
The overarching sentiment of the industry is that the problem of identity theft is not going away anytime soon. Although consumer protections are becoming more effective, hackers are becoming more sophisticated as well.
Automated phishing systems are the way of the future
Trojan Horse schemes and session hijacking systems surged markedly in the latter part of 2005, supporting the Anti-Phishing Working Group’s (APWG’s) view that automated phishing systems are the way of the future for this criminal enterprise. This is a dangerous trend for the financial industry, because educational programs cannot help consumers detect or stop this new breed of attacks in most instances. As people slowly learn to look for the SSL lock on a site or to type the site address manually instead of following a link in an e-mail, the sophistication of attacks is evolving at an astounding rate.
In the latter part of 2005, the number of phishing-related Trojans that plant a keylogger to silently monitor and record access to online bank accounts more than doubled. In addition, the number of Web sites hosting malicious code meant to steal identities is dramatically on the rise - as are redirectors that exploit browser vulnerabilities to send users to spoofed sites rather than the real ones.
Financial institutions can expect that the return on investment from continued education campaigns will diminish as the sheer complexity of attacks expands at a greater rate than the average consumer is capable of technically comprehending, much less defending against. In the meantime, consumer online fraud fears continue unabated despite the industry’s move to curb the growing pandemonium and downplay the severity of the situation.
Protecting against phishing and online fraud
Most industry experts agree that there is no silver bullet solution that will annihilate all forms of phishing. Instead, a layered approach to security is required to curb the proliferation of online identity theft and mitigate the associated risks. While consumer education will remain important, fraud monitoring and blocking technologies, along with the use of effective two-factor authentication, are required to further protect consumers from these latest attacks and guard against future threats.
Monitoring technologies can work in one of two ways: 1) by continuously scanning millions of Internet Web sites looking for indications that the financial institution may be the target of a phishing attack, or 2) by scanning and analyzing the financial institution’s own servers for suspicious activity that may indicate that the institution is the victim of a phishing attack. Blocking technologies can be used to selectively block access to suspicious Web sites based on defined filter rules, or to block the download of potentially malicious software such as Trojans or spyware.
While both of these technologies can play a vital role in the fight against phishing, financial institutions should keep in mind that the implementation of these preventative technologies alone cannot compete with the growing sophistication of attacks. These technologies still enable a window of opportunity for fraudsters to capture a user’s information and to perpetrate fraud.
The great weakness of the authentication systems currently in place is that they rely on a single piece of information that is unchanging, and which, once discovered, can be used again and again: the user's password. The password may be long, it may be short, the bank may try to reduce the re-use of parts of it by requesting only certain digits – but if it is compromised, then the attackers have unrestricted access to what they want.
Two factor authentication: offering stronger protection for consumers
The time has come for businesses to respond with better online fraud solutions that will offer long-term protection against morphing attacks. In October 2005, the Federal Financial Institutions Examination Council (FFIEC) updated its guidelines for authentication in the electronic banking environment to make it clear that bank regulators no longer believe single-factor authentication is adequate for high-risk online activities such as accessing consumer account information and moving funds. The Federal Deposit Insurance Corporation (FDIC) expects insured FIs to be in compliance with the updated guidance by the end of 2006.
The implementation of stronger authentication systems has the potential to render a fatal blow to the current proliferation of online phishing attacks, but the debate continues on what type of technology is best suited for the security, cost and usability requirements of the consumer market. Some of the new approaches are very simple to use but really only offer a short-term approach that won’t deter crooks from using such scams as phishing, “man-in-the-middle” (where an attacker gets between two unsuspecting parties and views information passing back and forth) and “evil twin” (where unsuspecting users log on to fake sites, allowing hackers to read any data the victims send).
One approach under consideration is to enhance existing weak login processes with additional layers of images, audio recordings, or other user-supplied information. Unfortunately, adding an additional piece of static data makes the login process more complex and it does not improve the security of the system – once the static piece of information is compromised, the attackers will still be able to hijack user accounts.
To strengthen the system, banks may choose to use a dynamically produced one-time password (OTP). This is used only once and changes based either on time or an event such as the customer pressing a button. This means that passwords, once used, are useless to attackers – harvesting them is pointless. However, a determined and resourceful attacker might, via a man-in-the-middle attack, harvest and use OTPs in real-time to hijack a user’s account. Once logged in, the attacker can access the account information or change the details of a payment, for instance, to credit a different account, in a different currency, for a different amount.
The FFIEC considers any transaction that involves access to customer information to be high-risk and recommends multiple layers of authentication to protect against compromise. To comply with the mandates and regulations, FIs must continually adjust to the changing technology and threat environment. As the sophistication of online attacks rapidly evolves, this requirement can prove challenging. Today’s cyber criminals are now exploiting yesterday’s “silver bullet” technologies. To protect against keyloggers, man-in-the-middle attacks and emerging forms of malware, financial institutions should consider implementing a system that not only authenticates the user but also protects the integrity of transactions.
The majority of today’s financial institutions use a login-level/flat authentication model (applying authentication only upon entry to the site). By only authenticating users at logon, financial institutions are creating opportunities for fraud. Man-in-the-middle attacks take over a user session once the user is authenticated to perpetrate fraudulent transactions undetected. According to Curt Beeson, Chief Technology Officer of the First Data Secure Signing Group, many attempts to upgrade Web-site security fail. Beeson says: “Banks authenticate consumers when they come to the front door, but don’t authenticate what they do once they’re transacting on the site. Access control is only half the problem. To stop phishing, you need to authenticate the transactions.”
Financial institutions should consider technologies that can authenticate transaction details – as well as the initial login – to decrease the window of opportunity for fraud. By authenticating individual transactions, financial institutions can effectively tie the user’s identity to the execution of a specific transaction as required to enforce a legally binding agreement. These types of solutions utilize software or hardware tokens to create tamper-proof transactions by digitally encoding transaction details. "Solutions that provide long-term protection against future threats, such as malware and man-in-the-middle attacks, by protecting the integrity of transactions are a necessary tool for financial institutions," said Gene Kathol, vice president of research and development for First Data and managing director of the First Data Secure Signing Platform. "Our customers are confident that the use of this type of strong authentication will safeguard against even the most sophisticated threats."
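The two points above, that a one-time password defeats replay but says nothing about the transaction that follows it, and that a code bound to the transaction details does, as an added example that is not from the article or from any vendor product it mentions. It assumes an event-based OTP per RFC 4226 (HOTP) for the login code and a constructed HMAC-SHA256 code over the payee, amount and currency as a stand-in for "digitally encoding transaction details"; the secret and the Verifier class are illustrative.

```python
import hmac, hashlib, struct

# Constructed demo secret shared by the customer's token and the bank's verifier (not a real key).
SECRET = b"demo-shared-secret-not-real"

def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset taken from the last MAC byte."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based login OTP (HOTP): HMAC-SHA1 over an 8-byte big-endian counter."""
    return truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)

def transaction_code(secret: bytes, counter: int, payee: str, amount: str, currency: str) -> str:
    """Transaction-bound code: the MAC also covers payee/amount/currency, so the code is only
    valid for exactly those details (assumed encoding; any canonical encoding would do)."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount}|{currency}".encode()
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest(), 8)

class Verifier:
    """Bank-side state for one customer: last accepted counter plus a small look-ahead window."""
    def __init__(self, secret: bytes, window: int = 5):
        self.secret, self.window, self.last = secret, window, -1

    def _accept(self, expected, code: str) -> bool:
        for c in range(self.last + 1, self.last + 1 + self.window):
            if hmac.compare_digest(expected(c), code):
                self.last = c  # counter only moves forward, so a harvested code cannot be replayed
                return True
        return False

    def verify_login(self, code: str) -> bool:
        return self._accept(lambda c: hotp(self.secret, c), code)

    def verify_transaction(self, code: str, payee: str, amount: str, currency: str) -> bool:
        return self._accept(lambda c: transaction_code(self.secret, c, payee, amount, currency), code)

def demo() -> dict:
    """Replayed login OTP is rejected; a signed transaction fails if its details were altered in transit."""
    v = Verifier(SECRET)
    login = hotp(SECRET, 0)
    first = v.verify_login(login)
    replay = v.verify_login(login)  # same OTP presented again: rejected
    signed = transaction_code(SECRET, 1, "ACME", "100.00", "USD")  # customer signs this exact payment
    tampered = v.verify_transaction(signed, "OTHER-ACCT", "100.00", "USD")  # payee changed: rejected
    genuine = v.verify_transaction(signed, "ACME", "100.00", "USD")
    return {"first_login": first, "replayed_login": replay, "tampered_tx": tampered, "genuine_tx": genuine}
```

A plain login OTP would have been accepted regardless of which payment followed it; only the transaction-bound code ties the customer's approval to the specific details the bank executes.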
Strong authentication made simple
Technological advances and innovation in authentication solutions and tokens now make strong security affordable and easy to use. Instead of requiring phone calls, or other means of manual intervention to provide strong protection against fraud, these products provide an enhanced layer of security throughout the communication chain to ensure the integrity of every transaction. Banks can minimize their IT costs by investing once in an online fraud solution that offers their consumers long-term protection rather than deploying multiple short-term patches or weaker security offerings in an attempt to play a continuous game of catch up with fraudsters.
There has been some concern by banks that their customers will not sacrifice convenience for security, but security does not have to be inconvenient. The user interface can be similar to today’s password systems – but the presence of the token will ensure the integrity of the system and the security of transactions throughout the user session. By offering a range of tokens, these online fraud solutions address the security and cost considerations of the consumer market while providing banks and their customers seamless protection against fraud schemes today and those coming in the future.
Consumers and banking industry regulators are anxious for banks to put an end to the growth of online fraud. Utilizing a combination of anti-phishing tools, including a two-factor solution that addresses emerging attacks, financial institutions can be successful in staying ahead of the fraudsters no matter how advanced their methods become.