Online Fraud: How Banking Institutions can Fight Back
In this exclusive interview, Steve Neville, Director of Identity Solutions at Entrust, discusses:
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is online fraud and I'm talking with Steve Neville, Director of Identity Solutions with Entrust. Steve, thanks so much for joining me today.
STEVE NEVILLE: My pleasure.
FIELD: Steve, could you describe for us the problem of online fraud, and specifically how it impacts banking institutions?
NEVILLE: Sure, yeah, from an online fraud perspective it takes on a lot of forms. At the end of the day, though, the net result is always about a loss of identity and that may be simply the loss of a user's identity, or it could actually go down to monetary losses. As an example, a leading analyst from Gartner stated that $3.2 billion was lost last year in 2007, which represented about 3.6 million adults that lost money to phishing attacks. From an increase perspective, that was almost double from 2006 for those users. So that's on the user side and the monetary loss side.
The other impact is always going to be brand. So, if you think about the value of a bank's brand, especially in today's world, it is of paramount importance, and the impact of negative occurrences on the brand can be many fold. They can obviously affect stock price, it can see users leave the name, it can see users that will take action by perhaps not leaving the bank, but going away from online banking, which means you are going to increase cost for the bank by these people going to the bricks and mortar branches.
And then finally, as you think about banks wanting to communicate with end users and offering new services, the fact that people are nervous means that the ability of the bank to add new services over time, which would effectively drive more revenue for them, is limited.
FIELD: Well, Steve, you set up the topic of online fraud nicely. What are some of the current fraud trends that you are seeing in the marketplace?
NEVILLE: Well, from a trend perspective it is really about more volume and more sophistication. So, when I say more volume, you think about from 2004 to 2007 effectively about a 120% increase in phishing attacks in that time period, according to Gartner. And the challenge is that they are more sophisticated than ever. So if you think back to 2004, if you would have gotten a phishing email, it was pretty clear that the person who was sending it was not, in my case, an English speaker, so you could tell that in fact that user was making grammatical mistakes. Today when you receive a phishing email, it is pretty tough to tell -- and I am in the security industry -- whether it is real or not, other than the fact that I shouldn't be getting an email like this from my bank.
The other sorts of trends are around malware and man-in-the-middle, so those are really, really dangerous types of attacks. Those are on the rise for the past year and effectively doubling in terms of attacks that are out there and in terms of a volume perspective. And then when you think about how these attacks are perpetrated, social engineering is taking a huge role now in the way these attacks are mounted. You think about an April attack back earlier this year, where the attackers found through public listings, likely, the lists of some top executives in banks, and they sent them subpoenas over email. That is something that would make anyone nervous, and where these people normally wouldn't have clicked on a phishing email, the fact that they were getting served a subpoena, which isn't real over email, a lot of people fell for it. And that's just one instance of it; it's not just about that.
Another interesting example is really around an attack over in Europe where social engineering took the form of someone getting an email saying that there was a nuclear disaster, click here to view the video, and when you couldn't view the video it said to install a codec, and you were then infected with malware. So, social engineering is huge, and that's a result of the fact that fraudsters are really very organized.
I mean, fraud fosters organizations in which each person has a role and a responsibility: you have builders, you have packagers, you have usability experts, very sophisticated botnets and command-and-control centers, and marketplaces selling all these usernames and passwords that get phished.
There are a lot of things out there that are from a trend perspective really, really quite sophisticated and alarming. I guess the last one I would say is that where people think of online fraud as being just that, cross-channel fraud is increasing in importance and in usage for all of these different types of attacks that are out there.
FIELD: Some scary stuff, Steve. What types of solutions do you see banking institutions starting to employ?
NEVILLE: That's a great question because it is quite different depending on where you are in the world. So, when you think about North America, we had FFIEC guidance that very firmly said you must put something stronger than username and password into play. The majority of banks in North America, especially specifically in the U.S., ended up going with things like questions and answers, sometimes using the concept of device authentication where I can tell whether it's your machine or not, and I can tell where you are from. In Europe, strong authentication was much more expected and deployed, and it continues to be that way, but there is overall, in Europe especially, a pretty definitive recognition that even strong authentication is not enough, and you can look at the recent attacks on one-time password tokens that, when deployed in isolation, are no longer enough to stop these fraud attacks.
