How to Avoid Being a Victim of Multi-Channel Fraud
Interview with Diana Kelley, Partner, SecurityCurve
Multi-channel fraud - schemes that are launched simultaneously via telephone, Internet, in person and via mail - is a growing concern for financial institutions. And the linked crimes aren't always easy to spot.
In this exclusive interview, security expert Diana Kelley discusses:
Diana Kelley founded SecurityCurve in April of 2003. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.
Prior to returning to SecurityCurve in January 2008, she was Vice President and Service Director for the Security and Risk Management Strategies (SRMS) service at Burton Group. Diana was the Executive Security Advisor for CA's eTrust Business Unit. At CA she was responsible for advising customers on strategic security solutions and helped guide CA's security business.
She served as the Vice President of Security Technology for Safe3W, Inc (acquired by iPass), a provider of strong, two-factor authentication. Representing Safe3W she was actively involved in the Technical Group for NACHA's Project Action. And she was a security industry analyst with Baroudi Bloor, a top-tier analyst firm where she delivered strategic advice to, among others, IBM and Psionic (acquired by Cisco).
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is multi-channel fraud, and we're talking with Diana Kelley, Partner with Security Curve. Diana, thanks so much for joining me today.
DIANA KELLEY: Oh, thanks for having me, Tom.
TOM FIELD: Now you've recently written a white paper about multi-channel fraud, and I wanted to give you just a second to tell us a bit about yourself and about Security Curve.
KELLEY: Okay, sure. Thanks. Well, I'm an 18-year veteran of IT and security, and I have a broad range of experience including being a manager in financial services consulting at KPMG, a general manager at Symantec, and most recently I was the vice-president and service director at Burton Group for the security and risk management strategies service. So it's, you know, sort of a full background of actually having worked with vendors, worked as an SI doing system integrations inside of large organizations, as well as looking at it from the analyst point of view for research. I'm bringing all that together with Security Curve, which is an independent research and consulting firm that provides strategic guidance to companies and vendors.
FIELD: Now you've just written this white paper on multi-channel fraud, so my question for you is what types of fraud are you seeing in the financial services market place, and then talk about multi-channel in particular, please.
KELLEY: Well, it's interesting because they are actually very intertwined, because a lot of the fraud that is going on is in fact multi-channel. It may not always appear to be multi-channel, and that's the catch, because if you think about especially the larger financial services organizations, there are many ways to get into the system to look at the information. You can actually have a fraudulent transaction occur that may appear to come from one channel. Phone, for example, is one channel where there is a lot of rise going on. It's been reported in the media. So phone fraud is definitely on the rise and trackable, but sometimes that phone fraud is actually fueled by fraud that is coming in from other channels, for example online.
So what attackers are really trying to do is two things: 1) to increase their intelligence so that when they go in and execute an attack, they have more information so they can make that attack a little bit stronger, a little bit better. For example, knowing when you get your paycheck or when you get that bonus. That is knowledge that is useful to an attacker. They know how much is in that account that they could potentially remove, unfortunately, but that is what they are trying to do. 2) The other thing that the attackers are doing with the multi-channel is they are trying to make it hard for financial services organizations to understand where that attack is coming from. So if you break it up, it can be more difficult to understand what they are trying to do than if you are going through only one specific area. So it is pretty similar to when you see attacks online. What we're seeing is a rise in password-stealing software, for example, but then nobody's quite sure, well, how is that password-stealing software being used? Is it in fact being used to get into accounts and move money? And in the multi-channel attack, you could steal a password that appears to go through one channel. You get online through that reconnaissance work and know how much information or how much money is in that account, or get information such as, even in some cases, credit card numbers, and I can explain that a little bit more if you like. But then go off and make the attack through another channel, and then tying that all together is where it really becomes very difficult sometimes to know, from all those different points of getting into the information, what the attackers are really up to, or that it is the same attack line from one particular attack group.
