Regulatory Guidance – One Worth Embracing
By Terry Austin, Guardian Analytics, 650-383-9200
Financial institutions have been under significant scrutiny lately, with seemingly endless regulations and guidance with which they need to comply. It’s hard to know where to begin. Some industry experts are recommending that banks start with improvements that not only meet minimum Agency requirements, but also yield compelling business and customer benefits. The FFIEC’s Supplement to Authentication in an Internet Banking Environment, released in June, is that particular breed of guidance whose benefits make compliance compelling on its own merits, not simply because the Agencies say so. Banks and their customers will be far better off as a result of the Agencies’ actions.
The FFIEC’s Action Was Based on Increased Threats
The Agencies took action because it became clear to them, and to much of the industry, that the threat of online banking fraud was escalating and financial institutions needed to significantly dial up their defenses. The threats are indeed more sophisticated, more pervasive, and more successful than ever before. Online banking fraud is a large, sophisticated global business. Fraudsters are very organized and can be highly specialized. They have created powerful networks that are significantly more efficient ecosystems than our banking industry. They continually reinvest their “earnings” in advancing the technology and methods they use to defeat financial institutions’ defenses. Furthermore, cyber criminals have established social networks to help each other and share their most effective attacks so others can replicate their success, and they operate with the explicit or implicit approval and even support of local governments. In short, by being criminals and operating outside of the laws and ethics that guide much of the law-abiding behavior of Western financial institutions, fraudsters have a lot of advantages.
Broadly speaking, cyber criminals employ three types of schemes to execute fraudulent transfers:
1) Phishing for online banking credentials via email, phone calls, texting, and Twitter.
2) Data breaches, where they hack into large databases to steal personal financial information for large numbers of users in one fell swoop.
3) Malware installed on the account holder’s computer that enables the fraudster to implement a wide range of schemes.
All have been proven to be effective and all must be defended against, although malware that supports schemes such as Man-In-the-Browser attacks has been particularly on the rise over the past couple of years. It’s nearly impossible to avoid having malware installed on an account holder’s computer when you consider:
• Google image searches generate an estimated half a million referrals to fake (i.e. malware-infested) anti-virus sites every day, or 15 million such referrals per month (1)
• 71 percent of websites that host malicious code are existing, legitimate sites, not fake sites developed by the fraudsters (2)
• 81 percent of email is rigged to deliver malicious code (2)
• 95 percent of comments posted to blogs or chat forums were spam or links to malware payloads (2)
A Closer Look at the FFIEC Guidance Supplement
The FFIEC spent months analyzing fraud in order to provide a recommendation for securing online banking. Now banks must understand the guidance as a roadmap for outstanding customer service, not just some regulatory hurdle they must clear. If you want to provide excellent service to your customers by proactively protecting them from fraud, the FFIEC has just shown you how. On the flip side, consider that a business banking study by Guardian Analytics found that 43 percent of businesses change banks after a fraud attack. Taking the Guidance to heart as the right thing to do for your customers requires understanding what the FFIEC is really saying. There are three key components of the Guidance Supplement (see Figure 1), each with clear business or customer service benefits.
[Figure 1: The FFIEC Guidance Supplement has three key elements: Risk Assessments, Layered Security, and Customer Education]
1. Risk Assessments. The Agencies made this existing requirement more explicit, stating that risk assessments must be completed at least every 12 months or more frequently in response to new threats, new online banking functionality, or other factors. And this is not unreasonable. It’s just good business to have a comprehensive understanding of what you have in place and where the gaps are.
Fraud attacks are changing more rapidly than ever. At the same time, you want to introduce expanded services in response to changing customer banking preferences. It’s important to assess the risk introduced by both of these and develop appropriate mitigation strategies so you can expand services with confidence.
2. Layered Security. The Agencies identified two elements needed to meet their minimum expectation: anomaly detection and improved controls of administration functions. Sophisticated attacks often include reconnaissance activity such as adding new users, resetting approval levels, and adding payees. These high-risk activities warrant closer oversight.
The anomaly detection requirement is the area that likely requires the largest technology investment, and therefore may be receiving the greatest scrutiny, especially given the number of options for individual layers to include in your security strategy. Many banks are prioritizing anomaly detection for their technology investments, for which proven solutions are available that can be deployed quickly to protect all customers while yielding benefits that get to the heart of a bank’s objective of providing great customer service. More on this below.
3. Member Education. Clearly not all account holders will listen or follow through, but who would argue that you shouldn’t share information with customers about the risks and what they can do to protect themselves? Your customers look to you as the experts, and sharing that expertise can only increase trust and loyalty.
Layered Security and Anomaly Detection
Risk assessments will help you to mitigate growing risk, while customer education will increase member appreciation as you help them lower their own risk. However, the big debate will be around which layer of a layered security strategy to implement first. By definition, layered security makes it harder for cyber crooks to complete fraudulent transactions by placing layer after layer of roadblocks in their way. As the FDIC's Jeff Kopchik said, "If any one control is compromised, then you have other controls that will pick up the fraud." One of the layers, as per the guidance, must be anomaly detection, which is the ability to recognize and act on suspicious online behavior and anomalous transactions. Anomaly detection is based not on understanding specific fraud schemes or threats, but on monitoring all types of online banking activity from login to logout (see Figure 2), and comparing each online and mobile banking session to established patterns of individual behavior.
[Figure 2: Anomaly Detection solutions using Behavioral Analytics technology monitor a wide range of online banking behavior, from login to logout]
Why Anomaly Detection Is A Powerful Foundation for Layered Security
All of the fraud techniques used by cyber criminals today – phishing (and its variations), data breaches, Man-In-the-Browser and other malware – share one common element: they require some type of interaction with the online banking application to stage and execute fraud. And this is where financial institutions have the best opportunity to stop fraud attacks. By monitoring online behavior, anomaly detection will identify fraud attacks regardless of what scheme was used to gain access to the account or what device is being used, such as a PC, smart phone, or tablet. In their Guidance Supplement, the FFIEC stated that anomaly detection could have stopped the fraud attacks they studied as part of developing the updated guidance. It is a priority for the Agencies and should be a priority for all financial institutions to implement because anomaly detection:
• Defeats the widest range of threats, including malware-based attacks and those using stolen credentials. Other layers of security are effective at what they do, but often address just one type of threat.
• Detects account takeover, pre-attack reconnaissance, and suspicious transactions before any money is actually transferred, stopping attacks before the money is gone. Other solutions just look at the transaction, by which time it is often too late.
• Automatically protects 100 percent of retail and business customers. Layers of security that must be adopted by end users leave a large portion (50 percent or more) of an account base unprotected.
• Has no impact on customer experience and can be a tool to build trust on an ongoing basis. Many other layers of security put the burden on the account holder.
• Doesn’t require customers to install or maintain any tools, rules, or software. Other layers of security (unrealistically) require frequent updates in order to recognize new fraud threats.
• Is transparent to criminals, making it a challenge to defeat.
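The behavioral comparison described above and in the Layered Security section (each session, from login to logout, checked against the account holder's established pattern, with reconnaissance actions such as adding users or payees weighted before any money moves) is sketched here as an added Python example. It is not Guardian Analytics code; the session fields, weights, threshold and sample history are all constructed for illustration.

```python
from collections import Counter, namedtuple

# One online banking session, login to logout: who, from which device id, from which
# geolocated country, at which local hour, the ordered actions taken, and the amount moved.
Session = namedtuple("Session", "user device country hour actions transfer", defaults=(0.0,))

# Administrative actions the article lists as pre-attack reconnaissance.
HIGH_RISK_ACTIONS = {"add_user", "add_payee", "change_approval_limit"}

def build_baselines(history):
    """Learn each account's usual devices, countries, login hours and largest transfer."""
    baselines = {}
    for s in history:
        b = baselines.setdefault(s.user, {"devices": Counter(), "countries": Counter(),
                                          "hours": Counter(), "max_transfer": 0.0})
        b["devices"][s.device] += 1
        b["countries"][s.country] += 1
        b["hours"][s.hour] += 1
        b["max_transfer"] = max(b["max_transfer"], s.transfer)
    return baselines

def score_session(s, baselines):
    """Compare one session to its owner's baseline; return (score, reasons)."""
    b = baselines.get(s.user)
    if b is None:
        return 3, ["no behavioral history for this account"]
    score, reasons = 0, []
    if s.device not in b["devices"]:
        score += 2; reasons.append("unknown device")
    if s.country not in b["countries"]:
        score += 2; reasons.append("unknown country")
    if s.hour not in b["hours"]:
        score += 1; reasons.append("unusual login hour")
    risky = [a for a in s.actions if a in HIGH_RISK_ACTIONS]
    if risky:  # reconnaissance is scored before any money moves
        score += 2 * len(risky); reasons.append("admin actions: " + ", ".join(risky))
    if s.transfer > b["max_transfer"]:
        score += 2; reasons.append("transfer above historical maximum")
    return score, reasons

def is_anomalous(s, baselines, threshold=4):
    """Hold a session for review once accumulated deviations cross the threshold."""
    return score_session(s, baselines)[0] >= threshold

# Constructed sample history for one business customer (not real data).
HISTORY = [Session("acme", "dev-A", "US", 9, ["view_balance", "pay_invoice"], 1200.0),
           Session("acme", "dev-A", "US", 10, ["view_balance"]),
           Session("acme", "dev-B", "US", 14, ["pay_invoice"], 950.0)]
BASELINES = build_baselines(HISTORY)
```

A single large transfer from a known device scores below the threshold on its own, while a session that adds a user and a payee from an unseen device is flagged before any transfer is attempted; the weights are illustrative and a production system would tune them per institution.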
The effectiveness of anomaly detection is reinforced by a recent study by Aite Group that found most institutions believe “that behavior analytics is very effective at combating online fraud.” Additionally, Guardian Analytics has recently released an educational white paper, A Practical Guide to Anomaly Detection, which uses a Q&A format to explain what anomaly detection is, how it works, and how banks use it to detect and stop online fraud attacks. With the recent Guidance Supplement, the FFIEC has done a very good job of laying out how to secure your online banking channel. And by starting with anomaly detection, you’ll be providing the best, most secure online and mobile banking service for your customers. And that will trump merely being compliant every day.
(1) Krebs on Security, May 2011, “Scammers Swap Google Images for Malware”
(2) Websense Security Labs Report – State of Internet Security, February 4, 2010