Criminals are becoming more sophisticated and using a wide range of tactics to steal money from financial institutions, forcing banks to fight back with more layers of security.
To help financial institutions keep up with attackers’ evolving tactics, IronKey unveiled a multilayered online banking security platform that allows IT departments to roll out different levels of security for various customer segments, the company said Sept. 7.
Instead of IT departments investing in different tools to provide varying levels of security controls for business customers and consumers, the IronKey Trusted Access Platform will help banks roll out a mix of controls, such as a secure browser, out-of-band authentication, smartphone applications, secured portable devices and data analytics, Kevin Bocek, director of product marketing at IronKey, told eWEEK.
Cyber-crime has been around awhile, but attackers have started zeroing in on bank customers with phishing attacks only within the last 10 years, according to Dave Jevans, chairman of IronKey and the Anti-Phishing Working Group. Financial institutions are scrambling to ensure their systems are secure and that they don’t become the next data breach victim.
“Attackers are moving faster than banks,” said Jevans. For example, banks started putting customer information into cookies to help authenticate users, but now there are ways to steal cookies from the victim’s machine. As a result, the use of cookies isn’t as effective anymore.
Attackers also have the luxury of switching targets. If they can’t break into the financial institution’s networks or trick the employees, they will take the “path of least resistance” and simply target the customers through spam and phishing emails, he said.
Attackers have shifted from targeting random users at a financial institution to going after individuals with corporate accounts, the ones with authority to transfer funds, Jevans said. It’s no longer just about credit card numbers or PayPal accounts, according to Jevans. Cyber-criminals are interested in targeted attacks, and it’s an “inevitable next step” that the next victims will be individuals with millions in assets, people with control over various accounts, such as traders.
A “whole generation” of crimeware kits has evolved rapidly over the past 18 months, Jevans said, as malware developers roll out monthly updates to the development toolkit and sell extra add-ons to the software. Many of the developers are professional malware writers, and in many countries, it’s not illegal to develop this kind of software, Jevans said. Using it is against the law, of course.
Security is all about risk assessment, and security managers are “thinking, ‘What’s the right level of security for my customers?’” Bocek said. Larger banks may want to define more customer segments, based on the size of assets or even by region, while smaller institutions may just have two segments, he said. Regardless, attackers are going after financial institutions of all sizes, so it was important to consider multilayered approaches to security, according to Bocek.
With the Trusted Access Platform, banks dramatically reduce the risk of online fraud and simplify compliance with the recent guidance from the Federal Financial Institutions Examination Council (FFIEC), Bocek said.
IronKey released a secure browser in Trusted Access for laptops and desktops. The software is the same as the one that runs on IronKey’s portable device that customers use to access accounts securely. The bank understands that if the portable device is accessing the account, then the user is actually performing the authentication and not some malware that compromised the user’s account.
The same level of confidence applies for users using the secure browser on the PC for online banking, Bocek said. There is no worry about keyloggers because nothing can be saved or downloaded onto the device and the browser software.
Jevans discussed cyber-crime and how it has evolved at a Financial Services Information Sharing and Analysis Center (FS-ISAC) Webinar on Sept. 7.
A recent FS-ISAC survey of commercial account takeover attempts and losses for 2009 and the first half of 2010 found that total exposure dropped from over $15 million in 2009 to a little under $10.5 million in the first half of 2010. While there were more account takeover attempts in the first half of 2010 than in the full year of 2009, FS-ISAC found that 36 percent of the transactions were stopped before the money left the bank in the first half of 2010, compared with just 20 percent in 2009. Only 27 percent of the transactions managed to successfully transfer money out in the first half of 2010, compared with 63 percent in 2009. A later report will capture data for all of 2010, according to FS-ISAC.
The statistics indicate that “financial institutions are doing a better job of stopping transactions from being created and from leaving the financial institution,” said Bill Nelson, president and CEO of FS-ISAC.