Targeting Online Risk

In what has been described as one of the most pervasive breaches of data security in history, last yearu00e2u20acu2122s announcement by retailer TJ Maxx that cyberthieves had hacked into the companyu00e2u20acu2122s mainframe and stolen sensitive customer data for the past two years sent shockwaves through the countryu00e2u20acu2122s banking system. This massive break-in not only put the customersu00e2u20acu2122 accounts at risk but also those of the 45.7 million credit and debit card customers that dwelt in the companyu00e2u20acu2122s computer systems.

Particularly hard hit were financial institutions on the eastern seaboard, where TJ Maxxu00e2u20acu2122s stores predominate. u00e2u20acu0153We had never received so many angry phone calls from bank CEOs,u00e2u20ac says Lindsey Pinkham, a spokesman for the Connecticut Bankers Association, which joined with banking associations in Massachusetts and Maine in a lawsuit against the retailer. By December 2007, parent company TJX Cos. announced a $40.9 million settlement agreement with all but one of the seven banks and bankers associations that sued the corporation in a putative class action as a result of the hack into the retaileru00e2u20acu2122s computer system. Afterward, Carol Meyrowitz, president and CEO of TJX, stated, u00e2u20acu0153The TJX experience underscores broader challenges facing the U.S. payment card system that require urgent action by merchants, banks, payment card companies and associations, and we look forward to greater cooperation in order to better serve and protect customers.u00e2u20ac

This case has had widespread ramifications for corporate America and consumersu00e2u20ac”but lenders hope some positive lessons will be learned. Daniel J. Forte, president of the Massachusetts Bankers Association, says this jolt has served to harden the countryu00e2u20acu2122s data processing and computer systems against similar intrusions. u00e2u20acu0153For our member banks,u00e2u20ac Forte declares, u00e2u20acu0153the protection of customer data has always been of paramount importance.u00e2u20ac

Wake-up call

The TJX incident serves as a dizzying reminder that savvy but ruthless corporate hackers are just one of myriad security threats facing the banking system today. The U.S. Census Bureau reports 62 million U.S. households, or 55% of all residences, owned a Web-connected computer in 2003. In households sporting incomes of more than $100,000, that penetration rate rises to 95%. But such affluence poses a risk: Security experts warn that, in the age of the Internet, the number of entry spots to financial institutions has proliferated far beyond the perimeter of the banku00e2u20acu2122s lobby.

For most of the last century, u00e2u20acu0153you had bank robbers like Bonnie and Clyde or Willie Sutton who were sticking a gun in your face,u00e2u20ac says Kelly Trammell, managing director for technology services at Sheshunoff Management Services, an Austin, Texas-based consulting firm. u00e2u20acu0153Now you have to think of other portals as if they were the front door. The bad guys are finding the path of least resistance,u00e2u20ac he adds, u00e2u20acu0153so you have to be on guard in all areas.u00e2u20ac

Top executives and directors at banks are well aware online risk is a major concern. Like a modern Hitchcockian plot line (a fiendish favorite of the legendary director had the protagonists being chased by both the villains and the police), bankers are facing threats from an array of increasingly sophisticated scam artists, and itu00e2u20acu2122s often hard to tell whou00e2u20acu2122s who. At the same time, banks are being pressured by regulators to adopt more costly antifraud systems to stanch identity theft.

Before the year is out, bank examiners will be inspecting financial institutions to ensure they institute a panoply of policies designed to recognize some two dozen red flags that signal possible identity theft. Failure to do so could result in fines from regulators and a loss of reputational risk for the bank.

Yet despite the fact that most banks and their boards are doing everything in their power to eliminate such security risks, they seem to be everywhere. The increased use of plastic over cash, direct deposits instead of paychecks, and the advent of ATMs and telephone and Internet banking have led to a litany of scamsu00e2u20ac”many of which are as ingenious as they are shady. Whether it entails identity theft, phony schemes over the Internet promising money, or sophisticated forgeries, the goal of scammers is as old as sin itself: to separate a bank and its customers from their money.

