The recent surge in online banking fraud and unauthorized Automated Clearing House (ACH) transfers has led to an astounding $100 million in attempted losses from small and midsize businesses so far this year, according to the FBI. SearchFinancialSecurity recently met with Avivah Litan, a vice president and distinguished analyst at Gartner Inc., to get her thoughts on the alarming trend and some insight into how banks can protect their customers' accounts. Litan is an expert in financial fraud, authentication, identity theft, and fraud detection and prevention technology.
What's most alarming about the attacks on online banking and how are banks responding?
Avivah Litan: First, it's very real. There's not a single bank I've talked to in the last few months that hasn't seen this fraud. You read about it in the news but when hearing about it from the banks, I realize how pervasive it is.
The second thing is the banks that don't have solutions in place are really caught off guard. You can't just whip solutions into place. So they're really kind of stuck doing manual reviews on almost all their wire transfers, if they're a small institution. Obviously, large institutions can't review all their wire transfers manually, and they generally have some solutions in place. It's more the small and midsize banks that are caught off guard.
Some of the big banks are caught off guard too, but it's easier for them to change the system to automate the fraud detection and whittle down the number of manual reviews they do. It's not a crisis in the sense that the crooks are going to raid bank accounts and the banks can't do anything. Once banks get hit by this, they do take measures -- some are manual, some are automated. …
What this [fraud surge] shows is that there is no end to criminal ingenuity. They are definitely beating common security controls, like one-time password tokens. … Another thing that these attacks have taught us is anything going through the browser is suspect. You can't rely on anything coming through a user's browser, whether it's a login credential, strong authentication, or transaction values -- everything can be altered and intercepted.
What are some best practices for protecting customer accounts?
Litan: The banks really need to step up their defenses and use more sophisticated fraud detection that looks at the behavior of the transaction from login until logout. So it's not just looking at the values in the transaction, but also the behavior. If you're monitoring the transaction velocity -- the time to fill out a payment page or the time to load a webpage -- you're looking at response times and data entry times, and you can pretty much tell if it's a botnet or a human being. That's effective among the banks using that technology. They have been able to stop these attacks by monitoring the velocity of the transaction.
Also, there are fraud detection solutions that look at the value -- what's entered into the payment request. They're effective, but wire transfer data is very unstructured, so the crooks generally put the criminal activity in the comments field. You basically have to be able to parse the text in a good fraud detection system, but that can be done too. None of these fraud detection systems are perfect, but if you put a few of them in place, they can catch most of it and they can at least flag suspect transactions for manual review so that it doesn't inconvenience too many customers -- they keep the false positives down.
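To make the velocity idea in Litan's answer concrete, here is an added example (written for this page, not code from Gartner, Litan or any bank's fraud system) that scores a payment session from its event timings. It takes a session as a list of (event, seconds-since-login) pairs and flags three scripted-entry signals: the payment page was submitted faster than a person could fill it, a field was completed faster than a person could move to the next one, or the gaps between fields are almost identical (a paced script). The sessions and all thresholds are constructed assumptions for illustration; a real deployment would tune them from the bank's own traffic.

```python
from statistics import mean, pstdev

# Thresholds are assumptions for this example, not figures from the interview.
MIN_FILL_SECONDS = 5.0        # a person needs at least this long to fill a payment page
MIN_FIELD_GAP_SECONDS = 0.5   # a person can't finish one field and start the next faster
MAX_GAP_CV = 0.15             # coefficient of variation below this => metronomic, scripted entry

# Constructed sample sessions: (event, seconds since login), login through submit.
HUMAN_SESSION = [
    ("login", 0.0), ("page_load", 2.1), ("field:amount", 9.4),
    ("field:beneficiary", 21.7), ("field:reference", 30.1),
    ("field:comments", 38.2), ("submit", 52.9),
]
# Malware filling the whole page in well under a second.
BOT_SESSION = [
    ("login", 0.0), ("page_load", 0.3), ("field:amount", 0.4),
    ("field:beneficiary", 0.5), ("field:reference", 0.6),
    ("field:comments", 0.7), ("submit", 0.8),
]
# A script that paces itself to look slow: fill time is plausible, but every gap is identical.
PACED_BOT_SESSION = [
    ("login", 0.0), ("page_load", 1.0), ("field:amount", 4.0),
    ("field:beneficiary", 7.0), ("field:reference", 10.0),
    ("field:comments", 13.0), ("submit", 16.0),
]


def session_velocity(events):
    """Return (seconds from page load to submit, gaps between field entries).

    Returns (None, []) when the session never reached the payment page or never
    submitted it, so an abandoned session is not mistaken for a bot.
    """
    times = {name: t for name, t in events}
    if "page_load" not in times or "submit" not in times:
        return None, []
    field_times = sorted(t for name, t in events if name.startswith("field:"))
    gaps = [later - earlier for earlier, later in zip(field_times, field_times[1:])]
    return times["submit"] - times["page_load"], gaps


def score_session(events):
    """Return the list of velocity signals that look scripted; an empty list is human-like."""
    fill_seconds, gaps = session_velocity(events)
    if fill_seconds is None:
        return ["incomplete_session"]
    reasons = []
    if fill_seconds < MIN_FILL_SECONDS:
        reasons.append(f"form_filled_in_{fill_seconds:.1f}s")
    if gaps and min(gaps) < MIN_FIELD_GAP_SECONDS:
        reasons.append("field_gap_below_human_floor")
    if len(gaps) >= 3:  # need a few gaps before uniformity means anything
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        if cv < MAX_GAP_CV:
            reasons.append(f"uniform_field_timing_cv_{cv:.2f}")
    return reasons


def classify(events):
    """Map a session to 'human', 'bot' or 'incomplete' for routing to manual review."""
    reasons = score_session(events)
    if reasons == ["incomplete_session"]:
        return "incomplete"
    return "bot" if reasons else "human"


if __name__ == "__main__":
    for label, session in (("human", HUMAN_SESSION), ("bot", BOT_SESSION),
                           ("paced bot", PACED_BOT_SESSION)):
        print(f"{label:10s} -> {classify(session):10s} {score_session(session)}")
```

The paced session is the case worth noticing: a fill-time floor alone passes it, and only the uniformity of the field gaps gives it away, which is why Litan's point about watching data-entry timing rather than just transaction values matters. In production the velocity score would be one input among several (value checks, beneficiary history, device signals), with only high-scoring sessions diverted to manual review to keep false positives down.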
What role does out-of-band authentication play?
Litan: It plays a big role if the calls aren't forwarded. Crooks have figured out how to forward phone calls to them. They've been calling the phone carriers, and saying 'I'm leaving town or my phone broke in the house, can you forward all the calls to this number?' They'll give them a cell number and the phone carriers aren't vetting the identity of the caller properly. Authentify, which a lot of companies use for their out-of-band authentication, can stop call forwarding in the U.S. That inconveniences people who use call forwarding but those people just have to call into the bank.
What about token-based authentication as a defense against these attacks?
Litan: It's a big wake-up call that any kind of authentication going through the browser can be compromised and also transactions going through the browser can be compromised. The crooks basically can override the transactions that the user and banks see. Let's say the user wants to move $10,000 to account A; they [criminals] can move it to account B by the time it gets to the bank.
The other thing they can do: If you log in with a one-time password, they can capture those passwords. You enter it [the password], they tell you it's invalid, then say the bank service is unavailable and won't let you log in. Then they'll go log in separately with the one-time password they just captured. Or they let you log in with your one-time password from the token, but change the transaction values that get submitted. … I strongly believe you should have a strong authentication factor but you have to realize it can be broken.
What do you think of the Financial Services Information Sharing and Analysis Center's recommendation that banking customers use a locked down PC with no access to the Internet?
Litan: The most practical step is for the banks to put the right defenses in. The banks that have put the right defenses in have beaten these attacks. They've gotten attacked and criminals haven't gotten away with it. You can solve this with the right technology, processes and policies. When I talked to the FDIC in September about the rise in online banking fraud, the agency recommended that banks educate their customers about security.
What role do you think customer education plays in fending off this online fraud?
Litan: It's a little like saying if a customer comes into the branch and we happen to have a robber there that's going to conk them on the head and steal money, it's their fault. The banks are opening their doors through online banking -- they need to protect that channel.
I'm not a big believer in customer education because I think this is beyond what customers can do. They're running the latest antivirus, the latest firewalls; what else can they do? I think the regulators are really deficient here. They haven't kept up with FFIEC guidance. The FFIEC says you have to put controls in commensurate with the risk. They haven't been examining banks from that angle. They didn't detect this risk to business banking, and even after it came out they should have gone around to banks and said, 'You're not protecting against this risk.' That's one area where they're deficient.
Another area where they're deficient is they don't have any regulations protecting business accounts. They have Regulation E for consumer accounts, but there's no similar regulation for business accounts. I don't think most small businesses are aware that if someone raids their account, the bank doesn't have to pay them back. … Regulators are trying to get their hands around the credit crisis, but that doesn't mean they should ignore the fraud problem.
What kind of threats might be ahead?
Litan: I think the phone systems will start getting compromised because there is going to be more use of mobile browsers. They're already being compromised with the call forwarding [by criminals]. We'll see more attacks against businesses and government agencies as opposed to banks. Another way for them to get money out is to go into an accounts payable system and change the beneficiary amount and create fake payments. That will probably pick up.