FIELD: Now one of the things that was interesting in your white paper, is you actually outline the anatomy of an attack. Could you sort of summarize and give us kind of the profile you are looking at there.
KELLEY: Yeah, this actually came out of an interview that I had with one of the financial services firms I spoke with, and they did approve use of that attack without mentioning the name of the financial services firm. And what happened in that attack was exactly the kind of point that I had found was happening again and again, so it was a good summary.
In that case, it appeared to be an off-line attack. So it was an attack where an order came through for a transfer of money and the approval came through on a fax. So, you would see that as -- although we know faxes are digital -- that doesn't count as being on the internet. So first that institution thought, 'Well, this is your kind of off-line attack,' but as they went back through and looked at all the activity on that particular account where the fraud had occurred, they realized that the attack had started much earlier than when that fax got transferred. The attack had started back in the online account, but what the attacker had done on the online account did not appear fraudulent because they weren't flagging for that level of activity. And it was activity, and you might say, well, shouldn't they have been flagging? Well, not necessarily, because the activity was all reconnaissance work, so it was logging in. It was understanding how much money was in the account, so how much you could transfer without, you know, cleaning the account completely blank. They knew what was there, so that they weren't going to over-transfer. They could also see things such as signatures, and then the signature could be used on a fax to make it appear as though it was a legitimate request for the transfer of the funds.
So as they went back, they realized that what looked like an off-line attack was in fact a combination online and off-line attack, or multi-channel fraud.
FIELD: That is scary stuff.
KELLEY: I know it is. It was a little bit of a scary research project because you do, you hear about this quite a bit in the media, but to go through and actually talk to institutions to hear what is going on ... And I actually looked at my own accounts, and that is actually how, as I was saying about credit card information, I did find out that in some cases our banks -- we often have savings accounts with banks that we have some sort of a credit card with as well -- some organizations are actually putting the PDF of your credit card statements online. And guess what? That is one of the few places other than your credit card where you see that full sixteen digits ...
FIELD: Now given the economic times we're in right now, are financial institutions more vulnerable to fraud?
KELLEY: Because of the economic crisis that is going on? Would it make them more vulnerable? I don't think necessarily that the crisis itself ... But I think, however, what could impact additional vulnerability is that one of the best things that a financial services institution can do is to stay on top of things and monitor at all times, because fraudsters are always going to be attacking. So it's really about monitoring. And a couple of things are happening. One is that many financial services institutions have to slash their staff, and as they slash staff that could mean slashing the people that are actually monitoring the reporting tools they have telling them whether a fraud is occurring or not. So that could impact. You know, if you don't have somebody watching the store, then you could have a higher impact, or you could see fraud increase because of that.
The other thing that is going on is that as financial institutions are essentially dropping like flies and merging and getting bought by other companies and being brought in, you're seeing a lot of IT departments that are now absorbing a whole other large company. If you are Bank of America, you are looking at what do we do with Merrill Lynch's IT organization, for example. And as you merge sometimes -- and I'm not saying that this will happen with the Bank of America or the Merrill Lynch IT departments -- but sometimes when you do see big mergers of IT departments, some things can occasionally fall through the cracks; it can be hard to reconcile the different architectures quickly, so you may find that there could be some vulnerability holes there for any financial services institution that is going through a big merger or an acquisition of another institution and trying to bring all of those IT and monitoring systems, you know, into one consolidated version.
FIELD: You know, it's interesting because I'm not a customer of Bank of America, but I'm receiving phishing emails from Bank of America now, you know, to the tune of "you might be a new customer, you are coming over." It seems like we're going to be seeing a lot of those.
KELLEY: Yeah, and the attackers, their whole thing, as I said earlier, you know, if somebody is not watching the store as these companies are going through the mergers and they're cutting, and some companies are cutting staff, so yeah, they're going to try. They are going to try to exploit that.
