The Real Source of Fraud
Are Institutions Missing the Mark on Social Media?
Banks and credit unions, as they work to meet expectations called for in the Federal Financial Institutions Examination Council's updated online authentication guidance, are investing in layered security and authentication approaches that are thwarting online attacks and incidents of corporate account takeover. [See FFIEC Authentication Guidance.]
Other industries are taking similar precautions, by partnering with and in some cases outsourcing online-channel management to third-party security management companies.
Securing the peripheries of online channels is critical. For financial institutions, that means enhancing the ongoing security of their own banking platforms, and continually educating and working with their retail and commercial clients to ensure their systems remain secure as well.
But in their efforts to enforce security layers and multifactor authentication, are banks and credit unions still missing a core problem - the real vulnerabilities fraudsters are banking on?
The problem: social networking, and the amount of information executives, administrators and all of us, for that matter, share about ourselves on social networks.
Fraudsters have evolved. No longer do they simply launch attacks on networks and systems. Today, they rely on a number of tools, including information-gathering based on social engineering and trolling social networking sites such as Facebook and LinkedIn.
The industry has known this for a long time. In fact, a big part of the educational efforts financial institutions have implemented for their customers revolves around identifying targeted attacks, such as spear-phishing, which exploit human trust.
But what we should be focused on is how fraudsters are putting those targeted attacks together in the first place. From where are they gathering their information, and what steps can and should we take as an industry to break that information chain?
Mark Kay, who spent 26 years building ACH systems at JPMorgan Chase, now serves as chairman and CEO of StrikeForce, a startup that's offering out-of-band authentication solutions to banks and others. Kay says, until we address the privacy risks posed by social media networks, we will never keep up with the fraudsters.
"The easiest way to get in is by stealing someone's name and password, and the best way to do that is by getting it through the social media networks," he says. "Most people's names and passwords are the same everywhere they go, and it's likely the same password the admin uses for personal e-mail is the same password he uses to conduct ACH transactions."
The FFIEC guidance is focused on risk-related access to online banking. But that's just one piece, and it's not a catch-all for ACH fraud. "It could be ACH, but not always," Kay says. "The FFIEC covers any high-risk transaction that is initiated online."
But from an ACH perspective, more fraud is committed not by an online-banking breach, but because a fraudster socially engineered logins and passwords from administrators or executives. "ACH and online banking are not how they get your credentials," Kay says. "They get the credentials from somewhere else and then commit the fraud."
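As an added illustration of the control Kay is describing (example code written for this piece, not StrikeForce's product or any bank's system), the Python sketch below shows why a password harvested from a social network or a reused personal account is not, by itself, enough to move money when a high-risk ACH transfer also requires a single-use code delivered over a separate channel and bound to the exact transaction. The account name, password, amounts and beneficiary identifiers are constructed, and the "second channel" is an in-memory inbox standing in for a phone.

```python
import hashlib
import hmac
import secrets
import time


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the stored pair never reveals the password."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(password, salt, digest):
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def transaction_fingerprint(user, amount_cents, beneficiary):
    """Ties a challenge to one exact transaction, so a code approved for one
    transfer cannot be reused to approve a different amount or beneficiary."""
    return hashlib.sha256(f"{user}|{amount_cents}|{beneficiary}".encode()).digest()


class OutOfBandAuth:
    """Single-use confirmation codes delivered on a second channel. The channel
    here is an in-memory inbox per user standing in for SMS or a push message
    (a simulation for this example, not a real delivery service)."""

    def __init__(self, ttl_seconds=300):
        self.ttl = ttl_seconds
        self.pending = {}  # challenge_id -> (user, fingerprint, code, expiry)
        self.inbox = {}    # user -> [(challenge_id, code), ...]

    def issue(self, user, amount_cents, beneficiary):
        challenge_id, code = secrets.token_hex(8), f"{secrets.randbelow(10**6):06d}"
        fp = transaction_fingerprint(user, amount_cents, beneficiary)
        self.pending[challenge_id] = (user, fp, code, time.monotonic() + self.ttl)
        # Delivered to the registered phone, never back into the browser session.
        self.inbox.setdefault(user, []).append((challenge_id, code))
        return challenge_id

    def confirm(self, challenge_id, user, amount_cents, beneficiary, code):
        entry = self.pending.pop(challenge_id, None)  # pop: single use, any outcome
        if entry is None:
            return False
        owner, fp, expected, expires = entry
        if owner != user or time.monotonic() > expires:
            return False
        if not hmac.compare_digest(fp, transaction_fingerprint(user, amount_cents, beneficiary)):
            return False
        return hmac.compare_digest(expected, code)


class AchPortal:
    """Toy online-banking back end: a password opens the session, but a
    high-risk ACH transfer is booked only after out-of-band confirmation."""

    def __init__(self):
        self.users, self.oob, self.ledger = {}, OutOfBandAuth(), []

    def register(self, user, password):
        self.users[user] = hash_password(password)

    def start_transfer(self, user, password, amount_cents, beneficiary):
        """Step 1: password check, then a challenge goes out on the second channel."""
        if user not in self.users or not check_password(password, *self.users[user]):
            return "password_rejected", None
        return "oob_required", self.oob.issue(user, amount_cents, beneficiary)

    def complete_transfer(self, user, challenge_id, amount_cents, beneficiary, code):
        """Step 2: booked only if the code matches this exact transaction, once."""
        if not self.oob.confirm(challenge_id, user, amount_cents, beneficiary, code):
            return "oob_rejected"
        self.ledger.append((user, amount_cents, beneficiary))
        return "completed"


def demo():
    """Plays out the article's scenario with constructed accounts and values."""
    bank, out = AchPortal(), {}
    bank.register("ach_admin", "Summer2011!")  # constructed password, reused elsewhere
    amount, payee, other_payee = 950_000, "ACCT-CONSTRUCTED-1", "ACCT-CONSTRUCTED-2"
    out["wrong_password"], _ = bank.start_transfer("ach_admin", "guess", amount, payee)
    # A password harvested from a personal account is valid here too, but on its
    # own it stops at 'oob_required': the code went to the real admin's phone.
    out["stolen_password_only"], cid = bank.start_transfer("ach_admin", "Summer2011!", amount, payee)
    real_code = bank.oob.inbox["ach_admin"][-1][1]
    wrong_code = "000000" if real_code != "000000" else "111111"
    out["guessed_code"] = bank.complete_transfer("ach_admin", cid, amount, payee, wrong_code)
    # The admin starts a transfer and reads the code, but the beneficiary submitted
    # in step 2 differs from the one the code was issued for, so it is refused.
    _, cid = bank.start_transfer("ach_admin", "Summer2011!", amount, payee)
    code = bank.oob.inbox["ach_admin"][-1][1]
    out["code_used_for_other_beneficiary"] = bank.complete_transfer("ach_admin", cid, amount, other_payee, code)
    # The untampered transaction with its own code succeeds exactly once.
    _, cid = bank.start_transfer("ach_admin", "Summer2011!", amount, payee)
    code = bank.oob.inbox["ach_admin"][-1][1]
    out["legitimate"] = bank.complete_transfer("ach_admin", cid, amount, payee, code)
    out["replay"] = bank.complete_transfer("ach_admin", cid, amount, payee, code)
    out["ledger_entries"] = len(bank.ledger)
    return out
```

Two design points carry the argument in the text: the code is tied to a fingerprint of the user, amount and beneficiary, so it confirms one transaction rather than a session, and each challenge is consumed on first use whether or not the attempt succeeds, so a failed guess cannot be followed by a retry against the same challenge.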
It's an interesting observation, and one that's shared by others, such as Bill Wansley, a consultant at Booz Allen Hamilton. Social media poses more concerns than malware, Wansley says. The link between social media and targeted phishing attacks cannot be ignored.
"That is a concern that is now starting to get the attention of bank information security officers and bank risk officers," Wansley says. "They are all working to ensure that the training of their staff is up to a level where they can recognize when they are being targeted."
How much of that social-media training will banking institutions include in their education plans for 2012, and will regulators be expecting some attention to be paid to social-networking vulnerabilities in institutions' risk assessment strategies?
Here's one piece of advice I can share with relative certainty: The more institutions do to enhance security and mitigate risks, the better off they are going to be, whether they're being viewed through the eyes of the public or the magnifying glasses of the regulators. At the end of the day, it really is not about squeaking by, by conforming to the lowest rung of mandates. It's about enhancing security, and that means getting at the root of the fraud.