FFIEC Authentication Guidance: Preparing for 2012
Experts: Time to Focus on Risk Assessments, Layered Security and Fraud
Angel Grant and Marshall Toburen of RSA have expert insights on exactly what institutions need to prepare to face.
"It's important for us to remember that the fraudster community has easily learned how to manipulate and move from channel to channel," says Grant, senior manager for anti-fraud solutions. She sees the fraudsters easily moving across banking channels, finding new vulnerabilities and launching new attacks to give them access to customer accounts. "I find this trend troubling because we tend to forget that fraudsters follow where they can make money. So, like us, they're always looking for what the ROI is, and they're aware that most institutions are primarily focusing their security efforts on just the web channel."
Toburen, who manages risk-related solutions for RSA-Archer, sees a trend in which fraudsters are focusing less on draining commercial accounts and more on consumer accounts, which don't always have the same levels of protection.
"It's challenging for the financial institution because they can't impose the same level of security controls around their consumer [accounts] as they do their commercial," he says. And the consumers don't have a vested interest in taking on more responsibility for their own security.
In an exclusive interview about the FFIEC Guidance and how institutions should prepare best for their next regulatory exams, Toburen and Grant discuss:
- The most troubling fraud trends going into 2012;
- How institutions need to improve risk assessments before their next examination;
- The most effective layered security controls, including out-of-wallet challenge questions, for institutions to consider.
TOM FIELD: Angel, I want to toss this question to you first and Marshall I would welcome your response as well. What does the FFIEC authentication guidance tell us about today's threat landscape?
ANGEL GRANT: The new supplement really tells us that today's threat landscape has dramatically changed since the initial guidance was issued in 2005. There have been changes not just in the sophistication and evolution of those events, real-time attacks such as man-in-the-browser or Trojans like Zeus and SpyEye, but there's also been a change in the traditional customer base and the functionality and the frequency of user transactions online. For years, we thought a primary focus for many financial institutions centered on protecting just the log-in and helping prevent unauthorized access to accounts. But what we're seeing now is more targeted attacks against the actual transaction itself. This is why this new FFIEC supplement emphasizes how important it is not only to protect the log-in, but also to protect the transaction. Also with today's threat landscape, it's clear that the traditional KYC, or know your customer, policies simply are not enough. You not only need to know your customers now, but also you need to know what type and frequency of transactions they're conducting. By taking this approach, it will allow institutions to continuously adapt the security against these evolving threats, as [there's] no longer such a thing as a one-and-done security implementation anymore.
MARSHALL TOBUREN: I certainly agree. This updated guidance tells us that the regulators are increasingly concerned with transaction fraud and information breaches, and the frequency and sophistication of these attacks has increased significantly since they issued the original guidance. Like the first issuance, which focused on risk assessments, this re-emphasizes the importance of risk assessments, and unlike the last guidance though, it's a little more prescriptive to financial institutions on the issues that they need to consider within those risk assessments. I think for the larger financial institutions that have more sophisticated information security programs, they have been focusing a lot on their risk assessment and looking across the various domains and threat environments, but for the smaller financial institutions this guidance is more prescriptive and gives the financial institutions some specific issues that they need to take a look at as they do that risk assessment. There's the emphasis to do it and there are the targets that they need to be focusing on.
FIELD: Let's look ahead. What do you see as the most troubling fraud trends as we go into 2012?
GRANT: There are a couple of fraud trends that I see as troubling as we enter into 2012. The first is a continuing evolution and sophistication of banking Trojans, this fun cat-and-mouse game we have going on. As soon as we modify our security to combat one threat, these Trojans have morphed into something new to bypass that layer of protection. A man-in-the-browser Trojan like Zeus is a perfect example of a Trojan which is continuously morphing and it can fully automate the fraud process from the initial infection to cash-out of the account. This means it can not only hijack these accounts to take over the user's credentials, but it can also take over the user's device. While all this is going on, the funds of the account are being drained. A legitimate user is completely unaware because the details of that correct transaction and the original balance are still being displayed to that user.
The second trend I see as troubling going into 2012 is our lack of focus on securing the mobile channel. It's important for us to remember that the fraudster community has easily figured out ways to move and manipulate from channel to channel. We're seeing the fraudsters continuing to steal or purchase credentials, attack the web channel, recognize this channel has been secured and then move to the more vulnerable channel like your call center, where they'll go in and socially engineer your call center agent to do things like add a payee, change your password, add a beneficiary or change an e-mail address. As that mobile channel starts to increase, and the adoption starts to increase, fraudsters have really noticed our lack of focus on securing this channel and they have already started to explore how they can best exploit this channel. Although there hasn't been a ton of attacks against mobile channels yet, they're starting to create what I call "feeler attacks." They're starting to do things like man-in-the-mobile, SMS-bypassing attacks to see how we will react and respond to these types of attacks. I find this trend troubling. We tend to forget that fraudsters follow where they can make money, so they're like us. They're always looking for what the market trends are and where they can make the most ROI, and they're definitely in pilot mode right now in the mobile channel, trying to figure out how they can best manipulate that channel too.
TOBUREN: What that means in terms of trends with respect to customers is that as the financial institutions secure their commercial account channels, the fraudsters tend to move from the commercial side of the house to the retail side of the house. The progression across the industry is they go after the biggest financial institutions. As the big financial institutions get their security in place, they move to smaller financial institutions that may not be as far along in the maturity curve.
But as those institutions address their commercial, then the fraudsters are left with a new channel, as Angel mentioned, the mobile space, but also other aspects of the retail channel. And the problem for the financial institutions is that while the big dollar transactions are concentrated in those commercial accounts, they're protected under Article 4A of the Uniform Commercial Code, and if they've set their contracts up with their commercial customers correctly, they will generally be protected. It won't keep them out of the newspaper necessarily, but from the amount of loss they may sustain, they should be reasonably protected. But as the fraudsters move into the consumer space, the consumer relationship with the financial institution isn't governed by 4A. It's governed by the laws that are set up by the federal government, and generally speaking the consumers are protected at a fairly low dollar threshold for electronic-type losses. So in some respects the type of loss has changed as fraudsters move into the retail space, and the consumers are more prone to social engineering and may not necessarily pay as much attention to recommended security practices around protecting credentials, practicing safe computing or installing anti-malware. It requires a little bit different approach to the consumer space.
FIELD: Marshall, a few minutes ago you mentioned risk assessments. In your view, where do institutions really need to improve their risk assessments before their next examination?
TOBUREN: Regulators take risk assessments very seriously and they can criticize a financial institution for not performing them or not performing them with an adequate scope. To really achieve best results and the intent of the law, the risk managers in the organizations, and I would include both the information security risk folks as well as the business risk folks, need to take a step back and look at the overall environment that the bank operates within. What are the products and services that the bank offers? How is money moved in and out of the company? How is information presented to customers and third parties? Then, how is the whole infrastructure put together from the database to application server, but also through the delivery channel on the various websites? And I would add, for financial institutions that are using third parties to deliver content, that they also look at those third-party controls.
Number one, you have to gather the whole population, document the population and then do an assessment on the inherent risk, that is, the amount of risk in the absence of controls: if information was breached or unauthorized transactions were to occur, how large would they be? And from there, with limited resources, you could begin to work backward into the technical details around the security of that information or protecting those transactions. For large organizations it can be fairly involved, and for small ones less so, assuming they don't have a lot of sophisticated delivery channels. But if they do that and they periodically refresh their risk assessment as the environment changes, then they should be in pretty good shape.
FIELD: Angel, let's talk about fraud detection and transaction monitoring for a moment. What are some of the best practices that you see now?
GRANT: First is to place an emphasis on device identification, anomaly detection and behavioral analysis, which help determine users' normal patterns of behavior against each transaction that's conducted on the account. As I mentioned before, you not only need to know your customer, but you need to know your transactions now. It's important that institutions can identify the activity on a customer's account that may be anomalous to that specific customer's unique behavior. A basic example of this would be you have one customer who's a frequent user of online banking and transfers large sums of money on a regular basis, so if you see this user initiating several large payments over the course of a few days it may not be suspicious. However, if you see another user that typically just logs into his account once a week and pays household bills now start to initiate larger payments from a different device than they would normally use, this account activity should be considered highly suspicious.
The next best practice I would recommend is to be able to understand the difference between humans and Trojans. There are certain types of behaviors that might appear to be a real user, but are actually indicators that the session has been hijacked by a Trojan. For example, a man-in-the-browser Trojan can use HTML injection to introduce additional fields into a user's session. With advanced analysis, this type of activity can be detected, and it should immediately raise a red flag that something is wrong.
Finally, when an institution detects suspicious activity on a high-risk transaction, they need to decide what to do. We tend to see two primary schools of thought here. Do you challenge the user visibly, or do you delay and investigate? Some financial institutions I have worked with have chosen to initiate visible challenges such as step-up authentication, things like one-time passwords or KBA [knowledge-based authentication] questions, and they're doing this in an attempt to confirm a user's identity or intention to conduct a transaction. The other school of thought chooses to automate their security decisions through invisible monitoring and allow higher transactions to be sent to a team of fraud analysts for further investigation. Taking this approach gives an FI the ability to drive their decision making based on what their organizational risk threshold tolerance is.
FIELD: Angel, you used the word challenge. Now the guidance says that current challenge questions are ineffective. What do you recommend as an alternative?
GRANT: After the 2005 guidance, most FIs really focused on implementing static challenge questions such as, "What is your parent's name or what was your high school mascot," and this was primarily adopted because it was considered a lower cost, easier way to authenticate users. But we see the updated supplement has taken into consideration how our information sharing habits have dramatically changed since 2005. If you think about it, Facebook was just launched in 2004 and now it has over 800 million people sharing all types of information they would normally use as responses to these challenge questions.
Moving forward, I would recommend ... a couple of things as they select an alternative. The first, their security should align with risk, so if an FI wants to retain their current challenge questions, they need to evaluate the current implementation and accommodating risk factors. As an accommodating risk factor they should consider alternatives such as better device identification or transaction monitoring or better detection of the anomalous behaviors I mentioned before. Also, as I evaluate the appropriate balance between the consumer experience and fraud prevention, some may consider completely ripping out their challenge questions and replacing them with alternatives such as a one-time pass code or out-of-band authentication, and the solution we have seen most of the market start to evaluate as a challenge question replacement is dynamic KBA. This is otherwise known as out-of-wallet questions. They're looking at KBA as a good authentication and fraud prevention alternative as it helps validate the user's identity in real time, and unlike challenge questions, KBA questions can be dynamically generated, a top-of-the-line questions-and-answers set that the user will be able to answer easily, but hopefully a fraudster will not.
FIELD: That's a great segue to a question I asked at the top of this conversation. I would like to hear from both of you, starting with you, Angel. What do you see as some of the most effective layered security controls for institutions to consider now?
GRANT: Financial institutions should implement layered security and other controls that are in line with the magnitude of transactional risk. While the authentication of customers that log in with things like user name and password, one-time pass code and KBA presents that first layer of security for users logging into accounts, additional layers of security and controls are necessary to ensure that first layer of authentication has not been compromised by advanced threats like keyloggers and malware, which are able to capture the data used to authenticate that user at log-in. An effective approach would be to not only provide that basic log-in protection, but layer it with some form of risk-based authentication with step-up authentication for higher risk or suspicious activities. This, coupled with sophisticated device identification, behavioral analysis, anomaly detection and transaction monitoring capabilities, would provide that effective layered security approach. Even if a cyber criminal is able to still use his credentials, take over his device and circumvent log-in, there's still that other invisible layer of defense that's very difficult to get around and will adapt and detect new threats over time.
TOBUREN: I certainly agree with the point about behavioral analysis. I mentioned the consumers and the fact that fraud is moving into the consumer space and consumers don't have the same motivation or interest in providing security. Behavior analysis provides an advantage for financial institutions, in that as the final layer in the process, as Angel mentioned, it's looking at the standard types of things like geo-location, but it's also analyzing in some cases for individual consumers the time of day that they typically come in and do their banking, the day of the week that they do their banking, computer types that they're using, the operating system, the operating system version.
For example, to speak to mobile banking, if a consumer normally comes in and does their banking using a PC with Vista operating system 2.1, and now all of a sudden they're coming in with a mobile banking application, it scores a little bit higher risk and it's potentially a fraud scenario, but it also looks at the type of business that a customer is transacting. Customers have a standard pattern of activity and so sometimes when they come in just to do bill-pay and they may never look at their statements, they may never change their e-mail address or their mailing address, and so these behavioral tools build a pattern and when it sees anomalies out there it begins to score that risk higher. For consumers where there are tens or hundreds of thousands of consumer accounts with online banking activity, this is really the best way to try to find those needles in a haystack and address those before our losses are sustained.
FIELD: Marshall, one of the key tenets of the FFIEC guidance is customer education. What are your recommendations regarding education, for both the retail and the commercial customers?
TOBUREN: Education is really critical, both on the commercial and the consumer side. For the commercial side you have to do education to reinforce your responsibilities under Article 4A, so you're talking to generally a clientele in a larger company that is already pretty sophisticated and their security may be well and very operationally sound. But for the smaller businesses, sole proprietorships, you can kind of look at those the same way that you might look at consumer-account education. In those cases you need to be a little more basic in terms of telling them and repeatedly telling them that they need to protect their credentials. Don't use unsecured wireless. Don't download malware or spyware, and make sure that your computer's anti-malware program is loaded. Don't place your passwords and your IDs in a location where somebody else could get to them. Don't give your passwords and credentials up to a phishing attack. Notify the financial institutions promptly if you think your account has been compromised, and if you see reports or notifications from your financial institution that the name and address, phone number and e-mail have been changed or other security settings changed, definitely respond as quickly as possible to try to prevent any loss from occurring.
FIELD: It's time for one final question. I would love to get final thoughts from each of you. Marshall I will start with you. As we look at conforming with the FFIEC guidance, what do you see institutions most overlooking now?
TOBUREN: Really repeating what I had said earlier, I think there are two things if I were in a situation of enhancing security within an FI. One, I would take a step back, look at my risk assessment and make sure that I had taken a holistic approach. Look to see that it's integrated in with the overall eGRC program for the company. One area that I think is so often overlooked: in larger companies that may have an information security function, they don't necessarily talk with the traditional risk management function of the company where loss management occurs. I think there's a lot of value in looking at the losses for unauthorized transactions that have been posted within the FI. Many times those unauthorized transactions have something to do with a compromise or an attack. It might be an online compromise. It could have been a phishing attack or it could have been a more traditional stolen checkbook, but in any case those are very prescriptive and are valuable in back-testing the effectiveness of the risk assessment process and whether there are other elements that need to be included there.
Then lastly, to repeat myself, I'm a very big proponent that as you get the stronger authentication tools implemented in your organization, both on the commercial and the consumer side, don't forget the use of behavioral analytics tools to supplement those layers of security to help you identify emerging problems as they occur.
GRANT: What I'm seeing as an area overlooked is the mobile channel, because the mobile channel wasn't specifically called out in the guidance. I'm seeing that's an overlooked area. When I am talking with FIs, I'm always emphasizing to them that we need to ensure that we learn from our past security lessons. In the early 2000s when most FIs rolled out their online banking, security was an afterthought. As most companies are so focused on the functionality they wanted to provide online, this is all new. Now I'm starting to see the trend again as FIs are rolling out their mobile banking strategy. They're so focused on what functionality they should include in that channel, they're forgetting to include security in their bigger plan. We must not go down that path again. The security must not be an afterthought. Even though the supplement did not specifically call out mobile channels, banks should assume that they should apply this guidance across all of their channel platforms.
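The behavioral scoring Grant and Toburen describe (a per-customer baseline of device, hour, transaction type and amount, an HTML-injection signal, and the choice between a visible step-up challenge and routing to fraud analysts), as an added example that is not part of the interview or of any RSA product. Customer histories, point weights, thresholds and form field names are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev

# Form fields a legitimate payment page is assumed to submit (constructed).
EXPECTED_FIELDS = frozenset({"payee", "amount", "memo"})

@dataclass(frozen=True)
class Txn:
    customer: str
    device: str        # identifier produced by device fingerprinting
    hour: int          # local hour of day, 0-23
    kind: str          # "billpay", "transfer", ...
    amount: float
    fields: frozenset = EXPECTED_FIELDS  # fields present in the submitted form

def baseline(history):
    """Summarise a customer's normal behaviour from past transactions."""
    amounts = [t.amount for t in history]
    return {"devices": Counter(t.device for t in history),
            "hours": Counter(t.hour for t in history),
            "kinds": Counter(t.kind for t in history),
            "mean": mean(amounts), "sd": pstdev(amounts)}

def score(txn, base):
    """Score 0-100, plus reasons, for one transaction against its baseline."""
    sd = base["sd"] or max(base["mean"] * 0.1, 1.0)  # avoid divide-by-zero
    z = (txn.amount - base["mean"]) / sd
    extra = txn.fields - EXPECTED_FIELDS  # fields a man-in-the-browser may inject
    checks = [
        (txn.device not in base["devices"], 30, "unseen device"),
        (txn.kind not in base["kinds"], 20, "unseen transaction type"),
        (not any(abs(txn.hour - h) <= 2 for h in base["hours"]), 10, "unusual hour"),
        (z > 3, 30, f"amount {z:.1f} sd above usual"),
        (bool(extra), 40, f"unexpected form fields {sorted(extra)}"),
    ]
    points = min(sum(p for hit, p, _ in checks if hit), 100)
    return points, [why for hit, _, why in checks if hit]

def decide(points, challenge_at=40, review_at=70):
    """Map a score to the two responses the interview contrasts."""
    if points >= review_at:
        return "hold_for_review"      # invisible: route to fraud analysts
    if points >= challenge_at:
        return "step_up_challenge"    # visible: one-time password or KBA
    return "allow"

def assess(txn, history):
    points, reasons = score(txn, baseline(history))
    return decide(points), points, reasons

# Constructed histories mirroring the two customers in Grant's example.
ALICE_HISTORY = [Txn("alice", "pc-A", h, "transfer", a) for h, a in zip(
    [9, 10, 11, 9, 10, 11, 9, 10],
    [15000, 18000, 22000, 25000, 20000, 17000, 23000, 19000])]
BOB_HISTORY = [Txn("bob", "pc-B", 20, "billpay", a)
               for a in [120, 85, 150, 95, 200, 110, 130, 90]]

if __name__ == "__main__":
    # Frequent large transfers from the usual device: not suspicious.
    print(assess(Txn("alice", "pc-A", 10, "transfer", 24000), ALICE_HISTORY))
    # Weekly bill-payer sends a large transfer from a new device at 3 a.m.
    print(assess(Txn("bob", "mobile-X", 3, "transfer", 4500), BOB_HISTORY))
    # Usual payment, but the form carries a field the page never had.
    print(assess(Txn("bob", "pc-B", 20, "billpay", 110,
                     EXPECTED_FIELDS | {"card_pin"}), BOB_HISTORY))
```

The third case scores only on the injected field, so it lands in the visible-challenge band while the new-device transfer goes straight to analyst review; tuning the weights and thresholds is where an institution's risk tolerance shows up.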