There are some instances of banks that are putting more of this fraud detection, more than just authentication in place, specifically fraud detection, but very few organizations have effectively combined them to date. Traditionally, looking at their somewhat dated approach to fraud detection, which is batch mode, oftentimes coming days after in terms of catching it in combination with strong authentication.
FIELD: Let's talk about some of your banking customers Steve. I would be curious one, how they tackled online fraud, and I guess the second part of that would be how have their measures helped to safeguard customer information and at the same time ensure their regulatory compliance?
NEVILLE: Sure, yeah. I think the reality is that our customer base is pretty varied. Again, it's a lot to do with geography and regulations, so I will hit on both of those. So in North America, one of the largest banks in North America, U.S. Bank, went fraud first and they decided to go that way because they wanted to make sure they were going to catch all the fraud, and then they followed with adding authentication.
Literally dozens of customers of ours in South America went first with authentication, and that was primarily because of legislation or regulations that said they must have authentication in place at a specific time. The good news is they are going to be moving to fraud next.
You look at Europe as an example of having already deployed strong authentication, in some cases for regulation and in other cases just to protect online user identities, and looking to evolve to deploying fraud detection next. And I think that it's pretty important that these organizations that have seen fraud detection and the benefits of it are more and more committed to it.
I'll give you an example: A recent customer of ours caught a fraud attack in progress where there was someone coming in from Fallujah and rapidly logging in and logging out, and by the time they completely shut down the user in just under an hour, had logged in to over 500 accounts, and all they were doing was really reconnaissance. They were checking to see whether these were valid usernames and passwords, which they had picked up on some marketplace. And the fact that this customer had fraud detection in place that was real-time versus the batch mode of the past allowed them to very quickly stop access to those accounts, continue to monitor for other account access and ensure that no damage was done.
From a regulation perspective this was important, and obviously from a customer protection perspective very, very important because no damage was done to these accounts, and the users were all reset, they incurred no loss to the bank and no losses to the end users and in fact, the banking organization reached out to these bank affected accounts as part of resetting their accounts and told them we caught someone going in, and so these end users would feel very good about that.
FIELD: That's encouraging. Now you said that there are a lot of organizations and banking institutions that are really just starting to marshal their forces to tackle this seriously. What advice do you give to these institutions that are sort of just getting together to take this on, I guess a "full offensive"?
NEVILLE: Yeah, and I think while the reality is they have all done something to date, so I don't want to take that away. I mean, banks are experts at security, and they are experts at trying to mitigate risk, and this is really about an evolution.
When they are looking at evolving, and really as you stated sort of taking online fraud on full force, the biggest recommendation I can give is that they should look at a vendor that can provide a complete solution. And what I mean by a complete solution is someone that can provide a range of authentication options. It is no longer acceptable to just be able to say I have one type of authentication.
You have a mixed community of users inside banking organizations, mixed levels of risk, and one size really does not fit all. As old as that colloquialism is, it is a reality inside banks, and so it is important that they have that option to choose from a range, and that range should be something that can evolve from today and into the future and easily add more.
The second is that from a complete solution angle they should be thinking about a fraud detection approach that doesn't require modification of the application. And being able to monitor all of those applications in real time without ever modifying or requiring changes to those applications will drive down costs and, of course, increase effectiveness because as I look at these applications and I learn about new types of fraud, I can easily address watching for new types of fraud because I don't have to change those applications. Compared to some of the traditional approaches to fraud detection, that is critical.
And finally, from a solution perspective, look for something that can go cross-channel, and that is important for both authentication as well as fraud detection. So when you think about the modern way of looking at the world for, say, your IVR system, your call center, support system, your online banking, even your ATMs over time, they are all leveraging common channels for communication, typically HTTP or HTTPS. Regardless, you need to be looking at something that can go cross-channel.
And then finally, and this is probably fairly logical, but in a world of innovation that is happening today, which is great news for financial organizations, they should be looking for a solid vendor that is stable, that has of course the complete solution, and that it is someone who is focused on providing strong authentication and fraud detection in a singular way, or from a security perspective. The risk of smaller organizations, of course, is of being acquired, or they simply go away, and then as larger organizations do the acquiring, the risk is always the suffering of innovation that can happen as a smaller organization is encapsulated into a larger stock player if you will.
FIELD: Steve, that's great advice. I really appreciate you taking time to share your insights on fraud today.
NEVILLE: My pleasure, and thanks for having me.
FIELD: We've been talking with Steve Neville, Director of Identity Solutions with Entrust. For Information Security Media Group, I'm Tom Field. Thank you very much.