Financial institutions feel the pain of recent retail breaches, and they seek new ways to secure payments and fight fraud. But how can security leaders influence changes within their own organizations?
To help answer this question, Information Security Media Group's Tom Field sat down with Daniel Ingevaldson, CTO of survey sponsor Easy Solutions. Their first topic: What can banking institutions do to combat the plague of retail point-of-sale breaches?
"That's really the $50,000 question," Ingevaldson says. "There's been a lot said publicly around how we have an antiquated payment system, which goes back to using mag stripe cards and mag stripe readers for the vast majority of payments here in the US. The part that is underreported is the payment system works really well from a convenience standpoint."
Emerging technology solutions such as contactless payments and digital wallets haven't been embraced, particularly in the U.S., because traditional payment cards are so convenient for customers, he says. "They're very easy to use. The system works pretty well -- except for when it doesn't, when there's a large breach." In this Faces of Fraud survey interview, Ingevaldson talks about:
- The impact of retail breaches;
- The future of secure electronic payments;
- The customer's role in fraud detection.
Ingevaldson has over 15 years of experience protecting some of the world's biggest organizations from next-generation threats. As Easy Solutions' CTO, he defines and executes the strategies for researching and creating the next phase of Total Fraud Protection® products. Ingevaldson spent a decade at Internet Security Systems, Inc., where he held various roles in research, management, consulting and strategy. He formed part of the "X-Force" R&D group that would become the most productive and influential independent vulnerability research group in the industry. Ingevaldson also occupied an important role as an ISS public spokesperson, sharing his expert opinions with media outlets and speaking at conferences on topics such as emerging threats, market trends and risk forecasting.
2014 Faces of Fraud Survey Results
TOM FIELD: What surprises you most about the 2014 Faces of Fraud Survey results?
DANIEL INGEVALDSON: There're probably two things that popped out at me. There's great data in here, a lot of great insight. But the first point that was surprising was the fact that a number of respondents, 70 percent, were affected by the Target, Sally Beauty, and Neiman Marcus breaches. I actually felt that was kind of low. It seemed like nearly every single financial institution we talked to was affected by the breach in some fashion. I was actually surprised to see that number at 70 percent.
The second piece which was interesting was the fact that the general numbers around account takeover were relatively unchanged... from last year. It's great to have this survey every year to measure changes, and that was something that was relatively steady. That was particularly interesting, because so much focus has been put on account takeover with various technologies, regulatory requirements, as well as vendors in the space working on solving that problem. So it was surprising to me to see that the net effect was not captured in the survey results.
Feeling the Pain of Retail Breaches
FIELD: Do you see the real pain banking institutions are feeling from the Target, Neiman Marcus and Sally Beauty breaches?
INGEVALDSON: The survey did a pretty good job breaking that up in a few of the questions. The answer depends on what size bank you're talking about. The larger banks are obviously much better equipped to be able to handle these kind of events. Any sort of crisis management is something that a larger bank will have more capability to deal with. That [comes] down to the cost, resources and amount of time they have to focus on these things, as well as setting aside larger amounts of money for a rainy day, if you will.
The smaller banks are a different story. We talked to numerous smaller institutions which were hit very hard. They got hit with the brunt of the cost and time wasted in dealing with the event internally. That goes from identifying accounts at risk, [those that] had been compromised, as well as the massive reissue cost, which is certainly higher for smaller banks. [They] don't have the same volume as the large card issuers. There certainly is a spectrum of pain; but in this case, if you take everything else on balance, the smaller banks are impacted much more severely by these large retail credit card breaches.
How to Respond to Breaches
FIELD: What can banks do about this retail breach trend?
INGEVALDSON: That's really the $50,000 question. The payment system, if you look at it holistically, is designed to carefully balance security and convenience. There's been a lot said publicly around how we have an antiquated, ancient payment system, which goes back to using mag stripe cards for the vast majority in the U.S. The part of that that is underreported is: The payment system works well from a convenience standpoint. A lot of the reason why contactless payments or NFC chips, in the back of phones and digital wallets, haven't taken off is that credit cards are just convenient. It's completely saturated the entire U.S. market. Everyone has one or many, they're very easy to use. The system works pretty well, except for when it doesn't...except for when there's a large breach and these things happen. There's a lot of things we can do, but a lot of them are incremental steps. Obviously we should update the entire U.S. payment system over time, but do so from a managed point of view. There's no silver bullet; there's no one solution which can solve this problem. EMV is only one arrow in the quiver. It's only one of the techniques we can use to cover the risks associated with large retail breaches, but certainly not all of them.
