Are Financial Industry Security Administrators Losing the War?
In the online banking segment, some industry watchers warn, the bad guys are winning the war against unsuspecting account holders.
The otherwise low-profile Financial Services Information Sharing and Analysis Center (FS ISAC) became a household name last month when it issued a warning to its members (including the Federal Reserve and the New York Stock Exchange) that online banking is inherently dangerous, citing both the difficulty of securing banking transactions and a lack of regulatory protections.
The FS ISAC warning addressed business (as distinct from consumer) online banking. Its recommendations -- which urge the use of a "hardened … and locked-down computer from which e-mail and Web browsing is not possible" to facilitate all online banking transactions -- nonetheless raise questions about viability of consumer online banking.
Citing "a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium-sized businesses," the FS ISAC advisory depicts a cyberscape in which hackers are able to repeatedly defraud business users of online banking services.
It's even worse than that, caution Gartner analysts Avivah Litan and Richard Hunter in a recent research blast. They say that the FS ISAC warning not only "calls into question the safety of online banking for business account holders," but "confirms that criminals are winning the cyber war against financial institution account holders."
If anecdotal accounts are any indication, there's no shortage of issues to worry about. Take a recent story in the Washington Post, chronicling a pair of cases in which cyber-criminals successfully used bogus bank transfers to defraud small business account holders out of tens of thousands of dollars. Tennent Lee Stack, the co-owner of one of the two companies profiled in the Post article, claimed that she had been contacted by other small business victims, all of whom were unwilling to go public with their stories for fear of negative publicity.
The issue is compounded by a lack of accountability, Litan and Hunter warn: banks frequently don't disclose such incidents to shareholders or account holders, who instead hear about them in the news media.
There's also the business banking angle, which is fairly new. As Litan and Hunter note, it's low-hanging fruit of a sort: business accounts are both flush with cash and (more importantly) imperfectly monitored. What's more, attackers can use all of the traditional weapons in their arsenals -- malware, Trojans, viruses, phishing attacks, and more -- to harvest business banking information, hence the FS ISAC's recommendation of what amounts to a strongbox banking PC.
"Criminals frequently target business bank accounts that cash managers handle on behalf of small businesses, school districts, county governments, and other similar organizations," the Gartner duo writes. "Criminals raid these accounts for millions of dollars … by planting trojans on user desktops to steal account credentials and transfer money to criminals' accounts."
Gartner didn't attempt to estimate the total amount of business banking fraud -- citing a lack of data -- but suggested that "it could be very large."
In addition to being both bigger and more haphazardly monitored than their consumer kith, business accounts "typically … enjoy less protection under the law," Litan and Hunter note. They highlight a number of other concerns -- starting with the insufficiency of extant defense mechanisms, such as antivirus and anti-malware software, as well as "Criminals' ability to circumvent strong user authentication, which includes using dedicated one-time password tokens issued by the bank to business users."
Attackers are also getting much more sophisticated, Litan and Hunter add, which suggests another, altogether more disquieting development. "The new level of sophistication in reconnaissance, asset acquisition, and exploitation demonstrated by these attacks, raising the possibility that ex-intelligence, paramilitary, and military personnel are working with traditional organized crime groups," they write.
There's even more to be concerned about. Unlike credit card fraud -- or, more specifically, sensational exploits in which attackers harvest multitudes of credit card numbers -- customers are on the hook for wire fraud, Litan and Hunter point out.
"When cards are stolen, regulations typically require reimbursement of customers for unauthorized charges. In money transfer attacks, business users are unlikely to recover the bulk of their stolen funds."
What's a would-be online banker to do? As a baseline, Litan and Hunter recommend a "three-pronged" approach (i.e., "strong user authentication, fraud detection and out-of-band transaction verification") and especially caution security teams against relying "solely on the strength of user authentication if the authentication is communicated through a PC browser."
Customers -- and the banks that service them -- must also try to keep pace with the sophistication of their attacks, the Gartner analysts conclude. "Consider offering your customers on-demand desktop and session protection tools that safeguard the user's session by creating a virtual locked environment that will not allow malware or viruses to touch that session, even if malware has been installed on the PC," they write.
"A few banks have successfully used such tools to stop trojans from inflicting damage on enrolled users. Products that provide, in part, anti-malware protection include Trusteer, Verdasys and Prevyx. Also consider implementing a locked-down browser offered by a company such as Authentium."