Financial losses linked to incidents of corporate account takeover are down. But Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center, says more work is needed.
"The bad guys are constantly looking for new ways to get around controls that you may implement, so you need to look at not just one control, but a variety of controls and make sure you've implemented them and you have sound business practices around them Nelson says.
That said, banking institutions have been diligent about investing in technologies to curb online fraud, and their efforts have paid off.
According to results collected from the FS-ISAC and the American Bankers Association in their Account Takeover Survey, banks are reaping benefits from recommendations handed down in 2009 by the FS-ISAC, NACHA-The Electronic Payments Association and the Federal Bureau of Investigation. Those recommendations included limiting administrative rights and implementing anomaly detection and out-of-band authentication.
In looking at numbers for the first half of 2011, losses linked to ACH and wire fraud totaled $777,000, a noticeable dip from the $3.12 million reported for the full year in 2010."That has been a big improvement," Nelson says in an interview with Information Security Media Group's Tracy Kitten (transcript below).
But Nelson also recommends institutions continue to focus increasing efforts on end-user education. All online banking activities, he says, should be conducted from a dedicated, stand-alone computer, one where e-mail and Web browsing are disabled.
During this interview, Nelson discusses:
- How the survey was conducted;
- Steps industry bodies like the FS-ISAC and others are taking to help banks and credit unions share information about account-takeover trends;
- How incidents of account-takeover events are being incorporated into suspicious activity reporting.
Before FS-ISAC, a non-profit association dedicated to protecting financial services firms from physical and cyberattacks, Nelson in 2009 was elected vice chairman of the ISAC Council, a group dedicated to sharing critical infrastructure information with the government and across the key sectors. From 1988 to 2006, he served as executive vice president of NACHA - The Electronic Payments Association. While at NACHA, Nelson oversaw the development of the ACH network into one of the largest electronic-payment systems in the world, processing nearly 14 billion payments in 2005. He also oversaw NACHA's rule-making, marketing, rules enforcement, education and government relations programs. Prior to joining NACHA, Bill held several treasury management and lending positions within the banking industry.
Account Takeover Survey
TRACY KITTEN: This is the second account takeover survey to be released by the FS-ISAC and the ABA. What can you tell us about the survey, such as the time frames for when data was collected and what some of the comparative year-over-year analysis shows?
BILL NELSON: The time frames for the survey were all of 2009, all of 2010 and the first half of 2011. This is actually a follow-up to a survey we did over a year ago in looking at all of 2009 and the first half of 2010. That provided a good benchmark for us for this survey. I think one of the results was a larger increase in the number of corporate account takeover attacks, but in terms of losses that the financial institutions or their customers have incurred, it's decreased significantly.
KITTEN: Does this survey focus solely on incidents of account takeover, and do those account takeover incidents touch both retail and commercial accounts?
NELSON: This survey just focused on the commercial account takeover, not the retail side. This was actually tasked by a group called the Account Takeover Task Force. It's a group we formed actually two years ago now. One of the things they found was there was some information about various types of online banking fraud, but they were all kind of lumped together.
KITTEN: What can you tell us about the banking institutions that participated in this survey? Is the data collected year-over-year coming from the same pool of financial institutions?
NELSON: Primarily yes. We have expanded the pool a little bit since the prior survey. There were 95 what I would call depository financial institutions, banks and credit unions that participated in this survey. The other five organizations - a total of 100 institutions participated in this survey - were described as service providers and these are typically companies that provide services for financial institutions.
KITTEN: The results for 2011 only include the first six months of the year. How is the FS-ISAC comparing those half-year results with the full-year results about ACH and wire fraud that they collected in 2009 and 2010?
NELSON: If you try to annualize that, the best way to do it is to double it. You can make some assumptions that all of 2011 was at least close to double the first six months. We're not sure that's completely accurate, but [it's] the only way we had to do it since we only collected six months worth of data.
KITTEN: When might we expect full year results for 2011?
NELSON: Our partner in this was the ABA and there are a number of organizations that participated in the task force, literally four or five dozen financial institutions, regulators, law enforcement and associations, and the ABA has volunteered to basically run this survey. We allowed them to do it and I think they've done a great job. We're looking at trying to get this survey off the ground again in the next couple of months, so I would see us probably producing some results by late third quarter.
KITTEN: What differences or nuances, if any, do you think the full year results might reveal?
NELSON: One of the things that the Account Takeover Task Force did was they worked closely with the regulators and we did get some input into the way these SAR reports, suspicious activity reports, are reporting account takeover and we got a specific line item added to the SAR reports. This actually may provide even better metrics around honing in on what's business account takeover vs. other types of online banking fraud. I don't know if this will mean an increase. I doubt if it would mean a decrease. It would probably look like people can identify these more easily through SAR reporting. We may see an increase in numbers, but I'm not sure at this point.