Yet, one of the most vexing features of the modern age is that bankers have only limited scope over risk prevention at their financial institution. Often security breaches are occurring at third- or fourth-party companies, so that an inordinate amount of security threats are u00e2u20acu0153not necessarily fraud that banks can control,u00e2u20ac says Viveca Ware, director of payments and technology policy at the Independent Community Bankers Association in Washington, D.C.

Joseph Dooley, a former FBI agent and managing director of the forensic practice at accounting firm KPMG, notes that threats can come from thousands of miles away. u00e2u20acu0153Electronic fraud is pervasive,u00e2u20ac he says, explaining that perpetrators often utilize websites originating from Eastern Europe that trade and sell credit card information along with names, Social Security numbers, and dates of birth. To gain such information, fraudsters increasingly deploy what security specialists call social engineering techniquesu00e2u20ac”essentially a modern version of the confidence game.

Fraudsters get to know you u00e2u20acu00a6 and even your dog

At present, the most popular, and perhaps the most pernicious, of the social engineering scams is phishing, which is a criminal attempt to acquire user names, passwords, credit card numbers, and the like over the Internet. Pretending to be your online bank or another well-known retail outlet, the phisher casts a wide net, sending out identical e-mails to thousands of e-mail addresses. The phisheru00e2u20acu2122s e-mail typically claims to be a notification. There is often the assertion that some difficulty with the status of the recipientu00e2u20acu2122s account has cropped up. Recipients are directed to phony websites or even a toll-free number (the voice version of the scam is known as u00e2u20acu0153vishingu00e2u20ac) where they are asked to provide a wealth of valuable information. If the phisher gets his hands on such confidential information as personal identification numbers (PINs) or the name of a favorite pet, for example, heu00e2u20acu2122s off to the races.

Says Trammell of Sheshunoff, u00e2u20acu0153The most effective strategy is to find [out] a little bit about youu00e2u20ac”what your kidsu00e2u20acu2122 names are, your date of birth, and Social Security number. Those questions are asked over and over again. If I [as a phisher] find out that information at one site, frequently I can use it to find your banking and brokerage information. People have the same common profile. So once I know your dogu00e2u20acu2122s name, I can use it at different sites.u00e2u20ac

Ironically, a phisheru00e2u20acu2122s Internet come-on frequently claims there has been a security breach requiring the recipientu00e2u20acu2122s urgent attention. u00e2u20acu0153There are a lot of cover stories on why they need you to go to the website,u00e2u20ac says Marc Gaffan, director of product marketing for RSAu00e2u20acu2122s identity and access assurance group. RSA, which provides consulting services to Bank of America, Wachovia Corp., and Washington Mutual, is the security division of EMC, a Hopkinton, Massachusetts-based information technology company.

u00e2u20acu0153Obviously, awareness is the best defense,u00e2u20ac Gaffan adds, u00e2u20acu0153but itu00e2u20acu2122s also the weakest link. People are susceptible to social engineering. We tend to believe [others], especially if they are persuasive.u00e2u20ac

According to Microsoftu00e2u20acu2122s Security Intelligence Report, 31.6 million phishing scams were identified in the first six months of 2007, a whopping 150% increase over the second half of 2006. Increasingly, experts say, phishers are targeting smaller financial institutions.

u00e2u20acu0153Phishing started at the big banks in New York around three or four years ago,u00e2u20ac Gaffan says. u00e2u20acu0153With so many customers, there was a high probability of success. But those banks hired experts to put in antifraud solutions, and now the phishermen have moved downstream, where there is less sophistication. There are a lot of attacks against regional banks and local credit unions.u00e2u20ac

But as quickly as security experts find ways to block their efforts, phishers are tweaking and refining their game plan. One new strategy is the trend to combine the move downstream with u00e2u20acu0153spear-phishing.u00e2u20ac In this variation, rather than casting a wide net, fraudsters target specific individuals.

