The Evolving Face of Fraud: Steve Neville, Director of Identity Solutions, Entrust
But what are today's biggest fraud risks to banking institutions, and how can these risks be mitigated?
In an exclusive interview, Steve Neville, Director of Identity Solutions with Entrust, discusses:
Neville draws on more than nine years of hi-tech marketing and product management experience to drive the strategic direction of both products and solutions for Entrust. Prior to joining Entrust, Neville was Director of Marketing at an innovative Web technology company, NetPCS Networks, where he was responsible for all market-facing activities, including direct, channel and corporate marketing. He also was responsible for the company's critical web presence and oversaw the launch of NetPCS' leading-edge online interaction product.
TOM FIELD: Hi, this is Tom Field, Editorial Director with Information Security Media Group. The topic today is fraud -- the topic that is on everybody's minds this year -- and we are talking with Steve Neville, Director of Identity Solutions with Entrust. Steve, it's good to talk with you again.
STEVE NEVILLE: Great to talk to you as well.
FIELD: When we spoke about fraud last year we certainly had an awful lot to talk about, but this year already we have had the Heartland Payment Systems breach, we've got another processor breach that has just been announced, fraud is on everybody's minds. What are the key points to pay attention to, particularly in the Heartland case and this other processor case that has just come to light as well?
NEVILLE: Well, I think when we talk about all the different issues that are out there on top of mind, these are very high profile. I think, though, that the biggest thing that people need to pay attention to is the fact that fraud is such a multifaceted thing and it is constantly changing in terms of landscape and threat profiles.
When you look at the Heartland case, they were attacked from the inside, but the reality is that attacks can originate from any external source just as easily, and organizations really need to be constantly vigilant and taking a layered approach to the problem.
Now Heartland was about mass processing the transactions, but banks' websites are just as vulnerable to losing data from an individual if proper measures aren't taken, including dedicating both time, technology and resources to the problem going forward and not just looking at it as a one shot deal. You may be secure at one moment in time, but as things evolve -- and fraud definitely does that -- you are going to be behind and vulnerable if you don't pay attention.
FIELD: Now, Steve, we didn't speak all that long ago really, but it feels like so much has happened since then, just in the global economy. Given that landscape, what do you see as currently the top fraud threats that are facing financial institutions?
NEVILLE: Well, that's a tough one, because it is constantly changing, and I think the reality is that it is an evolution as opposed to radical change, at least in the way that I look at it. You just have to look at the daily articles that are out there and just see everything is such a wild west out there.
But I think along those lines, you can really identify some of the top threats as stemming from the fact that fraud is a mainstream activity now for criminals, and they are paying top dollar to smart engineers to design and build new types of attacks. They are organized. They are concerned about usability of their malware, which as a software provider I find a bit disconcerting and in some twisted ways entertaining.
A good example is: I was looking at a piece of malware called Silent Banker, which has been hugely successful for the malware community, unfortunately. And when you use it, it literally checks your machine to see if it has malware on it, so it doesn't get messed up when it is creating the malware to go and attack users. It's pretty entertaining, and that is the result of a highly organized approach to creating fraud types of vehicles, and they are really creating highly effective attacks; things like spearphishing, harpooning, they are really working at trying to become more effective.
You guys had on your site a recent Javelin study that talks about how in the U.S. alone the number of fraud victims has increased 22% year-over-year, costing 9.9 million users a total of $48 billion in 2008. Well, that is the U.S. There is a lot of banking going on in the rest of the world as well, and banks really need to address those.
I think the other thing to consider is the attacks go much beyond the typical phishing because of this organized approach, like malware, SQL injections and those types of attacks, and they are hard to detect and deal with. You know you have the historical way of post-transaction analysis, looking over log files, seeing if something has happened, that just doesn't cut it for today and going forward. They really need to consider -- banks and financial organizations really need to look at this hard and fast, to figure out where to go next.
FIELD: You know, Steve, you mentioned the Javelin study. I have spoken to some folks at Javelin and elsewhere, and one of the things I keep hearing about is multi-channel fraud. The fraud is not just coming from phishing, it's not just coming from vishing, and it is coming from everywhere that an organization touches a customer. I am curious as to how that resonates with what you see in the marketplace.
NEVILLE: Yeah, we are seeing that quite a bit as well. Although, pretty much every bank we talk to agrees the most important channel today that needs to be more succinctly and effectively addressed is the online channel. The reality is that organizations are looking for a better way to address online fraud, but they also want the ability to tie into these other systems to deal with cross-channel and multi-channel fraud.
They want an approach that doesn't require them to change the application to detect fraud in the online space, while at the same time allows for an evolution to taking into account other channels like IVR and ATM.
The really interesting thing is that some of our customers are doing this today, and they are doing it because a lot of their systems are purely web based. One example is a European customer of ours that monitors everything that goes on their website, whether it is business or consumer banking, as well as their mobile site, which is a dedicated mobile site both for traditional mobile devices as well as iPhones, and their call center applications.
So by being able to monitor the online channel, they actually are effectively covering off three different channels for their end users coming into the organization because when a call center application opens up a particular user you can cross verify and cross reference that to what a user is doing online.
