"Financial Service Technology America, today's latest financial news now..."

Staying one step ahead of the enemy

RSA Security | www.rsa.com


Wherever the slightest opportunity for dishonest financial gain exists you can guarantee that fraudsters are working on exploiting it. Your bank always has to be on its toes, defending against attacks thrown its way whilst counter-punching to protect customers and, of course, its image. Nothing erodes customer confidence more than when news breaks that customer accounts have been plundered and personal details stolen. And with the proliferation of online banking, the criminals spend countless hours trying to unearth chinks in the banks’ armor. If they do find a loophole in the defense, the consequences can be devastating – especially with tens of thousands of customers’ accounts at the mercy of the crooks.

Chris Young of RSA is in charge of bolstering the online security of financial institutions and organizations, and of protecting their brands and customers against fraud and the latest online threats. “Fraudsters are clever and they will look for vulnerabilities in any system that is out there,” he says. “They will always move their activities to the path of least resistance. Once those opportunities are no longer available, you can expect that the fraudsters will change their approach and change their patterns of behavior and look for vulnerabilities in existing systems.” He continues: “We are obviously trying to provide as much flexibility in the offerings that we bring to the market in an attempt to help our customers be prepared as the fraudsters change their approaches to defrauding the banks and the consumers.”

Phishing for victims

One of the fastest growing online crimes is phishing, where the online miscreant e-mails a bank customer a link that redirects them to a phony site which the victim assumes is their bank’s genuine homepage. The victim keys in their details on the fake site and the fraudster steals the information without the victim knowing. Young says this form of crime has limited the communication between the banks and customers. “The ability for a financial institution or any sort of online account provider to communicate with its customers via e-mail is limited, largely because of phishing. The pendulum had to swing almost all the way back to saying ‘we can’t really communicate with people over e-mail because they cannot trust the e-mail channel’ in order for people to take a look at this and devise an approach to combat it.

“One of the biggest impacts of something like phishing, which is a very basic approach to defrauding people, is the fact that it causes customer confidence to become eroded. Banks are working very hard to rebuild some of the confidence that has been lost because it has had a real impact. I’m starting to see financial institutions that are using e-mail again as a communications mechanism but it is certainly not living up to its full potential.”

When you look at the widespread use of phishing it becomes all too clear the uphill battle the banks and the authorities have on their hands. According to the Anti-Phishing Working Group, there were more than 26,000 unique variations on this scam reported in August 2006 – a figure that is growing every month.

Invalid password

In a bid to protect the institutions, RSA has a wealth of technology at its disposal to help flag up fraudulent activity, including its eFraudNetwork. This is a global database of information about known fraud taking place on the internet. It allows RSA to block attacks in real time as the criminals switch their attentions to different banks. “If you spend any time studying fraudsters, you’ll see they don’t restrict their activities to a single bank,” Young explains. “They may be going after Bank A today but they could be going after Banks B, C and D tomorrow. Those banks could be in different countries and time zones but with the eFraudNetwork we are able to see attacks as they move across different banks.”

RSA’s technology is also always on the lookout for suspicious or out-of-character behavior suggesting that the person logging into an online account is not the legitimate user. RSA says that 90 percent of users access their bank account details from one or two PCs. When multiple IP addresses suddenly start logging into the same account, alarm bells start ringing. Young adds: “We look at characteristics about the user’s sessions. Where are they in the world? Have we seen fraudulent activity coming in from this particular device that is being used to log in or from this IP address?”

So what technologies can help protect against the fraudsters? “A lot of technologies are both maturing and in the market to help financial institutions solve these problems,” says Young. “For example, very standard authentication processes continue to be used in many places to protect users against fraud and ID theft. Certainly in several parts of Europe and Japan and Asia the use of tokens to identify users is quite widespread. What we see in the US and the UK is that the banks prefer a model that is behind the scenes and more transparent to the user, which is called risk-based authentication. This is where we use a variety of factors to authenticate the user or to protect the user’s account.”
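The signals described in the three paragraphs above (a shared cross-bank fraud feed like the eFraudNetwork, device and IP familiarity, the user's country, and several IP addresses suddenly hitting one account) can be combined into a simple risk score that decides between letting a login through, stepping up authentication, or blocking. The following is an added example, not RSA's product code or anything from the article; the weights, thresholds, the shared-fraud IP list and the login events are all constructed for illustration.

```python
"""Risk-based login scoring (illustrative, constructed data throughout)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginEvent:
    account: str
    device_id: str   # e.g. a device fingerprint / cookie identifier
    ip: str
    country: str     # country resolved from the IP (assumed done upstream)


@dataclass
class AccountProfile:
    """What this account has been seen doing from *allowed* logins only."""
    devices: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    # IPs of the last five attempts, allowed or not, to spot IP churn.
    recent_ips: deque = field(default_factory=lambda: deque(maxlen=5))


# Hypothetical shared-intel feed: IPs seen in confirmed fraud at other
# institutions. Stands in for the eFraudNetwork idea; values are made up.
SHARED_FRAUD_IPS = {"198.51.100.7"}

# Illustrative weights; a real deployment tunes these on its own data.
WEIGHTS = {
    "ip_in_shared_fraud_feed": 60,
    "unknown_device": 20,
    "unknown_ip": 10,
    "new_country": 25,
    "ip_churn": 20,
}


def score_login(profile, ev, shared_fraud_ips=SHARED_FRAUD_IPS):
    """Return (score, reasons). Higher score means riskier."""
    reasons = []
    if ev.ip in shared_fraud_ips:
        reasons.append("ip_in_shared_fraud_feed")
    # Familiarity checks only fire once the account has a baseline.
    if profile.devices and ev.device_id not in profile.devices:
        reasons.append("unknown_device")
    if profile.ips and ev.ip not in profile.ips:
        reasons.append("unknown_ip")
    if profile.countries and ev.country not in profile.countries:
        reasons.append("new_country")
    # Three or more distinct IPs across the last few attempts is unusual
    # for an account that normally logs in from one or two machines.
    if len(set(profile.recent_ips) | {ev.ip}) >= 3:
        reasons.append("ip_churn")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score):
    """Map a score to an action; step-up means an extra factor (OTP, call-back)."""
    if score >= 60:
        return "block"
    if score >= 30:
        return "step_up"
    return "allow"


def process(events):
    """Score events in order, returning [(account, decision, reasons), ...].

    The baseline learns only from allowed logins, so a fraudster cannot make
    a new device 'familiar' just by hammering the account with attempts.
    """
    profiles = {}
    results = []
    for ev in events:
        p = profiles.setdefault(ev.account, AccountProfile())
        score, reasons = score_login(p, ev)
        decision = decide(score)
        results.append((ev.account, decision, reasons))
        p.recent_ips.append(ev.ip)          # every attempt counts for churn
        if decision == "allow":             # only clean logins train the baseline
            p.devices.add(ev.device_id)
            p.ips.add(ev.ip)
            p.countries.add(ev.country)
    return results


# Constructed sample traffic: alice's usual PC, then a foreign device, then
# her known device via an IP on the shared fraud feed, then a new account.
SAMPLE_EVENTS = [
    LoginEvent("alice", "dev-A", "203.0.113.5", "US"),
    LoginEvent("alice", "dev-A", "203.0.113.5", "US"),
    LoginEvent("alice", "dev-B", "192.0.2.44", "RO"),
    LoginEvent("alice", "dev-A", "198.51.100.7", "US"),
    LoginEvent("bob", "dev-C", "203.0.113.9", "GB"),
]

if __name__ == "__main__":
    for account, decision, reasons in process(SAMPLE_EVENTS):
        print(f"{account:6} {decision:8} {', '.join(reasons) or '-'}")
```

The third event scores 55 (unknown device, unknown IP, new country) and gets a step-up rather than a block, which is the "transparent to the user" trade-off the article describes: a genuine traveller answers one extra challenge, while an outright block is reserved for stronger evidence such as a hit on the shared fraud feed. Note that the first login of a brand-new account scores zero by construction; a real system would lean on enrolment controls for that case.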

Identification

Of course, banks don’t only conduct business online – many customers choose to bank using the phone. Again, identifying the correct person to a particular account is vitally important. Not only does it minimize fraud, it also cuts down on the time the user spends on the phone, as Young explains. “Cross-channel authentication is something that can help cut costs. For example, if I can quickly authenticate a user when he or she calls me it means I don’t have to spend a lot of time vetting that user’s identity. The phone and online channel are often quite tied so that you could change your online banking details like your address if you call up customer service.” Young continues: “If you can do a better job of authenticating a user across those different channels you can cut down on the fraud that may move between those channels. Also, you can cut down on the time the customer service representative has to spend on the phone vetting the identity of a user.”

When the institutions approach RSA looking for online security solutions, authentication of online users is top of the list. However, Young is keen to stress the importance of a “layered” approach to the security issues that fraudsters could exploit. “The one thing I often point out to people is that it is not just about authentication and the provisioning of credentials, it is about protecting consumers and users in a holistic fashion. The only way that you can ensure that you are doing the maximum amount to protect your users is to employ a layered approach to security. That could be a combination of making sure they have anti-phishing capabilities by shutting down phishing sites, having authentication credentials, using risk analysis to look for fraud and shutting it down at different touch points in the user’s experience.” Many US financial institutions have adopted a risk-based approach because US regulatory guidance states that the strength of the security controls must match the level of risk in the channel being protected. The banks are taking the view that it is best to implement a system that allows them to add layers of authentication and protection to cut down on fraud.

Undiscovered scams

Of course, when a weakness in a bank’s security is tightened the criminals switch tack and target another area of an institution’s online operations or another bank altogether on the other side of the world. The fraudsters are getting smarter and more and more devious in their methods with one clear goal – extracting as much money as they can without getting caught.

Young is reluctant to second-guess what will be the crooks’ modus operandi over the next 12-18 months, but does have some sound advice for financial institutions everywhere. “I don’t have a crystal ball but what I can say is that if there is anything certain it is that fraudsters will change the way that they behave online. There is really no way to predict exactly what type of fraud is going to happen next. We recommend to banks that they have a layered approach and multiple lines of defense, which allows them to be more effective when the next type of threat emerges on the horizon. As long as there remain banks out there that allow themselves to be the path of least resistance, the fraudsters will find their way to those banks and those accounts.” It certainly seems the game of cat and mouse between the online banks and criminals will continue in cyberspace – or any remote channel with perceptible weaknesses, for that matter – for many years to come.