Gaffan says the fraudster obtains lists of customers in a particular way, say by hacking into the database of a local merchant, newspaper, or college. u00e2u20acu0153With those geographic ties,u00e2u20ac he explains, u00e2u20acu0153all you need is an e-mail address and some information about the person, such as his name and address. Then you look at what financial institutions are in the area and write him a personal letter.u00e2u20ac With this more-targeted approach, security experts add, the bad guys have the ability to hook bigger game.

Sometimes, taking a trip to a look-alike website can also result in the infiltration and lodgment of viruses in an unsuspecting victimu00e2u20acu2122s computer. These viruses and programsu00e2u20ac”spyware, malware, and Trojan horsesu00e2u20ac”provide tracking information. Some of these programs allow an interloper to accompany the victim to his or her online bank, record the keystrokes, and return later to siphon money. Whatu00e2u20acu2122s worse, RSA reports that some black-market suppliers of such crimeware are routinely offering upgrade packages u00e2u20acu0153so that when crimeware becomes detectable by antivirus providers, they will deliver a new u00e2u20acu02dcundetectableu00e2u20acu2122 variant at minimal cost.u00e2u20ac

According to Doug Kidder, vice president and manager of corporate security and loss prevention at Umpqua Bank in Roseburg, Oregon, so-called Nigerian-type Internet scams are the banku00e2u20acu2122s top security problem (though such scams are nothing new and not confined to Nigeria). Essentially they are variations on confidence tricks that have been around for decades. In an e-mail, the scammer might claim he has received an inheritance or won the lottery, but needs up-front money. Once the money is sent, of course, the perpetrator of the fraud disappears. Despite public exposu00c3u00a9s of such schemes, they continue to wreak havoc. u00e2u20acu0153Every bank in the country is in the same boat,u00e2u20ac Kidder laments.

Moreover, Jeff Marshall, chief technology officer at Orlando, Florida-based Harland Financial Solutions, notes that thieves operating on a personal computer in the comfort of a den, office, or Internet cafu00c3u00a9 can be more brazen. u00e2u20acu0153A guy who wants to cash a fourth-party checku00e2u20ac”itu00e2u20acu2122s [likely] something he found in the street [though] heu00e2u20acu2122s claiming itu00e2u20acu2122s from a friend of a friend and itu00e2u20acu2122s been signed over a couple of timesu00e2u20ac”is probably shaking. A half-trained teller could see that. But on the Internet, nobody can see you.u00e2u20ac

Increasingly, though, bank customers face a multi-pronged threatu00e2u20ac”a blend of the physical threat with the electronic threat that can dramatically enhance the danger. An example of this might be the use of a device slipped onto the credit or debit card slot at a gas station or an ATM machine. Used in conjunction with a hidden camera, which captures the user punching in his or her PIN, the fraudster has the capacity to u00e2u20acu0153hijack ATM information,u00e2u20ac Sheshunoffu00e2u20acu2122s Trammell says. The result can be the manufacture of a duplicate ATM card or invasion of the cardholderu00e2u20acu2122s bank account using a telephone banking service.

Other blended threats include such things as picking through a banku00e2u20acu2122s trash for information that can be put to use online or even bribing a bank teller for the intimate details about certain well-heeled depositors. u00e2u20acu0153These are coordinated attacks,u00e2u20ac Trammell warnsu00e2u20ac”and they can be quite creative. If there are chinks in the mortar, security experts say, fraudsters will find them.

