FDIC's David Nelson on Cyber Fraud at Financial Institutions
RICHARD SWART: This is Richard Swart with Information Security Media Group, publishers of BankInfoSecurity.com, and CUInfoSecurity.com. Today we will be speaking with David Nelson, an examination specialist with a total of twenty-one years with the FDIC, who served thirteen years as a safety and soundness examiner, three years as a compliance examiner, two years as an IT examiner, and three years as an examination specialist at the FDIC Washington headquarters in the technology supervision and anti-money laundering terrorist financing branches. Good day, David. Could you tell us a little bit more about your role in the FDIC and could you explain how the FDIC is tracking cyberfraud?
DAVID NELSON: Sure. Recently, I have become more of an analyst. Before, I was an examiner, as you well know, but now, I've turned into more of an analyst, where I review a lot of information, information that comes from the FINCEN, in the form of FINCEN's SARs that financial institutions submit. I also review quite a bit of open source information that comes in from the newspaper, from the Department of Homeland Security, or from FBI. There's various open source intelligence sources information that I can use. Also, I, of course, we have information from FDIC examiners, that they submit, in the form of examinations and visitations, and we have that database that I have access to. There's a lot of reports out there that are prepared by other government agencies that we monitor. So, I sort of gather as much information as I can, analyze it, and determine what kinds of risks there are to the FDIC. Another, another way that we work is that sometimes we get Congressional inquiries, or inquiries from industry groups. So, we need to search through our databases, to find the information that they are looking for. And the way I do that is each quarter I go ahead and prepare a Cyberfraud and Financial Crime Report. That is based on the same type of information I just told you about. But, one of the good sources is the FINCEN SAR data. I have access to their database. What I do is I download the information into Excel spreadsheets and I try to sample the data. I can't necessarily go in and look at all the SARs, since there are thousands and thousands of them, but what I usually do is take a statistical sampling to try to obtain 90% confidence levels. So my sample may be four or five categories each quarter, and then, hopefully, over a year or two, I will have sampled all the different SAR categories. We use that data to track cyberfraud, and each quarter it seems to change.
It seems like it's a very good way to gauge the data, because it's information that is supplied by banks, based on their records. All banks need to report SAR data, not just banks, but credit unions, and money service businesses, and insurance companies. They all submit this data, which we mine and try to calculate what the average losses are and the total losses are to the financial institutions. That's how we track the current trends in cyberfraud and financial crime.
RICHARD SWART: A lot of literature recently has been discussing identity theft as the number one concern in banks, the number one threat facing banks, I should say. But is this really the number one concern facing financial institutions, or are other threats looking like they are more prominent?
DAVID NELSON: Identity theft is a significant threat. And the reason for that is because it impacts so many different kinds of financial institutions. Any financial institution that originates consumer loans, mortgages, or has deposit accounts is going to be at risk from identity theft. However, it's not the greatest overall risk currently. Currently, counterfeit debit and credit cards seem to be the greatest threat to financial institutions right now. However, if the financial institution doesn't issue credit cards, then their risk may be lessened somewhat. Another risk that we currently are seeing is the mortgage fraud threat and that is very high. However, there are some institutions that do not issue mortgages, they don't originate mortgages, so that wouldn't be a huge threat to them. Depending on what the financial institution's offerings are, what their product lines are, identity theft could be the number one threat to them. However, if they are issuing credit cards or mortgages, then those two areas are of great concern.
RICHARD SWART: You mentioned credit card and debit card fraud, and speaking of that problem, what has been the impact of the TJX data theft incident on the financial institutions?
