Posts

Banking Security Guidelines Go Into Effect in January 2012

As banking applications evolve, common attacks on banks are becoming correspondingly more sophisticated. Small businesses, municipalities, and moneyed individuals are often targeted for obvious reasons: they have hundreds of thousands of dollars, if not a few million, in the bank, but their security is often no more effective than that of an average American household.

The Federal Financial Institutions Examination Council’s (FFIEC) updated security guidelines go into effect in less than a month. It is imperative that financial institutions recognize that the security precautions currently in place are ineffective in the face of new, more sophisticated attacks. Criminals have gotten around the minor hurdles posed by the tools being used to authenticate clients and prevent unauthorized transactions.

Basic multifactor authentication may be relatively effective for bank accounts that generally contain only enough to pay a month’s worth of bills. But high value accounts are more prone to attacks, and require additional levels of security. Ultimately, what is most important is that a security program includes multiple layers of protection rather than relying on a single mechanism of defense.

Using advanced device identification is also essential. The FFIEC suggests complex device identification, which is more advanced than previous techniques, and the leader in this space is iovation Inc.  They take complex device identification much further by delivering to financial institutions, a reputation of the device as it accesses their site to apply for credit, create an account, transfer money and more.
This proven strategy not only utilizes advanced methods to identify the devices being used to connect to a bank, it also incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and much more to protect financial institutions from cybercrime.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

FFIEC Mandates “System Of Layered Security” to Combat Fraud

For any cave-dwelling, living-under-a-rock, head-in-the-sand, naïve, under-informed members of society who aren’t paying attention, we have serious cyber-security issues on our hands.

Black hat hackers, who break into networks to steal for financial gain, are wreaking havoc on banks, retailers, online gaming websites, and social media. Black hats cost these companies and their clients billions of dollars every year. They are using stolen usernames and passwords to transfer money through wire transfers, Automated Clearing House (ACH) and through billing fraud.

The Federal Financial Institutions Examination Council (FFIEC) has repeatedly implored that come January 2012, any lagging financial institutions will be required to significantly upgrade their security protocol. Since any existing form of authentication can be compromised, the FFIEC recommends that financial institutions should institute systems of “layered security.”

Previous FFIEC recommendations discussed authentication, suggesting that the security issue takes place when a user logs in. But in fact, not all the danger occurs at login. Other website integration points are vulnerable to security issues, particularly at the point when money is transferred.

According to the FFIEC’s recent update:

“Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.”

One of the FFIEC’s recommendations for financial institutions involves complex device identification. iovation, an Oregon-based security firm, goes a step further offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts which exposes fraudsters working together to steal from online businesses.

Smart financial institutions aren’t just complying with the FFIEC’s security recommendations, but are going beyond by incorporating device reputation into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another databreach on Good Morning America. (Disclosures)

Why Complex Device Identification Isn’t Enough

“Simple device identification” relies on cookies or IP addresses to confirm that a customer is logging in from the same PC that was used to create the account.

The Financial Federal Institutions Examination Council has explained the fallibility of this system:

“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.

“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.

While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.

According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.” You can listen to the FFIEC-related webinar presentation at: www.iovation.com/ffiec

If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.

Simple device identification was in place before the FFIEC mandated it. Now they have mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail or commercial banking customers, by using device reputation.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures