Fraud Fight: How to Pick Your Battles
Risks Posed by Hacktivists and Mobile Payments to be Focus at RSA 2012
While incidents of ACH- and wire-related fraud continue to plague the banking industry, Joe Rogalski, the information security officer for New York-based First Niagara Bank, says other risky financial transactions and channels are posing growing concerns.
Hacktivism is changing the threat landscape for financial institutions. Groups like Anonymous are increasingly targeting big banks, and their attacks are not always financially motivated. "We're starting to look at that stuff more closely, how we can defend against it and what we can do," he says.
Community banks and credit unions have, by and large, been sheltered from hacktivists' wrath. But Rogalski says that's likely to soon change, as the pool of hackers who claim to be part of the hacktivist movement continues to grow and dilute.
All banks and credit unions need to prepare themselves for that reality.
"What customer records can be exposed?" Rogalski asks. "Can your website be defaced? Can it be taken down?"
"Senior management is concerned about data loss, but they're really also pushing the use of iPad and i-devices," Rogalski says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
Although the risks continue to evolve and change, Rogalski says financial institutions are being proactive when it comes to ACH and wire fraud. "It's still the No. 1 issue in the industry and it's not going away."
Rogalski recently took part in a peer-to-peer discussion at RSA Conference 2012, where he addressed the risks and program challenges institutions face when weighing emerging risks against security concerns from traditional channels.
During this interview, Rogalski discusses:
- Emerging technology risks, such as those posed by near-field communications and mobile wallets;
- Why ACH and wire fraud continue to plague the industry; and
- How senior management should address data loss concerns linked to website exposure.
Rogalski is the information security officer and first vice president of First Niagara Bank, a top 25 regional bank located in the northeast. He currently holds CISM and CRISC certifications and has more than 18 years of experience in technology and security in a variety of technical and management positions. Before joining First Niagara, Rogalski led information security risk management for M&T Bank. He also frequently speaks about security, risk management and awareness with industry leaders and First Niagara customers.
TRACY KITTEN: Could you tell us a bit about the existing landscape and areas where you see financial institutions facing the greatest risks?
JOE ROGALSKI: The landscape has really changed for financial institutions over the last year with the emergence of Anonymous and other hacktivist groups coming to light. The risk difference for institutions - it's not financially motivated anymore. Hacktivism is not financially motivated. It's more out for attention and to show the wrongdoings of institutions and people out there. That, along with malware involved in ACH and wire fraud continually evolving almost on a daily basis, the challenges are still there with that as well, but now we have this new breed coming in of Anonymous trying to deface our websites or expose our customer data.
KITTEN: How proactive have most financial institutions been, in your opinion, when it comes to adequately addressing and assessing some of those risks that you've talked about?
ROGALSKI: On the ACH and wire side, people are getting more and more proactive. We're trying to get out in front of the bad guys on that, and, like I said, it's a continual battle on a daily basis. As far as the hacktivism and that type of thing, it's really just starting to come to light now with Occupy Wall Street and Anonymous getting behind them and really going after FIs. I think we saw this with Bank of America when they proposed that debit card charge every month. They were attacked at that point, and so we're starting to look at that stuff more closely, how we can defend against it and what we can do, but slightly in front of it, not too far though.
KITTEN: When we talk about emerging technology posing big concerns, we oftentimes think about things like online banking or mobile banking, but when it comes to the online space we've been addressing risks in that area for more than a decade. Haven't we addressed most of the security challenges that we face in some of these more traditional environments?
ROGALSKI: I think if we did address those risks, I'd be out of a job. As you describe the traditional environment, it still continues to evolve to date. The risks and the threats that are there are still a problem. When you look at the ACH and wire fraud and combating malware there, a colleague of mine described it once as it's like dealing with your young children. You tell them not to touch their sister and they'll hold their hand in front of their face and say, "I'm not touching her." They continually evolve every day and are still a problem, even in the more traditional online banking channels.
KITTEN: So how would you define emerging technologies and risks?
ROGALSKI: I look at this in two different ways. In an emerging technology risk, is it a new technology coming out? Is it mobile? Is it something we haven't seen before? You're starting to see a lot of the near-field spectrum payment type plans with Google Wallet. Those are new and emerging risks. How can a fraud take place there? But then also, looking at it from the traditional or classic environment of ACH and wire fraud, is that being leveraged and is that malware now being leveraged in a different way to go after a customer base, for example, personal accounts that can do ACH?
KITTEN: Let's talk a little bit about the mobile arena because the story is a little bit different here, and again this is an emerging technology and I think that most of the industry would accept that type of definition for mobile. What security concerns have banks and credit unions overlooked as they've dashed to market with new products and services that touch the mobile channel?
ROGALSKI: I think you hit the nail on the head there when you say "dash to market." There were a couple of leaders or bleeders in this area and now that they're out there, everybody else is still catching up. If you don't have a mobile product today, you're really looking to get to market as quickly as possible, and when you're doing that you know it may not be the best of breed product or the most secure product. You've got to look at things. Is it using the same credential storage as web banking, or should it be? Is it integrated with your web banking? What functionality are you really offering? Do you want to get ahead by offering remote check deposit, bill pay or ACH and wire on the mobile device? They all need to be looked at from a fraud perspective before you can really take it to market, but some of this stuff is overlooked and to get back or caught up, or to get ahead of those other banks now, people are taking more risk and taking on more risk.
While at RSA
KITTEN: Let's talk a little bit about the RSA Conference. During the conference, you'll be addressing some of these concerns during a discussion that you're having on March 1, and that panel discussion or peer-to-peer discussion is entitled Chicken or the Egg: What Comes First? Discussion of Prioritization. What can you tell us about this discussion and the areas you expect to cover or touch upon during the discussion?
ROGALSKI: The peer-to-peer discussion is really an interactive discussion and there are no slides. It will be a group discussion around prioritization and how do you prioritize. We're looking to hear from other people in the group on how they prioritize their risks and their projects. For example, the new FFIEC guidance came out in June or July of last year and really went into effect Jan. 1. You take that along with your other projects, such as implementing the next generation firewall, what takes precedence? And how do you do those things? What was your thought process behind putting that project ahead of the other one with limited resources?
KITTEN: When it comes to the top security concerns for financial institutions in 2012, where do you see the greatest need for proactive risk assessment?
ROGALSKI: I think it's still staying in front of ACH and wire fraud. It's still the number one issue in the industry and it's not going away. Secondly, it's really looking at hacktivism and where you are exposed. What customer records can be exposed? Can your website be defaced? Can it be taken down? And with that, I like to look at another thing as well. Senior management is concerned about data loss but they're really also pushing the use of iPad and i-devices with the environment, so it's not even a give and take. It's a take and then pull it away with those devices. They are harder to secure but I think that's one of the new things we're going to see next year with the consumerization of IT and bringing your own device to work.
KITTEN: Beyond risk, what other areas do you expect to be highlighted during the conference this year?
ROGALSKI: I think the other area that's going to be highlighted is really advanced persistent threats. Whether it be marketing hype or truth, depending on who you talk to and what industry you're in, there's going to be a lot of focus on APTs this year and how that fraud or how those intrusions are taking place.
KITTEN: And what topics do you think are going to garner the most attention during the sessions and presentations this year?
ROGALSKI: I think it comes back to what we just talked about: Anonymous, APTs and, especially for financial institutions, it's still going to be ACH and wires.