Malware and email authentication in financial services

Malware and email authentication are major topics in financial services security. In this video, Paul Smocer discusses the threats and mitigation options.

About the author:
Paul Smocer is the vice president of security at BITS, a division of the Financial Services Roundtable.

Read the full text transcript from this video below. Please note the full transcript is for reference only and may include limited inaccuracies. To suggest a transcript correction, contact   

Malware and email authentication for financial services

Marcia Savage: Hi. I'm Marcia Savage with
I'm here today with Paul Smocer. He's the Vice President of Security at BITS,
a division of the Financial Services Roundtable. Thanks so much for
joining us today, Paul.

Paul Smocer: Marcia, it's always a pleasure.

Marcia Savage: Malware like the Zeus Trojan is a big problem for banks
obviously. What can they do to help protect their customers from this type
of malware?

Paul Smocer: Well, I think we're doing a number of things across a
number of different venues in that space. There's certainly an educational
component, and we've been working with both our member financial
institutions to kind of create a better educational campaign in that space, to
tell their customers the things they should and shouldn't be doing,
particularly with the devices that they're using to do their banking on. And
part of that gets in malware in and of itself as an issue, how that malware
got to the customer is an issue as well, so a lot of the work we're doing
around e-mail authentication kind of comes into play there as well.

We're certainly working with law enforcement. We've always partnered
with them, and we will continue to partner with them as institutions
and as an association both to help them deal with the issue, help
them discover where things are, share information with them, et cetera.
But you know the reality is that the malware has become very sophisticated,
practically speaking in the last few months. Now institutions are doing a
lot of things internally as well, like beefing up their fraud detection software,
so the issue of "was this transaction out of the normal bounds of what this
customer typically did, out of the normal bounds geographically, economically,
et cetera" to try and react to those kinds of things and catch them. So, it is an
issue, the kind of cyber fraud, cyber criminal is always a step kind of process.
We get better, they get better. We get better, they get better, and this one is
probably the most public step in that process.

Marcia Savage: Now you mentioned e-mail authentication. Can you talk a
little bit more about how that can help banks fight the phishing problem?

Paul Smocer: When we first got into the idea of e-mail authentication it was
mainly because of the phishing issue, and it was back in the days, it was
a few years ago, so it was back in the days where phishing was a problem,
but not nearly as sophisticated as it is today but still, financial institutions
were worried about their reputation when it appeared to someone receiving
an e-mail that came from a financial institution when really it didn't. People
were concerned about what were then the unsophisticated kind of attacks
of "give us your - we need to have your user ID and password" where a
certain percentage of people believe it came from a legitimate place and
they'd give up that kind of information. So we started looking at the whole
area of e-mail authentication. How can we validate that e-mail as, in fact,
coming from who it purports to come from and in the end when you receive
it you know that it legitimately came from that organization.

So we're looking at a lot of protocols at that time. We worked with our
members around what were the latest kinds of technologies to authenticate
email, and we came out with a recommendations paper about three years
or so ago. As we've been helping our members work through those
recommendations, we've done some additional work around implementation
guidelines. We're doing some work now actually with the financial services
information sharing and analysis center, around trying to operationalize
and processes so the financial institutions can move more quickly and so
that ISPs and email service providers can actually link in as well and get the
authentication rules that the FIs want to use and try and kind of facilitate that
sharing process in a trusted way.

When we think about e-mail today there's still the phishing problem,
but as I said, it's certainly gotten much more sophisticated and we
saw just general phishing, the old badly-spelled, poorly-grammatically
written emails, moving to a much higher level of sophistication, both in
terms of content, but more importantly in terms of how those emails,
those phishing emails were targeting certain classes of individuals,
what they were delivering in their payload. So, while malware doesn't
all come from emails that are inappropriate, a lot of the malware that
people end up downloading is either because it's in an attachment to
one of those emails or the e-mail is asking you to go to a link where the
link downloads the malware. So when we were talking about malware,
we think of e-mail as somewhat a root cause issue, so it's really important
for us to clean it up, and then even more broadly, our financial institutions
would like to be able to use e-mail more effectively.