Looking for answers

So what are bankers to do? Michael Perry, a bank director at two-year-old Town Center Bank, a de novo financial institution in Frankfort, Illinois, recommends hiring a top-notch IT security firm with expertise in deterring and mitigating electronic bank fraud. u00e2u20acu0153We wanted to encourage people to use the Internet, but at the same time, we wanted a high level of securityu00e2u20ac at the start-up bank, Perry says. u00e2u20acu0153We knew from reading the newspapers that people were losing their identity and money over the Internet.u00e2u20ac

He says the he and the other Town Center directors were actively involved in narrowing the consultant candidates to a final four. Each was interviewed before the bank settled on Solis Security, an Austin, Texas-based IT firm that specializes in security and regulatory compliance for small and medium-size banks. u00e2u20acu0153[Our board doesnu00e2u20acu2122t] profess to be technically able to identify threats,u00e2u20ac Perry says, u00e2u20acu0153but we wanted to hire the right people with a proven track record of staying on top of technology and hackers.u00e2u20ac

Robert Gray, a Dallas forensic accountant, agrees directors and members of the audit committee should play a proactive role in challenging the adequacy of internal controls at banks. u00e2u20acu0153The directors have got to take an aggressive stance in all areas where there are potential losses,u00e2u20ac he says, citing their need for involvement in such areas as wire transfers, money-laundering controls, IT training, and ensuring that operating systems and firewalls are continually updated.

To stay ahead of phishers and hackers, Solis founder and CEO Terry Oehring recommends that not only banking operations but all businesses and individuals patch their software regularly. (A patch is a small software program designed to update or fix problems as they arise.) u00e2u20acu0153If you donu00e2u20acu2122t patch,u00e2u20ac he says, u00e2u20acu0153malware can be embedded into a website you visit and compromise your machines. Plus, whatu00e2u20acu2122s scary, he adds, is that there are a lot of seemingly innocuous websites u00e2u20acu0153that could be loaded (with malware) and reporting back to some database in Russia.u00e2u20ac

Bankers lament that many consumers do not appear knowledgeable about the risks. Kidder, the director of security at Umpqua Bank, wishes customers would pay more attention to such things as skimming fraud on ATM machines or gas pumps. u00e2u20acu0153The consumer needs to be cognizant,u00e2u20ac he says. u00e2u20acu0153If anything looks different, you might want to think twice before using that device.u00e2u20ac

Sally Greenberg, executive director at the National Consumers League in Washington, D.C., thinks banks should work more diligently with consumers to educate them about the dangers of phishing, Nigerian Internet scams, and other dangers to their accounts. Says Greenberg: u00e2u20acu0153Banks should do more to warn customers about scams, about not clicking on links asking for data and [not entering] personal information into a pop-up window.u00e2u20ac

She also hopes banks will put more emphasis on developing technology that, for example, would in the future u00e2u20acu0153be able to [recognize] counterfeit money and checks. Iu00e2u20acu2122ve got to believe that technology could see patterns with fake checks and that the banking industry could work with consumer groups to prevent some of these things from happening.u00e2u20ac

Regulatory oversight

With identity theft on the rise, federal and state regulatory officials are requiring banks to revise their information security policies by Nov. 1, 2008. As part of the Fair and Accurate Credit Transactions Act, banks must have procedures in place to watch for identity theft red flags and address discrepancies. The regulations identify 25 red flags, including warnings from credit reporting agencies, suspicious documents with personal identifying information, unusual or suspicious account activity, and notifications from customers that they have been victims of identity fraud.

Robert Rowe, senior regulatory counsel for the Independent Community Bankers of America, notes the statute and rules u00e2u20acu0153require that the board has to approve the program. It can be [handled by] an appropriate committee, but at most community banks, the whole board will be approving it and has to be involved in the oversight of the program.u00e2u20ac

Security specialists say that, along with the red flags, itu00e2u20acu2122s a good time to take stock of the banku00e2u20acu2122s overall security program and clear up any deficiencies. But finding extra money when the economy appears to be in a tailspin may not be easyu00e2u20ac”or popular. u00e2u20acu0153Tough times are when costs have to be cut,u00e2u20ac says Philip Levi, a Montreal forensic accountant.

But the fact that hard times are here should give bankers pause about making budget cuts in security, warns Doug Johnson, a senior policy advisor for government relations at the American Bankers Association. u00e2u20acu0153When you have a downturn in the economy, you find folks have a higher level of desperation, and thus, there are going to be more robberies.u00e2u20ac