This article can also be found in the Premium Editorial Download "Information Security magazine: Combatting the new security threats of today's mobile devices."
Download it now to read this article plus other related content.
It is now a well-known, new-millennium adage that "every time an institution builds a higher wall to fight fraud, the criminals just get taller ladders."
This phenomenon not only continues to be true, but in addition to building taller ladders, criminals are also building more of them and expanding their targets. Looking for every chink in the walls, seeking out the edges and in areas that aren't as solid as they should be, fraudsters are making it much more difficult for financial institutions to build individual walls as point defenses against fraud.
Fortunately, there are technologies available in the online banking security market to create fortresses around vital assets. These new solutions are in part evolutionary versions of technology that has been around for a number of years, as well as new ways of looking at the problem of fraud through dynamic analysis, and even non-technology processes that turn those individual walls into gated communities.
Read on for a closer look at these anti-fraud systems -- the benefits they offer as well as some of their limitations.
THE NEIGHBORHOOD WATCH
In a neighborhood watch, a community comes together to create a vigilant system that keeps an eye on trouble before it has a chance to damage any property. There are systems available today that can look for certain behaviors and stop criminal activity by alerting subscribers to imminent threats so that they can arm themselves before an attack
RSA Security, for example, markets its eFraudNetwork as such a watch system. This network monitors 150 countries for suspicious and known fraud threats including phishing, spoofed web sites, and known sources of criminal activity, pulling that information into a shared database that is used by the company's clients as the basis for adding protection to their authentication and transaction monitoring systems. When a fraud pattern is identified in any of the eFraudNetwork members' systems, the network immediately stores the associated data (IP addresses, URLs, device information, account information, etc) in a shared data store that is used by the company's real-time fraud detection solutions to watch for and catch the same pattern at other institutions. At the same time, RSA Security uses the information to shut down phishing sites through its partnership with ISPs and web providers worldwide.
Fiserv also provides a similar neighborhood watch capability in its FraudNet product. Used in the area of bill payment, FraudNet looks for suspicious activity and known fraud events and uses that information in a shared manner to prevent fraud occurring in its CheckFree bill pay service. If a bill payment instruction is flagged as fraudulent in any of its members' systems, the FraudNet solution uses fraud information, such as user ID, IP address, and payee informationto watch for similar patterns in the whole CheckFree service. If a similar pattern is detected, the system can stop the instruction or provide the information to the institution for secondary challenge to the user or even manual review before the transaction is committed. Subscribers to that service benefit from Fiserv's vigilance in deterring fraud before the fraudsters attack their institution. The company claims that 35 percent of all fraud detected in their bill pay service was found through the sharing of fraud information in the network./p>
If an intruder does make it past the neighborhood watch, the next layer of protection is at the front door, where the criminal faces a lock. In the case of an online banking application, this is the job of the institution's authentication system. While most consumers continue to use essentially the same authentication systems they have always used, mainly user ID and password, what goes on behind the curtain has become more sophisticated than ever. And in the business world, what was once sufficient to create stronger authentication -- one time passwords or tokens, for example -- is proving to be vulnerable to exploitation as well. To compound the problem, customers continue to ask for more authentication endpoints, both software and device based, and in-band and out of band systems.
Current authentication products add breadth of channels and a layer of intelligence to the authentication methodologies of the past. In addition to collecting second-level information like geography and IP information during the authentication process, today's technologies also bring in behavioral data to bear before authenticating a user, including typical access times and types of activity performed. In addition, the latest solutions are also based on a shared services model where risk information is shared between the company's customers, allowing them to use information from one institution to protect the whole community.
Because of the increasing breadth of endpoints available to the user today, many authentication systems are also expanding their reach across multiple origination points. By supporting a wide variety of devices, such as computers, traditional mobile devices and smart phones, and a variety of authentication methods such as certificates, hard tokens, and SMS-based one time passwords, authentication products from vendors like Verisign and Entrust, to name a few, can make it easier for the institution to manage an enterprise-wide deployment using consistent technology and processes.
THE SURVEILLANCE CAMERA
When all else fails, and the criminal is able to bypass the neighborhood watch and door locks, it is up to real-time surveillance to capture fraud activity as its happening but before any real loss occurs.
Most of today's fraud detection systems are based on capturing information from authentication all the way to transaction origination and using this and other information to flag any suspicious activity upon which the institution may want to act. While techniques may vary from vendor to vendor, the common goal of these systems is to score the activity as it occurs and deliver a risk score to the online banking application.
An example of the kind of troubling fraud techniques anti-fraud systems are up against is the "man-in-the-browser" attack. In this specialized Trojan horse program, the fraudulent software interjects between the end user and the institution. While the Trojan horse presents what the user sees as a legitimate session in the browser, the program actually sends the institution different instructions altogether, changing transaction types, amounts, and account numbers to the bank. This type of fraud is extremely difficult to catch as it bypasses even some forms of strong authentication and it looks like a normal session to the end user. Even many fraud detection systems can be fooled since the user authentication was successful and the transaction looks normal as well.
But the latest fraud detection software uses behavioral analysis and intra-session monitoring to catch these kinds of attacks. Vendors such as ArcSight and Guardian Analytics provide real-time tracking of behaviors that take place from login to logout, capturing everything from the authentication to all transaction requests, monitoring how the user moves between pages, what business activities are being performed, and even tracking that activity from day to day as the systems "learn" user behavior. These kinds of systems can more easily catch man-in-the-browser attacks by monitoring the entire online banking session and comparing it against known good or normal user behaviors. The suspect sessions are then typically reported to the online banking application in order to either suspend the session or perhaps present a secondary challenge to the user before the transaction is committed.
