Fraud: Social Media Heightens New Threat

Appeared in Bank Systems & Technology, December 21, 2009

Monday, December 21, 2009

Bank fraud can take many forms. It can manifest itself in the shape of a counterfeit debit card or as a stolen online ID and password. Sometimes it even appears as a 25-year-old man wearing his mother's pink blouse and head scarf.

That was the picture of fraud at a Chase Bank branch in Franklin, N.J., in early December, when Tita Nyambi, speaking in a high-pitched voice and holding a withdrawal slip with a forged signature, attempted to withdraw $700 from his mother's bank account, according to a report in the Newark Star-Ledger. More often than not, though, banks are not able to look fraud in the face and identify its suspicious five o'clock shadow.

In fact financial institutions are finding it increasingly difficult to distinguish between fraudsters and their own customers. And as social engineering attacks, such as phishing, grow in popularity and complexity, in many ways perpetrators of fraud are not seeking to exploit weaknesses in a bank's security environment, but rather weaknesses in a bank's customer base.

"The basic idea behind a social engineering attack is that you can harden your IT systems to any conceivable degree and there will always be a weak point, which is that those IT systems need to interact with humans," explains Tim Callan, VP of product marketing for Mountain View, Calif.-based VeriSign. "If [hackers] can trick the humans into letting them in, it doesn't matter how strong the security is."

That sentiment is echoed by Bernhardt A. Alama, VP of product management in Honolulu-based Bank of Hawaii's ($10.8 billion in assets) cash management department. "Whether you're talking commercial or individual [accounts], the challenge we have is ... the physical person," he says. "The weakness is really with the individual."

In response, banks have learned to change the way they approach fraud mitigation. Historically, financial institutions addressed fraud on a channel-by-channel basis, according to S. Ramakrishnan, CEO, Reveleus and Mantas products for Oracle (Redwood Shores, Calif.) Financial Services Software. Individual susceptibilities were identified, thus generating individual remedies, he explains.

"What's happened since then is that fraudsters have gotten very clever," Ramakrishnan relates. "Now they attack the entire system through a combination of factors. They tend to do cross-channel fraud. If you continue to look at fraud as it is occurring in each channel, you're missing the connections across these channels that fraudsters are typically exploiting."

As recently as 2004 and 2005, banks still were taking a modular approach to fraud mitigation, says Alison Kuo Sullivan, director of fraud product management at FICO (Minneapolis). Then, "[Banks] started to adopt some of the concepts around enterprise fraud management," she recalls.

An enterprise approach to fraud detection is critical today, asserts Bank of Hawaii's Alama. "The primary driver is that the majority of fraud conducted [today] is related to social engineering," he says. "There are some technical issues related to fraud being conducted, but most of it involves convincing someone to give up their credentials one way or another, whether that's via voice, e-mail, cell phone or another method. What we're finding globally is that our customers are getting duped somewhere in a process to give up something that they shouldn't."

Given changes in products and channels, fraud trends ebb and flow, notes Ben Wallach, VP and fraud operations manager for Regions Bank ($140 billion in assets). But most recently, he adds, he has seen an uptick in cross-channel fraud. "If I had to pinpoint a change, that would probably be the biggest one -- [fraudsters] are using multiple channels now to perpetrate fraud," he says.

Channel Surfing

To address the growing cross-channel threat, Birmingham, Ala.-based Regions Bank recently implemented a new enterprise fraud-monitoring system aimed at detecting fraud in areas such as debit cards and online banking, according to Wallach. While he declines to offer specifics about the solution, Wallach says it is connected to feeds from various channels, giving the bank an enterprisewide view of fraud and allowing it to write rules and score activities across product lines and channels.

"The entire fraud management process is centered around analytics, rules and neural scoring models," Wallach relates. "The approach there hasn't really changed. We've had that approach in individual silos for years now. It's just enriching the data in all those different aspects from various products and channels."

Phishing and key-logging attacks, for example, target multiple channels, Wallach suggests. In a typical phishing attack, for example, a hacker may be able to compromise a customer's PIN in addition to his or her online banking credentials. "[Fraudsters] are obviously going to hit on both those channels, so if you see a particular type of fraud on one channel, you can safely assume that you're going to see it on another channel," Wallach details. "You can immediately react to that in an enterprise system."

The challenge, however, is in implementing a system that is both tightly integrated with a bank's various channels and flexible enough to react to change, according to Wallach. "You can't just take a system ... out of the box, unwrap it and then expect it to meet all the expectations outlined in your business case," he contends. "You have to tightly integrate the system, and you don't want to assume that the integration is only relevant to areas where fraudsters are hitting you today. As soon as they figure out what your controls are, they are obviously going to move."

The process for identifying and eventually investing in an enterprise fraud detection system began at Regions Bank about two years ago, Wallach reports, adding that initial channels went live on the new system in June 2009. During the process, he notes, the business case for the fraud solution held strong through the economic crisis. "If the business case was not as strong as it was, the economics that we all dealt with might have hindered the situation," Wallach recalls. "In light of the business case, the changing economy and the fraud that is indicative of that change probably actually helped us to [justify the investment]."

Fortifying the Defenses

But while an enterprisewide view of transactions can help financial institutions identify fraudulent activities, banks still must drill down into specific channels and deploy specific point solutions to prevent fraud in the first place. Hackers may obtain user credentials for multiple channels, but they still must exploit those credentials on a channel-by-channel basis.

