As the “compliance burden” continues to rise, we may sometimes wonder whether information security regulations are worth the effort.  This is a story of how the FFIEC got it right.

A Short History Lesson

For many in banking, this story may appear to have started in June of 2011, when the FFIEC released what we now call “the Supplement.” But in reality, the story really began in 2005, when the banking industry reacted to the original authentication guidance.  Correctly predicting a rise in on-line banking fraud, the 2005 “Guidance on Authentication in an Internet Banking Environment” required institutions to conduct a risk assessment to determine which information assets should utilize strong authentication techniques.  The guidance articulated five risk factors to consider when deciding which applications will require multifactor authentication: customer type, data classification, ease of use, volume, and transactional capability.

In an attempt to be flexible, much of the original guidance was left open to interpretation.  Some understood the guidance to mean that true two-factor authentication would be a reality, though most on-line banking providers offered additional layers of single factor authentication, such as challenge questions.  To the delight of criminals, 2006 ended with the pandemic scare, and our focus shifted to updating our disaster recovery plans.

Ironically, the term “corporate account takeover” was first coined in 2006, after the issue was brought to the attention of the FBI.  Even so, life went on.  Banks learned how to survive a pandemic, but many were still not able to withstand a Corporate Account Takeover attack.

Fast forward to October 2010, when NACHA started predicting that ACH fraud alone would top a billion dollars in 2011.

A pattern emerged from the numerous attack vectors:  Malware would seize control of a computer, which would then be used to drain a victim’s account.  By 2012, criminal attack strategies were so sophisticated that, in many cases, the fraudulent transaction would be immediately followed by the bank being hit with a DDoS attack, causing confusion and a diminished ability to detect and respond. (See related article entitled “The Anatomy of a CAT Attack”)

According to the Ponemon Institute’s 2010 Business Banking Trust survey, 80 percent of victim-banks were oblivious to the fraud until after funds had been transferred.  Back then, a majority of businesses affected by Corporate Account Takeovers, 57%, were unable to recover any losses.  Furthermore, the Ponemon study showed that 40% of businesses victimized by fraud moved their banking activities to another institution.

And then FFIEC released the Supplement in June of 2011, bringing about a sigh of relief from information security professionals.

The Supplement Simplified

The Supplement required institutions to start planning the implementation of layers of security.  The Supplement encouraged us to view authentication as just one control in an arsenal of controls that, when layered properly, work together to lower the likelihood and/or impact of an account takeover.  Instead of a single dimension of “two-factor authentication,” institutions now needed a multi-dimensional approach to strengthening access controls.

Three of the layers suggested by The Supplement include stronger authentication for high-risk transactions, a method of detecting and responding to anomalies in high-risk transactions, and the development of a risk-based customer education program.

To determine the appropriate application of these layers, the Supplement calls for a risk assessment on all assets requiring authentication.  The Authentication Risk Assessment should be “at the transaction level.”  For example, changing a password is higher risk than adding a payee in Billpay, which is higher risk than paying a bill to an existing payee.  (Please go here for a free example Authentication Risk Assessment.)

Most banks depend upon their vendors for authentication. However, we find that leaving a paper trail for what you are not going to do is as important as prioritizing the requests and inquiries you are going to make of your vendors. Being aware of the controls available, as well as those not available, assists in the design of your authentication layers. As vendors realize they can charge a bit for more robust authentication, and bankers are happy to pay that extra fee, risk mitigation can now be focused on where it provides the most value.

Stronger Layers of Authentication

The Supplement overcame the confusion of 2005 by describing more clearly the need for robust authentication controls and the difference between true two-factor authentication and weaker controls such as easily spoofed authentication or additional layers of the same authentication factor.

There are four different factors of authentication, and any two of these factors combined substantially reduce the likelihood of a compromise. The four factors – what you know (i.e. passwords), what you have (i.e. keys), who you are (i.e. retinas), and where you are (i.e. GPS location) – should be fully understood by information security professionals as well as compliance personnel.

