As a Senior Analyst for the TowerGroup Delivery Channel research service, George Tubin’s areas of responsibility include internet banking and contact center strategies and technologies, as well as collaborative web technologies. With 15 years in the banking and high-technology industries, Tubin has experience in strategic planning, online financial services, back-office operations, business process re-engineering, and merger integration. Prior to joining TowerGroup, George was a Senior Consultant with ADS Financial Services Solutions, providing information technology strategy consulting and systems integration services to the financial services industry. He also held several positions at BayBank, BankBoston and Fleet, including Director of e-Commerce Planning and Development and Vice President of Planning and Analysis for the consumer and small business banking divisions.
FST. What problems do financial institutions face in terms of online fraud and identity theft? Are they more vulnerable than other organizations?
GT. They’re not necessarily more vulnerable, but they tend to be the target because (as the old joke goes) that’s “where the money is”. Going into 2004, we started to see a dramatic rise in phishing; a lot of people didn’t know what phishing was or how it worked and the public (and in some cases the banks) were caught off guard. Phishing grew dramatically through 2004-2005, and indeed it’s still on the rise, but banks have done a very good job in putting in place the right technologies, working with the major ISPs and educating their customers about responding to these bogus e-mails. They’ve done a decent job of containing the phishing problem so that it hasn’t got out of hand. There are still losses associated with phishing, but overall fraud within banking is still reasonably contained.
However, there are some more dangerous fraud techniques on the horizon (and in some cases already here) that do present a more serious threat. These go beyond simple social-engineering techniques that aim to trick people into giving up their personal information; instead, they involve malware (such as spyware or keylogger programs) that gets downloaded onto people’s machines without them even knowing, and captures their user credentials when they log in to certain sites. These methods are much more dangerous, because while we can educate consumers to be careful regarding who they give their personal information to, it’s very hard for consumers to protect themselves from these new types of attack. This is really the next area of focus that the banks need to look at.
FST. What technological measures are being implemented by financial services institutions to help prevent such crimes?
GT. The banks are in a tough situation here, because at the end of the day these types of crimes are targeting the consumer’s desktop, and the bank doesn’t have a view into that; it’s beyond their realm of control.
What I’ve been saying for the past 12 months is that banks have to assume that a customer’s username and password will get stolen. We’ve spent a lot of time trying to protect these passwords through better education: with ATMs, we tell people never to give away their PINs and they’ve responded pretty well; likewise with online banking, people are doing a better job of not responding to fraudulent e-mails and not giving away their username and password. However, despite this, the nature of the new threats means that banks must assume usernames and passwords are going to get stolen.
That being the case, the most effective thing a bank can do is implement stronger authentication technology. If we assume that the username and password have been compromised, banks need to ensure that people need more than just these requirements to get in to the bank.
When we talk about stronger authentication, there are a number of different options open to banks. The most obvious is a token, something that customers carry with them – perhaps a one-time password token where every 60 seconds the number changes, and in order to log in successfully you need to input this number. The bank can then validate that this number is correct and either let you in or deny you access as appropriate. There are other types of token too (such as tokens that plug into your USB port or various forms of biometric token), but these types of schemes are expensive to implement, they’re difficult to manage and there’s a risk that the user could lose or misplace the token, not have it with them when they need it or experience confusion as to how to use it properly.
FST. So what would you recommend instead?
GT. As you can see, there are a number of issues surrounding the rollout of hard tokens, and one solution is to use a risk-based authentication approach. This is something I’ve been advocating for over a year now; you still ask people for their username and password, but in addition to that you also use information that’s being passed back and forth over the internet without the consumer even knowing that it’s happening. The consumer doesn’t have to do anything different, but the bank is able to gather information that’s available (but that was not being looked at previously) to help decide whether or not a login request is legitimate.
FST. And what does this risk-based authentication approach involve?
GT. There are really three components, any one of which, when used in combination with one of the others, makes authentication stronger.
First, there’s IP intelligence. Any time you go to a website, you share information about your IP address (which is like a home address or a telephone number unique to you) and a lot of information can be gathered from this – what location you are coming in from, what server you’re coming through, etc. So if you’ve logged in to your bank from New York for the past seven months, and all of a sudden you’re trying to log in from Syria, that’s classed as unusual activity and will be red flagged. You can also block requests from countries you feel represent a higher fraud risk, or at least flag them for further attention. In addition, you can also use IP intelligence to make travel-time calculations – if you log in from London at 8am this morning and then again from Los Angeles two hours later, the bank can tell that this is a physical impossibility and take appropriate action in terms of blocking the request.
The next component is to use secure cookies. When you visit certain websites, a cookie is downloaded on to your machine that cannot be altered or moved from one machine to another. It’s quite simple for a bank to check whether that cookie is present on the machine you are logging in from to tell whether or not it is actually you.
The third component is device fingerprinting, which is based around your PC configuration – what operating system you’re running, when it was last updated, what kind of browser you are using and which version, what the time clock on the PC is set to, etc. The bank is able to build a profile of you based upon the characteristics of your computer, so that when you log in it can check to see whether you are using one of the machines you are known to log in through.
FST. How is this enabling banks to make better decisions regarding user authentication?