At the end of the day though, multi-channel is going to increase in importance over time, and whatever people choose today has got to be easy to pull in the online channel and have the ability to evolve to the other channels.
FIELD: One of the other areas we hear an awful lot about is the insider threat, and that given the economic conditions we are at heightened risk of the inside threat. From your perspective, what is the reality of this insider threat, and how can financial institutions best mitigate their risks there?
NEVILLE: Well, I think the biggest issue is today the external threat, but insider threats are always going to be an issue that any conscientious and effective organization is going to want to pay some attention to. You just have to look at Heartland or the Societe Generale example from last year to understand that it can happen.
Of course they need to make sure they have good security plans in place in general. You look at the recent consensus audit guidelines that have been released, which talk about critical cyber security controls. They are fairly basic when you think about them, but unless you have a plan that walks through in a structured way, how to deal with insider threats across all of these different areas, you might miss something, and that in and of itself means space is there for insiders to get in.
I think the really interesting part is that a lot of the systems, though, that are being used on the inside in order to perpetrate attacks force fraudsters to go outside. So I will give you an example: You look at the Societe Generale example where the broker was using his past position and back office functions to create new users that he could then go in the online system and affect trades and fraud against Societe Generale.
Well, there are a couple of things there when you think about that one. Strong authentication would have stopped him from ever gaining access to those systems, had that been in place for him to be able to create users. And then you think about the online system -- seeing new users being created, seeing them accessed from particular locations like inside Soc Gen, all of the sudden 50 new users are accessing and doing trades. Those would all be buzzers going off inside the fraud world to watch for. So it sort of goes full circle to the fact that you need to be able to monitor the online world to catch some of this inside fraud at the same time.
FIELD: That makes sense. Steve, let's talk about some of what you are seeing in your marketplace. What are Entrust customers doing to be reducing their fraud risks?
NEVILLE: Well, I think a lot of our customers are doing quite a bit, and it really depends on the geography that is going to drive the different approaches. For example, when you look at South America, legislation and fraud have really driven banks to deploy strong authentication en masse.
We have a lot of customers in South America doing strong authentication, and the really interesting thing is that those banks are now saying that's a good starting point; we want to also layer in fraud detection because strong authentication in and of itself is not the panacea or the thing that is going to be the silver bullet to stop fraud. There is no silver bullet. You need layers there, and so they are doing that.
When you look at Europe, Europe is more accepting of strong authentication and, in fact, deployed strong authentication more widely first. They are really looking at layering in fraud detection, web fraud detection, to address what the issues are.
North America is a little bit different, so we had FFIEC come and go, we had the Red Flag Regulations come into play, and with all the attacks that are happening out there and those two things, a lot of our customers, and in fact prospects, are now taking a re-look at what they are doing and saying, 'You know what, I need to do better on fraud and I probably need to do better on authentication as well.'
FIELD: Now, given what you know and what you see globally, what can banking institutions be doing better now to protect themselves and their customers from these risks that we have discussed?
NEVILLE: I think the biggest thing is that they need to realize the problem is one that needs attention today urgently and will continue to need attention over time. It is really because the fraud problem is continuing to evolve. Banks need to look at getting a real-time web fraud detection system as described in the recent new Gartner Magic Quadrant document that allows them to capture and detect fraud in real time. They need to do this right away so they can start detecting and defending against fraud for their end users.
And the other pieces that they really do need [include] the ability to introduce more strong authentication for end users, especially in North America, where we have been reticent in historical times to get in the way of end users unnecessarily. With web fraud detection in play, you can authenticate users based on risk, but ultimately if you want to add new higher-value transactions to a website, to an online bank, which in today's economic times would be very appealing, you really need to add more strong authentication availability.
I think the final thing, of course, and this just makes sense -- banks really need to talk to their end customers, and they need to share strategies with them for online safety and communicate that they are safe with the bank. That is all going to help the end users.
FIELD: One last question for you Steve: We've talked about organized crime, we've talked about the insider threat and the risks that are in the marketplace. As you get out and talk with banking institutions and other organizations, what is the single most important piece of advice you can offer to them?
NEVILLE: Well, I think my biggest piece of advice would be that in this time of economic pressure that we are in today, especially financial institutions, the reality is that these are more active than ever. They really are looking at this as an opportunity where financial institutions may be defocused on security and information technology to attack these institutions.
That really means that banks need to focus budgets and effort on solving the fraud problem. There may be other places to cut, but this isn't one of them -- especially if they want to keep their customers safe and happy. They should look to leading analyst firms like Gartner for guidance on choosing proven solutions from vendors that are able to weather the storm. Don't look to the smaller vendors to solve the problem, because you need someone that is going to be around. Leading analyst firms like Gartner, like Javelin, can help with that.
FIELD: Very good, Steve. Thanks so much for your time and your insight today.
NEVILLE: Thanks very much, Tom.
FIELD: We've been talking with Steve Neville, Director of Identity Solutions with Entrust. For Information Security Media Group, I'm Tom Field. Thank you very much.