From sophisticated malware to socially-engineered schemes, banking institutions of all sizes are under constant, multi-channel attack. How can they respond? Daniel Ingevaldson of Easy Solutions shares ideas.
When it comes to multi-channel fraud, the biggest challenge - especially for smaller institutions with limited resources - is organizing a defense against such a sophisticated and complex adversary.
"The bad guys have essentially industrialized their operations, so they can create new technology, they can do their testing and they can launch their attacks in a matter of weeks," says Ingevaldson, CTO of Easy Solutions. "The average procurement cycle for a large, complex piece of enterprise software for a large bank can take nine to 12 months - and that's sometimes optimistic."
Complexity and flexibility are huge challenges for institutions, he says, and so is visibility. Institutions need a broader perspective of the fraud challenge - "to see over the castle wall, to see what the user environment looks like, understand the real-time, day-to-day threat environment that's out there," Ingevaldson says. "It's 2013, but we still see that a lot of major financials ... really don't have a good real-time understanding of what their end-users are dealing with."
In an interview about detecting and preventing multi-channel fraud, Ingevaldson discusses:
- The current threat landscape for banks;
- Gaps in today's anti-fraud approaches;
- New strategies solutions for fighting cross-channel fraud.
Ingevaldson is Chief Technology Officer of Easy Solutions, responsible for technical strategy and overseeing the research team. He was previously Director of Technology Strategy and oversaw the industry-renowned X-Force R&D team at Internet Security Systems (ISS), which was acquired by IBM for $1.3 billion. Most recently, he was co-founder and SVP of Product Management at Endgame Systems.
About Easy Solutions
TOM FIELD: To get us started, why don't you tell us just a bit about yourself and about Easy Solutions, please?
DANIEL INGEVALDSON: My name is Daniel Ingevaldson. I'm CTO of Easy Solutions. Easy Solutions is a fraud prevention company and we have a lot of background in the enterprise security space. My background and the other founders' backgrounds are with a company called Internet Security Systems. We've been at this for several years now. The company is not a traditional enterprise security company. We focus primarily on preventing fraud for financial institutions or other web-oriented properties which are experiencing fraud. The company is very well established. We have over a hundred customers, about 24-25 million users worldwide, which are in some way interacting with our technology.
The company has a pretty large center of gravity in Latin America, and I think that's a very interesting part of our story at Easy Solutions. Back in the early days at my career at ISS, I actually studied the Latin American fraud environment because it was much more advanced and much more hostile than what we've seen in the U.S. In fact, a lot of the financial institutions in Latin America are using very advanced web-authentication techniques or web-authentication technology, like two-factor, and they were deploying browser protection or browser security to their end-users really years, and in some cases as much as over a decade, before some of the main institutions in the U.S.
What we're seeing is a lot of techniques that we predicted early on that were becoming very popular in Latin America - for a whole bunch of reasons we can talk about today - are now becoming very popular in the states. The company is really set up to help prevent web fraud and associated financial crime amongst our customer base.
FIELD: That's a great intro and overview of the threat landscape. And as you mentioned, it's ever-changing. The hostility is spreading. We see banking Trojans. We see targeted attacks, mobile malware and DDoS attacks. There's so much out there. What do you see as today's top online fraud threats, specifically to financial institutions?
INGEVALDSON: At Easy Solutions, we provide a whole platform of anti-fraud technology that we call Total Fraud Protection. A big part of that is watching the Internet, doing a lot of cloud-based analysis and looking for the latest attacks that we see really around the world. Malware is a huge problem. The advancement of malware is a huge problem. One thing that I talk about a lot with customers is the industrialization of malware attacks that are out there that are becoming much more challenging to deal with. We find that large financials are having difficulties dealing with really complicated and complex attacks, but we find that the smaller institutions, like credit unions and small regional banks, are dealing with much more challenging problems than they're really set up to handle. The complexity of malware is a major issue.
We're also seeing the variations on older techniques. Older style attacks like phishing attacks and DNS re-direction attacks, which have been around for over a decade, are constantly evolving. They're constantly being optimized by the bad guys. The bad guys know that if they launch a phishing attack or a pharming attack, it's not going to last for two weeks like it used to. They design their attacks to fool people or capture account credentials and do account takeovers in minutes, as opposed to days. There's really a whole suite of new, much more advanced and much more complex attacks that I call "compound attacks" on the malware side.
Then [there's] the fallback mechanism to using some of the same techniques that have really worked for years and years, but have been refined, modified and customized over the years to be much more targeted. We're finding that the bad guys are targeting the smaller banks just as strongly or just as hard as they're targeting the very large financials, which arguably are probably [better] equipped to stop the attacks.
Top Barriers to Fighting Fraud
FIELD: You're getting into exactly the next question I have, which is: what do you find to be institutions' biggest challenges in responding to these threats? I'm sure it does correspond to size of institution in a lot of instances.