KITTEN: One point that I found interesting in the results is that the number of attacks banking institutions reported hitting online accounts has steadily increased from 2009 to 2011. Do you think hackers are targeting online accounts more often? Or is it just that the industry three years ago wasn't really doing a great job of detecting takeover attempts?
NELSON: The latter. They're probably doing a better job now, but I don't think it's that significant. If you look at the losses that were reported three years ago in 2009, they were significantly higher, the total dollar amounts, the percentage of the funds that left the financial institution that were not recovered, monetary transactions that were actually generated and were not stopped. If they're able to report that I would think they would be able to report the number of attacks too.
KITTEN: Every time we do a survey, we have to step back and say, "What does this really mean? What do these results really tell us?" And I wanted to ask what you think these results really tell us? Where do you see the positives and the negatives?
NELSON: The fact that either no monetary transactions are generated or the monetary transactions were created but were stopped and the losses that the customers are actually getting hit with - all these figures are going down. I think that's a huge positive. I think it's good to know that. There are a lot of reasons for that and we can talk about that later, but I think on the negative side, there are still losses occurring. There are still losses that the banks are incurring and their customers. With that said, if you look at the data, the percentage losses are way, way down from three years ago, becoming less of a problem for the customers, the business customers, and more of a problem for the banks and making sure they don't incur the losses.
KITTEN: What stood out or came as a surprise from the results?
NELSON: It seems that from some of the data, the criminals are shifting from wires in many respects to ACH to exfiltrate funds; they're trying to do that. But in terms of actually getting the money out of the bank, it seems like wires are still more effective. The numbers we saw were 89 percent. The account takeover fraud that actually got the money moved out, 89 percent of those were wires and 11 percent were ACH. The attempts to exfiltrate were 70 percent wire and 30 percent ACH. Again, wires were more effective.
KITTEN: What can we glean from the results about anti-fraud investments banks are making and stronger authentication and device identification technologies?
NELSON: An action that was taken back in 2009 by FS-ISAC, NACHA and the FBI [was] in identifying various risk mitigation recommendations, things like initiating ACH and wire to dual control, limiting admin rights, reconciling your banking transactions, doing anomaly detection, out-of-band authentication. All of these recommendations were all fairly new at the time, and there have been a number of vendors that have stepped up and provided solutions to many of these, including browser-based solutions too, where even if your computer is infected, you're using a vendor's browser, not your own, to create the transactions. That has been a big improvement.
The other recommendation we had was to execute all your online banking activities from a dedicated, stand-alone computer system where e-mail and web browsing are disabled, so you only have access to the bank. That has been a big improvement too. I think all these measures combined, it's almost like a layered security defense strategy. I think that has worked for the banks. Education of the corporate customers has been much broader. I've been in a number of programs for individual banks to talk to their business customers about using the security controls and making sure they maintain a high level of security when initiating online banking transactions.
Customer and Member Education
KITTEN: That was something else that stood out in the results, the amount of time that institutions are investing in customer, as well as employee, education. But do you think they're focusing too much on education and not enough on technology?
NELSON: No. I think they should focus a lot on education. Even if those transactions have left the financial institution, they've been able to get that back because employees have been educated. Their customers are educated to look for strange things, getting a balance report every morning or every day and saying, "I thought I had $500,000 in the bank and all of a sudden I have zero. What's wrong?" Then, [they] contact their bank. ... Education is important and I think they need to continue to do it, especially the small businesses.
KITTEN: There have been a lot of positive things reflected in the results, but I'm wondering where you may see gaps. Where do you see banking institutions missing the proverbial mark?
NELSON: I think the FFIEC guidance that was actually approved last year and supposed to be implemented this year - financial institutions have some time to implement all the recommendations of the FFIEC regulators, but they really need to be looking at everything that was part of that guidance, from annual risk assessments, updating their controls, putting in layered security for consumer and business accounts, and enhanced security for business accounts. That security needs to include anomaly detection, which it didn't before. Part of all this is customer awareness and education, so I think not every bank has implemented all these points in the guidance, but they're working with the regulators and they're supposed to have a plan in place to implement all this. I think we're still in the early stages from what I've seen.
Minding the Threats
KITTEN: What final thoughts, beyond some of the technology or some of the customer education efforts that institutions are making, would you like to share about the results?
NELSON: It does illustrate that we thought we had almost the silver bullet a number of years ago. Remember when the FFIEC came out and said that you need two-factor authentication and that would solve everything. That was easily compromised. The bad guys are constantly looking for new ways to get around controls that you may implement, so you need to look at not just one control, but a variety of controls and make sure you've implemented them and you have sound business practices around that. If you have those in place, you need to continue to monitor what the latest threats are. We're of course FS-ISAC. Information sharing is our middle name. But you really need to be a part of either local groups or national groups like the FS-ISAC.