FIELD: What is your vision for the future of secure payments?
INGEVALDSON: It comes back to convenience. We could design a very secure payment system in the U.S., which would scale. It would provide a lot of different functionality to deal with different payment scenarios, whether it's card-present or card-not-present; physical purchasing with a card or token, or using actual data on those cards in the online sense. The problem is, once you start to layer in additional security controls or factors for authentication, in some cases the convenience factor goes down dramatically.
EMV is something which is very powerful in securing the physical card-not-present situation or transaction. Actually walking into a store with a card and authenticating that card to the point-of-sale device. The problem is, EMV does not protect against the exact scenario which happened at Target and reportedly several other retailers. It doesn't touch the online side of things either, unless an additional second factor authentication is deployed. Things get ugly and complicated very quickly.
One of the primary things which can be done, but at significant cost, is to enforce end-to-end encryption from a keypad all the way to the issuing and acquiring networks, to make sure that there's no clear text credit card information. The malware can never actually capture clear text information. Tokenization comes into that, encryption comes into that, using chip and PIN, or EMV technology. But there's lots of layered incremental technologies which can make the cost of perpetrating these large credit card heists much higher, and make a much lower probability that a large number of cards exist in one centralized place where they can be extracted and bought and sold like you saw with the major breaches.
Facing Fraud Unprepared
FIELD: Why are financial institutions time and time again faced with fraud they're not prepared to face, and how can they address it?
INGEVALDSON: A level of precision in my response is required here because we're getting into some semantics which definitely should be explored. We believe, in our business, that fraud is very cyclical. It's not that a fraud or risk manager is not prepared for a certain type of attack; it's just that their job is to cover all the bases all the time with scarce resources and funds. That's one of the rules of the road when it comes to fraud management. We often make the distinction between fraud management, or managing losses, and fraud risk management. The two are related, but they're very different in practice. Probably the best way to explain it is an actual scenario within a bank or financial institution. If a bank is losing a million dollars a year via credit card transactions or another channel, their endeavor into managing fraud is through the programmatic application of lots of different policies, controls and technologies. Taking a million dollars and reducing that as low as possible.
The other side of the coin is, once you've done that, reduced losses to an appropriate level which the audit committee or executives within the organization can accept... any transition into fraud risk management, that's when things get much more complicated. It's very easy to fund fraud programs when there is a lot of fraud. It becomes much more challenging politically and realistically within an organization to fund those programs at the same level when fraud is low. What fraudsters always do is exploit this rule of nature, this thing that always seems to happen. It's not something that's very hard to predict or explain. They exploit weaknesses, gaps in visibility, and temporary conditions to maximum effect in a lot of cases. The most sophisticated organizations are the ones that understand the difference between fraud management and fraud risk management, and maintain a level of diligence, funding and size of their programs no matter what the current fraud situation is. That's what allows organizations to be more flexible. It allows them to respond more quickly, to put up barriers to entry for bad guys for unforeseen attacks. They're looking at it from a totally different point of view.
FIELD: How can organizations improve their ability to spot and stop incidents before they get the attention of the customer?
INGEVALDSON: It's something that's been the focus of the survey for quite some time. The way to answer the question is to answer a previous question; where do you want that number to be? How much fraud do you want to control or detect internally before your customer serves as an early warning? Because there's lots of associated costs around that issue. We operate globally, so we deal with lots of different regulatory and political climates, and banking sectors which have different rules of liability and accountability on behalf of the financial institution and the actual retail banking user. A lot of those things determine exactly how reliant the organizations are on their end users. We certainly believe that the best technology out there to perform pattern recognition on an account is the person holding that account. They know their activities, they know what's good or bad. They can look at a whole statement, glance past it, and see something which is abnormal, because they know all that activity. Some level of customer-driven reporting is important, and I don't necessarily see that as a failure in and of itself.
