Here’s a very scary, but very real, crime scenario: A bank customer innocently logs into his online account. In the split second between when his credentials get validated and the online bank screen loads, a malicious program that’s lurked in the background of one computer or the other takes charge of the session, creates a transaction, sends the customer’s money to the criminal’s designated account, and releases the session back to the customer. All the customer notices, if he notices anything at all, may be a slight fluttering of the screen. It’s called ATS, or automatic transfer system, and it’s real.
“What they’ve done with this is pretty ingenious—not that I like to give them compliments. But instead of collecting your user name and password and then going into each account one by one and trying to defraud it and so on, the malware does this automatically,” says Etay Maor, fraud prevention solutions manager for Trusteer, an IBM company.
It’s just one example of the trend in which criminals not only commit larger numbers of attacks, but rev up attack speed. The trend finds general agreement in the cybersecurity world. Says Christopher Pogue, director, Trustwave, “From the time it takes an attacker to perform reconnaissance that identifies a potential target, to the time it takes to breach that target, it’s literally measured in seconds.”
“We are certainly seeing an increase in the frequency of cyber attacks against banks,” adds Michael Read, marketing and sales manager, ABA Insurance Services. “We see a general increase in the overall frequency of losses and reported claims dealing with cybersecurity.” Not only that, he says, but “all banks are impacted by this. Cybercriminals are not just targeting the big banks out there. They are looking at and attacking the smaller community banks, as well.”
The Deloitte Center for Financial Services recently issued a report concluding: “It is clear that the growth in cybercrime has continued, if not accelerated, in the financial services industry.” It cites a data security study by Verizon that found that in 2013, 88% of attacks initiated against financial services companies were successful in less than a day. More specifically, 46% were successful “within hours,” 8% were successful “within minutes,” and 34% were successful “within seconds.” At the same time, only 21% of these attacks were detected within a day, and of those that were detected, only 40% were restored within a day.
Joel Abramson, sales manager with Complete Data Products, provides this analogy: “While there are, of course, bank heists where attackers gain access to the bank’s infrastructure and the attackers may take months circumventing safeguards and ensuring they can cover their tracks, it is much more likely and much more common that there will be stick ups where users are directly targeted.”
“The question is whether today’s industry can create a dynamic, intelligence-driven approach to cyber risk management not only to prevent, but also detect, respond to, and recover from the potential damage that results from these attacks,” Deloitte notes in its report.
The consensus is that financial institutions need to speed up their detection and response systems even as they maintain the multilayered defenses they currently have.
The business of malware
It’s worthwhile to understand the environment in which today’s cyberhackers operate. It’s not like it was just eight or so years ago, when a single person would write the malicious code on his own and also had to know where to host it, how to collect the stolen credentials, and how to cash out the accounts.
“It’s a total business now,” says Maor. “Today, they have people who are experts in their own fields. You have people who know how to program malware. Then you have those people who know how to market it in the underground and how to contact people. And you have people who will sell you infrastructure to host your malware. Everything is kind of segregated, and you can hire and buy whatever you need.”
At the same time, the malware people communicate with each other, trading notes on the latest defenses they’ve run up against, how they’ve gotten around them, and what they’re working on next.
“This is predominantly Eastern Europe organized crime,” says Pogue. “It has a very mature business process. There’s a lot of money involved with this—well into the billions of dollars. Obviously that much money acts as a strong motivation for them not only to be effective, but to be efficient.” The analogy to business breaks down in an important way, he says. “They don’t have a legal department over their heads. They don’t have project managers or program managers. They don’t need to [do quality assurance on] their new releases until they achieve 100%. The new releases may be a bit buggy, but that’s okay. They just need to release them as quickly as possible, because if they don’t, they lose money.”
DDoS as a diversion
Here’s a crime scenario that, unfortunately, is becoming all too familiar: the “blended attack,” as termed by Doug Johnson, ABA vice-president and senior advisor for risk management policy. “This would be the combination of a distributed denial-of-service attack against the bank, which is actually a diversion. They’ve set up customer compromises at the same time, such as through account takeovers or other means. They do a DDoS attack to take your eye off the ball when actually some of your customers are under attack,” says Johnson.
“The example of DDoS attacks as a smoke screen for other more nefarious activities is a very good and actual example,” agrees Vikram Bhat, principal and head, Financial Services/Cyber Risk Services, at Deloitte. “We used it as an example in a desk exercise we ran for a bank in preparing them for such types of things. It’s not just about classical attacks. It’s changing into how do you do multichannel attacks? How do you combine the human element into the attack as much as the electronic element? All of those factors together are what are changing the landscape, as well.”
Security strikes back
It’s true that every bank that’s passed a risk management examination in the past few years has demonstrated both the existence and effectiveness of a multilayered system of defenses against digital and other criminals. As the nature and velocity of cyber attacks increase, however, those multilayered systems need to be constantly reexamined.
Says Bhat: “The reality in today’s world is you cannot prevent all attacks. You need to be what we’re calling ‘secure, vigilant, resilient.’ You need to be constantly vigilant internally, looking at your environment, and externally, looking at what’s going on outside. You need to be able to react quickly.”
“Criminals have multiple layers of security for their products, as well. They’ll know how to overcome certain antiviruses, certain security solutions that are out there, and then build one on top of the other to overcome those layers,” says IBM’s Maor.
While Maor agrees that multiple layers of defense are needed, he says they must be constantly reevaluated to keep them as close to real-time and as adaptable as possible. “Systems need to be built keeping in mind the fact that things constantly change. A static system won’t cut it. If you have a static solution that’s based on one detection method, as soon as the criminals discover it—and they will discover it—it’s obsolete,” he says.
Back to Deloitte’s “secure, vigilant, resilient” approach, its report puts it this way: “Financial services firms have traditionally focused their investments on becoming secure. However, this approach is no longer adequate in the face of the rapidly changing threat landscape.”
Predictive analytics and anomaly detection
One approach starting to take hold is the use of predictive analytics, behavioral analytics, anomaly detection, and other systems that automate analysis of large amounts of data. The advantage: the speed with which financial institutions can both detect and respond to incoming threats.
“Where we potentially have a gap is what we call endpoint protection,” says Johnson. “That’s about protecting the customer at the customer level. One of the things you do when you do that is make use of products that use behavioral analytics, as well.” He adds: “One thing that behavioral analytics does is it learns. It learns what your standard behavior is, and gets better and better at predicting that if something that just happened is something that you would probably do. There is great promise in the future of using those kinds of things.”
Maor agrees: “Big analytics is definitely the way you can handle so much information. It’s behavioral analytics, and in some cases, predictive algorithms.”
He gives this example of being able to correlate different events in order to detect a criminal attack that otherwise might not be detected: “Your computer gets infected with malware. I steal your credentials. I log in with your credentials from a new mobile device.” A bank, says Maor, may not see that necessarily as evidence of fraud. But, he continues, “if you combine the information that your device was just infected by malware, and now [the bank] is seeing your credentials coming from a never-seen-before mobile device, with a Russian [internet protocol], then you can understand in almost real-time that that type of action doesn’t make sense.”
Complete Data Products’ Abramson gives another example: “If a pattern is found during one attack, and a similar pattern is found in a different scenario, especially if that behavior is abnormal, one can easily guess that fraud is taking place. For instance, if a user commonly uses Amazon and eBay, but now the card is being used to purchase items in China, there is abnormal activity.” Whoever has responsibility over that card can pursue various options, such as a call back to the legitimate owner or deactivating the card.
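The correlation Maor describes, together with the per-customer baseline in Abramson’s card example, as an added illustration that is not the article’s or any vendor’s code: a scorer that treats each signal (recent malware alert, never-seen-before device, unfamiliar source country) as weak on its own and acts only on the combination. Customer names, device ids, IP addresses, the geolocation table and the malware alert are all constructed.

```python
from datetime import datetime, timedelta

# Constructed per-customer baseline learned from past activity.
BASELINE = {
    "alice": {"devices": {"laptop-7f3a"}, "countries": {"US"}},
}
# Constructed endpoint-protection alerts: device id -> time reported infected.
MALWARE_ALERTS = {"laptop-7f3a": datetime(2014, 4, 2, 9, 0)}
# Constructed IP-to-country table standing in for a geolocation service.
GEO = {"203.0.113.5": "RU", "198.51.100.9": "US"}
INFECTION_WINDOW = timedelta(days=7)

# Constructed events: alice's credentials arriving from an unknown phone on
# a Russian IP five days after her laptop was reported infected, and an
# ordinary login from her own laptop a month earlier.
SUSPECT_LOGIN = {"user": "alice", "device": "phone-2c91", "ip": "203.0.113.5",
                 "time": datetime(2014, 4, 7, 14, 30)}
NORMAL_LOGIN = {"user": "alice", "device": "laptop-7f3a", "ip": "198.51.100.9",
                "time": datetime(2014, 3, 1, 8, 15)}


def score_event(event):
    """Return (score, reasons). Each signal is weak alone; a score of 3 or
    more is the combination that makes the action not make sense."""
    base = BASELINE.get(event["user"], {"devices": set(), "countries": set()})
    score, reasons = 0, []
    # Signal 1: one of this customer's known devices was recently infected.
    for dev in base["devices"]:
        seen = MALWARE_ALERTS.get(dev)
        if seen and timedelta(0) <= event["time"] - seen <= INFECTION_WINDOW:
            score += 2
            reasons.append(f"known device {dev} infected {seen:%Y-%m-%d}")
            break
    # Signal 2: a device this customer has never used before.
    if event["device"] not in base["devices"]:
        score += 1
        reasons.append(f"new device {event['device']}")
    # Signal 3: source country outside the customer's usual set.
    country = GEO.get(event["ip"], "??")
    if country not in base["countries"]:
        score += 1
        reasons.append(f"unfamiliar country {country}")
    return score, reasons


def decision(event, threshold=3):
    """Map the score to what the bank does in near real time."""
    score, reasons = score_event(event)
    return ("step_up_or_block" if score >= threshold else "allow"), reasons


if __name__ == "__main__":
    for ev in (NORMAL_LOGIN, SUSPECT_LOGIN):
        print(ev["device"], *decision(ev))
```

The weights and the seven-day window are illustrative; a real deployment learns them from the bank’s own fraud history.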
Another aspect of data analysis is the need to communicate quickly from one internal security system to another. A bank may employ various defense systems toward money laundering, check fraud, mobile security, online banking, and so forth.
“We’re starting to develop information sharing between systems,” says Maor. “You get a much better holistic approach to combating fraud because each of these vectors affects the others. We are going to see a lot more correlation between these systems, instead of having them siloed or as standalone systems.”
“[The goal] really is to have good access to information very quickly. And not only have it, but be able to share it across siloes,” says Bhat.
Of course, the criminals know about the increasing use of analytics, and are starting to respond in kind. Johnson remembers that when criminals first started doing account takeovers, they crudely went directly to the bill-pay area and inserted various bogus payee names, and the security systems allowed it because that’s how they were programmed. “With behavioral analytics and such, the security system would recognize that, as well as the velocity of transactional activity, as unusual. Now, what the criminals have learned is that they need to mimic human behavior,” he says. For example, criminals would likely add fraudulent payees over time instead of all at once so that they are more likely to be accepted. It’s a never-ending, high-stakes game.
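The velocity check Johnson describes, as an added example that is not from the article or any product: a sliding-window count catches a burst of payee additions, and a comparison against the customer’s own historical rate is the defender’s answer to additions spread out over weeks. Customer ids, timestamps and baseline rates are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed baseline: payees each customer historically adds per 30 days.
BASELINE_RATE = {"bob": 0.5, "carol": 0.5}
BURST_WINDOW = timedelta(hours=1)
BURST_LIMIT = 3          # more additions than this inside the window is a burst
DRIFT_MULTIPLIER = 4     # observed rate this far above baseline is drift

# Constructed logs. bob: four payees in 15 minutes (the crude takeover).
# carol: one new payee every four days for three weeks (spread out).
T0 = datetime(2014, 4, 1, 10, 0)
EVENTS = (
    [{"user": "bob", "payee": f"payee-{i}", "time": T0 + timedelta(minutes=5 * i)}
     for i in range(4)]
    + [{"user": "carol", "payee": f"payee-{i}", "time": T0 + timedelta(days=4 * i)}
       for i in range(6)]
)


def detect_burst(events, window=BURST_WINDOW, limit=BURST_LIMIT):
    """Sliding-window count per customer. Returns the first event whose
    window holds more than `limit` additions, or None if no burst."""
    recent = {}  # customer -> deque of timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        q = recent.setdefault(ev["user"], deque())
        q.append(ev["time"])
        while ev["time"] - q[0] > window:
            q.popleft()
        if len(q) > limit:
            return ev
    return None


def detect_drift(events, user, rates=BASELINE_RATE, mult=DRIFT_MULTIPLIER):
    """Rate of additions over the span of this customer's events versus
    the learned rate; additions spread over weeks still exceed it."""
    times = sorted(e["time"] for e in events if e["user"] == user)
    if len(times) < 2:
        return False
    span_days = max((times[-1] - times[0]).days, 1)
    observed_per_30d = len(times) / span_days * 30
    return observed_per_30d > mult * rates[user]


if __name__ == "__main__":
    burst = detect_burst(EVENTS)
    print("burst:", burst["user"] if burst else None)
    for user in BASELINE_RATE:
        print("drift:", user, detect_drift(EVENTS, user))
```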
Of the cost involved, Trustwave’s Pogue observes, “When you look at the consequences experienced with a breach, it’s really more of an investment than an expense.”
Other information sharing
This gets to another emerging avenue of defense—one that’s been around but is growing in importance—which is the voluntary and secure sharing of ongoing attack details and how they are defended against.
“External collaboration is an important tenet going forward,” says Bhat. “An individual bank alone can deal with some threats but probably cannot deal with all the threats.”
“Sharing information between banks is a very powerful thing,” says Maor. “For example, say I’m the bad guy and I stole your credentials using malware, phishing, whatever. I took money out of your account at Bank A. Now, I go and attack Bank B. My device has already been identified as a criminal device at Bank A. When I go and attack Bank B, I can’t access the account because [the two banks] have a shared tool of known criminal devices.”
A forum for such information sharing is the Financial Services Information Sharing and Analysis Center (FS-ISAC), of which ABA is a partner, and which counts as members many individual financial institutions. Members worldwide receive timely notification and data to help protect critical systems and assets from physical and cybersecurity threats.
Recently, FS-ISAC announced progress in an initiative to automate threat intelligence sharing for its members. “A first of its kind, this solution collects, analyzes, prioritizes, and shares threat information in near real-time within our sector,” says Bill Nelson, president and CEO, FS-ISAC.
“The problem that we have is that we have so much information,” says ABA’s Johnson, who works closely with FS-ISAC. “We have a hard time allocating time to analyze it. Being able to automate that analytical process is what some financial institutions allocated $3 million for,” he adds, referring to money banks contributed to the initiative. The new automation system should be running “within the next few years,” FS-ISAC said in an announcement.
Preventative steps to take now
However much defenses speed up, they still suffer from the fact that something bad has to occur first. What can banks do—that they may not already be doing—before the bad guys strike?
Anthony Scarola, senior vice-president and information security officer at TowneBank, Suffolk, Va., recently addressed this during a session at ABA’s National Conference for Community Bankers. He provided a checklist of questions top executives should ask information security teams regarding how prepared the bank is for cyber attacks. “This is a proactive approach. It doesn’t consider what happens after the breach. It’s preparing yourself for today’s and tomorrow’s threats,” he said. Here’s the list:
• What is our data? Associated questions include: Where does it reside? How valuable is it to the organization?
• Do we know the threats? Associated questions include: Are we staying on top of technology? Are we contemplating what those potential challenges may be as those new technologies come out?
• What is changing in our environment? Associated questions include: What is changing with our data? Do we have more or less data? Do we have more or fewer customers using our various systems? Who is staying on top of all these changes?
• How is our data protected today? Associated questions include: What controls and processes are in place? How is the data kept confidential? What access controls are in place? Are the controls working as intended?
• How are we managing risk? Associated questions include: How are we accepting, avoiding, or transferring risk?
• What needs to change in our environment? Associated questions include: What is not working? What do we need to do better?
• How often do we repeat this process? “Some systems may need to be looked at much more frequently. Others may not. It goes back to the true risk of the information you looked at and what the impact of a breach of that information would be [for] your institution,” said Scarola.
This all returns to Deloitte’s secure, vigilant, resilient approach, which is summarized this way:
• Being secure against known threats through risk-driven investment in foundational, preventive controls and policies.
• Being vigilant by improving the ability to detect emerging threats and anomalous patterns amid the highly complex and data-saturated environment.
• Being resilient to recover from attacks as quickly as possible and minimize both direct and indirect damages.
ABA CYBERSECURITY RESOURCES:
Solutions endorsed by the Corporation for American Banking.
• Trustwave’s Network Security and Data Protection Resources help banking institutions protect their network, applications, and sensitive data with in-the-cloud managed solutions.
• ABA Insurance Services offers an internet banking liability policy, offering coverage for wrongful electronic/internet banking acts, as well as other coverage.
Cybersecurity briefing/webcast series. Four of the five will have already aired as of the end of April and are available as recordings:
• “Endpoint Security and Anomaly Detection: Protecting Your Customers”
• “Cloud Computing”
• “Mobile Banking Security” (May 6)
• “Third Party and Outsourcing Risk Management: Exploring the OCC and Federal Reserve Guidance”
• “Distributed Denial-of-Service Attacks: Managing and Mitigating the Threat”
• Bank Risk News—A weekly summary of useful information, tips, and case studies regarding matters of bank physical and electronic security.
• Fraud/Scam Alert—A weekly Department of Homeland Security roundup of banking-related fraud and scam reports.
• Data breach information toolkit. The data breach communications kit includes backgrounders, talking points, and sample press and social media pieces that banks can use to inform customers, the media, and others about data breaches and related security issues. Access the kit on aba.com (member registration required).
ABA encourages banks to join the Financial Services Information Sharing and Analysis Center. For more information, go to http://www.aba.com/Issues/CyberSecurity/Pages/default.aspx.