INGEVALDSON: For us, one of the problems that we try to help our customers battle is complexity in dealing with fraud. We talk a lot about online fraud. Easy Solutions specializes in multi-channel fraud, so we certainly deal with the online channel, but we also help our customers protect against fraud across the IVR channel or the ATM channel, or even branch-based fraud. The biggest problem is just managing all these things. The bad guys are essentially mechanizing their operations or industrializing their operations. They can create new technology. They can do their testing and they can launch their attacks in a matter of weeks. The average procurement cycle for a large complex piece of enterprise software for a large bank could take 9-12 months - and that's sometimes optimistic. We're finding that complexity is a major problem. Flexibility is a major problem.
Another big one is visibility. ... Our philosophy or approach to solving this problem is finding ways to help our customers get visibility into the problem, to see over the castle wall, to see what the user environment looks like and understand the day-to-day real-time threat environment that's out there. A lot of the time, the technologies deployed are kind of a Garrison-style defense - higher walls, thicker walls, defenses which are pointed outward - but not really understanding the nature of the threat.
The bad guys have naturally shifted their targets away from trying to compromise things directly to compromising the end users, and that's where the malware problem came from. That's where the phishing problem came from; but, it's 2013 and we still see that a lot of major financials and certainly smaller financials really don't have a good real-time understanding of what their end users are dealing with. What sort of malware are they seeing minute to minute? What sort of phishing attacks are they getting hit with? All of that is really challenging.
Then you go into the regulatory requirements from FFIEC and others which are pushing regulation down to the banks to help them at least organize their plans or give them some structure or some guidelines to putting defensive mechanisms in place to help protect end users. That's really what the FFIEC is trying to do, but a lot of these things generate layers and layers of complexity. With all of our solutions, we've really focused on trying to build a platform of layer technology that all speaks the same language. It all shares the same APIs. All of our technology shares the same interfaces that can be managed together in conjunction with one another. Our goal is to simplify this process and give our customers a greater sense of control over the problem and a greater confidence that they have control over the problem.
FIELD: I want to come back to the visibility topic you raised. We hear a lot about poor cross-channel detection in financial institutions. How must institutions improve their capabilities here so they can detect fraud when it appears cross-channel?
INGEVALDSON: Cross-channel is really the Holy Grail. You really want to build a roadmap for fraud prevention around detecting fraud across different channels. Theoretically, there's no fraud committed until cash leaves the bank. An account can be compromised. Money could be moved around internally. But until that actual cash is transferred to a debit card, cashed out, wired or ACHed out of the bank, there's no fraud.
The bad guys know this and the bad guys exploit the fact that a lot of banks have implemented single-siloed fraud-prevention technologies per channel over the years - cashier-based fraud or check fraud or credit card fraud, with a huge gap on ATM or huge gap on online. You find now with most of the major attacks that are made public, there's this trickle-down effect when there's the online mechanism and there might be an insider mechanism or there might be an ATM mechanism when the cash is actually moved out of the bank.
That's a problem that we focus on. Our technology that watches transactions in real-time is focused on understanding when there's anomalous transactions inside a bank across various channels. It's kind of the last line of defense but also potentially the most powerful line of defense, because transaction anomaly-detection technology has the ability to see everything. It can see all transactions and our products are designed so all our transaction anomaly-detection systems are informed by the other layers of our platform.
What I mean by that is we're constantly building rules. We're constantly tuning the system in real-time, but we're also feeding information in from our detected monitoring service which is monitoring external threats. We're constantly taking in scoring information about endpoint security or endpoint safety, the safety of the end user who's touching the bank. Is the machine infected? Does the machine have a history of being infected? All that information rolls up into risk scoring, which has been taken into account on the back-end. We have some customers that have deployed our layered approach. They've seen remarkable reductions in fraud and specifically cross-channel fraud because they're taking into account these external data sources, which are really available to them, but a lot of the FIs, or financial institutions, have trouble gathering that information and integrating that information.
The layered approach is really critical to approaching fraud holistically. There are many different ways that banks do business in many different channels, and there are various techniques for fraud which are associated with each channel. We take an agnostic approach towards all of them, by putting in a platform that has visibility against every step in the fraud chain, from reconnaissance, attack of end-user accounts, end-user compromise to account takeover, all the way through risk-based authentication and transaction monitoring across all channels. It's a big problem for us to solve. We're very, very busy. We have a lot of work to do to advance our platform, but the approach that we're taking is quite unique in the market and it's proving to be very effective.
Customer SuccessesFIELD: Give us some specific instances. How are your customers responding best to some of the threats that you talked about upfront in our conversation?
INGEVALDSON: The end-to-end approach is what our customers are really looking for. There are new areas of technology where financial institutions in the U.S. are starting to put more of a focus on. A lot of the main-line financials and smaller financials even are looking at implementing secure-browsing technology or safe-browsing technology.