When that becomes the most important component of an anti-fraud program, that's when you have problems. Certainly the lowest friction way to detect fraud from a transactional standpoint, where money actually moves, is to do it with real-time transaction monitoring behind the scenes. There is a lot of technology out there that does it; we do that as part of one of the services we provide. But it's important to merge that into the existing fraud program in the way that makes most sense. The way that doesn't create friction, doesn't create customer inconvenience, while still maintaining a relationship with an end user when they are bought into the fraud control process.
The same thing is true for protection of your devices. If end users are completely divorced from the fraud which happens in their accounts, then fraud will inevitably go up. That's one of the unfortunate side effects of having a very consumer-friendly liability regime, which we operate under in the U.S. When money leaves your account, if you report it, it's no longer your problem. That really tends to influence how much end users are bought into the process of managing fraud on their own accounts.
Detection and Prevention
FIELD: Where are detection and prevention systems failing the institutions?
INGEVALDSON: Fraud is like the reservoir behind a dam. If there's a crack [or] some kind of flaw, fraud will increase. That can be something as simple as malware being on a machine and initiating some kind of transfer. It can be much more complicated, like a channel-hopping attack where fraudsters exploit a lack of visibility across channels. The numbers that make up that 78 percent will probably change every single year. We go through these situations when we see ebbs and flows of different techniques. We hear a lot of cases that some of the largest dollar losses that affect institutions are coming in via the contact center, they're coming in via the actual voice response systems.
A lot of the controls on the online channel have gotten better. It's become more difficult to move large sums of money on the online channel. So what happens is, the bad guys will use the online channel to recon the account, find out behaviors, see how much money is there. Then they'll do their homework and find ways to answer the secret or out-of-wallet questions; they'll call in, answer all the questions asked of them, and wire out $100,000 to an account that's never actually been seen before. When they institute those complex expensive attacks, they go after a big score. We see that all the time.
One of the major things that we constantly talk to our customers about is, we help them assess their confidence in full transactional visibility. Understanding the full scope of the account, all the channels which can touch that account, and all the ways where money can move in and out. That's a holy grail solution. It's one that we're always refining with our customers, always contributing to and working on. But, it's a great goal to set because it allows you to have more flexibility when the winds change, [and] when the attack vector changes as well.
FIELD: Where must organizations make future investments in technology solutions?
INGEVALDSON: We believe in multi-layer protection. It's an overused term, it's something which everyone in information security and anti-fraud deals with every day. It's a vocabulary that we're all very familiar with. To us, it's about building a truly flexible anti-fraud program, and I say program specifically because I'm not talking about technology or products and services; I'm talking about the appropriate application of all of those things: policies, procedures, requirements, technologies. Everything rolled up into one program which is sophisticated enough to be able to manage fraud losses down but provide flexibility when fraud losses are down to deal with the next thing.
We always look at the world through the lens of the attack lifecycle. To move money out of an account, lots of things have to happen. There has to be [a] campaign to acquire information about an account holder, or to acquire credentials for them, to log into the online or mobile banking environment. Attacks are then launched to gain control of those accounts and bypass two-factor authentication. The money has to be moved around within the bank to be able to prepare for a transfer. The last stage [has to be] bypassing any risks or context-based controls to move money out.
Within a well-designed anti-fraud program, there are controls in place to get a swing at the pitch for each one of those phases; for the reconnaissance and preparation phase, the account takeover phase, then the actual transaction phase on the outside. What we try to do, and work with our customers to do, is try to figure out the best and most inexpensive way to break that cycle. You reduce the number of events that make it all the way around, that make it to actually moving money out of the bank.
It's really important to have a strong anti-fraud program as a foundation for a long-term point of view, as opposed to reacting to the latest threat or major buzz which hits for a new Trojan or attack. Fundamentals remain; they are important today, and will remain important going forward.
FIELD: What are institutions doing wrong in terms of customer awareness programs?
INGEVALDSON: Customer awareness is a controversial issue in the industry now. It's something which is mandated by regulators that everyone feels like they have to do. It's almost table stakes; banks will be dinged if they don't have what is seen as an industry standard customer awareness program. The problem is, by definition, customer awareness cannot stop fraud. If you parse this out, it becomes more clear. To educate someone about something, you have to have an actual scenario. You see this through the arc of all of the stuff we've been dealing with in information security and anti-fraud for the last 15 years. Don't click on links which are sent to you by unsolicited people, don't actually respond to unknown email addresses...basic stuff which we've been looking at for phishing attacks for the last 20 years. In order for fraud to be successful, the customer isn't educated against it. There's a fundamental disconnection between the expectation around customer awareness, and what it can actually do. Without a time machine, a customer awareness program by itself will always fail.
