How are banking institutions reducing losses linked to account takeover incidents? Bill Nelson of the FS-ISAC describes new approaches institutions are taking to address this lingering fraud problem.
Customer education continues to be a priority for banking institutions. But other fraud prevention steps, such as transaction anomaly detection, manual review of wire transfers and blocking access to compromised accounts, are attracting more interest and investment dollars, says Nelson, president and CEO of the Financial Services Sharing and Analysis Center, in an interview with Information Security Media Group [transcript below].
"The attempts are up," Nelson says, and not just in the U.S. "We've met with some European financial institutions, and their fraud is way up from account takeover, the number of attacks. We've seen it in Asia and Japan, and we're seeing it in the U.S., so it's not like it's unique to the U.S."
But recently released survey results from the FS-ISAC show U.S. institutions have made significant strides toward reducing losses associated with account takeover incidents, Nelson adds. "Financial institutions are really doing a good job and have the ability now that maybe they didn't have a few years ago to detect, prevent and really respond to these attacks," he says.
Customer education remains a leading investment, but other defensive measures, such as manual reviews of ACH and wire transactions that exceed specific dollar amounts also are being used more often. And in the wake of recent distributed-denial-of-service attacks, which can be used to distract banks during account takeover attempts, institutions realize investments in new detection techniques are critical, he says.
During this interview, Nelson discusses:
- The increasing role anomaly detection plays in detecting DDoS attacks and preventing fraud;
- How financial institutions are addressing customer education campaigns;
- The role information sharing, across industries and sectors, will continue to play in the fight against fraud.
Before joining the FS-ISAC, a non-profit association dedicated to protecting financial services firms from physical and cyberattacks, Nelson was elected vice chairman of the ISAC Council, a group dedicated to sharing critical infrastructure information. From 1988 to 2006, he served as executive vice president of NACHA - The Electronic Payments Association. While at NACHA, Nelson oversaw the development of the ACH network into one of the largest electronic payment systems in the world, processing nearly 14 billion payments in 2005. He also oversaw NACHA's rule-making, marketing, rules enforcement, education and government relations programs. Prior to joining NACHA, Nelson held several treasury management and lending positions within the banking industry.
Responding to DDoS Attacks
TRACY KITTEN: How are banking institutions responding to concerns about DDoS attacks being connected to fraud?
BILL NELSON: If I look backwards, at 2009 to 2010, we really saw a big uptick in account takeover, particularly spear-phishing attacks against businesses and financial institutions of all sizes and their customers. In 2011, the trend started to see a lot of DDoS attacks by hacktivist groups, mostly like Anonymous, and their objective is a little different. It's really to disrupt operation of the online banking channel. In late 2011 and throughout 2012, we saw a lot of these DDoS attacks, but this time not from Anonymous, but from cybercriminals who have used it to disguise their account takeover attacks.
KITTEN: Some of these attacks are waged by hacktivist groups for political and social reasons, while others are waged by criminal groups to perpetrate fraud. How are banking institutions balancing the two?
NELSON: I don't know if you really need to balance them, because I think the purpose and the motivation behind the attacks are probably irrelevant. They're basically the same type of attack. The mitigation services that you use, the techniques you might use to mitigate that DDoS attack, are going to be the same whether it's a hacktivist or a criminal group. The difference is that with the criminal attack, you really need to be aware that some of your customers may be affected. It's important to do some anomaly detection and be able to detect some of the activity that's going on that may be criminal-related.
Balancing Public Relations, Information Sharing
KITTEN: How can banking institutions balance public relations and information sharing without revealing too much information that can be used by some of these attackers against them?
NELSON: We really have to be careful, because we don't want to have too much information available for the attackers to help their business case for the next round. They may decide that there are some new techniques that they could use to circumvent some of the measures that we're employing in the industry to combat these attacks. In terms of public relations, it's really a decision for each firm in whether to use public relations and go out to the press versus direct communications with the customers. You can do both; you can do just one. It certainly makes sense to do direct communications with your customers. That way, nothing gets distorted. I'm not saying that all the press has distorted the press releases that the financial institutions may issue, but these are facts than without any particular angle or other type of agenda that might be going on. You can get right to your customers and tell them the facts as you know them, and certainly lay out what their options are.
