Citigroup Inc.’s revelation in June that hackers had stolen personal information from more than 200,000 credit card holders put the spotlight once again on the ongoing problem of data security. But for financial institutions, big breaches are fading in importance compared to other, newer security worries.
Improved fraud detection systems, regulatory initiatives to secure card payments and legislative action, such as the law requiring breached companies to notify customers when their data is at risk, have helped to dramatically reduce payment card fraud in recent years. In its place, smaller, more targeted attacks on the financial industry’s main money-moving operations—the automated clearing and wire transfer systems—have emerged.
“If you talked to 10 people in my position, they would tell you that ACH and wire fraud are the number one problems in the industry today,” says Joe Rogalski, information security officer at Buffalo-based First Niagara Financial Group, with $31 billion in assets.
The shift in criminal tactics came into striking view with the release in April of the 2011 Data Breach Investigations Report, compiled by New York-based Verizon Communications Inc. and the U.S. Secret Service. Financial services targets accounted for only 35 percent of all the data records compromised in 2010, down from rates of 90 percent or more in previous years. A lack of mega breaches at financial institutions is the reason behind the shift, according to the report. In addition, the total number of records compromised across all industries decreased dramatically to only 4 million in 2010, compared to 361 million just two years earlier.
Even though fewer records are being compromised, the number of breaches was higher than ever, reaching 760, up from only 141 in 2009. These numbers reflect the reality that criminals are engaging in “small, opportunistic attacks,” rather than large-scale ones, says the report. Further, they are using “relatively unsophisticated methods” with success.
The more focused, aggressive attacks are presenting a host of challenges for data security professionals. Many banks have not yet implemented the multiple levels of security necessary to thwart the malicious attacks. Regulators only recently updated a six-year-old set of Internet banking authentication guidelines that would put the industry on more solid technological ground in defending itself.
The industry also now faces a good deal of legal uncertainty around who is liable for losses. Retail customers have long been protected against fraudulent activity on their accounts, while commercial customers have generally had to bear any losses themselves. But the large amounts lost to ACH and wire fraud by some commercial clients in recent years have spurred a spate of lawsuits that put this arrangement into question. The suits underscore a long-running debate in the security world: Where does the bank’s responsibility for security end and the customer’s begin?
Two recent court cases illustrate the inconsistencies in legal circles when it comes to cases involving online security. In June, Detroit-based Comerica Inc. was found to be liable for more than half a million dollars drained from the account of one of its customers when a fraudster installed malware on one of the firm’s computers, ultimately obtaining its online banking credentials. But just weeks earlier, a judge in Maine had ruled that Patco Construction Co., a family-owned construction firm there, was responsible for the $345,000 it lost when its computers were hacked and banking credentials stolen.
While the outcomes of the cases were starkly different, both courts tried to establish whether the security provided by the banks was considered “commercially reasonable” and delivered in good faith, says David Navetta, founding partner of Denver-based Information Law Group. He theorized that in the Maine case, the defendant—Portsmouth, New Hampshire-based Ocean Bank, a subsidiary of People’s United Financial Inc. in Bridgeport, Connecticut—got credit for using behavioral analytics to analyze transactions, in addition to other standard authentication routines. Meanwhile, a lack of behavioral analytics in use at Comerica led the court to conclude in part that the bank had not acted in good faith and should be responsible, Navetta explains. (Ocean Bank did not respond to a request for comment. Comerica has paid the damages and a spokesperson says the matter has been resolved.)
Interestingly, Ocean Bank got points for using behavioral analytics even though the technology did not succeed in preventing the Patco fraud. “Everyone understands that you can’t have perfect security,” Navetta notes. “When you talk about liability, you’re looking at whether the bank took the proper steps.”
The new version of the Internet banking authentication guidelines, issued by an inter-agency group of federal bank regulators in Washington, DC—the Federal Financial Institutions Examination Council (FFIEC)—only weeks after the rulings, supports the position that behavioral analytics are essential to good security.
The new FFIEC guidelines, which require compliance by January 2012, raise the bar on the amount of behavioral analytics a bank needs to employ, says Jeff Kopchik, senior policy analyst at the Federal Deposit Insurance Corp. The 2005 guidelines required banks to perform behavioral analysis whenever customers logged in. A bank might check whether customers were logging in from the same computer every time, for example.
The new guidelines also require banks to analyze customer behavior whenever they make a transaction. “What we’re saying now is you need multiple controls at different points of the process, so you’re not relying on one control at log-in,” says Kopchik. In addition, that control should be one that detects anomalies. Kopchik notes that if anomaly detection had been in place during many of the industry’s recent cases of ACH and wire fraud, “a substantial portion of these account takeovers would have been potentially prevented.”
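The layered approach Kopchik describes is easy to sketch in code: one control that scores the log-in itself, a second that scores every transfer against the customer's own baseline, and a decision rule that treats the two layers together. The following is an added illustration, not code from the article, the FFIEC or any vendor mentioned on this page; the customer profile, thresholds, device names and sample sessions are all constructed for the example, and a real deployment would learn the baseline from months of history rather than six hard-coded payments.

```python
"""Two-layer anomaly detection for online banking (added example).

Layer 1 scores the log-in (device, geography, time of day); layer 2 scores
each transfer (payee, amount, velocity). Neither layer alone blocks anything;
the decision rule combines them. All data and thresholds are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass
class Profile:
    """Baseline for one commercial customer, learned from past legitimate
    activity. Values used below are constructed for this example."""
    devices: set
    payees: set
    past_amounts: list
    home_country: str = "US"
    usual_hours: range = range(7, 19)  # 07:00-18:59, local business hours


@dataclass
class Login:
    device: str
    ip_country: str
    at: datetime


@dataclass
class Transfer:
    payee: str
    amount: float
    at: datetime


def login_anomalies(p, login):
    """Layer 1: the log-in control. Returns the reasons the session looks odd."""
    reasons = []
    if login.device not in p.devices:
        reasons.append("unrecognized device")
    if login.ip_country != p.home_country:
        reasons.append("login from " + login.ip_country)
    if login.at.hour not in p.usual_hours:
        reasons.append("off-hours login")
    return reasons


def transfer_anomalies(p, t, recent, z=3.0, window=timedelta(minutes=10), limit=3):
    """Layer 2: the per-transaction control. `recent` holds the earlier
    transfers of this session so a burst of payments (velocity) is caught."""
    reasons = []
    if t.payee not in p.payees:
        reasons.append("new payee")
    mu, sigma = mean(p.past_amounts), pstdev(p.past_amounts)
    if t.amount > mu + z * sigma:  # far outside the customer's normal amounts
        reasons.append(f"amount {t.amount:.0f} exceeds {mu:.0f} + {z:g} sd")
    burst = 1 + sum(1 for r in recent if t.at - r.at <= window)
    if burst >= limit:
        reasons.append(f"{burst} transfers within {window}")
    return reasons


def decide(login_reasons, transfer_reasons):
    """Combine both layers. A suspicious log-in followed by a suspicious
    transfer is the classic account-takeover shape and is held for
    out-of-band verification; a single weak signal only triggers step-up."""
    if not login_reasons and not transfer_reasons:
        return "allow"
    if login_reasons and transfer_reasons:
        return "hold"
    if len(transfer_reasons) >= 2:
        return "hold"
    return "step_up"


def run_session(p, login, transfers):
    """Score a whole session; returns (payee, decision, reasons) per transfer."""
    lr = login_anomalies(p, login)
    recent, results = [], []
    for t in transfers:
        tr = transfer_anomalies(p, t, recent)
        results.append((t.payee, decide(lr, tr), lr + tr))
        recent.append(t)
    return results


# Constructed sample data (not from the article).
CUSTOMER = Profile(
    devices={"dev-a1"},
    payees={"ACME Supply", "Payroll Batch"},
    past_amounts=[1200, 1500, 980, 2100, 1750, 1300],
)
LEGIT_LOGIN = Login("dev-a1", "US", datetime(2011, 7, 5, 10, 0))
LEGIT_TRANSFERS = [Transfer("ACME Supply", 1400, datetime(2011, 7, 5, 10, 5))]
NEW_DEVICE_LOGIN = Login("dev-new", "US", datetime(2011, 7, 5, 11, 0))
TAKEOVER_LOGIN = Login("dev-zz", "RO", datetime(2011, 7, 6, 3, 15))
TAKEOVER_TRANSFERS = [
    Transfer("J Smith", 9850, datetime(2011, 7, 6, 3, 20)),
    Transfer("M Jones", 9700, datetime(2011, 7, 6, 3, 22)),
    Transfer("K Lee", 9900, datetime(2011, 7, 6, 3, 24)),
]

if __name__ == "__main__":
    for label, login, tx in [("legit", LEGIT_LOGIN, LEGIT_TRANSFERS),
                             ("takeover", TAKEOVER_LOGIN, TAKEOVER_TRANSFERS)]:
        for payee, decision, why in run_session(CUSTOMER, login, tx):
            print(f"{label:9s} {payee:12s} {decision:8s} {'; '.join(why)}")
```

Run it and the legitimate session is allowed with no reasons, while the takeover session (unknown device, foreign address, 3 a.m., three large payments to new payees in four minutes) is held on every transfer. The point of the two-layer structure is visible in the third constructed case: a customer on a new laptop making an ordinary payment to a known payee gets a step-up challenge rather than a hold, which is what keeps the control tolerable for real customers while still catching the stolen-credential pattern.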
Banks need not fret that taking corrective action will be complicated or costly. The Verizon report noted that the “vast majority” of data breaches could be avoided without very difficult or expensive security measures. Though the common perception is that anomaly detection is onerous, the truth is actually the opposite, says Terry Austin, president and chief executive officer of Guardian Analytics in Los Altos, California. “You can get it up and running in about a week, and it costs less than most front-end protections, like tokens or device IDs,” he says. “This is not a hard requirement to meet. You can tick it off and be on to other things.”
Aside from requiring layered security, the new FFIEC guidelines emphasize the need for regular risk assessments. The original guidance advised periodic assessments; the new ones ask that they occur annually. “The banks were not doing them often enough,” Kopchik says, especially considering how quickly the attackers increased their sophistication.
The third important prong of the new guidance relates to customer education and awareness. Among other points, the guidance encourages banks to tell their customers to perform their own risk assessments, as well as implement their own additional risk mitigation tools. These recommendations go far beyond the 2005 guidance, which advised banks only to implement a customer awareness program and periodically evaluate it.
The FFIEC’s more aggressive take on customer awareness is still not enough, in the view of Phil Blank, managing director of security risk and fraud at Javelin Strategy & Research in Pleasanton, California. Blank would have liked to see the FFIEC require banks to use alerts to directly involve customers in monitoring activity on their accounts. “You’ll never stop fraud without involving the consumer,” Blank says. “They understand their behavior better than anyone.”
First Niagara is already deeply involved in communicating with its customers about security, Rogalski says. An extensive Security Center section on its web site educates both commercial and retail customers about different types of fraud and how to respond. “The last layer of defense is really the end user,” Rogalski says.
Synovus Financial Corp. found a way to get its corporate customers more involved in protecting themselves against fraud when it began offering a security plug-in from Trusteer, a Boston-based security vendor. The downloadable security application locks down a customer’s browser to protect against malware-based attacks. The $29-billion-asset bank, based in Columbus, Georgia, began offering the optional download less than a year ago when it began to see an increase in ACH and wire fraud. The download offers another way Synovus can reach out to customers about security, says Steven Jones, director of operations risk. “There’s only so much the financial institutions can do themselves,” Jones says. “The responsibility for security is on all of us.”
Each side has plenty to lose. Customers, particularly commercial ones, face the prospect of losing serious money to fraudsters. Banks, meanwhile, run the risk of wrecking customer trust, as Ocean Bank did in the case of Patco. The construction firm no longer uses any form of online banking and is back to writing checks for everything from materials to salaries. “It’s a wicked bummer,” says Mark Patterson, co-owner of the firm. “Our employees keep asking about getting direct deposit back, but there’s nothing we can do.”