We believe that it's a backstop to everything we try to do, but it's never something that's going to get you ahead. It's never something that you can actually invest in to gain additional returns ahead of the threat. It's something which is always going to be in parallel with the threat, but almost always behind it. The crisis around customer awareness is being realistic about the expectations you have, or the expectations of the outcomes that you seek with deploying customer awareness. These are expensive programs. They're very visible, so they're certainly talked about a lot. But it's something that we see as a minor portion or component for a truly comprehensive and effective anti-fraud program.
FIELD: What's your take on the rise of cross-channel fraud?
INGEVALDSON: It's obvious based on industry data, based on what we've seen internally, that banks oftentimes undercount fraud. They undercount precursors to fraud. Obviously they see where the money leaves, but sometimes it's difficult or even impossible to do a full end-to-end root cause analysis to find the very first time an initial action of that fraud cycle manifests. But this is a standard -- not even a fraud or security challenge. It's a standard IT challenge; putting all the threats together, understanding how fraud or attacks manifest in the real world. Certainly this is one of the things which banks are going to continue to invest in. It's a job that's never going to be done. As additional channels are coming online, as new technology is making it easier to bank, this is something which is going to be more important. It's an end state which everyone is going for, but it's something that is very difficult to perfect.
FIELD: When it comes to mobile banking, what are your top fraud concerns?
INGEVALDSON: Mobile is new. A lot of us have been using it for a while, but from a channel perspective it's still the new kid on the block. The biggest way that you can differentiate or tell that mobile is new is, look at the feature sets which are available. A lot of major retail banks still don't allow the ability to create payees, for example, within the actual mobile banking experience. Additionally, it's very difficult to do multifactor authentication in the mobile channel, not just using mobile as a factor in and of itself.
The stats to me weren't very surprising because mobile has not become a massive issue for fraud yet, but there's a lot of fraud risk. So back to the initial distinction between the two. Banks aren't being taken to the cleaners in the mobile channel directly, but it's a contributing factor. Something that we're watching very closely is the increase in mobile malware. We're trying to quantify the risks that banks are dealing with, having jailbroken, rooted or insecure phones coming into their environment. We're trying to quantify the risk of insecure applications which can allow data leakage. But the biggest and most significant risk right now is the cross-channel piece. How does mobile change the calculus in dealing with cross-channel fraud? Mobile account takeovers can lead to account takeovers in the online channel, which can lead to money moving. If the mobile channel is designed in such a way where there's visibility gaps, it can create a major challenge. This is something that we're watching very closely, but we're not out there banging the drums saying that mobile is going to dramatically increase fraud losses. We think it has the potential to dramatically increase fraud risk, but those losses have not yet manifested.
The smart banks are the ones trying to get ahead of it, [those] trying to use the form factor of mobile to do new things. Deploying biometrics, for example, in a much more natural fashion to allow their customers to do more with a device which is inherently more secure. The iPhone is more resistant to malware than any PC. How can a bank leverage that as a strength instead of a weakness? We're in the early days of trying to backstop mobile and understand the structure of fraud there, and to provide the right guidance as opposed to trying to scare customers or banks into overinvesting in that environment.
Putting Results to Work
FIELD: In a single piece of advice, what would you tell banking and security leaders about how they can put these survey results to work in their own organizations?
INGEVALDSON: I don't interpret increases in certain areas as a lack of preparedness or a lack of readiness. What I see is a change of internal priorities, which happens behind the scenes. The actual fraud managers that run these programs, they don't get credit in a lot of cases for all the stuff that they did a year ago to make their organizations more resistant to attack. The closing advice that I would provide is, resist the temptation to reduce the funding line for anti-fraud programs when fraud decreases. It's certainly something which should be evaluated, but carefully and realistically to make sure that the reduction of fraud is not a one-time event, but something which can be maintained and persistent with our organization. That's the mark of a very successful program that's realistic, functional, and highly effective.