GT. When you use one or more of these in combination, it’s typically not a yes-no decision; it’s generally a yes-maybe-no decision. An outright ‘no’ is quite rare, and is reserved for situations where the bank is certain that something is not right. However, there are a lot of ‘maybe’ situations where the bank might say, okay, he’s not coming in from the right area, but we can see the secure cookie and a lot of the device configuration elements look the same, so it’s probably the same laptop. Or, the device fingerprinting has changed and we can’t see the cookie, but he’s coming in from the exact same IP location as he has for the previous 12 months so he’s probably just updated his system.
All of these have to be factored in together and analyzed to determine what the risk score is, and based on that risk score the bank can make a decision regarding authentication. If the risk score is such that the bank is unsure, banks then go towards ‘challenge questions’. These are questions that are unique to you, which you answered when you originally joined the bank, such as what was the name of your first grade teacher, what is your favorite food, what is your daughter’s hair color, etc. The point is that if someone stole your wallet or swiped your credit report, they wouldn’t be able to get that information.
The other thing that happens once you’ve answered the challenge question correctly is that your profile is dynamically adjusted. So if your device fingerprint is different from your normal profile but you check out with regards to the other criteria and answer your challenge question correctly, the bank can update your profile to look out for the new device fingerprint next time round.
This is something I see a lot of US banks moving towards right now; of course, smart card technology (for those societies that have already deployed it on a mass scale) is another very effective authentication technique, but at the moment we’re a little behind the rest of the world in this regard.
FST. What impact has the recently announced FFIEC guidance on online fraud prevention had on financial institutions’ efforts to combat authentication challenges?
GT. Although it’s called ‘guidance’, I’ve been telling banks that they really need to look at it as a regulation. It’s not a recommendation, it’s not a suggestion, it’s a requirement, and banks have to implement stronger authentication for high-risk transactions (any transaction that moves money from someone’s account into a different account, or where sensitive information that could be used to commit fraud is delivered) by the end of the year.
When you think about online banking, it means that pretty much any online banking session needs to have stronger authentication associated with it. As a result, the banks here are scrambling to prepare for 2007 when the bank examiners come in to do their audits, as they’re going to expect to see something in place. The good news is that even before the FFIEC guidance came out, US banks were already evaluating different ways of doing this; in essence, the guidance was brought out to push the industry further down a direction they were already going in.
FST. Do you think the guidance is sufficient, or does more need to be done?
GT. One of the reasons the FFIEC guidance came along is that if you look at the phishing/malware attacks that have been happening, the target is usually the larger national or regional banks; smaller rural banks don’t see much activity on this front. However, as the bigger banks begin to do a better job of protecting themselves, the criminals then start focusing on the smaller banks that are much less able to deal with the threat because they just don’t have the same level of technical expertise or the same available resources. They don’t necessarily see these problems coming or know how to deal with them when they do, so the FFIEC guidance really raises awareness of these issues and forces others in the industry to do something about it.
However, in security, it’s a never-ending battle, so there’s always more that can be done. Over the next several years these approaches will be much more effective than simple username/password techniques, but the industry is going to have to continue to evolve and continue to get better over time. This isn’t the end-game, rather it’s the next step along the path.
FST. It seems that one of the major hurdles to be overcome is that many institutions choose to keep problems under wraps for fear of bad publicity and reputational damage, rather than use their experience to help others. Is this really the case? How important is it for institutions to communicate?
GT. There are obvious reasons for the industry not to communicate – irrational reactions on the part of the press and the public is one such example. The banking industry is very used to losses, whether this be through credit cards or check loss or whatever; it’s part of doing business, just as the retail industry accepts a certain amount of shrinkage. The problem is the consumer reaction to this, and so in terms of publicly stating numbers I don’t think we’re going to see the situation change, mainly because of the potential damage to both brands and the industry that this could cause.
However, banks do share information with each other in various ways, whether it’s through personal contacts or industry forums from which the rest of us are excluded. For the most part, I think banks are looking at security issues more collaboratively than competitively; I don’t think you’ll see banks denigrating competitors’ security, because this damages the industry as a whole by suggesting that banks are not secure.
FST. And what do you see as being the big issues over the next 12 months? Is there a ‘next generation’ of attacks on the horizon, or is it just a case of more of the same?
GT. In the short term, it will take a while for the industry to implement all the approaches we’ve talked about here, so while banks try to put these types of approaches in place I think we’ll continue to see phishing attacks, we’ll continue to see a rise in malware attacks, and a lot of banks won’t have the systems in place in time to be able to deal with them. Even when they are up and running, it’s important to remember that no system is 100 percent foolproof (especially when you consider that we need to maintain a balance between security and convenience when dealing with public acceptance), so undoubtedly some of the more enterprising criminals will continue to get through.
In the longer term, criminals will find some wholesale way around these techniques, and banks will have to step it up another level. By that time we could be looking at advanced smart card technology, but this is really a societal shift as much as a technological one.
FST. So do you think there is a market for smart card technology in the US?
GT. Definitely – it’s more a matter of when, and not if. People have been predicting the adoption of smart card technologies for many years now (some more aggressively than others), but I think that sometime during the next five years or so we’ll start to see a shift towards smart cards as more players enter the market and start to find additional uses for the technology.