FFIEC: Banks Need Layered Security
Looking Beyond Mere Compliance Ensures Online Security
The final FFIEC Authentication Guidance urges banks and credit unions to do a better job of authenticating users and identifying devices, two areas where current practice falls short of the security it could provide, says security expert Ori Eisen.
Cookies are a way of tagging devices, but they aren't reliable. "A lot of good consumers are returning to the bank with devices that the cookies have been cleaned from, and hence they have difficulty recognizing them," Eisen says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
Banks and credit unions need to look into more sophisticated ways of doing device identification, embed the resulting device data in their audit logs, and run risk rules and risk logic over those logs to identify what the fraudsters are doing.
Data collected from the device at login and written to the log can later be used in log analysis. For example, if a customer who lives in Middle America logs in from a device whose time zone is configured for the middle of Russia, a flag should go up and the institution can catch the fraud. "Banks that aren't capable or don't have the technology to do that would not even know that it's not the real user," Eisen says.
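To make the summary concrete, here is an added example (not code from the article, from 41st Parameter, or from any bank's system) of the kind of device intelligence and risk logic Eisen describes: a login handler logs browser attributes and IP geolocation alongside any cookie tag, a fingerprint is derived from the attributes that survive a cookie purge, and a few risk rules compare each login against the customer's profile. The profiles, log lines, point values and thresholds are all constructed for illustration; the time-zone mismatch is the Kentucky-versus-Russia case from the interview.

```python
"""Device-intelligence risk rules run over constructed login log lines (added example)."""
import hashlib
import json

# Hypothetical customer profiles: what the bank expects to see for each customer.
PROFILES = {
    "cust-1001": {"country": "US", "time_zones": {"America/Chicago"}, "languages": {"en-US"}},
    "cust-2002": {"country": "US", "time_zones": {"America/New_York"}, "languages": {"en-US", "es-US"}},
}

# Constructed log lines, in the shape a login handler could write: the cookie tag
# (if any) plus browser attributes and the country the IP address geolocates to.
LOG_LINES = [
    # baseline login from the customer's usual device
    '{"customer":"cust-1001","cookie":"c-777","platform":"Win32","ua":"Mozilla/5.0 (Windows NT 6.1)",'
    '"screen":"1366x768","tz":"America/Chicago","lang":"en-US","ip_country":"US"}',
    # same device after the browser cleared its cookies: should still be recognised
    '{"customer":"cust-1001","cookie":null,"platform":"Win32","ua":"Mozilla/5.0 (Windows NT 6.1)",'
    '"screen":"1366x768","tz":"America/Chicago","lang":"en-US","ip_country":"US"}',
    # imposter presenting a copied cookie tag; everything behind the tag disagrees
    '{"customer":"cust-1001","cookie":"c-777","platform":"Linux x86_64","ua":"Mozilla/5.0 (X11; Linux x86_64)",'
    '"screen":"1280x1024","tz":"Europe/Moscow","lang":"ru-RU","ip_country":"RU"}',
    # first login from a customer whose device is set to an unexpected time zone
    '{"customer":"cust-2002","cookie":null,"platform":"MacIntel","ua":"Mozilla/5.0 (Macintosh)",'
    '"screen":"1440x900","tz":"America/Los_Angeles","lang":"es-US","ip_country":"US"}',
]

# Thresholds chosen for illustration only.
REVIEW_THRESHOLD = 70
STEP_UP_THRESHOLD = 40


def fingerprint(ev):
    """Derive a device identifier from attributes that survive a cookie purge.

    Nothing is stored on the client; the bank keeps the hash in its own logs.
    """
    parts = [str(ev.get(k) or "") for k in ("platform", "ua", "screen", "tz", "lang")]
    return hashlib.sha256("|".join(parts).encode()).hexdigest()[:16]


def score_login(ev, profile, known):
    """Return (score, reasons) for one login event.

    `known` maps customer id -> set of fingerprints enrolled on earlier allowed logins.
    """
    score, reasons = 0, []
    if ev["tz"] not in profile["time_zones"]:
        score += 40
        reasons.append(f"time zone {ev['tz']} not expected for customer")
    if ev["lang"] not in profile["languages"]:
        score += 20
        reasons.append(f"language {ev['lang']} not expected for customer")
    if ev["ip_country"] != profile["country"]:
        score += 25
        reasons.append(f"ip country {ev['ip_country']} differs from {profile['country']}")
    fp = fingerprint(ev)
    seen = known.get(ev["customer"], set())
    if fp in seen:
        # A returning good device, even with its cookie gone, lowers the risk.
        score -= 30
        reasons.append("known device fingerprint")
    elif ev.get("cookie") and seen:
        # The tag claims a returning device, but the attributes behind it are new.
        score += 30
        reasons.append("cookie present but device fingerprint unknown")
    return max(score, 0), reasons


def decide(score):
    if score >= REVIEW_THRESHOLD:
        return "review"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"
    return "allow"


def analyze(lines):
    """Run the rules over log lines in order, enrolling fingerprints only on allowed logins."""
    known, results = {}, []
    for line in lines:
        ev = json.loads(line)
        score, reasons = score_login(ev, PROFILES[ev["customer"]], known)
        decision = decide(score)
        if decision == "allow":
            known.setdefault(ev["customer"], set()).add(fingerprint(ev))
        results.append({"customer": ev["customer"], "score": score,
                        "decision": decision, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in analyze(LOG_LINES):
        print(f"{r['customer']}: {r['decision']} (score {r['score']}) {r['reasons']}")
```

The second log line is the case the summary calls out: a good customer whose cookie has been cleared is still recognised because the fingerprint matches a device enrolled on an earlier allowed login. The third line is the opposite: a copied cookie tag is present, but the time zone, language, platform and IP country behind it all disagree with the profile, so a bank relying on the tag alone would see a returning device while the risk rules see an imposter. Only logins that end in "allow" enroll a fingerprint, so a suspicious device never becomes part of the trusted baseline.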
The entire financial industry needs to be united in fighting fraud, otherwise the threats will just move from one institution to another, "as opposed to moving it out of our financial system," Eisen says.
During this interview, Eisen discusses:
- Why institutions must focus on the whole fraud picture, rather than just a piece of it;
- How banks and credit unions should address mobile security, especially where device identification and log analysis are concerned; and
- Why focusing solely on compliance will not ensure security.
Eisen is the founder, chairman and chief innovation officer of 41st Parameter. He has spent the last 10 years in the information technology industry and is respected for his business knowledge and leadership. Prior to launching 41st Parameter, Eisen served as the worldwide fraud director for American Express, focusing on Internet, MOTO and counterfeit fraud. During his tenure with American Express, Eisen championed the project to enhance the American Express authorization. Before American Express, Eisen served as the director of fraud prevention for VeriSign/Network Solutions. Eisen serves as a board advisor for the Merchant Risk Council and holds a bachelor's degree in business administration from Montclair State University.
Editor's Note: This interview was conducted just days before the final FFIEC Authentication Guidance was issued.
FFIEC Guidance
TRACY KITTEN: Much has been said about the update that the FFIEC is expected to issue to its 2005 online authentication guidance. I'd like to open up with a general question, and that is, what is your overall take on the guidance? Do you see improvements and are there any glaring omissions?
ORI EISEN: There's clearly some improvement. This guidance is not as vague as the one that was presented in 2005. That is very good for everybody. Some of the omissions perhaps would be that we are still talking about having solutions, as opposed to telling banks to find the MOs, modus operandi, and additional solutions. What I mean by that is, if one would only implement what is there today, we know for a fact that in the wild, there are some MOs that will not be covered, such as the Zeus Trojan, for example.
KITTEN: A couple of the new points raised in the drafted guidance relate to the need for financial institutions to do a better job of authenticating and identifying the devices from which consumers and commercial customers access their online bank accounts. Could you give us a little background and a little perspective on this guidance, and how banks and credit unions should interpret the FFIEC's new recommendation for device identification as well as log analysis?
EISEN: Clearly, device identification has played a key role in authenticating users, albeit the different methods of doing it have prevented some banks and credit unions from getting the full potential of what this technology could do for them. The two main ways that could be done are either by tagging devices by the use of cookies, for example, and hoping that the good customer's device will keep that cookie, and when they return to the bank they will get recognized. Unfortunately, in today's day and age, and the focus on privacy, that's just not the case anymore, and a lot of good consumers are returning to the bank with devices that the cookies have been cleaned from and hence they have difficulty recognizing them.
The other way of doing it is recognizing the devices in a way that does not leave any residue and does not require the browser to save anything. That gives a much better chance of the device returning and being used. So if you take this additional information I just described and plant it inside your log, it can then do a lot of detection of different kinds of MOs, for example account takeover detection or an imposter of a device that is trying to come to the bank, and so forth. If I would be asked, I would suggest banks and credit unions look into a more complex way of doing device identification, embedding it in their logs, and then running risk rules and risk logic to identify what are the bad guys doing.
Device Identification and Log Analysis
KITTEN: And how do device identification and log analysis fit together or complement one another?
EISEN: They fit together in the way that data that is screened from the device and logged can then be used later on to find fraud MOs. Let me give some examples. If you don't ask the device that's coming to log in to the account what time zone it is configured in, you can't answer the question later. Let's just say it's placed in Kentucky, for example. Why is the time zone of the device in the middle of Russia? You see, banks that aren't capable or don't have the technology to do that would not even know that it's not the real user.
I'll give you another example. By adding this data into the logs, we can later on see that we have not only the real user's device pretending to come back, but we can see signals of an imposter. All these signals will be very difficult to do without the additional technology, without putting it into the log and making some analysis on it.
KITTEN: I'd like to ask a question about mobile, and mobile wasn't specifically noted in the FFIEC drafted guidance that's been circulating throughout the industry. How does mobile fit into the device identification fold? More institutions are rolling out mobile banking applications. Mobile will surely have an impact on how they launch and manage future fraud prevention and fraud protection measures. What are your thoughts?
EISEN: Again, one of the omissions is not going after MOs, which clearly would include the mobile channel. Everywhere we see that channel growing, and more and more users are attempting to use their financial information from mobile devices. I believe that at this point, it's beyond the category of just noise and something that may take off. I think it's something that will take off, and everybody who is managing risk for their institution has to take that into account.
There's also good news and bad news with mobile. The good news is it will increase reach into devices and people will probably have a better chance of using their financial accounts. It will give banks more opportunities to target and get apps for opportunities, because people will use the services more. The bad news is figuring out how to react with mobile devices and how to authenticate them. It's not their bigger brother in platforms, like Macs and PCs, and again you have to know what you're doing in order to secure that channel.
KITTEN: From your perspective, why have regulators deemed current device identification measures to be a weak point?
EISEN: As we said before, there are two different types of device identification, one of them that marks the device and the other one that doesn't. I think it's proven by now that all the original ways that mark devices are not useful, because crooks delete those cookies and those tags from their computers. In addition, with the regulations and moving to privacy, browsers are doing it on their own, even for good users. Those technologies do not give the value that they should be.
New types of technologies that are more complex in nature - and what I mean by complex is not complex to integrate, but complex in how they run and their efficacy - give better visibility to the bank, or prove actually on the other end, and those deterrents also include the mobile platform.
KITTEN: I'm going to go back and ask about some of these one-time cookies that the industry has historically used. According to the December draft of this guidance that has circulated, so-called simple device identification should be enhanced to include one-time cookies that offer a more complex digital fingerprint of a PC by looking at characteristics like PC configuration, internet protocol address and geolocation, which you've noted. How would you distinguish this more sophisticated device identification from the identification that many institutions continue to rely on today?
EISEN: There are a few ways to look at it. I'll give some examples. Most of the ways that simple cookies are used is by giving a unique number to a user. So, for example, you would be assigned the number 12345 for your computer. That number still doesn't tell me if you are a PC, Mac or a smart phone. That number doesn't tell me if your time, time zone and language configuration are in concert with the information I have of you as my customer. All the simple type of identification was trying to identify was a serial number or a unique number for the device. However, everything we do, and it goes beyond that into the complex world, allows for device intelligence and not just device identification. With the attack vectors that we see today, it's extremely difficult to fight it just by having long-time cookie fingerprinting. It's almost impossible to do.
KITTEN: That's a good point, and I wanted to ask about some of the recent breaches that we've seen. In light of these recent breaches, what role should or do merchants play here when it comes to understanding and complying with the FFIEC's call for device identification?
EISEN: Great question. As you know, there's always a triad of the consumer, the bank, who might be the issuer, and the merchant who might have an acquirer. Together they play a game of everybody needs to authenticate themselves to one another. A merchant could absolutely help by implementing these technologies in concert with what banks are trying to deploy, so they can realize that the very consumer that's right now on my website trying to buy with their card is the very same consumer who usually comes to the bank to check their balance.
KITTEN: And what about merchants' understanding and compliance with the FFIEC's guidance overall? Will they be expected to understand the guidance to better assist in the effort to curb ACH fraud?
EISEN: Unfortunately, I don't think so because the merchants are not governed by the FFIEC. I believe it would be a very good call to action in the industry to work together and recognize that instead of moving the fraud around, you will solve it as an industry. But to my knowledge, the FFIEC does not have any jurisdiction or enforcement over merchants.
KITTEN: That kind of ties into my next question. Fraudsters have increasingly been hitting these smaller businesses with ACH and wire fraud since 2009. What does this trend tell us about the need for stronger authentication and the need for more collaboration between banks and merchants when it comes to the fight against fraud?
EISEN: Merchants in this type of a question could be constructed two ways. I'll give you the answer to both. When the merchant is a web merchant, for example the poster child would be Amazon.com, there's so much they can do. And those things will only work when credit cards are used. However, if the merchant is Amazon and that is their banking relationship and they're moving the ACH, they need to be more adept and more willing to do whatever their financial institutions are asking them to do. Again, good news/bad news is most of the technologies we have talked about so far don't require users to do anything different, remember anything or install anything. It all works covertly. However, as we move into the future, it will be more and more difficult to detect fraud by simple means. We will need to have everybody in the equation involved in one way, shape or form.
KITTEN: How much onus do you expect regulators to put on banks and credit unions to ensure that they are adequately educating their customers, whether they be consumers or commercial customers?
EISEN: I believe it's always going to be a good part of the strategy to curb fraud. However, I personally do not believe that that will put a big dent in the problem. Unfortunately, when you are trying to educate millions of consumers, we can't expect all of them to do the right thing, and we can't expect all of them to become security experts. The good example I usually use is my own mother, who is an Internet user. I can't expect her to understand all the phishing terms and what does that look like, whether it's fake or not. She just wants to use it and not be worried about using it. I believe education is always good. I believe the regulators should ask for that. But we should also recognize there is a limit because today's attacks don't even try to ask the users to do anything; they're doing it with malware that's installed on their computer unbeknownst to them.
KITTEN: I'd like to ask a little bit about the implications of the FFIEC guidance and how it might impact credit unions and banks in different ways. Credit unions, of course, more often than not have more consumer customers than they do commercial customers. And banks of course have more of a mix of commercial and consumer. How will that impact the role that credit unions, for instance, have to play when it comes to complying with the FFIEC guidance, since most of it deals with commercial customer accounts?
EISEN: It's a great question. In general, we can absolutely make the segregation, and if you go higher up, even to Treasury accounts, you'll see that most of the more sophisticated crooks would go after those because they usually have a higher balance. However, we must also recognize that the use of mules is something that the bad guys are using, and the mules don't have any distinction between going to a retail bank or a credit union. In other words, the attack could start at any one of the big financial institutions, yet divert money into accounts in the credit union. For that reason alone, the entire financial industry should be, in addition to being regulated, in concert to fight this, otherwise we'll keep moving the fraud around from one bank to another, as opposed to moving it out of our financial system.
KITTEN: And what about vendors? What role should vendors play in understanding and complying with the new FFIEC guidelines once they're issued? Should they be required to help banks and credit unions work to comply with the guidance?
EISEN: Well that's an interesting question. I believe the role of vendors has to be, first, to educate. 41st Parameter, in our view, believes that the best consumers are educated. They're the best customers because they know what they're buying and what they're doing. I do believe vendors have a big role in educating and making sure people know what it is that they're supposed to do. The other thing they can do is help strategize with their customers because the minute any financial institution begins buying features and products without having a strategy, it usually doesn't lead to a solution that's either long lasting or actually checks the box. It's clearly easier said than done, because most vendors, especially with sales forces, would like to make sure that they sell their product. I totally understand that. But in order to comply with the FFIEC guidance, sometimes you need to sell something and sometimes you just need to be the trusted adviser. Vendors who can absolutely help in this guidance should be able to educate, help and bring the solution quickly so the banks are in check when the examiners come to town.
KITTEN: Before we close, what final thoughts would you like to leave our audience with, whether they relate to layered security, device identification, log analysis or just an overall view of the drafted guidance?
EISEN: I would say this. We live in an environment today where word of mouth and reputation are things that travel very quickly. If you are a bank and you go to conferences, or you have a few trusted advisers or a few risk managers that you usually consult with, talk to them. You will note that the top banks already, without even this guidance, have found ways to integrate the very same technology we speak about. And I would have reason to believe that some of the regulators have consulted with them to recognize what we should dictate or what we should put in the guidance so others can learn from what you've done. I believe if any financial institution wants to follow in their footsteps and see how they protect themselves - which would include their strategy, how they build their fortification, and what vendors and technology they use - that would be a good way to start the journey of deciding. What is really a fit for me? What is a fit for my budget? What is a fit for my department? Yet it will match the guidance and allow me to go through my examination.