Account Takeovers: Did FFIEC Guidance Make a Difference?
PhishLabs' CEO Analyzes Results of Bank Survey on Fraud Prevention Strategies
It's been four years since the Federal Financial Institutions Examination Council issued its updated authentication guidance, which focuses on helping banks and credit unions defend against account takeover schemes. Since then, institutions have made significant investments to shore up their defenses and boost their ability to detect and prevent account takeovers.
But those investments apparently have had little impact on reducing fraud associated with account takeovers, according to a new survey of banks by Information Security Media Group, sponsored by online security firm PhishLabs.
In an interview with ISMG, John LaCour, CEO of PhishLabs, explains why banks need to go far beyond following the FFIEC guidance, taking steps to invest more in technologies that detect attacks before money is wired fraudulently from accounts.
"Most of the investments and the focus has been on catching the attacks after account credentials have already been compromised," LaCour says. "You see that in terms of using things like device fingerprinting and fraud analytics to investigate transaction patterns."
LaCour says too many banks and credit unions have underinvested in technologies such as malware blocking, phishing detection, threat intelligence and behavioral analytics that would allow them to get ahead of account takeover losses by detecting attacks before accounts are compromised.
"There have been a lot of investments in additional controls [since the FFIEC issued its updated guidance] with an intent to thwart fraud," he says. "Unfortunately, as the survey results show, the number of incidents and fraud losses continue to grow."
Seventy-one percent of the banking institutions that responded to the survey say account takeover incidents have stayed the same or increased since 2011, and 59 percent say fraud losses linked to account takeovers have stayed the same or increased.
"This is partly explained by just the prevalence of cybercrime," LaCour says. "Attacks like phishing, banking Trojans and telephone phishing remain pervasive ... Part of the challenge here is keeping up with these attacks - not just the volume of them, but how they've evolved to become more resilient and work around the countermeasures we, as the good guys, are putting in place against them."
Banking institutions should be concerned about malware that has the ability to circumvent dual-factor authentication and other controls, LaCour says. And phishing attacks waged online or through call centers against banking institutions and commercial customers continue to plague the industry, he adds.
"Banks should be investing more in detecting attacks that are attempting to compromise accounts - being further up in the attacker workflow, if you will, to try to stop the attacks," LaCour says. "If you're detecting anomalies, then the bad guy is already in the door. ... Detecting phishing attacks, detecting malware attacks and implementing technologies and services to help mitigate those attacks by blocking them or taking them offline [are] key components to reducing the amount of fraud that's experienced."
During this interview, LaCour also discusses why:
- The FFIEC is likely to update its authentication guidance;
- Account takeover fraud is more damaging to banking institutions than card fraud; and
- Institutions struggle to adequately gauge the effectiveness of their fraud-detection and prevention controls.
LaCour, the founder and CEO of PhishLabs, has expertise in mitigating the risks of account takeover, phishing and distributed denial-of-service attacks. He has presented at numerous industry events sponsored by, among others, the Digital Crimes Consortium, the Anti-Phishing Working Group, the Financial Services Information Sharing and Analysis Center and the Internet Security Operations and Intelligence.