IronKey introduced an integrated platform of multiple security controls to combat cyber-criminals increasingly targeting business bank accounts to steal money.

Criminals are becoming increasingly sophisticated and using a wide range of tactics
to steal money from financial institutions, forcing banks to fight back with
more layers of security.

To help financial institutions keep up with attackers' evolving tactics, IronKey
unveiled a multilayered online banking security platform that allows IT
departments to roll out different levels of security for various customer
segments, the company said Sept. 7.

Instead of IT departments investing in different tools to provide varying levels of
security controls for business customers and consumers, the IronKey Trusted
Access Platform will help banks roll out a mix of controls, such as a secure
browser, out-of-band authentication, smartphone applications, secured portable
devices and data analytics, Kevin Bocek, director of product marketing at
IronKey, told eWEEK.

Cyber-crime has been around a while, but attackers have started zeroing in on bank customers
with phishing attacks only within the last 10 years, according to Dave Jevans,
chairman of IronKey and the Anti-Phishing Working Group. Financial institutions
are scrambling to ensure their systems are secure and that they don't become
the next data breach victim.

"Attackers are moving faster than banks," said Jevans. For example, banks started
putting customer information into cookies to help authenticate users, but now there
are ways to steal cookies from the victim's machine. As a result, the use of
cookies isn't as effective anymore.

Attackers also have the luxury of switching targets. If they can't break into the
financial institution's networks or
trick the employees, they will take the "path of least
resistance" and simply target the customers through spam and phishing emails,
he said.

Attackers have shifted from targeting random users at a financial institution to going
after individuals with corporate accounts, the ones with authority to transfer
funds, Jevans said. It's no longer just about credit card numbers or PayPal
accounts, according to Jevans. Cyber-criminals are interested
in targeted attacks, and it's an "inevitable next step" that the
next victims will be individuals with millions in assets, people with control
over various accounts, such as traders.

A "whole generation" of crimeware kits has evolved rapidly over the past 18 months,
Jevans said, as malware
developers roll out monthly updates to the development toolkit and sell extra
add-ons to the software. Many of the developers are professional malware
writers, and in many countries, it's not illegal to develop this kind of
software, Jevans said. Using it is against the law, of course.

Security is all about risk assessment, and security managers are "thinking, 'What's
the right level of security for my customers?'" Bocek said. Larger banks
may want to define more customer segments, based on the size of assets or even
by region, while smaller institutions may just have two segments, he said.
Regardless, attackers are going after financial institutions of all sizes, so
it was important to consider multilayered approaches to security, according to
Bocek.

With the Trusted Access Platform, banks dramatically reduce the risk of online fraud
and simplify compliance with the recent guidance from the Federal Financial
Institutions Examination Council (FFIEC), Bocek said.

IronKey released a secure browser in Trusted Access for laptops and desktops. The
software is the same as the one that runs on IronKey's portable device that
customers use to access accounts securely. The bank understands that if the
portable device is accessing the account, then the user is actually performing
the authentication and not some malware that compromised the user's account.

The same level of confidence applies for users using the secure browser on the PC
for online banking, Bocek said. There is no worry about keyloggers because
nothing can be saved or downloaded onto the device and the browser software.

Jevans discussed cyber-crime and how it has evolved at a Financial Services
Information Sharing and Analysis Center (FS-ISAC) Webinar on Sept. 7.

A recent FS-ISAC survey of commercial account takeover attempts and losses for
2009 and the first half of 2010 found that total exposure dropped from over $15
million in 2009 to a little under $10.5 million in the first half of 2010.
While there were more account takeover attempts in the first half of 2010 than
in the full year of 2009, FS-ISAC found that 36 percent of the transactions
were stopped before the money left the bank in the first half of 2010, compared
with just 20 percent in 2009. Only 27 percent of the transactions managed to
successfully transfer money out in the first half of 2010, compared with 63
percent in 2009. A later report will capture data for all of 2010, according to
FS-ISAC.

The statistics indicate that "financial institutions are doing a better job of
stopping transactions from being created and from leaving the financial
institution," said Bill Nelson, president and CEO of FS-ISAC.