About Me

I am former editor of The Banker, a Financial Times publication. I joined the publication in August 2015 as transaction banking and technology editor, was promoted to deputy editor in September 2016 and then to managing editor in April 2019. The crowning glory was my appointment as editor in March 2021, the first female editor in the publication's history. Previously I was features editor at Profit&Loss, editorial director of Treasury Today and editor of gtnews.com. I also worked on Banking Technology, Computer Weekly and IBM Computer Today. I have a BSc from the University of Victoria, Canada.

Friday 24 July 2009

Locking down the data

01 March 2007
Joy Macknight & Fabien Buliard

Banks were once perceived to be secure by the public — an impenetrable steel vault — yet security is one of the things that keep financial institutions’ chief executives awake at night. Just how big is the problem? What are the biggest threats? And is the technology helping to keep ahead of the criminals?

Data breach — two words that quicken the heart rates of financial chief executives as they try to grapple with locking down all access points of their business. Banks are the custodians of a vast amount of personal information and the problem of data security is compounded by a massive growth in internet-based technology usage. Multiple channels, such as ATMs, internet banking and the beginnings of mobile banking, coupled with multiple devices for each customer, have made the job of protecting customers harder than ever before. No one has fortressed networks anymore — the vault is no longer impenetrable.

Although direct financial loss and regulation pressures are identified as two motivating forces for banks to protect data, the overarching driver is that damage to the brand can close a bank. And what is more damaging than finding out your bank cannot protect your money? Data centre security firm Imperva estimates that data breaches can make as many as 30% of people switch banks.

“There has been a significant change in the damage that public exposure of a financial crime attack can have on an organisation,” says Rosemary Turley, director of marketing at Norkom. “If you get named in the public domain for either a compliance breach or a fraud breach, then you can expect your market price to go down by 20 base points immediately. So it has moved from just operational loss to ‘we have got to stop these guys before they get us because we cannot afford these incidents to hit the public domain’. There is a whole different fear factor now.”

Sweden’s largest bank Nordea is one of the latest financial institutions to suffer from a mass data breach, haemorrhaging money as well as personal data. At the start of the year, the public learned that Nordea suffered the biggest known internet fraud with the bank and police unable to stop the attacks. Security advisor McAfee reported that over £600,000 has disappeared from 250 Nordea customer accounts since September as a result of tailor-made Trojans launched by Russian criminals.

According to McAfee, the attack started with a tailor-made Trojan sent in the name of the bank to the bank’s clients. The Trojan activated itself when users tried to log in, saved the information and displayed an error message asking the client to resend the information. The criminals then had two access codes in their possession, which is enough to transfer money. The police established that login information was sent to servers in the US and then to Russia. After that, unknown criminals logged in and transferred large amounts from the bank.

External attacks such as this can come in many different forms, such as phishing, voice phishing (vishing), man-in-the-middle, and malware like Trojans, worms, viruses, botnets and spyware (see Box 1). At the end of 2006, the Financial Services Authority projected that incidents of phishing were set to rise by 90% for the second year running. Computer Associates’ report, 2007 Internet Threat Outlook, found that in 2006 Trojans accounted for 62% of all malware, worms accounted for 24%, and viruses and other types of malware accounted for the remaining 13%.

As attack methods evolve, so do the attackers. Shlomo Kramer, chief executive of data centre security firm Imperva, believes that there has been a shift in the threat landscape. “Since four years ago, when the big threat was worms, etc. attacking the infrastructure, we are now seeing a shift from ego-driven hackers to hackers looking for profit. They are now targeting specific business applications or data.” The attackers have moved out of their teenage bedrooms and into the realm of organised crime.

The person who commits the attack is not always the one who uses the information for identity theft or fraud, which makes it harder to trace the culprit and ultimately get a conviction. Chris Young, vice president and general manager of the consumer solutions business at RSA, the security division of EMC, outlines that there is now an entire value chain in regards to online fraud. “Some [criminals] write the code and gather the information with specialised bot computers and then lease access to the information to an organised crime network. Other criminals may do ‘cash-outs’ where they buy the information and then use it to drain accounts. Some even use ‘mules’, individuals similar to drug mules, to do the final withdrawal.”

The insider threat is as prevalent as the external one, but can be accidental as well as malicious. “The way in which companies’ reputations, their brand, is being fundamentally damaged is by the loss of back-up tapes or laptops with 20,000 or 50,000 of their customers’ records on them,” says Jamie Cowper, marketing manager at specialist data encryption firm PGP. “This does not diminish external attacks, but the vast majority of breaches occur when people are trying to do their jobs and something happens purely accidental. A back-up tape goes astray when being couriered to an off-site storage centre or someone emails the wrong person. It’s not overwhelmingly hacker espionage or whatever — it is the insider making a mistake.”

Nationwide Building Society was hit by such an “accident” when an employee’s laptop with customers’ account details was stolen during a burglary in August. As required by regulation, Nationwide sent a letter alerting its customers to this data breach, but said: “The laptop was security protected and the information on it, which was to be used for marketing purposes, cannot be used on its own to commit identity fraud. There were no PINs, passwords, account balance information or memorable data relating to any customers.” The Financial Services Authority judged that Nationwide failed to have effective systems and controls in place to manage its information security risks and fined the building society £980,000, though the damage to its reputation may be worth more than that.