KITTEN: Will addressing DDoS be a priority throughout this year?
NELSON: DDoS attacks present a number of issues, and they're really a priority not just for banks, but Internet service providers, other sectors, government and law enforcement. Look back at the DDoS attacks from the hacktivist groups like Anonymous. After the FBI made some very high-profile arrests about a year and a half ago, we saw a big decline in the hacktivist-type attacks. Making this a priority within government is also very important.
State of Account Takeover Fraud
KITTEN: The FS-ISAC has just released an update about commercial account takeover fraud, based on data collected from 100 U.S. financial-services firms from 2009 through the first half of 2012. What can you tell us about the state of account takeover fraud?
NELSON: The attempts are up. We've seen that around the world. We've met with some European financial institutions and their fraud is way up from account takeover, the number of attacks. We've seen it in Asia and Japan, and we're seeing it in the U.S., so it's not like it's unique to the U.S. But based on the survey results, the good news is the financial institutions are really doing a good job and have the ability now that maybe they didn't have a few years ago to detect, prevent and really respond to these attacks. That has gotten much better.
KITTEN: The majority of these account takeover incidents involved wire fraud, based on this most recent results survey that you put out. How did ACH and check fraud compare?
NELSON: The majority is wire, but if you compare that to previous years, we have a number of different ways to measure it, where commercial account takeovers and monetary transactions were created, and were sent out of the financial institution. If you look at wire back in 2011, that accounted for about 91 percent of those account takeovers. The transactions were created and sent out of the FI. In the latest survey, it accounts for 82 percent, where ACH in 2011 was nine percent, and that's up to 14 percent.
Other mechanisms really didn't count for much of anything in 2011, things like checks, etc., but that accounted for four percent in the first half of 2012.
Another interesting category is when there are actual losses by the financial institution. Losses to the financial institution from wire transactions have actually decreased, from 73 percent of total loss in 2011 to 39 percent in the first half of 2012. At the same time, losses from ACH have increased, from 27 percent to 52 percent. Another big increase came from losses due to other transactions, such as check issuance, and that increased from 0 percent to 9 percent. We've seen the numbers growing a little bit in terms of the actual transactions leaving the bank, but where losses are actually occurring to the FI [financial institution], there are more losses now from ACH than there are from wire.
KITTEN: During the first half of 2012, 65 percent of account takeovers did not actually involve monetary transactions. What did they involve?
NELSON: That means that the transaction did not leave the financial institution. If you look back to 2009, 70 percent of account takeovers actually left the financial institution and resulted in a loss. That's down to 9 percent today. Twenty-six percent today actually have left the financial institution, where monetary transactions were created but were stopped prior to the funds leaving the bank. Nine percent of the 65 percent were no monetary transactions were generated. That means the account takeovers started, but the banks, because of their different risk mitigation methods that they've employed, have been able to detect it and prevent it from leaving. There was an attempt to create the monetary transaction, but it wasn't successful. That's a huge change from 2009, going from 6 percent to 65 percent. That's a big improvement on the procedures that banks are using.
Detection, Prevention Investments
KITTEN: What types of investments have you seen banking institutions making to improve their detection and prevention mechanisms?
NELSON: In terms of the types of methods that the banks have employed, there are a number of different ones and the survey actually came back and asked which ones were actually effective. Customer education, which is recommended, was number one; telling your customers what to look out for, not to click on those links and making sure your antivirus is updated, etc. For business customers, [it was] making sure they have better use of different tools that the bank employed.