DAVID NELSON: The TJX data theft was discovered in late 2006, and in the first quarter of 2007, we saw a huge increase in the counterfeit debit and counterfeit credit card reports from banks. In all of 2006, counterfeit debit and credit card fraud losses were in the area of around $90 million. However, during the first quarter of 2007, we saw that jump to almost $700 million. A lot of that had to do with the TJX break-in. However, there were still other areas, or other compromises that added to that number. It wasn't strictly TJX. There were a lot of other, smaller, companies that got hacked into and had their card data compromised. There is also some skimming going on; that is, skimming occurs quite a bit, but the amount of losses is smaller. Just simply because a person who is skimming card data, using one of those handheld devices, doesn't get that many cards. However, if a hacker is able to break into a large data center, or a large merchant, they are able to do a lot more credit cards than someone who is skimming. There are also a lot of unknown sources of counterfeit cards, in other words, there are unauthorized charges on the card, but there is no explanation yet - they still haven't determined how that card information was compromised, or skimmed, so it's reported as sort of an unknown category. And that's, that's roughly half of the frequency, half of the number of SARs reported are unknown. However, overall, the compromises at retailers, such as TJX, are certainly the highest percentage of losses suffered by the institutions.
RICHARD SWART: I was wondering if you could quickly tell us, how much impact has the October 2005 FFIEC guidelines on authentication had on financial institutions.
DAVID NELSON: It's tough to gauge right now, since the deadline went into effect on December 31st of 2006. Banks have had one quarter, or six months now, under the requirement. And the first indications are that this authentication guidance is working, it seems. It seems to be that the losses that are being reported by financial institutions, related to ID theft, have declined significantly. And the reason behind that decline is because there are fewer identity theft incidents and losses related to deposit account takeover, and unauthorized access to those accounts, and generally, we know that things like Phishing or data compromises can cause consumer customer information to be compromised, and scam artists can use that data to access the customer's account, and then transfer funds. We've seen ID theft declining, and the most significant area of that decline is in the deposit account area. We're seeing banks doing a better job of authenticating customers before they are able to access their account or transfer funds. What else is happening in that area? A problem now we see is less in the deposit accounts, but in loan account openings, there is still a problem with data compromises in, not necessarily retailers, but also with universities or other businesses, or perhaps healthcare businesses that hold a lot of customer information. Just like a bank's information, that data can be compromised in some way, and then used to open up a loan account. We are still seeing credit card loans and consumer loans that are impacted by identity theft. However, overall, identity theft seems to be being controlled, at least for the first quarter. That information changes as soon as the hackers determine a new way to compromise an authentication system, or authentication method, they will do so. It could be a different story in another few months, if the Phishers and hackers find another way around the stronger authentication.
It's always a cat and mouse game with the hackers, and trying to have the banks try to stay one step ahead of them. It's very difficult.
RICHARD SWART: Let's change gears for a second. As an examiner, what skills do you look for in assessing the capabilities of a financial institution's information security officer? What skills do they really need to have?
DAVID NELSON: Well, they need to have skills. The first thing they need to do is to be independent. They need to have independence, so that they can objectively take a look at access levels. They have to be able to look at the employees' activities online. There's a lot of different things. And some of them also have other duties, quite often. If they're independent, then they're also used to, say, conduct compliance audits or IT audits, or something along those lines. Knowing that they are busy people, they should probably have good time management skills. They have to have the ability to cover a lot of ground, especially if they have other duties in the audit area or in the compliance area, or in the money laundering area. That's the first thing, independence. The second thing is time management skills. And the third thing is to have experience and training. The training needs to be risk-based, and also needs to be based on needs, that should be needs-based training that they have. If they have numerous duties to take care of, then they need to have training in all those different areas. It all depends. Each institution is different. Some are large institutions. Some are small institutions, where the security officer wears many different hats, so that the training and skills requirements are different in each instance. We're going to take a look at their assignments, and look at their experience and training, based on what their assignment is.
RICHARD SWART: How important are information security certifications to the FDIC, and which certifications do you emphasize?
DAVID NELSON: I have a Certified Information Systems Auditor designation, and also the Certified Information Systems Security Professional certification. And I find that both of them are very helpful, for me. I am sort of a generalist. I'm not able to, or, I'm not required to know specifics about certain systems, certain computer systems, or certain computer networks. I can, with a general certification, it's easier to go from one shop to the next. However, some institutions may want their computer security people to have specific certifications, such as Microsoft, or perhaps UNIX, or something along those lines. But, I think that having a general knowledge that is provided by the CISA and the CISSP is best, because it's general. And you can apply them to any kind of either network or mainframe security system.