At Bank of Hawaii, key-logging and other malware attacks increasingly target the bank's commercial clients. "It's grown significantly in the last two years," the bank's Alama says. "We've noticed much more aggressive efforts to acquire credentials on the [commercial] side, whereas before it was primarily concentrated on the retail side."

In response the bank has added security layers to its credentialing process. First, Bank of Hawaii mandated dual control for its commercial clients -- requiring two users to each provide credentials to initiate a transaction such as an ACH or wire transfer, according to Alama.

The bank also has rolled out hardware tokens that generate one-time passwords to thwart social engineering fraud attacks, Alama adds. The hardware tokens are distributed to users in the form of an RSA key fob, which contains a small keyboard on which a user types a PIN. The key fob then generates a one-time, six-digit pass code that the user reenters when signing on to Bank of Hawaii's online applications.

Many of Bank of Hawaii's enhanced security measures have been put in place with an assist from Atlanta-based Online Banking Solutions' (OBS) Online Messenger version 3.0 and M-Secure Banking Suite products, Alama reports. Implementation, he relates, began late last year, and the solutions went live in the third quarter of 2009.

In addition to other OBS tools -- including a secure browser that clients can use to access the bank's online applications -- Bank of Hawaii leverages the vendor's M-Secure Virtual Keyboard, software that provides an additional layer of security by limiting account access to a specific computer or other device. Alama describes the virtual keyboard as a "soft token" that uses the same strategy as a hardware token.

Essentially, he explains, a customer uses his or her mouse to enter login information and a PIN number via an on-screen keyboard (as opposed to a physical keyboard) to generate a one-time pass code that automatically is sent to the bank for credentialing. The process eliminates physical keystrokes, greatly reducing the effectiveness of key-logging malware. "The majority of the problems that are out there today are customers that have malware downloaded on their computers that is capturing all their keystrokes and passing that off to a foreign computer somewhere else," Alama says.

Unfortunately, Alama acknowledges, while the new controls have helped to prevent fraud, they also have limited the convenience factor of the online banking channel. "In the end, the applications have gotten a bit more cumbersome to use, especially for the smaller business, because of the dual controls and other security features we've had to implement to protect [clients] from some of the key-logging efforts," he concedes.

Worth the Inconvenience

That said, push back from the bank's customer base has been tempered by the growing awareness of identity theft and other social engineering fraud schemes. "Initially, a couple years ago, it was difficult," Alama says of the effort to partner with customers to prevent fraud. "[But] our customers are actually appreciative that we're going through the effort to try and protect them, even though it may require additional effort on their part."

The balance between convenience and security was central to fraud mitigation efforts at Addison Avenue ($2.2 billion in assets), a Palo Alto, Calif.-based federal credit union serving select employee groups (SEGs) at technology companies such as Hewlett-Packard. With a globally dispersed customer base, Addison considers the online channel to be a top priority. In fact, the credit union aims to provide online banking services that can support any transaction that a member can perform in a physical branch, according to Addison Avenue CIO Blanca Guerrero.

Those online services extend all the way to enabling a customer to open an account online with an electronic signature. "We may open an account with a member and never see their face," Guerrero relates. "The risk is high, but we have measures in place [to ensure] that the person who is applying for a loan or a new account is who they say they are."

In 2006 the company started working with VeriSign to implement the vendor's fraud detection system. The VeriSign solution monitors traffic that comes through the online banking site and develops behavioral patterns for members based on factors such as transaction types and where and when they access their account, explains Sri Balaji, a solutions design and development manager at Addison Avenue. "Everybody has a unique behavioral map. Whenever the system detects a deviation from that existing map, it challenges the member to authenticate themselves," says Balaji, who managed the team that implemented the VeriSign solution.

On top of the behavior engine, the VeriSign solution allows Addison to provide rules to, for example, target specific high-risk transactions for additional authentication.

"Everything is happening in this online system, so we really want to put a lot of rigor in place in terms of validating and authenticating the user who is submitting those requests," Balaji comments.

Addison Avenue's enterprisewide fraud mitigation practices are augmented by specific security layers that aim to ensure users are who they are purporting to be. Like Bank of Hawaii, the credit union introduced one-time pass codes to the authentication process. According to Balaji, when additional credentials are required the company sends users the one-time pass code via phone, e-mail or SMS text message.

Addison also rolled out hardware tokens that generate random one-time pass codes, Balaji adds. The tokens are available to members in various form factors, including key fobs and a credit card-size device. BlackBerry and iPhone users can download software to their mobile devices that serves the same function as the hardware token.

Addison first went live with the VeriSign solution in late 2006 and since the initial deployment has continually updated the system's functionality, adding features such as rules, phone OTP (one-time password) and SMS OTP, Balaji reports. The most recent addition, she notes, was the hardware token rollout, which went live in June 2009.

That progression perhaps best sums up the constantly evolving battle financial institutions face when it comes to fighting fraud. Yesterday's secure practice can become tomorrow's security liability, especially with the advent of cross-channel threats.

"It's a constantly evolving landscape, and our own evolution with the [VeriSign] system speaks to that. When we started off, sending a one-time code to an e-mail was acceptable. Now you have Trojan [horse viruses] and key-loggers, and people's e-mail accounts are getting compromised," Balaji says. "There isn't any one answer that is going to lead to complete security. We have to constantly tweak rules and work toward the next generation [of security solutions] to try and keep up with the hackers."

By Nathan Conz