#EnfuseCon17: Customers Are Banks' Biggest Headaches

Banks have a problem when it comes to security: Their users.

Financial institutions have gone to great lengths to make banking more convenient for consumers and businesses—but the migration to the web and mobile banking apps has come at the cost of a knock-out, drag-out fight with the cyber-criminal community. The problem of course is that banks increasingly find control to be out of their hands, as consumers use personal devices and poor security hygiene to find ways to consistently hand over the account keys to the bad guys.

Fortunately, according to Simon Collins at EY (formerly Ernst & Young), there are some best practices that institutions can take to minimize the impact of undereducated end users.

Speaking at the Enfuse 2017 conference, he noted that in many ways, banks are backed into a corner. If a customer falls victim to a malware infection or a phishing gambit, they have essentially handed their information to the crooks. Yet it is most often the banks that end up shouldering the loss.

“In personal banking, banks refund the money regardless of how unwise the customer was,” Collins explained. “There, customers think, ‘I used online banking because they said it was better and now I have no money.’ In business banking, the bank might give a business a loan to cover losses—there are stronger contractual relationships in place.”

For the banks, choices are few. Consider that in many cases, the malware that infects a machine can be generic and drive-by. Unbeknownst to the user, it then detects the use of online banking, allowing criminals to create databases of owned PCs whose owners are also customers of a specific bank. From there, they may sell that subset to someone who will write specific code intended to perform a man-in-the-middle attack against a certain bank.

“We’re not talking about someone trying to hack into SWIFT or a core network,” Collins explained. “In most of these cases, they target the customer. So what do you do? The only foolproof thing is to shut down the channel entirely and go back to paper and physical money—and we know that’s not going to happen.”

Phishing is just as insidious, he added.

“An attorney who lost $40,000 insisted that she would know if she gave up her credentials. Under live analysis we determined that six months earlier she took three steps to give away the details. Once in, attackers will watch, and then when money comes in, they will siphon it off.”

In the realm of authentication, it’s important to remember that no method can stop fraud when a customer hands over access. However, encryption and requiring strong authentication at certain layers is always a best practice—which gets into the need to be smart about what to allow customers access to.

Aspects to evaluate include whether to allow new beneficiaries to be set up on non-whitelisted accounts from trusted devices; whether to offer only read-only access to account information if two-factor authentication is not enabled; and what kinds of transfer thresholds should be in place.

“What functionality do you want to provide your customers? Can everyone do million-dollar transfers?” Collins said. “It’s typically only after they’ve lost a lot of money that they sit down and consider whether they really need to provide that.”

He gave one example of an institution that was weighing how to minimize fraud over a holiday weekend. One suggestion was to drop a $5,000 transfer limit to $1,000.

“If you drop transfers to a $1,000 limit, that will make the bad guys go away,” Collins said. “But they were concerned about losing customers. We asked how many legitimate customers they had over the last holiday weekend transferring $5,000 outside of business hours, and they didn’t know. They decided not to drop the limit and lost well over $1mn. And later analysis showed that only one customer legitimately transferred money.”

Some of this can be personalized and tailored to the user via device identification and protection profiling. Banks can implement software that identifies the device used, and what security controls are in place. Is it trusted? Jailbroken? Is there malware protection? Does it track geolocation data? Are biometrics enabled?

On the backend, behavioral biometrics, which gets to “know” specific user patterns like the tilt of a phone or the pattern of typing, can help detect when there’s malicious activity afoot.

“This is a relatively specialized area,” Collins said. “On a fresh user, the system will know what bad looks like, i.e., how a RAT behaves, or if it’s a coder because they use keyboard shortcuts instead of a mouse. A robot will also follow a certain pattern. Then it will build what ‘good’ looks like as it gets to know the user. These are non-intrusive measures that can help.”

Clearly, understanding with live statistics how customers typically use a banking function can allow banks to make better decisions dynamically. Therefore, metrics become critical.

Also, monitoring and alerting are important.

Consider: There are anywhere between two and 10 points of contact in any attack before the money is siphoned.

“Attackers leave traces,” Collins said. “Indicators of compromise can be detected in the infrastructure, and many are detectable long before fraud occurs because the bad guys are looking to see if there’s money there.”

He added: “Knowing if this is a new beneficiary, if the request comes from overseas or from a dangerous area, if it’s to a known mule account etc. is critical—and technical info should be plugged into that to arrive at a risk score. If there’s a login that creates new beneficiaries and goes on to do a transaction in 10 seconds—that’s clearly not a human.”
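As an added example (not code from Collins, EY or the original article), the Python below sketches the kind of risk score he describes, folding in the access-policy questions raised earlier: read-only without two-factor, new beneficiaries from untrusted devices, transfer thresholds, and the ten-second beneficiary-to-transfer velocity signal. The account identifiers, country code, weights and thresholds are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Constructed placeholders, not real indicators; a bank would feed these from
# its own mule-account intelligence and geo-risk lists.
MULE_ACCOUNTS = {"ACCT-MULE-0001"}
HIGH_RISK_COUNTRIES = {"ZZ"}
BUSINESS_HOURS = range(8, 18)

@dataclass
class Session:
    customer: str
    two_factor: bool
    trusted_device: bool
    country: str                                # geolocation of the login
    events: list = field(default_factory=list)  # (timestamp, kind, payload)

def score_transfer(session, ts, dest, amount, limit=5000):
    """Return (score 0-100, reasons): business signals (new beneficiary, overseas
    login, mule account) plus technical ones (velocity, device trust, amount)."""
    if not session.two_factor:
        return 100, ["policy: channel is read-only without two-factor auth"]
    score, reasons = 0, []
    if dest in MULE_ACCOUNTS:
        score += 60; reasons.append("destination is a known mule account")
    if session.country in HIGH_RISK_COUNTRIES:
        score += 20; reasons.append("login from high-risk geography")
    for ev_ts, kind, payload in session.events:
        if kind == "add_beneficiary" and payload == dest:
            score += 15; reasons.append("beneficiary was added in this session")
            if ts - ev_ts <= timedelta(seconds=10):
                score += 40; reasons.append("beneficiary created <=10s before transfer")
            if not session.trusted_device:
                score += 15; reasons.append("beneficiary added from an untrusted device")
    if amount > limit:
        score += 20; reasons.append(f"amount {amount} exceeds limit {limit}")
    if ts.hour not in BUSINESS_HOURS:
        score += 5; reasons.append("outside business hours")
    return min(score, 100), reasons

def decide(score):
    """Map a score to an action: allow, step-up authentication, or hold for review."""
    return "allow" if score < 30 else "step_up" if score < 70 else "hold"

def demo():
    """Two constructed sessions: an automated-looking transfer and a routine one."""
    t0 = datetime(2017, 5, 27, 0, 12, 0)
    bot = Session("cust-42", True, False, "GB", [(t0, "add_beneficiary", "ACCT-NEW-77")])
    human = Session("cust-7", True, True, "GB")
    return {"bot": score_transfer(bot, t0 + timedelta(seconds=7), "ACCT-NEW-77", 9000),
            "human": score_transfer(human, datetime(2017, 5, 26, 10, 0), "ACCT-OLD-01", 250)}
```

The automated-looking session scores 95 and is held for review, while the routine daytime transfer from a trusted device scores 0 and is allowed.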

And finally, fraud is inevitable, so it’s also key to put mitigation strategies in place. For instance, key to any digital banking security model is overall governance—it’s important to have a post-incident organizational structure in place, including delineated roles and responsibilities with clear and consistent reporting lines, especially in an incident-response scenario.
