The Fraud Blog with Tracy Kitten

The Real Source of Fraud

Are Institutions Missing the Mark on Social Media?
The Real Source of Fraud

There's little doubt we're making some significant strides toward improving online security.

Banks and credit unions, as they work to meet expectations called for in the Federal Financial Institutions Examination Council's updated online authentication guidance, are investing in layered security and authentication approaches that are thwarting online attacks and incidents of corporate account takeover. [See FFIEC Authentication Guidance.]

Other industries are taking similar precautions, by partnering with and in some cases outsourcing online-channel management to third-party security management companies.

Securing the peripheries of online channels is critical. For financial institutions, that means enhancing the ongoing security of their own banking platforms, and continually educating and working with their retail and commercial clients to ensure their systems remain secure as well.

But in their efforts to enforce security layers and multifactor authentication, are banks and credit unions still missing a core problem - the real vulnerabilities fraudsters are banking on?

The problem: social networking, and the amount of information executives, administrators and all of us, for that matter, share about ourselves on social networks.

Fraudsters have evolved. No longer do they simply launch attacks on networks and systems. Today, they rely on a number of tools, including information-gathering based on social engineering and trolling social networking sites such as Facebook and LinkedIn.

The industry has known this for a long time. In fact, a big part of the educational efforts financial institutions have implemented for their customers revolves around identifying targeted attacks, such as spear-phishing, which exploit human trust.

But what we should be focused on is how fraudsters are putting those targeted attacks together in the first place. From where are they gathering their information, and what steps can and should we take as an industry to break that information chain?

Mark Kay, who spent 26 years building ACH systems at JPMorgan Chase, now serves as chairman and CEO of StrikeForce, a startup that's offering out-of-band authentication solutions to banks and others. Kay says, until we address the privacy risks posed by social media networks, we will never keep up with the fraudsters.

"The easiest way to get in is by stealing someone's name and password, and the best way to do that is by getting it through the social media networks," he says. "Most people's names and passwords are the same everywhere they go, and it's likely the same password the admin uses for personal e-mail is the same password he uses to conduct ACH transactions."

The FFIEC guidance is focused on risk-related access to online banking. But that's just one piece, and it's not a catch-all for ACH fraud. "It could be ACH, but not always," Kay says. "The FFIEC covers any high-risk transaction that is initiated online."

But from an ACH perspective, more fraud is committed not by an online-banking breach, but because a fraudster socially engineered logins and passwords from administrators or executives. "ACH and online banking are not how they get your credentials," Kay says. "They get the credentials from somewhere else and then commit the fraud."

It's an interesting observation, and one that's shared by others, such as Bill Wansley, a consultant at Booz Allen Hamilton. Social media poses more concerns than malware, Wansley says. The link between social media and targeted phishing attacks cannot be ignored.

"That is a concern that is now starting to get the attention of bank information security officers and bank risk officers," Wansley says. "They are all working to ensure that the training of their staff is up to a level where they can recognize when they are being targeted."

How much of that social-media training will banking institutions include in their education plans for 2012, and will regulators be expecting some attention to be paid to social-networking vulnerabilities in institutions' risk assessment strategies?

Here's one piece of advice I can share with relative certainty: The more institutions do to enhance security and mitigate risks, the better off they are going to be, whether they're being viewed through the eyes of the public or the magnifying glasses of the regulators. At the end of the day, it really is not about squeaking by, by conforming to the lowest rung of mandates. It's about enhancing security, and that means getting at the root of the fraud.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.