Is Fraud Prevention Misguided?
2011's Attacks May Catch Banks By Surprise
"[Banks] need to start thinking about not just back-end forensic detection but also what can be done at the front-end to help the user protect themselves," Jevans says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
Jevans' career in Internet security spans more than 10 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros and Differential.
Improved communication, such as a centralized database where people are reporting fraud on one channel, is essential in preparing for the next attack. Second is cross-channel reporting, which is the ability to gather information and place it into a data warehouse and build correlation tools.
The top security threats banks are facing in 2011 include sophisticated malware, automated ACH fraud, attacks against the mobile environment and criminals figuring out back-end forensics that detect fraud.
Automation is particularly scary, Jevans says, because "that could mean very large-scale losses very quickly across multiple financial institutions." Traditionally, ACH-related fraud was happening by hand, but now an automated process could make fighting this security threat even more challenging.
On the mobile front, fraudulent applications are going to appear to be legitimate financial services applications, Jevans says. "We're going to see more and more attacks on the mobile environment, and it's interesting because you look at the mobile environment from banking and people are moving more and more to it," he says.
During this second part of a two-part interview on fraud and anti-fraud solutions, Jevans discusses:
- Evolving threats;
- The need for layered security; and
- The automation of malware.
Jevans is the founder of IronKey. His career in Internet security spans more than 10 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros and Differential. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy. He also worked in the advanced technology group at Apple and ran an engineering project involving advanced operating systems. Currently, he serves as the chairman of the Anti-Phishing Working Group, a consortium of more than 1,500 financial services companies, Internet service providers, law enforcement agencies and technology vendors dedicated to fighting e-mail fraud and identity theft online.
ACH FraudTRACY KITTEN: Going back to the survey results that I noted earlier, it's a 50/50 split when we look at financial institutions that have addressed ACH fraud versus those that have not. To what do you attribute that disconnect, and why are some waiting to address this type of fraud?
DAVE JEVANS: What you see is that the clever criminal world, particularly for ACH fraud, is relatively concentrated. There are a number of gangs that are very sophisticated. They are making a lot of money, but they will target institutions. They will target corporate banking customers. Remember how many financial institutions we have in this country. We have thousands and thousands of them. There are many institutions that just haven't been hit yet. Their customers haven't been affected. But when you get hit and it's a six-figure or seven-figure loss, especially for a smaller financial institution, it makes a big impact. They're scrambling once they've had these issues to come up with solutions. For the rest of them it's, "I haven't seen it so why should I invest? Why should I have insurance if I've never had a car accident?"
KITTEN: Until it happens, you don't realize how much you need it.
JEVANS: Exactly. It's just like seatbelts. People often times don't wear them and we have laws and fines now to make people wear their seatbelts.
KITTEN: Going back to talking about channel integration, stronger channel integration could help when it comes to identifying ACH fraud, but many institutions are addressing cross-channel fraud manually comparing online anomalies with POS and ATM red flag transactions. What would be better approaches to helping them identify some of this cross-channel fraud, rather than the manual approach?
JEVANS: There are really two approaches here that I think would help. One is better communication around incident reporting across channels, such as a centralized database where somebody reports fraud on one channel. It can actually be reported and shared with other groups that might be looking at fraud across other channels. For example, on the internet side of things you might have a customer who reports some kind of credit card fraud. Somebody took over their credit card and used it on the internet. They might want to be able to report that their account was taken over. Today the ability to share that information between IT, maybe between the ATM group, really isn't there.
The second thing is cross-channel reporting, the ability to gather all kinds of information and put it into a data warehouse and build correlation tools. Some of the more sophisticated, larger financial institutions have built systems like that and they are finding them invaluable in being able to detect at a very early stage patterns of friendly, as well as unfriendly, fraud.
Combating Malware AttacksKITTEN: Let's go back for a moment to the discussion about malware. According to a recent report from the Anti-Phishing Working Group, 54 percent of PCs are infected with some kind of malware. How can the financial industry combat growing malware attacks when consumers are logging on to online banking accounts from infected PCs?
JEVANS: This is really a new generation of how we think about security. Twenty years ago, online banking was all customized software that users would download and run from their computer. It was a customer support burden for the financial institution. When the web came around people were elated because they didn't have to manage their customers' computers anymore. They don't have to manage software. They do it over a standard browser. We are coming back to the stage where we have to take a little bit more responsibility for our end users' environment. And that's really what we are starting to see now, technologies that are relatively light-weight which can be deployed to an end user and protect against malware, provide authentication combined with isolated environments around malware and provide reports back to a financial institution about a customer's computer that might be infected. Then the financial institution can notify the customer or restrict the kind of transactions that the customer can do, because they are in a known risk environment. We're back to this stage where we want to at least provide more of a secured bubble for our customers on their end computer without all the hassles of deploying custom software. And that's what the security industry is starting to provide.
KITTEN: You've gone back and reviewed some of our survey results and supplied some information in advance, and one of the things that you noted was that antivirus tools are probably relied on too much and they are relatively ineffective when it comes to malware protection. Yet the industry continues to use them as the primary source of defense. Why are we so in the dark when it comes to proper protection, and how do we break that cycle, the cycle of continually investing in ineffective tools?
JEVANS: Antivirus tools, particularly signature based, have their place. They have been very effective in the past. The fact is that cyber criminals have figured out how to largely defeat that, primarily through polymorphic malware, meaning that every single piece of malicious software is different. Therefore signature-based approaches won't work. That is how most antivirus products work.