To illustrate the power of true two-factor authentication, one needs only turn to ATM machines and the four digit pin. The reason account holders are only required to have a four-digit pin, and not a strong password, is due to the fact that the user must also have the ATM card. By requiring the second factor (what you have), the likelihood of a compromised pin (what you know) allowing access to the ATM is substantially reduced. ATM access can still be compromised, but the likelihood is so low we don’t even worry about the “strength” of the four digit pin.

Layers of true second-factor authentication are starting to be used along with other authentication controls, including out-of-band verification, workstation profiling to strengthen software-based tokens, and true “what-you-have” authentication including key fobs and mobile transaction authorization numbers (mTans). Mobile banking applications are not yet leveraging the “where-you-are” factor, but some fraud monitoring systems are leveraging IP addresses as well as GPS information from smart phones.

We are finding that applying the two-factor authentication “at the transaction level” is not only more secure, but also creates less frustration on the part of our commercial customers. In other words, by requiring the use of a token only when an ACH transaction is initiated, we stop criminals from keeping a session open in order to originate a transaction, and our customers find this approach more convenient than requiring the token at every login.

Vendors now charge for true two-factor authentication, but the benefits far outweigh the costs. Take the recent ruling in People’s United Bank v. Patco Construction Company surrounding the 2009 incident where $300,000 was stolen. Even though the bank thought it did all it could, the court ruled that the bank’s security practices were to blame for the corporate account takeover.  The bank used Jack Henry & Associates’ NetTeller, which offers a number of authentication options.  However, the bank decided to deploy additional layers of what-you-know authentication, in the form of challenge questions, instead of the more expensive authentication controls.

Making matters worse, the bank configured the system to ask challenge questions in front of all transactions.  This created a false sense of security, and the court ruled that the bank actually increased the risk of fraud by not focusing the challenge questions on high-risk transactions.

And the potential impact is critical. Organized criminals now hire security professionals to design applications with the sole purpose of targeting American institutions.  One such application, Zeus, is updated regularly with new modules designed to take advantage of weaknesses in the American banking system’s security posture. And, in July 2013, we’ve discovered that the bad guys are hard a work developing newer, stronger attack applications. (See related article about KINS.)

But the wisdom of the Supplement is not as much in the act of clarifying what is meant by robust authentication, but the requirement for layered security.  The required layers – authentication, detect/respond, customer education – work in concert, accepting that no single layer by itself effectively mitigates risk. To demonstrate, consider the most recent module added to the Zeus offering, Zitmo.  This module, which stands for “Zeus in the Mobile,” is built to compromise the mTAN (mobile transaction authorization number) approach to two-factor authentication.

The mTAN solution, also called Out of Band Authentication (OOBA), relies upon the bank’s internet provider to send a one-time password to the user via text message. Most institutions using this method apply it upon origination of high-risk transactions, such as ACH or wire transfer. Thus, when your customers originate an ACH transaction, they must have their cellphone in order to receive the text message.

Zitmo installs malware on the target’s cellphone, which forwards all incoming text messages to the criminal’s cellphone, thus compromising the two-factor authentication process. The other two layers must be used to mitigate this:

1. Teach the customer how to protect their phone.
2. Encourage the customer to use an isolated workstation for ACH originations.
3. Learn to detect fraudulent transactions and respond to them in real time.

Detect and Respond

Detecting and responding to anomalies in high risk transactions will not only minimize the impact of a takeover, it can often block the fraud completely. Layered security controls must now include processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to initial login and authentication of customers requesting access to the institution’s electronic banking system and initiation of electronic transactions involving the transfer of funds to other parties.

For now, most small banks are going with the following initial approach:

1. Manual detection and response to transactions that transfer money.
2. The monitoring of failed logins.
3. Investigation of fraud monitoring applications.

Manual detect-and-response methods work well only when you have a very low volume of high-risk transactions, but applications are being developed that will assist with detecting anomalies. Eventually everyone will be using fraud detection applications that cover the “detect-and-respond” layer of protection. We anticipate a high satisfaction with the risk-mitigation capability of this control. Of course, the larger the bank, the more transactions, the more risk, the more difficult the detect-and-response, resulting in a quicker adoption.