We have this dichotomy of we spent years educating folks on what to be
cautious of when they open emails, and yet a lot of those same kind of
things we caution them about are things that ultimately we would like to
do. So we can send a customer an alert that tells them that there is
something, that some activity that's occurred on their account, but then
the ability to then follow through with, "If you have a concern about this
link here" if you think about it, that's the same kind of thing a phishing
e-mail tends to do. So, it's a hard balance to strike to be able to offer
better service, and yet at the same time offer it in a way that the bad
guys are doing as well.

Marcia Savage: Is it hard for small financial institutions to implement
e-mail authentication? I can see large institutions with the resources, it
seems like they might have an easier time with it.

Paul Smocer: Well, actually both sizes of institutions have challenges when
they go through it. On the larger institutions there are often literally dozens
of domains that are sending emails. They often are using in their lines of
business different marketing, third-party marketing firms, third-party sender
firms, sending e-mail on their behalf. So for the larger institution, the
challenges are figuring out where all the e-mail is coming from, prioritizing
which domains you want to deal with first, and really getting the businesses
on board, because in a lot of large organizations, regardless of whether
they are financial institutions are or not, you have lines of business who
are running their own IT or contracting for their own e-mail services, so
kind of herding all that together and figuring out what all you have, what's
important to address, et cetera, is probably the big challenge for a large
organization, albeit they have the technical expertise to then deal with that.

Small organizations don't have nearly the universe of domains to be
concerned with, so it might be a little easier for them to deal with it
from that perspective, but to your point, they may not also have the
technical expertise to deal with it as well.

What we've been trying to do at BITS, and we published a paper last
year where we took the learnings of the larger institutions, so what
are the steps you need to go through to figure out what domains you
have? What are the processes you need to apply to those domains and
the thinking you need to apply? What are the actual kind of technical
specs around what do you then need to do to get that process done?
And we put that together into a paper that we then published so that the
smaller organizations had almost a how-to guide to help them walk
through the process.

What we're currently doing now is we're working with the FSI sect and
we're looking to operationalize some of the process as well. One of the
things that we've heard, one of the challenges across the board,
regardless of what size institution you are, is that on the e-mail side, the
people who actually deliver e-mail, there are a pretty large number of
providers. There are obviously some very large ones that we all know,
the Googles and the Yahoos and et cetera, but there are a lot of small
ones as well, and if you think about it, a process where you've got lots
of financial institutions setting up rules who then need to go to a group
of ISPs and e-mail providers, and you've got a group of e-mail and ISPs
who have to deal with all these institutions when often it isn't really a
smooth process for trying to facilitate across the industry.

So we're working with the FSI sect and actually trying to create a service
that connects the two in a much more seamless way and we think that
we're pretty far along. We're about to look for some potential service
providers in the space, but we think it would be a good way to facilitate
the growth in the industry.

And the other thing I mentioned, too, is the papers that we've done
are actually available online. If you go out to the BITS website under
publications because when we were deciding, we published some
papers for our members only. Those are typically ones that we don't
want bad guys to know what we're necessarily trying to do, but in this
case we recognize that A) this is an issue that goes beyond our
membership to others in the financial services industry, but even
greater, it's an issue that goes to any kind of organization. We know,
for example, that a lot of folks in the retail online shopping space are
looking at this as a solution. Interestingly, even people in the greeting
card industry, the electronic greeting card industry are looking at this
because there's concern that they're being used as a conduit. So, it's
an important issue for us, and one we continue to focus on going forward.

Marcia Savage: Thanks for joining us today, Paul.

Paul Smocer: I'm always glad to talk to you, Marcia.

Marcia Savage: Thank you for joining us. For more information on
these topics, please visit

View All Videos

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.