Bank Director Magazine - 2nd Quarter 2008

Targeting Online Risk
Paul Sweeney

Financial institutions today have enormous challenges with data security. Even so, they must continue to maintain a diligent battle against an army of online gremlins.

In what has been described as one of the most pervasive breaches of data security in history, last year’s announcement by retailer TJ Maxx that cyberthieves had hacked into the company’s mainframe and stolen sensitive customer data over the preceding two years sent shockwaves through the country’s banking system. This massive break-in put at risk not only the accounts of the company’s own customers but also those of the 45.7 million credit and debit card holders whose records were held in the company’s computer systems.

Particularly hard hit were financial institutions on the eastern seaboard, where TJ Maxx’s stores predominate. “We had never received so many angry phone calls from bank CEOs,” says Lindsey Pinkham, a spokesman for the Connecticut Bankers Association, which joined with banking associations in Massachusetts and Maine in a lawsuit against the retailer. By December 2007, parent company TJX Cos. announced a $40.9 million settlement agreement with all but one of the seven banks and bankers associations that sued the corporation in a putative class action as a result of the hack into the retailer’s computer system. Afterward, Carol Meyrowitz, president and CEO of TJX, stated, “The TJX experience underscores broader challenges facing the U.S. payment card system that require urgent action by merchants, banks, payment card companies and associations, and we look forward to greater cooperation in order to better serve and protect customers.”

This case has had widespread ramifications for corporate America and consumers—but lenders hope some positive lessons will be learned. Daniel J. Forte, president of the Massachusetts Bankers Association, says this jolt has served to harden the country’s data processing and computer systems against similar intrusions. “For our member banks,” Forte declares, “the protection of customer data has always been of paramount importance.”

Wake-up call
The TJX incident serves as a dizzying reminder that savvy but ruthless corporate hackers are just one of myriad security threats facing the banking system today. The U.S. Census Bureau reports 62 million U.S. households, or 55% of all residences, owned a Web-connected computer in 2003. In households sporting incomes of more than $100,000, that penetration rate rises to 95%. But such affluence poses a risk: Security experts warn that, in the age of the Internet, the number of entry spots to financial institutions has proliferated far beyond the perimeter of the bank’s lobby.

For most of the last century, “you had bank robbers like Bonnie and Clyde or Willie Sutton who were sticking a gun in your face,” says Kelly Trammell, managing director for technology services at Sheshunoff Management Services, an Austin, Texas-based consulting firm. “Now you have to think of other portals as if they were the front door. The bad guys are finding the path of least resistance,” he adds, “so you have to be on guard in all areas.”

Top executives and directors at banks are well aware online risk is a major concern. Like a modern Hitchcockian plot line (a fiendish favorite of the legendary director had the protagonists being chased by both the villains and the police), bankers are facing threats from an array of increasingly sophisticated scam artists, and it’s often hard to tell who’s who. At the same time, banks are being pressured by regulators to adopt more costly antifraud systems to stanch identity theft.

Before the year is out, bank examiners will be inspecting financial institutions to ensure they institute a panoply of policies designed to recognize some two dozen red flags that signal possible identity theft. Failure to do so could result in regulatory fines and reputational damage for the bank.

Yet despite the fact that most banks and their boards are doing everything in their power to eliminate such security risks, they seem to be everywhere. The increased use of plastic over cash, direct deposits instead of paychecks, and the advent of ATMs and telephone and Internet banking have led to a litany of scams—many of which are as ingenious as they are shady. Whether it entails identity theft, phony schemes over the Internet promising money, or sophisticated forgeries, the goal of scammers is as old as sin itself: to separate a bank and its customers from their money.

Yet, one of the most vexing features of the modern age is that bankers have only limited scope over risk prevention at their financial institution. Often security breaches are occurring at third- or fourth-party companies, so that an inordinate amount of security threats are “not necessarily fraud that banks can control,” says Viveca Ware, director of payments and technology policy at the Independent Community Bankers Association in Washington, D.C.

Joseph Dooley, a former FBI agent and managing director of the forensic practice at accounting firm KPMG, notes that threats can come from thousands of miles away. “Electronic fraud is pervasive,” he says, explaining that perpetrators often utilize websites originating from Eastern Europe that trade and sell credit card information along with names, Social Security numbers, and dates of birth. To gain such information, fraudsters increasingly deploy what security specialists call social engineering techniques—essentially a modern version of the confidence game.

Fraudsters get to know you … and even your dog
At present, the most popular, and perhaps the most pernicious, of the social engineering scams is phishing, which is a criminal attempt to acquire user names, passwords, credit card numbers, and the like over the Internet. Pretending to be your online bank or another well-known retail outlet, the phisher casts a wide net, sending out identical e-mails to thousands of e-mail addresses. The phisher’s e-mail typically claims to be a notification. There is often the assertion that some difficulty with the status of the recipient’s account has cropped up. Recipients are directed to phony websites or even a toll-free number (the voice version of the scam is known as “vishing”) where they are asked to provide a wealth of valuable information. If the phisher gets his hands on such confidential information as personal identification numbers (PINs) or the name of a favorite pet, for example, he’s off to the races.

Says Trammell of Sheshunoff, “The most effective strategy is to find [out] a little bit about you—what your kids’ names are, your date of birth, and Social Security number. Those questions are asked over and over again. If I [as a phisher] find out that information at one site, frequently I can use it to find your banking and brokerage information. People have the same common profile. So once I know your dog’s name, I can use it at different sites.”

Ironically, a phisher’s Internet come-on frequently claims there has been a security breach requiring the recipient’s urgent attention. “There are a lot of cover stories on why they need you to go to the website,” says Marc Gaffan, director of product marketing for RSA’s identity and access assurance group. RSA, which provides consulting services to Bank of America, Wachovia Corp., and Washington Mutual, is the security division of EMC, a Hopkinton, Massachusetts-based information technology company.

“Obviously, awareness is the best defense,” Gaffan adds, “but it’s also the weakest link. People are susceptible to social engineering. We tend to believe [others], especially if they are persuasive.”

According to Microsoft’s Security Intelligence Report, 31.6 million phishing scams were identified in the first six months of 2007, a whopping 150% increase over the second half of 2006. Increasingly, experts say, phishers are targeting smaller financial institutions.

“Phishing started at the big banks in New York around three or four years ago,” Gaffan says. “With so many customers, there was a high probability of success. But those banks hired experts to put in antifraud solutions, and now the phishermen have moved downstream, where there is less sophistication. There are a lot of attacks against regional banks and local credit unions.”

But as quickly as security experts find ways to block their efforts, phishers are tweaking and refining their game plan. One new strategy combines the move downstream with “spear-phishing.” In this variation, rather than casting a wide net, fraudsters target specific individuals.

Gaffan says the fraudster obtains lists of customers in a particular area, say by hacking into the database of a local merchant, newspaper, or college. “With those geographic ties,” he explains, “all you need is an e-mail address and some information about the person, such as his name and address. Then you look at what financial institutions are in the area and write him a personal letter.” With this more-targeted approach, security experts add, the bad guys have the ability to hook bigger game.
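The indicators the two passages above describe (a sender posing as the bank, a cover story about account trouble, a link whose real destination is not the bank's site, and a request for PINs, passwords or security-question answers) are the same whether the lure is mass-mailed or personalised for a spear-phishing target, so a bank's abuse mailbox can triage both kinds with one set of checks. The following Python is an added example written for this page; it is not code from the article or from RSA, Sheshunoff or any other firm quoted in it. The bank's domain (`examplebank.example`), the phrase lists, the weights and the two sample messages are all constructed placeholders.

```python
"""Heuristic triage of a reported e-mail for the phishing indicators the
article describes.  Added example; not code from the article or from any
firm quoted in it.  BANK_DOMAIN is a placeholder for the real institution."""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

BANK_DOMAIN = "examplebank.example"  # placeholder: the institution's real web domain

# Cover stories used to create urgency ("some difficulty with the status of
# the recipient's account has cropped up").  Constructed list.
URGENCY_PHRASES = ("suspended", "unusual activity", "verify your account",
                   "security breach", "within 24 hours", "immediately")
# Data the article says fraudsters harvest; matched as whole words.
CREDENTIAL_PHRASES = ("password", "pin", "social security", "date of birth",
                      "mother's maiden name", "pet's name")

LINK_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)


@dataclass
class Finding:
    score: int
    reasons: List[str]


def registrable(host: str) -> str:
    """Last two labels of a hostname.  Simplification: a real deployment
    would consult the public suffix list so that e.g. co.uk is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def same_org(host: str, bank: str = BANK_DOMAIN) -> bool:
    return registrable(host) == registrable(bank)


def _phrase_hits(phrases, text: str) -> List[str]:
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]


def triage(sender: str, subject: str, body: str, bank: str = BANK_DOMAIN) -> Finding:
    score, reasons = 0, []
    text = (subject + "\n" + body).lower()
    bank_name = bank.split(".")[0]

    # 1. Mail talks about the bank but does not come from the bank's domain.
    sender_domain = sender.rsplit("@", 1)[-1]
    if bank_name in text and not same_org(sender_domain, bank):
        score += 3
        reasons.append(f"sender domain {sender_domain} is not {bank}")

    # 2. Each link is judged by the host it really points to.  A host that
    #    merely contains the bank's name (a look-alike) is the strongest signal.
    for url in LINK_RE.findall(body):
        host = urlparse(url).hostname or ""
        if same_org(host, bank):
            continue
        if bank_name in host:
            score += 4
            reasons.append(f"look-alike link host {host}")
        else:
            score += 2
            reasons.append(f"off-domain link host {host}")

    # 3. Urgency cover story.
    hits = _phrase_hits(URGENCY_PHRASES, text)
    if hits:
        score += 2
        reasons.append("urgency phrases: " + ", ".join(hits))

    # 4. Request for credentials or security-question answers.
    hits = _phrase_hits(CREDENTIAL_PHRASES, text)
    if hits:
        score += 3
        reasons.append("asks for: " + ", ".join(hits))

    return Finding(score, reasons)


def verdict(finding: Finding) -> str:
    if finding.score >= 6:
        return "phishing"
    if finding.score >= 3:
        return "suspicious"
    return "clean"


# Constructed sample messages (not real mail): (sender, subject, body).
PHISHING_SAMPLE: Tuple[str, str, str] = (
    "security@mail-alerts-center.example",
    "Urgent: your ExampleBank account has been suspended",
    "We detected unusual activity. Verify your account within 24 hours at "
    "https://examplebank.secure-login-check.example/verify and confirm your "
    "PIN and date of birth.",
)
LEGIT_SAMPLE: Tuple[str, str, str] = (
    "alerts@examplebank.example",
    "Your March statement is ready",
    "Sign in at https://www.examplebank.example/statements to view it.",
)

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGIT_SAMPLE):
        result = triage(*sample)
        print(verdict(result), result.score, result.reasons)
```

The link check deliberately ignores the text of the message and looks only at the host each URL resolves to, because a spear-phishing lure that gets the victim's name, town and bank right still has to send them somewhere the bank does not control; the look-alike rule catches the common trick of putting the bank's name in a subdomain of an attacker-owned domain.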

Sometimes, taking a trip to a look-alike website can also result in the infiltration and lodgment of viruses in an unsuspecting victim’s computer. These viruses and programs—spyware, malware, and Trojan horses—provide tracking information. Some of these programs allow an interloper to accompany the victim to his or her online bank, record the keystrokes, and return later to siphon money. What’s worse, RSA reports that some black-market suppliers of such crimeware are routinely offering upgrade packages “so that when crimeware becomes detectable by antivirus providers, they will deliver a new ‘undetectable’ variant at minimal cost.”

According to Doug Kidder, vice president and manager of corporate security and loss prevention at Umpqua Bank in Roseburg, Oregon, so-called Nigerian-type Internet scams are the bank’s top security problem (though such scams are nothing new and not confined to Nigeria). Essentially they are variations on confidence tricks that have been around for decades. In an e-mail, the scammer might claim he has received an inheritance or won the lottery, but needs up-front money. Once the money is sent, of course, the perpetrator of the fraud disappears. Despite public exposés of such schemes, they continue to wreak havoc. “Every bank in the country is in the same boat,” Kidder laments.

Moreover, Jeff Marshall, chief technology officer at Orlando, Florida-based Harland Financial Solutions, notes that thieves operating on a personal computer in the comfort of a den, office, or Internet café can be more brazen. “A guy who wants to cash a fourth-party check—it’s [likely] something he found in the street [though] he’s claiming it’s from a friend of a friend and it’s been signed over a couple of times—is probably shaking. A half-trained teller could see that. But on the Internet, nobody can see you.”

Increasingly, though, bank customers face a multi-pronged threat—a blend of the physical threat with the electronic threat that can dramatically enhance the danger. An example is a skimming device slipped onto the credit or debit card slot at a gas pump or an ATM. Used together with a hidden camera that captures the user punching in his or her PIN, such a device lets the fraudster “hijack ATM information,” Sheshunoff’s Trammell says. The result can be a duplicate ATM card or an invasion of the cardholder’s bank account through a telephone banking service.

Other blended threats include such things as picking through a bank’s trash for information that can be put to use online or even bribing a bank teller for the intimate details about certain well-heeled depositors. “These are coordinated attacks,” Trammell warns—and they can be quite creative. If there are chinks in the mortar, security experts say, fraudsters will find them.

Looking for answers
So what are bankers to do? Michael Perry, a bank director at two-year-old Town Center Bank, a de novo financial institution in Frankfort, Illinois, recommends hiring a top-notch IT security firm with expertise in deterring and mitigating electronic bank fraud. “We wanted to encourage people to use the Internet, but at the same time, we wanted a high level of security” at the start-up bank, Perry says. “We knew from reading the newspapers that people were losing their identity and money over the Internet.”

He says he and the other Town Center directors were actively involved in narrowing the consultant candidates to a final four. Each was interviewed before the bank settled on Solis Security, an Austin, Texas-based IT firm that specializes in security and regulatory compliance for small and medium-size banks. “[Our board doesn’t] profess to be technically able to identify threats,” Perry says, “but we wanted to hire the right people with a proven track record of staying on top of technology and hackers.”

Robert Gray, a Dallas forensic accountant, agrees directors and members of the audit committee should play a proactive role in challenging the adequacy of internal controls at banks. “The directors have got to take an aggressive stance in all areas where there are potential losses,” he says, citing their need for involvement in such areas as wire transfers, money-laundering controls, IT training, and ensuring that operating systems and firewalls are continually updated.

To stay ahead of phishers and hackers, Solis founder and CEO Terry Oehring recommends that not only banking operations but all businesses and individuals patch their software regularly. (A patch is a software update that fixes known bugs or security holes as they are discovered.) “If you don’t patch,” he says, “malware can be embedded into a website you visit and compromise your machines.” Plus, what’s scary, he adds, is that there are a lot of seemingly innocuous websites “that could be loaded (with malware) and reporting back to some database in Russia.”

Bankers lament that many consumers do not appear knowledgeable about the risks. Kidder, the director of security at Umpqua Bank, wishes customers would pay more attention to such things as skimming fraud on ATM machines or gas pumps. “The consumer needs to be cognizant,” he says. “If anything looks different, you might want to think twice before using that device.”

Sally Greenberg, executive director at the National Consumers League in Washington, D.C., thinks banks should work more diligently with consumers to educate them about the dangers of phishing, Nigerian Internet scams, and other dangers to their accounts. Says Greenberg: “Banks should do more to warn customers about scams, about not clicking on links asking for data and [not entering] personal information into a pop-up window.”

She also hopes banks will put more emphasis on developing technology that, for example, would in the future “be able to [recognize] counterfeit money and checks. I’ve got to believe that technology could see patterns with fake checks and that the banking industry could work with consumer groups to prevent some of these things from happening.”

Regulatory oversight
With identity theft on the rise, federal and state regulatory officials are requiring banks to revise their information security policies by Nov. 1, 2008. As part of the Fair and Accurate Credit Transactions Act, banks must have procedures in place to watch for identity theft red flags and address discrepancies. The regulations identify 25 red flags, including warnings from credit reporting agencies, suspicious documents with personal identifying information, unusual or suspicious account activity, and notifications from customers that they have been victims of identity fraud.

Robert Rowe, senior regulatory counsel for the Independent Community Bankers of America, notes the statute and rules “require that the board has to approve the program. It can be [handled by] an appropriate committee, but at most community banks, the whole board will be approving it and has to be involved in the oversight of the program.”

Security specialists say that, along with the red flags, it’s a good time to take stock of the bank’s overall security program and clear up any deficiencies. But finding extra money when the economy appears to be in a tailspin may not be easy—or popular. “Tough times are when costs have to be cut,” says Philip Levi, a Montreal forensic accountant.

But the fact that hard times are here should give bankers pause about making budget cuts in security, warns Doug Johnson, a senior policy advisor for government relations at the American Bankers Association. “When you have a downturn in the economy, you find folks have a higher level of desperation, and thus, there are going to be more robberies.”

Bank Director
5110 Maryland Way
Suite 250
Brentwood TN 37027
Phone (615) 309-3200
Fax (615) 371-0899
© Board Member Inc. All Rights Reserved