As Craig Priess, vice president of products at Guardian Analytics puts it, "Sometimes what a user doesn't do during a session is as important as what they do in order to establish a normal model of behavior." The company's FraudMAP product provides a predictive behavior analysis engine that relies less on rules and uses behavioral models instead. This approach allows the system to detect novel threats that have not been witnessed before and signals the institution through a high confidence score to the possibility of a threat. This type of method yields a second benefit to the industry as it inherently requires a smaller overhead to manage than rules-based approaches typically need.
Most of today's fraud detection solutions are not exclusive to the online channel -- they not only monitor for suspicious activity during the whole online banking session, but can also correlate this activity with behaviors from other channels as well, such as ATM, branch, and call center activity. As fraudsters continue to diversify their attacks, this kind of enterprise approach is critical to preventing more sophisticated threats that span the institution's delivery network. A criminal may use customer information to call the institution's contact center for balance or limit information, then use the online channel to transfer funds, and ultimately use card information to access funds at the ATM.
TUNED FOR BUSINESS
If the man-in-the-browser attack represents the increasing height of the fraud ladder, then certainly the increasing attacks against small businesses represents the building of more ladders. More and more fraudsters are recognizing that there is profit to be made by seeking out the small business community and getting credential information through phishing, pharming, and malware. The result of this activity is that more of the fraud is moving from consumers to small business and from the top tier institutions into the regional and large community bank space.
This phenomenon requires that both technology and business knowledge be used to prevent the increasing danger to the small business market. Rules-based detection systems must have built in to them the concepts of business behaviors that are fundamentally different from consumer activities. The typical steps taken to originate an ACH payment or wire transfer, for example, are not found in the consumer paradigm. In addition, authentication in the small business and corporate cash management worlds are almost always different and stronger than found in the retail banking world -- requiring technology solutions to support multiple authentication events during the same session, for example. For fraud detection and prevention solutions that use behavioral analysis, it is also important that the providers understand the business domain in order to architect, deploy, and support systems that can recognize the different behaviors between a $5 million enterprise and a $500 million dollar company.
For banks, balancing security with customer ease of use is a constant concern. What's interesting is that many anti-fraud systems and initiatives do not seem to be deployed at the detriment of consumer convenience. Some authentication methods such as one-time passwords do inherently force the user to add a step to their normal login process, but few consumers or businesses complain about this added step as long as they understand it is being done for their protection. Likewise, financial institutions are walking a very balanced line when it comes to configuring the trigger point when a suspicious activity is flagged by a detection system. If the trigger is set too low, the user may be wrongfully denied a transaction, but most institutions are either erring on the side of the consumer, letting the users themselves set the appropriate triggers or setting a secondary challenge to the user instead of shutting them off altogether. These steps minimize any negative customer impact.
So why aren't more institutions deploying fraud detection systems today? A recent banking panel on online fraud detection and prevention highlighted the largest issue facing the financial services industry today when it comes to fraud prevention. Four representatives from both security and line of business areas at different institutions were asked if they intended to continue to invest in technologies to prevent the escalation of online banking fraud. The first panelist nodded vigorously, stating that his institution was indeed continuing to invest whatever funds necessary to keep fraud to an absolute minimum. The next two panelists agreed, pointing to customer satisfaction and brand trust as factors that were as important as real funds lost through fraud. The fourth panelist, however, did not only disagree, but he also stated that his institution would not spend a dollar more on fraud detection and prevention technologies until it could be proven that he would make that dollar back through fraud reduction.
At a cost of tens of thousands to millions of dollars to deploy, based on the numbers of active online banking users, few ROI models exist that can point to quantifiable savings from reducing fraud that is escalating but difficult to measure in terms of potential damages. Hesitancy around the sharing of information between institutions on the actual size of the problem also prevents a group-think approach to solving the ROI problem. In response, many vendors are offering their technologies on a "software as a service" basis, reducing the initial capital expenditure needed to deploy anti-fraud programs, and making it easier for smaller banks to protect themselves.
In addition, many banks that do implement fraud detection systems are finding that the actual deployment of technology is usually only one part of a much larger fraud program that should also include system configuration, marketing, customer education, call center support, and enterprise fraud management resources. The total investment necessary in order to get quantifiably meaningful results goes well beyond the licensing of software. Those institutions that do not understand the total commitment are usually dissatisfied with current implementations and are reticent to invest further while many institutions that do understand the size of the commitment necessary to get substantial benefit from anti-fraud programs are understandably overwhelmed by the sheer size of the effort.
COMMUNITY EFFORT IS CRITICAL
It is apparent that today's technologies to help combat fraud are more sophisticated than ever, using strong authentication techniques, complex behavioral modeling, rules, shared data and dynamic responses to help the institution prevent losses from fraud. And most of these anti-fraud systems are designed in such a way that any foreseeable threat can be managed by tweaking the rules or configurations, in most implementations.
Many vendors have built anti-fraud solutions that are linked across multiple channels and even across multiple institutions, but only the larger anti-fraud providers such as Actimize have built fraud case management systems that institutions can deploy onsite. Case management systems can be implemented from non-fraud specific vendors (Pegasystems, SAS), but very few financial institutions are in a position to evolve to that step today.
However, in order to make a real dent in fraud reduction, online banking providers, fraud technology vendors, and institutions need to take a wider, shared approach to the problem and commit to combating fraud at the enterprise level and at the industry level.
n order to build an effective gated community, each member has to not only protect each individual home, but also contribute to the protection of the community itself.
Jerry Silva is a principal at PG Silva Consulting, bringing 25 years of financial services experience, and specializing in the acquisition and implementation of financial services technology serving both providers and institutions. Send comments on this article to firstname.lastname@example.org.
This was first published in March 2010