But it can also be a mixture of both internal and external threats. Turley says that criminals are putting people in financial institutions to help them organise the attacks. “Apparently one of the highest paid pieces of information for ‘sleepers’ is the organisational chart so they can understand the structure, the divisions and the channels and know where to hit.” She says that criminals are looking at the business as a whole to identify weak areas, whereas the banks cannot look at their own business in the same way because they have built it up by tacking on new products and channels and through mergers and acquisitions.

David Porter, head of security and risk at Detica, says the difficulty lies in the diffuse and fragmented nature of enemy attacks. “It’s almost like financial institutions are surrounded by a deadly shroud of gas, rather than a single visible assassin that you can see and touch. They are coming from all directions and they are using all kinds of technology to do it. It is the dispersed nature and also the fact that many of the perpetrators lie within the organisation. The wolf-in-sheep’s-clothing scenario — there is a lot of collusion between insiders and outsiders,” he says.

Porter doesn’t believe that the fraudsters are using “sexy tools” to breach security barriers, but thinks that people inside the banks — and consumers as well — are making mistakes, cutting corners, getting bribes or being threatened. “The weak fallible human side of things should not be underestimated,” he says.

But if the perimeter is penetrable and the “wetware” is known to be weak, how can banks counter the rising sophistication of attacks? According to the 2006 CSI/FBI Computer Crime and Security Survey, the most widely used security technologies are:

  • firewalls (98%)
  • anti-virus software (97%)
  • anti-spyware software (79%)
  • access control (69%)
  • intrusion detection (63%)

Other security technologies include encryption, passwords, PKI, smart cards and biometrics. The research shows that enterprises are using a suite of technologies for a holistic security programme, yet some technologies are losing their popular appeal.

Many financial institutions are moving away from simple PINs and static passwords to multi-factor authentication (see Box 2). Speaking to security experts at the RSA Conference last month, Microsoft’s Bill Gates said that passwords were the “weakest link” and that the industry must evolve to smart cards or security certificates. Some banks, like HSBC and Lloyds TSB, have already rolled out two-factor authentication tokens to their corporate customers, but historically tokens have been considered too expensive for the consumer market.

Last month Entrust addressed the cost issue when it released a $5 one-time-password hardware token. But Pamela Fusco, ex-head of CTI global security at Citigroup, still questions the practicability of consumers toting around a number of tokens, one for each bank. “How many tokens do we have to carry in our pockets if we bank with more than one bank? It is probably the singular motivating factor for us [banks] to work together.”

Authentication is a two-way street and many banks use website authentication images — chosen by the user — to prove that the site is genuine and protect users from man-in-the-middle, phishing and other site forgery attacks. Like many other financial institutions, Bank of America relies on an onsite key, which is a visual mark that customers would have to recognise in order to know that it is the real site. Yet a recent study by Harvard and MIT questions the effectiveness of site authentication images. The research found that out of 60 BoA customers, only 2 chose not to log on with their passwords when the researchers withdrew the authentication images.

Solely protecting the perimeter with firewalls or anti-virus software is no longer seen as enough since the perimeter is known to be porous. Texas-based Bosque County Bank vice president Brent Rickles decided not to renew the bank’s anti-virus licence and instead picked SecureWave’s Sanctuary. Sanctuary “whitelists” applications so that Rickles knows exactly what is being run on the bank’s machines.

“We thought that [anti-virus] is a reactive strategy — there are people out there that are trying to get to us so we are going to throw something up and hope that it works. It is really a kind of safety net and the net has holes in it that people are trying to get through better and faster. Anti-virus is expensive and a lot of money to be spending on something that doesn’t work all that well anymore,” he says. Rickles admits that whitelisting is more labour intensive than running anti-virus software, but with only four branches to worry about, he feels that it is worth the effort.

This method may work for smaller banks, but financial institutions like JPMorgan Chase have a far greater magnitude of complexity to deal with. Stan Szwalbenest, remote channel risk director, consumer risk management, JPMorgan Chase, explains the ongoing process that he and his team are going through to protect remote channels, such as online, phone and credit/debit card. JPMC is using RSA’s eFraudNetwork, which shares non-sensitive information across the network, to show trends in credit card fraud as one component of an anti-fraud strategy. Szwalbenest says that JPMC is not using this method for online banking yet because it went through a 24-month process to enable multi-factor authentication. “We think we should lock the front door better first,” he says.

JPMC has a cyber crime team that looks at everything holistically and works with other law enforcement agencies, and also underground, to expose vulnerabilities and evidence of fraudsters. Szwalbenest joked that some of JPMC’s best customers are probably fraudsters as they seem to know the bank’s product line better than its customers — he used the example of a new product that was selectively launched and quickly had more transactions than participants. He emphasised that banks must always stay a step ahead, but that the best defence is to understand customers’ behaviours and share data between financial institutions.