We have a product that we call DSB that's a safe-browsing piece of software that we sell to financial institutions and they deploy for their customers, or they encourage their customers to deploy. This technology hits one of the points that we talked about earlier on visibility. The core feature of a safe-browsing product, any safe-browsing product, is to provide a basic level of elevated protection for an end-user. There are nuances in how different vendors approach that, but our approach is to provide a very stable, incredibly robust, highly available piece of software which will never crash and never cause problems on the end-user environment, but also to provide an elevated level of protection.
It's well understood that the bad guys creating advanced malware kits, commercially available network kits like Zeus, Citadel, and SpyEye, are actively testing their software against antivirus systems. The antivirus guys know that their products aren't really effective at detecting brand new pieces of malware, especially malware that's not highly distributed or sent all over the world. This approach is to provide an elevated level of protection, above and beyond what the antivirus technology can do. The thing that's unique about this is the new market that's emerging is having banks actually provision this software to their end users directly. They feel it's in their best interest to help provide secure-browsing environments or secure-browsing channels to their website. It helps eliminate account takeover fraud. It helps reduce a lot of the fallout effects of fraud after login credentials are stolen.
The benefit that I think is unique to our approach is we certainly focus on the protection aspect. We certainly focus on providing a safe-browsing interface, but for us it's also about visibility. We focus intently on gathering information and collecting a sense of the attack environment that exists against end users. That information is critical for our customers. They want to know when one of their customers trips across a phishing e-mail. They want to know when a new version of Zeus is detected against one of their customers. That allows them to sit back and modify their policies in general, but it also allows them to modify their risk profiles for transaction transfer limits between intra or interbank transfers to set different parameters within a real-time session, or to initiate an authentication request or a re-authentication request to break up the actual work flow of some of these more advanced Trojans. That's the critical piece. We want to be able to provide our customers with real-time analytics with what's happening in their end-user environment.
There's also this concept that we talk about called collaborative protection. We don't need, in some cases, every single end user, every single financial institutions' client, to run a safe-browsing product to provide an enhanced level of protection to the entire population. We call that collaborative protection. There's a similar analog, kind of a biological analog. There's a term in immunology called herd immunity. What that means is, with respect to vaccinations for deadly diseases like Small Pox or Measles, there's scientific evidence that shows that you don't have to vaccinate the entire population to essentially limit the reproduction of that virus in an active population. You have to get to a certain threshold. The same thing is true for this. If we provide a percentage of the banking institution's customers with protection, all that information flows to our data center. It's analyzed and once we see the first attack, we can generally stop it from affecting everyone else. It fits quite nicely with that metaphor from the world of immunology, focused on online threats and online fraud.
FFIEC ConformanceFIELD: The big story of 2012 was the FFIEC authentication guidance update. How are your customers showing their conformance to the FFIEC supplement?
INGEVALDSON: The first major FFIEC guidance which affected online banking or online security was around the use of multi-factor or two-factor authentication. It's interesting comparing the implementation of that to what we saw in Latin America. There was a very loose implementation. It focused on any sort of second-factor and a lot of financial institutions have focused on implementing security questions or secret questions. The banks in Latin America have implemented out-of-band passwords and hardware tokens and wallet grid cards, arguably more secure or more challenging methods to bypass.
Now the update was focused on taking a step further, moving beyond multi-step or multi-factor authentication and moving towards more of a layered approach. The layered approach provides, I would call, loose guidance. There's not a specific recommendation for the exact sorts of technologies needed, but there's an implicit recommendation to employ multiple methods beyond simple multi-factor authentication. It includes risk assessments. It includes various degrees of testing. [It] certainly includes multi-factor authentication, but also the use of back-end technology around transaction anomaly detection. That's a big one. That's one of the most effective technologies to weave together all the other aspects of online fraud, or multi-channel fraud for that manner.
The ability to manage or view transactions - in the case of our platform, in real-time - to define or to understand what's happening and to find behavioral or rule changes that will change moment to moment based on the environment - that's something that's critical we feel, and it fits our vision. It fits our vision to move towards a sustainable, more flexible platform that can really pull all of these things together and come up with a wider spectrum approach to dealing with fraud as a whole.
FIELD: As a bottom line, what advice would you offer institutions today so they can most improve their abilities to detect and prevent fraud across all online channels? If you had to sum it up, what advice would you offer?
INGEVALDSON: The first one would be to seek simplicity in your solutions. I don't mean simplicity in as far as the power of the solution, but just the architecture of the solution. We recommend to our customers that ... you have to plan on changing everything, on responding to something completely out of left field. For us, it's about recommending simplicity, recommending solutions which integrate with other solutions which are relatively open, and focus on trying to find partners and find technology companies that can help build solutions at scale. We don't recommend responding to every new threat with a new vendor or new niche product, which will be something that will take a lot of time and a lot of resources, and by the time it's integrated the bad guys have moved on to the next thing. For us, it's all about building a flexible, layered defense and then understanding that the defense mechanism needs to be flexible, needs to be able to be changed quickly and really consistently through the life of those products. Those are probably the key recommendations that we would consistently recommend to our customers.