Though still in the early adoption phase, these fraud detection applications will be well worth the investment. There are many court cases that support this, but let’s just look at the People’s United Bank incident described above. Criminals drained $300,000 from Patco Construction Company’s account. During the incident, despite the transactions being tagged as suspicious, the bank failed to contact the customer, resulting in a series of successful transactions over seven days. By the time Patco realized what was happening, nearly $600,000 had been transferred out of the company’s account. Half of that amount was able to be recovered.

In the case of the Western Beaver School District, 74 fraudulent transactions were executed. The incident was detected when an unnamed bank informed ESB Bank of the fraud because they questioned the 55th transfer. ESB Bank failed to respond for the next 19 transactions, losing a total of almost $190,000 in that time. The entire cost of the fraud was around $440,000, not including legal costs. That stolen money would have paid for a nice fraud detection system, protected the bank’s reputation, and avoided the legal fees.

Customer Education

By increasing customer awareness, banks strengthen their posture. Though the acronym for Corporate Account Takeover and Customer Awareness Training are the same, one exists because the other is often overlooked. No matter what banks do with authentication, no matter how sophisticated their detect-and-response, the efforts are wasted if customers do not know how to protect themselves.

The legal risk mitigation of a strong customer education program is starting to be revealed. Many cases exist where, if the bank had only been able to point to educational efforts, the detect-and-respond and authentication efforts would have paid off. Instead, judges are hammering banks because customers do not know how to use the available controls.

In the case of People’s United Bank, a customer awareness training program might have stopped the malware from ending up on the customer’s workstation in the first place. Or it might have caused the customer to notice the discrepancy sooner. Maybe the incident response would have worked smoother, so that more than $300k was recovered. We’ll never know. But we do know that the complete lack of a strategy not only left the bank and customer in a weak security posture, but it also left the bank in a very poor legal posture, as it could not point to any evidence that it was attempting to help the customer protect itself.

To fully establish a good layer of customer education, create a strategy that: (1) targets audiences based upon risk, (2) considers multiple delivery channels, and (3) goes beyond the content required by the FFIEC (in the Supplement). A customer awareness training strategy should involve three primary processes:

1. Target: The first step is to sort your customers by risk. A risk assessment on your customers can be as easy as High Risk = ACH Originators, Moderate Risk = Commercial, Low Risk = Retail/Consumer. Categorize your customers so you can decide who should receive more robust education efforts.
2. Delivery: What level of education you will provide to each category of customers, and how the education will be delivered. For low and moderate risk customers, we’ve seen some institutions work with their web designers to create splash ads on their on-line banking site. Other institutions have relied primarily on flyers in the branch. The best solutions take a multi-channeled approach, combining social media with splash-ads with literature. For high risk customers, many institutions meet one-on-one with the customer, accompanied by a standard checklist.
3. Content: Decide what information your customers need to know beyond the normal, “generic” best practice suggestions already provided via flyers, web pages, social media posts, etc. The Supplement is very clear about what you must convey to high-risk customers. (See related article: “What customers need to be told”)

You should also document your customer awareness training strategy for legal risk mitigation purposes. Use the promo code “KUDOSFFIEC” to get a free template!

Kudos to the FFIEC

A layered approach separates the banks already thwarting attacks from those victimized by criminals. According to the Financial Services Information Sharing and Analysis Center (FS-ISAC)’s 2013 “Commercial Account Takeover Survey,” banks are becoming much more successful in mitigating Corporate Account Takeovers as an attack vector.

According to this survey, funds leaving an institution after a takeover dropped from 12% in 2011 to 9% in 2012. The actual number of compromised accounts also dropped – from 3.42 per 1000 customers in 2011 to 2.11 per 1000 customers in 2012. The study also found that more educated bank customers played the largest role in the drop in successful takeovers.

The compliance requirement is no longer something to moan about. We now rush to find solutions. The fact that the answer is right in front of us, in the form of “the Supplement,” reflects well on the FFIEC. The examiners had it right this time.