Then another effective tool, in terms of reducing losses, according to the survey, is actually shutting down the customer's online access once the anomalous activity is detected. If you see some anomalous activity within the bank, actually shut down that particular customer's access to the online system. Another thing that's fairly popular is manual review of ACH or wire transactions above a specific dollar amount. That's more common in wire because of the batch nature of ACH. You're not really going to look at individual ACH transactions. That may explain why they've been able to stop a lot of these wires, too. The other two categories in the top five are analysis of customer log-in characteristics and patterns - rated number four - and the fifth most popular tool in reducing account takeover fraud is actually interrogation of the customer session to detect anomalous traffic.
Improving Technology, Customer Education
KITTEN: What areas still need to have improvement, where technology and customer education are concerned?
NELSON: One area to consider, that I think has been very effective, is the use of either a dedicated computer for commercial online transactions or using a separate browser. There are a number of vendors out there that really didn't exist in 2008 and 2009 when a lot of this got started, but you can actually have a secure browsing experience in creating a transaction, even if your computer is infected. You're using a product that diverts it to a secure browser, so you're not impacted by the Trojan that might be on your computer or your network. The reason I bring that up is some customers may be reluctant to embrace that, but I think if you do it, I'm not saying it's absolutely full-proof but it certainly raises the bar for the cyber criminal to get around that. In fact, with a dedicated computer, we don't allow e-mail or other types of web browsing. I don't know of any case where that has been circumvented.
FFIEC Authentication Guidance
KITTEN: That goes back to some of the layers of detection and layers of security that the FFIEC has recommended. How has conformance with the FFIEC's updated authentication guidance actually improved banking institutions' response to account takeover fraud?
NELSON: I don't have any direct data to support this argument, but I think anecdotally it has been effective and it's really raised awareness among institutions that are regulated by the FFIEC. But even the state banking authorities have gotten involved and recently they produced a document that state-regulated institutions were starting to implement. It's a series of recommendations that they have now, guidance, because of that raised awareness and we're really seeing it across the whole industry that people are going out and taking security and online banking transactions seriously.
Focus on Risk Assessments
KITTEN: Where would you say, up to this point, banking institutions have focused most of their attention? Has it been on risk assessment, customer education or technology?
NELSON: I think they've focused on technology in the past. It's really not a technology-alone type of problem. I know most financial institutions conduct customer seminars and webinars. But I think risk assessment is also important, and that's part of the FFIEC guidance and what the state banking regulators have done too.
I'm different. I may be a small bank, a community bank. I'm not the same as a large money-center bank, and I have different types of products and services. My customers are different. The tools that I need to implement may be a lot different. They may be in some cases simpler to implement and in some cases more difficult, and they may need to use a third-party service provider to help them through that. But we're seeing more focus in the future on risk assessment.
Investments in 2013
KITTEN: What types of investments do you expect to see financial institutions making in 2013?
NELSON: We'll see more investments in tools like anomaly detection and multifactor authentication. Other types of tools that will actually help the customer verify the transactions are ones that they have originated or sent. As we go forward, there needs to be more investment in securing your own network too as a financial institution, not just your customers that are impacted. We've seen an uptick in the number of attacks directed at the financial institutions themselves. You have to make sure that your people are educated, not just your customers, and that you have a secure network and system that can hopefully make it difficult to be compromised.
KITTEN: What final thoughts would you like to share about fraud trends and the steps institutions are taking to address them?
NELSON: We're going to see a continued escalation in the sophistication of the types of attacks that occur, but also more combinations like we've seen in the last year, with the DDoS combined with account takeover fraud. We may see more of that type of collaboration between different types of tools that the cyber criminals may use, or political hacktivists. That's really what the future is in terms of the threats that we have.
In terms of how institutions can address them, clearly [it's] sharing of information. Our middle name is "information sharing," but FS-ISAC is a non-profit organization. We're dedicated to sharing information to protect the financial services sector. Part of that is also sharing with government and other sectors. What we're seeing from government can also be helpful in terms of the threat indicators. The types of attacks they're seeing may actually be a precursor to what we're going to see in the banking industry, or vice-versa. Sharing of information, really having somebody to turn to for help if you're attacked, is helpful. As people share their information about attacks they've seen, it really helps the next guy that may be attacked tomorrow.