The good news is customers have been educated that they need to take some kind of measures for security. They should probably have firewalls. They should certainly have antivirus, but the signature-based approach really only works at a very primitive level. It frankly cannot keep up with millions and millions of new pieces of Trojan malware that are released every month.
What we have to do here is change the education cycle. We have to be able to educate users that antivirus isn't enough. We need to start thinking about the different approaches, whether it's virtualization to isolate browsers or behavioral-based anti-malware. These are the types of things that the industry needs to be working with the financial services industry on, to create security programs and advice that consumers can use in a very simple way. Again, antivirus is not totally ineffective. It's useful, but it's not enough. We need to really apply the enterprise approach of layered security even to our end users.
KITTEN: Zeus is evolving. It's hitting more banking channels today then ever before, and the online channel is only part of the concern. What role will strong authentication play in helping to curve our vulnerability to Zeus? And if stronger authentication is not the answer, what is?
JEVANS: Stronger authentication is definitely needed. What we've seen is FFIEC guidance on the consumer side of things. There was a lot of activity on the retail side of the banks over the last five years to strengthen up their authentication capability and their back-end transaction anomaly reporting. That type of effort needs to be applied to the wholesale side of the bank, and with many financial institutions those are very different groups. The commercial banking side of things has not benefited necessarily from the work that has been done on the retail side. They have a lot of work to do to catch up.
The Zeus malware, and other types of malware, are evolving very quickly. They've almost opened their platforms up so there are numerous different groups that are building plug-ins into this malware. We've started to see Zeus malware on the mobile phone platform, looking at how they would affect the phone, as well as the computer, to defeat authentication. Strong authentication is definitely something that is needed and it will make it more difficult for cyber criminals to commit larger scale ACH fraud. It needs to be combined with dual authentication of transactions. For example, have somebody initiate a transaction and someone else inside the company approve the transaction. But it won't fix it completely. It will narrow the attack service and here's why. Many of the victims are small companies where there may only be a single proprietor who initiates and approves a transaction. Having dual transaction authentication for a small business, for example an electrician, carpenter or small company, they often have only person who does all the transactions. In that case, authentication can be circumvented and it's just not enough.
Top Security Threats in 2011KITTEN: In closing, I would like for you to share with our audience the top three-to-five security threats you see catching most institutions by surprise this year, and what steps they should be taking now to prepare.
JEVANS: I see a few different things here. One, we're going to see more sophistication on the malware front. It's basically a trend that we've identified for the last three-to-five years. We've seen malware evolving very rapidly in Brazil. We've seen it moving very quickly in the United Kingdom and now it's here in the United States. We're going to see real sophistication.
The next thing we're going to see is automation. This is kind of scary. To date, most of the ACH-related fraud that is driven from the cyber channel has been done by hand. Somebody will be sitting in Eastern Europe, for example, watching a user's computer as they log in to their online banking system and authenticate. They'll then create a session, hijack it and then start initiating transactions. It's done by live people in another country watching user sessions. We have evidence that is starting to move to an automated channel, where they are able to start automating transactions across multiple computers. That is scary because that could mean very large-scale losses very quickly across multiple financial institutions. That is something that we're going to see given the evidence of trial malware that we're seeing that attempts to automate already.
Another threat that we're going to see is targeting the mobile environment, targeting the tablet-type environment and the iPad environment. We're going to be seeing more of that. There's going to be malicious applications that pretend to be legitimate financial services applications. It's going to be other types of malware on "jail-broken" phones for example. We're going to see more and more attacks on the mobile environment, and it's interesting because you look at the mobile environment from banking and people are moving more and more to it. And maybe not for all their banking, but certainly to check balances, do some kind of payment, to deal with overdraft. We're seeing quite a growth in that channel. We are going to see the growth in the attacks.
KITTEN: That makes sense.
JEVANS: We're going to see two other things that folks need to think about. One is a lot of financial institutions are relying on back-end forensics to detect fraud. Clearly on the consumer channel it's crucial, and there's been decades of investment into particularly the credit card side of things, such as fraud detection and fraud prevention. It works really well. We are starting to move that to the business channel and there are simple things that work well today. For example, if a customer always makes payments into the U.S., or into the state that they're located, because they're a local business, and then suddenly they start moving ten thousand dollars at a time to the Ukraine, that's something that a fraud detection system should be able to pick up. The reality is the bad guys are figuring that out, and when they find financial institutions who built in back-end forensics for business payment that could feed that, they are going to start creating payments that are indistinguishable from legitimate payments.
We're going to see, for example, much more use of money mules in the local area so that payments will appear to be local. We're going to see cleaner web transactions that will not give away the fact that it's an automated remote bot that is initiating a payment that will look like it came from the user's computer, and it will not have signatures. That is going to take some institutions by surprise. They need to start thinking about not just back-end forensic detection but also what can be done at the front-end to help the user protect themselves, either through software or hardware combinations on their computer, to create some environment where the user can protect themselves as well as the back-end system.
Finally, the thing that will take some people by surprise is we'll see more insider collusion inside a financial institution, or social engineering of trusted insiders within institutions. We've seen some of this already where, for example, people inside are selling databases of customers and giving out e-mail addresses of customers. Again, it's not a wide spread problem but something that has happened already. We are going to see more of it. And what it will do is result in very large-scale data breaches which result in larger scale fraud.
Editor's Note: This is the second part of a two-part interview with Jevans, who follows up on his conversation about online security, adding insights about phishing and malware trends that stress the need for more channel integration and cross-channel fraud detection. Hear Part 1: Online Fraud: Heart of the Problem.