"Financial Service Technology America, today's latest financial news now..."
24 May 2011

Phishing and forward-looking financial institutions

Tricipher, Inc | www.tricipher.com


The reported number of phishing attacks (see, for example, the statistics from the Anti-Phishing Working Group or the latest Symantec Internet Security Threat Report) shows an upward trend.

While actual fraud losses remain very low, the real issues are the damage to a financial institution's credibility with its customers and to its ability to move customers to the online channel. At the end of the day, the most important asset a financial institution has is the trust its customers place in it. For instance, it is not enough for my credit union to make sure that fraud never costs me anything, or to refund my money when it does. If it sent me a letter saying a phisher had accessed my account and viewed my statements, my electronic bills, my payments, my check images, and so on, I would quickly be very unhappy.

So the increase in the number of phishing attacks should be a serious concern. Beyond the numbers, however, the far more interesting developments of the last several months have been in the nature of the attacks and their consequences for financial institutions.

Attacks such as man-in-the-middle (MITM) phishing, which just last year were considered theoretical, are now increasingly commonplace, and they have shown that they can easily defeat technologies like one-time-password tokens: the phishing site simply relays the still-valid code to the real site in real time. The recent Citibank attack on a token-protected website actually came in through a botnet, which sharply reduces the efficacy of techniques like geolocation, since the login arrives from an ordinary consumer machine rather than from a suspicious address. And researchers from MIT Lincoln Laboratory, studying actual users of Bank of America's SiteKey technology, have shown conclusively that very low-tech approaches based on cookies and images do not work for the vast majority of customers. And yet it remains true that if accessing and transacting on an online banking site becomes too hard, consumers will simply lick the envelope and mail a paper check!

Financial institutions are also caught in the bind of interpreting the recent FFIEC guidance. As hard as it is to admit, the simple truth is that no one knows, or can know, what being compliant means: not the regulators, not the financial institutions, and not the vendors. It all depends on what the threat environment in 2007, 2008, 2009 and beyond will look like. Who would have believed in January 2006 that by the summer of 2006 a highly sophisticated bank like Citibank would be seeing man-in-the-middle phishing attacks, launched through botnets, against its token technology? And yet it makes no sense to implement something extraordinarily difficult to use (asking users to attach retina scanners to all their computers, say), both because of the cost and because it would simply drive users away from the online channel.

There is another key point to realize: this is not about getting a regulator's checkmark on an audit for 2006. Authentication infrastructures cost money, and ROI should be measured over at least five years. It is not just the cost of the product; it is educating customers (who for the most part only understand user IDs and passwords), the implementation, the training of IT infrastructure staff and call centers, and so on. The total cost of ownership of authentication is high, and getting a new one each year (even from the same vendor) is simply untenable.

Strategies of forward-looking financial institutions and their processors
All financial institutions understand that any authentication technique should be secure, usable, cost effective and ensure compliance. The key criterion for forward-looking organizations is whether the technology can take them into the future without a swap-out of products, and whether it is reusable, so that they do not need different products (even from the same vendor) for users and applications with different risk profiles.

Forward-looking organizations do not think in terms of "authentication product A for application 1, authentication product B for application 2," and so on. Rather, they think in terms of a single authentication infrastructure that can issue credentials of different strength. If you were in the business of printing credit cards, silver, gold, platinum and black, you would not want four lamination machines. You would want one with four buttons on it: to give me a silver card you would press that button, and to issue someone else a platinum card you would press that button. And if someday you decided to promote me from a silver card to a gold card, you would do so without changing the machine, the support staff, or teaching me how to use a completely new device. Reusability of the same infrastructure is critical.

Today the baseline threat appears to be that you at least have to protect against man-in-the-middle attacks coming across botnets. They are too simple to mount, and deploying a technology in 2006 that does not offer this protection would be short-sighted. And as the MIT study showed, regardless of how much consumer education is attempted, there will always be a large fraction of consumers who are inattentive and unaware, and the phishers will be quite happy preying on that subset.

We believe deploying technologies that meet this baseline is appropriate for the moment, but being prepared to move very quickly from authenticating login sessions to authenticating individual transactions in a secure fashion is also critical. A more recent form of attack, in which the man in the middle migrates to the user's machine itself, is emerging; some refer to these attacks as man-in-the-browser (MITB). Protecting against MITB is even more difficult, because a compromised browser can alter a transaction after the user has approved it, so to be truly effective the verification has to happen outside the browser-to-web-server channel. It would be akin to a customer service representative calling me each time I want to pay a bill online and asking me whether that is indeed the correct payee and amount. Obviously such a technique would be extremely inconvenient and costly, so the 'out of band' confirmation has to be achieved within the user's online experience, and technologies to achieve this have emerged.

A related theme is for the financial institution to have a sense of the health of the PC from which the user is logging in. A fraud system that only has to worry about users coming from machines that do not appear to be well protected might actually work. A fraud system that has to look at every transaction without a sense of the strength of the credential or the health of the PC will quickly be overwhelmed with false positives.

And finally, unfortunately, there is one enemy that financial institutions have long had to deal with in the physical world and now have to deal with online: the crooked consumer. The need for legally binding digital signatures that provide non-repudiation is a problem financial institutions are beginning to face, especially in today's chaotic world of phishing, where a customer can easily deny having made a transaction. Luckily, digital signature technologies happen to be the very same technologies that can be used to keep phishers at bay and offer strong authentication! Once more, reuse of a common infrastructure, and being prepared to deal with emerging problems on it, is critical.
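To make concrete the two attack shapes this post contrasts, the real-time man-in-the-middle relay against one-time-password tokens (the Citibank case above) and the man-in-the-browser that rewrites a transaction after the user approves it, here is an added Python example; it is not Tricipher's code or the post's own. It models a bank, a customer's token and both attackers. The shared seed, account names and amounts are constructed for the demo; the OTP is RFC 4226 HOTP; and an HMAC under the token's seed stands in for the digital signature discussed in the paragraph above (a real non-repudiation credential would use an asymmetric key that only the customer holds, which is an assumption this toy does not model).

```python
"""
Added example (not Tricipher's code): why a one-time-password login can be
relayed by a real-time man-in-the-middle, and why binding the credential to
the transaction (payee + amount) stops a man-in-the-browser from altering it.
All secrets, names and amounts below are constructed for the demo.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

# Constructed seed shared by the bank and the customer's token (assumption).
DEVICE_SEED = b"constructed-demo-seed-0001"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def transaction_mac(secret: bytes, payee: str, amount_cents: int) -> str:
    """Credential bound to the transaction details. HMAC stands in for a
    digital signature here; real non-repudiation needs an asymmetric key."""
    return hmac.new(secret, f"{payee}|{amount_cents}".encode(), hashlib.sha256).hexdigest()


class Bank:
    """Server side: verifies the OTP at login, then either trusts the session
    (login-time authentication only) or requires a per-transaction credential."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0  # next HOTP counter value the bank expects
        self.sessions: set[str] = set()
        self.ledger: list[tuple[str, int]] = []

    def login(self, otp: str) -> str | None:
        # Accepts only the current counter value (no look-ahead window), for brevity.
        if hmac.compare_digest(hotp(self.seed, self.counter), otp):
            self.counter += 1
            sid = secrets.token_hex(8)
            self.sessions.add(sid)
            return sid
        return None

    def pay_session_only(self, sid: str, payee: str, amount_cents: int) -> bool:
        # Login-time authentication only: anything inside a live session is trusted.
        if sid not in self.sessions:
            return False
        self.ledger.append((payee, amount_cents))
        return True

    def pay_signed(self, sid: str, payee: str, amount_cents: int, mac: str) -> bool:
        # Transaction-time authentication: the credential must match the payee
        # and amount the bank actually received, not what the user believed.
        if sid not in self.sessions:
            return False
        if not hmac.compare_digest(transaction_mac(self.seed, payee, amount_cents), mac):
            return False
        self.ledger.append((payee, amount_cents))
        return True


class Token:
    """Customer's OTP token; it also signs transactions shown on its own display,
    the out-of-band confirmation the post describes."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def next_otp(self) -> str:
        code = hotp(self.seed, self.counter)
        self.counter += 1
        return code

    def confirm_and_sign(self, payee: str, amount_cents: int) -> str:
        # The user reads payee/amount on the token, not in the browser, then approves.
        return transaction_mac(self.seed, payee, amount_cents)


def demo_mitm_relay() -> list[tuple[str, int]]:
    """Phishing site relays the user's fresh OTP to the real bank in real time.
    The OTP proves only that someone holding the token is logging in right now;
    it says nothing about who drives the session afterwards."""
    bank, token = Bank(DEVICE_SEED), Token(DEVICE_SEED)
    otp_typed_into_phishing_page = token.next_otp()      # user believes this is the bank
    sid = bank.login(otp_typed_into_phishing_page)       # attacker forwards it while still valid
    assert sid is not None
    bank.pay_session_only(sid, "mule-account", 250_000)  # attacker drives the session
    return bank.ledger


def demo_mitb(signed: bool) -> tuple[bool, list[tuple[str, int]]]:
    """Malware in the browser rewrites payee/amount after the user approves.
    signed=False: login-only authentication accepts the altered payment.
    signed=True: the token-signed credential covers the original details,
    so the altered request fails verification and nothing is booked."""
    bank, token = Bank(DEVICE_SEED), Token(DEVICE_SEED)
    sid = bank.login(token.next_otp())                   # genuine login by the genuine user
    payee, amount = "electric-utility", 12_000           # what the user intends
    mac = token.confirm_and_sign(payee, amount)          # confirmed on the token's display
    tampered_payee, tampered_amount = "mule-account", 250_000  # what the browser sends
    if signed:
        ok = bank.pay_signed(sid, tampered_payee, tampered_amount, mac)
    else:
        ok = bank.pay_session_only(sid, tampered_payee, tampered_amount)
    return ok, bank.ledger


if __name__ == "__main__":
    print("MITM relay, session-only auth:", demo_mitm_relay())
    print("MITB, session-only auth:", demo_mitb(signed=False))
    print("MITB, transaction-bound auth:", demo_mitb(signed=True))
```

Running it shows the relayed OTP yielding a session the attacker drives, the session-only payment accepting the rewritten payee, and the transaction-bound credential rejecting it because the MAC covers the payee and amount the user actually confirmed on the token, not what the browser sent. The same credential mechanism is what the paragraph above calls reuse: the device that makes the login phishing-resistant is the device that produces the per-transaction evidence.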

To summarize, it would be a complete mistake to assume that the phishing we saw in 2005 is what we need to protect against. Far more cunning attacks are already prevalent, and you need an infrastructure that is both reusable and will take you into the future. We have lived with one authentication paradigm, user IDs and passwords, since the birth of online banking a decade ago; we are now in the process of changing that paradigm. I believe whatever we move to next needs to last us the next decade.



Disclaimer: All comments posted in a personal capacity