a set of behaviors designed to bypass a bank's security measures, steal sensitive information, tamper with transactions, and steal funds. These behaviors taken together represent Crime Logic. Trusteer's layered and intelligence-based security model, called the Trusteer Cybercrime Prevention Architecture (TCPA), is able to quickly detect emerging Crime Logic and block new attacks by adapting security mechanisms within Trusteer Rapport and Trusteer Pinpoint."

The adaptive protection within the TCPA is made possible by the combination of Trusteer's vast cybercrime prevention network, which gathers attack information from hundreds of organizations and tens of millions of endpoints, and the Trusteer Intelligence Center, Klein explains. Data gathered by the cybercrime prevention network is compiled and analyzed by analysts in the Trusteer Intelligence Center on a 24/7 basis. They subsequently develop and distribute updates to Trusteer Rapport endpoints to block new attacks. This intelligence is also provided to Trusteer's bank customers so it can be fed into their fraud prevention and security systems. Rapport clients are updated around the world within minutes of an emerging threat.

Trusteer can detect financial malware activity on a user's computer before they log in to an online banking application, and implement automated preventative measures before fraud can occur. In addition, Trusteer can remove malicious files on a machine and prevent the malware from ever loading again. It can also prevent malware on a machine from hijacking online banking sessions and stealing information entered and presented in the browser, says Klein.

Trusteer Rapport provides protection against the root cause of most fraud – financial trojan malware, keylogging, man-in-the-middle, man-in-the-browser and phishing, he adds. It is designed to prevent malware from installing on endpoints, and will attempt to remove malware that is present on the device. If malware is detected but cannot be removed, Trusteer Rapport will flag the machine as a "high risk user," which allows the bank to block or limit access to online banking until the machine is disinfected. Trusteer Flashlight, another component in the TCPA, can be used to remotely investigate and deconstruct the malware.

SunTrust's Miller says that Trusteer Rapport was deployed quickly and his team was extremely pleased with the deployment timeline. "We were initially concerned that Trusteer Rapport might cause unintended problems with our clients' browsers and environments, but limited problems surfaced," he says. "Of the few support calls we've had, most of them were able to be resolved in a short time by Trusteer's support group. Overall, it has been a great experience for us and our clients."

Plus, his IT staff does not have to manage Trusteer Rapport on an ongoing basis. Updates that adapt to and block new threats are silently pushed out to Rapport endpoints by Trusteer without requiring user intervention.

"This is extremely valuable to SunTrust and its clients, because clients are automatically protected when using Online Treasury Manager after Rapport has pushed to an end-user an update against new threats that may attack clients of other financial institutions first – without any intervention from our IT staff," says Miller.

Trusteer also gives the bank access to management reports and metrics to see the number of Rapport downloads and other statistics. Once installed, Trusteer Rapport can determine which PCs are infected with malware, remove or disable it and send alerts to the bank's IT staff.

"This allows SunTrust to reach out to clients one-on-one to talk to them about possible malware threats on their machines. Trusteer Rapport has exceeded our expectations," says Miller.

Additionally, Trusteer's services deploy quickly, dynamically adapt to changing threats, and do not require any changes in end-user behavior, he adds.

Compliance regulations

On the risk assessment front, Trusteer gathers malware activity intelligence from its network of financial institutions around the world and tens of millions of endpoint devices, says Klein. This intelligence can be used by Trusteer to continuously take adaptive steps within the Trusteer Rapport endpoint protection product to block new attacks, without any intervention by SunTrust's IT department or end-users.

"This capability can provide us with better information in connection with our risk assessment supervisory expectation," says the bank's Miller.

He says this is valuable because the bank is seeing sophisticated new attacks directly against clients that are designed to steal two-factor authentication credentials in real time, redirect SMS messages to fraudsters' phones, and even defeat transaction-signing protection using social engineering methods.

"Because of these continuing advances in fraud techniques, SunTrust continually looks for ways to implement both layered and adaptive security technologies," says Miller. "Trusteer Rapport is a good example of this new approach. By gathering intelligence about new attacks as they emerge, and then adapting their different protection layers to block them, Rapport allows us to help our clients stay ahead of new threats and minimize fraud."
