New Fraud Advice "Lacks Imagination"
Experts Question Effectiveness of ACH Tips
A taskforce of nearly 100 members of the financial services industry and law enforcement worked to produce these two advisories for businesses and consumers. The alerts address corporate account takeover, one of the fastest growing crimes, and money mule schemes.
The two advisories, Fraud Advisory for Businesses: Corporate Account Take Over, and Fraud Advisory for Consumers: Involvement in Criminal Activity through Work from Home Scams, were issued by the Financial Services Information Sharing and Analysis Center, the Federal Bureau of Investigation, the United States Secret Service and the Internet Crime Complaint Center.
Industry leaders see these two advisories as just "the tip of the iceberg" when it comes to business and customer education. Dave Jevans, chairman of the Anti Phishing Working Group, says there is some good, prescriptive advice with technical focus on how businesses should handle their online banking by reviewing accounts and other actions.
"[But] if you have to issue a nine-page advisory to tell people what they need to do to protect themselves while doing online banking, and you're still not 100 percent sure that they're going to be protected, this just shows how bad the problem is," Jevans says. "We've got a long way to go."
Security Education Needed
The new advisories illustrate "just how dangerous online banking has become," says Avivah Litan, a security analyst at Gartner. She would like to see banking regulators put out a similarly comprehensive list on how banks should protect their customer accounts.
Charisse Castaganoli, adjunct law professor at John Marshall Law School and an information security law expert, questions how these advisories will get into the hands of the people who need them most - potential victims.
"Are they going to require banks to provide this to consumers?" she asks. She adds that the list of security measures is impressive, "with respect to current generally available technologies, but lacks imagination."
She also asks how small businesses are supposed to buy and configure all of these security measures. "The most recent survey I saw indicated more than 90 percent of businesses already have firewalls, so that's not working too well," Castaganoli says. "What about assessing the security measures they have today?"
Castaganoli also says the business advisory is too complicated. "Small businesses need a prioritized list. This should include, as an example, the three most cost-effective changes you can make to secure your online banking environment."
Jevans adds that it is difficult for businesses, especially the smaller ones that are the target of this kind of attack, to formulate a plan from these advisories. "A typical 'mom and pop' business will take one look at this advisory and say, 'It looks difficult. I don't know where to start and it looks expensive,'" he says. Most won't even know who to hire to get their business protected, he adds.
What Isn't in ACH Fraud Advisories
The advisories don't address some of the advancements in the use of technological solutions, such as the use of virtual machines to do online banking. Castaganoli says she is more a fan of using virtualization for online banking.
"Create a virtual machine, lock it down, and don't allow changes." She says by launching a new virtual machine every time a user does online banking, the chance of infection by Zeus or other malware is low. "If a type 1 hypervisor (like Citrix) is used, there isn't a worry about the underlying operating system," she says.
David Navetta, a law partner at the InfoLaw Group, says that, as the advisories indicate, education and training are the key.
"What is being done to make sure these documents are getting into the hands of the right people?" he asks. Once there, "especially on the small and medium business side, what is being done on a practical level to implement some of the recommendations set forth in these notices?"
Navetta says it is nice to have notices, "but if nobody actually gets them or acts upon them, then they obviously aren't that useful." As these documents are coming out of FS-ISAC and most likely to land in the hands of financial institutions, he says those financial institutions should consider further dissemination to their customers.
Elaine Dodd, head of the Oklahoma Bankers Association's fraud division, says she will be making both advisories available to the bankers in her state. She stresses that networking and information sharing by the bankers themselves with their business customers, retail customers and local law enforcement is vital. The local Infragard chapter in Oklahoma City has been very helpful not only in sharing information, she says, but also in educating Oklahoma institutions about these attacks.