FIELD: Now it occurs to me, Diana, that one of the risks that financial institutions have to be mindful of is the insider threat. As you said, people are cutting staff, people are losing jobs, and there is a little more desperation. Have you ever heard of multi-channel insider fraud?
KELLEY: That was actually not one of the things that I was researching specifically, but without a doubt when you've got insiders -- especially as they become disgruntled -- that is going to rise up as a potential. So this is certainly a red flag and something that organizations should be aware of, and again great monitoring is going to help, but also identity management, where, you know, you cut off people's access. It's a little bit scary. It crosses all kinds of verticals that even with all the work we've done in identity management, how many times you run into somebody weeks, even months, after leaving a company saying, "Hey, you want to see something cool?" and they can still log in with privileged access to a trusted machine. So that is definitely something that the financial services should be very, very aware of. Most of them do have very strong identity management and do have a very global, across-the-board cut-off, but for any that don't, it's always a good time; this is an even better time to make sure that is up and running properly.
FIELD: Well, you raise a good point there. What are some of the other risks and vulnerabilities that institutions should specifically watch now?
KELLEY: Well, I do think that this multi-channel is very important, and that was really the point of the research: that sometimes what seems to be innocuous behavior is actually just a reconnaissance mission. So you said, for example, that you are seeing increased phishing, and that increased phishing, you know, being able to tie that back to, is this actually now resulting in increased reconnaissance work, and is that, you know, resulting in increased fraud. So I think that is absolutely major. We've got the red flags from that coming out soon, so I think November 1st is when the red flags go into effect.
So companies looking at that and being more aware of things, such as, you know, in red flags they are talking about address changes. And people might say, "Does that really matter?" but that is core to it; it's huge potentially, and it's potentially innocuous. It is something that many of us do multiple times in our life. We legally, legitimately change our address, yet it is an underlying piece of, you know, how you can begin an identity theft attack. So I think it is really the understanding that there are many of these different pieces of information that people can either receive or alter that would lead them to be able to launch the bigger attacks that is one of the most important things for SI to look at. And so a good thing to do would be to really tie them together, so as they are bringing organizations together or even cutting staff, look at becoming increasingly efficient about how they're tying the information together. That the credit card subsidiary and the banking subsidiary are all sharing information with each other so they can tie together suspicious activity on these accounts.
FIELD: One last question for you, Diana. In your research, what are some of the effective ways you uncovered that institutions are responding to and preventing multi-channel fraud?
KELLEY: Well, they've all got a lot of really great tool boxes, which is wonderful. And monitoring is without a doubt one of the things that organizations use in order to find out that fraud is going on. And so with credit card transactions, for example, they've gotten very good with all the systems to identify "Does this look like Tom?" "Does Tom usually use his credit card this way or not?" So continuing to use those kinds of tools, we've seen, because of the strong authentication guidance, we've seen a great increase in what they are doing to prevent, you know, simple log-ins. Just stealing your user name and password may not be enough for log-ins, whether they've added complete two-factor or what I think of as partial two-factor, when you get mutual authentication, where they want to mark you, so you know it is really the site. You don't log in and give your credentials away to the wrong site, hopefully, to an attack site. But also being able to do a little bit of additional factoring on whether or not you are the legitimate user by understanding things such as what is your IP address, where do you usually log in from, what time do you usually log in. So that, although, just because you log in from a different machine, doesn't mean you are fraudulent, but if you start adding lots of different pieces of information, then you can start to see that this doesn't appear to be Tom. Because when you go with your credit card, you actually have so many recognizable patterns of how you use your credit card. We are finding out that there is a fairly recognizable pattern of how people access their bank accounts and what they do online with them.
FIELD: That makes sense. Diana, I appreciate your time and your insight today.
KELLEY: Oh sure, my pleasure.
FIELD: We've been talking with Diana Kelley, a Partner with Security Curve. The topic has been multi-channel fraud. For Information Security Media Group, I'm Tom Field. Thank you very much.