Fighting Fraud: Deputize the Consumer
Javelin: Banks Still Struggle to Improve Online Security
In its annual Banking Identity Safety Scorecard, Javelin identifies three weaknesses in online banking:
- The need for more layered authentication: institutions rely too heavily on device identification, log-ins and passwords.
- Continued use of Social Security numbers: banks and credit unions still use Social Security numbers to identify and verify online users, despite the known identity-theft risks.
- Not enough implementation of customer and member alerts: many institutions have alerts, but most are not comprehensive, and few offer more than a one-way pushed notification. Javelin's Phil Blank says more institutions must deploy two-way, actionable alerts: those that actively involve the consumer by letting them act on the alert rather than merely read it.
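What a two-way, actionable alert looks like in practice, as an added example that is not Javelin's or any institution's code: a hypothetical service that holds the high-risk account changes discussed in the interview (physical address change, adding or removing an authorized user) until the customer confirms or rejects them, and treats an unanswered alert as a rejection. The event names, the 24-hour window and the alert wording are constructed for the demo.

```python
"""Hypothetical two-way, actionable alert service (constructed example)."""
import secrets
import time
from dataclasses import dataclass

# Events the interview singles out as needing a confirmable alert, not just
# a one-way notification. Low-risk events are applied immediately.
HOLD_FOR_CONFIRMATION = {"address_change", "add_authorized_user",
                         "remove_authorized_user"}
CONFIRM_WINDOW_SECS = 24 * 3600   # constructed: silence past this = rejected


@dataclass
class PendingChange:
    account: str
    event: str
    detail: str
    created: float
    status: str = "pending"


class AlertService:
    """Holds risky changes until the customer answers the alert."""
    def __init__(self):
        self.pending = {}   # token -> PendingChange

    def request_change(self, account, event, detail, now=None):
        """Return ('applied', None) for low-risk events, or ('held', text)
        where text is the alert the customer must answer out of band."""
        now = time.time() if now is None else now
        if event not in HOLD_FOR_CONFIRMATION:
            return "applied", None
        token = secrets.token_urlsafe(12)  # unguessable, one per change
        self.pending[token] = PendingChange(account, event, detail, now)
        alert = (f"{event} requested on {account}: {detail!r}. "
                 f"Reply CONFIRM {token} or REJECT {token}")
        return "held", alert

    def respond(self, token, answer, now=None):
        """Apply the customer's decision; an unknown or stale token does nothing."""
        now = time.time() if now is None else now
        change = self.pending.get(token)
        if change is None or change.status != "pending":
            return "unknown"
        if now - change.created > CONFIRM_WINDOW_SECS:
            change.status = "expired"   # unanswered alert: change is dropped
            return "expired"
        change.status = "applied" if answer == "CONFIRM" else "rejected"
        return change.status
```

The point of the model is that the change never takes effect on the attacker's say-so alone; the account holder, who knows their own activity best, is the second factor.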
Up to now, banking institutions have not taken prescriptive security measures into account. "The FFIEC guidance is probably the closest we have to those prescriptive measures, and many FIs have a philosophical bent that the consumer really doesn't want to be involved with security," Blank says in an interview with BankInfoSecurity's Tracy Kitten [transcript below].
But the consumer needs to be involved in fraud prevention. "No software analytics program can know [financial habits] better than you can, so by deputizing the consumer, by enlisting the consumer in the fight against fraud, the fraud can have a material difference."
During this interview, Blank discusses:
- Security vulnerabilities the updated FFIEC guidance does not address;
- Why, despite some improvements, most financial institutions have a long way to go when it comes to consumer fraud education;
- How mobile is expected to expose institutions and consumers to uncharted risks.
Blank provides central leadership to Javelin's Security, Risk and Fraud Practice areas. He has an extensive background in security, information technology, forensics and investigations. His perspectives on information technology and security have been presented at international conferences and published in numerous IT-related publications. He has more than 20 years of experience in both domestic and international organizations, with deep expertise in SaaS operations, security, networking, high-availability systems, business continuity planning, customer service and internal support.
TRACY KITTEN: Javelin released its annual banking identity safety scorecard report. What can you tell us about the scorecard, such as the number of institutions that were surveyed for the report?
PHIL BLANK: This is our seventh annual banking identity safety scorecard. We've done this every year for the past seven years so it gives us a pretty good view of what's been going on in the industry. The way we approach the scorecard is we look at the top 25 financial institutions, a combination of credit unions and traditional banks, and we look at the top 25 by deposit size. It's important to note in this study, we're really looking at consumer-facing security measures. We do that for two reasons. One, most FIs won't disclose to us what goes on in the backend of their security with their analytics and two, we would have a very, very difficult time validating and verifying what they're telling us. These are items that are relatively easy for us to validate and take into account how the bank deals with the consumer directly when it comes to security.
Greatest Security Challenges
KITTEN: The study notes that financial institutions continue to struggle to stay ahead of fraud trends in the online space. What vulnerabilities or security weaknesses seem to pose the greatest challenges?
BLANK: We've seen, over the past three years in particular, a really bad drop-off in our prevention, detection, resolution model. Some of the challenges that the FIs face today are challenges in authentication, the use of what we call layered authentication. A lot of FIs rely on device ID as well as log-in and password. By the way, log-ins and passwords, they've been with us since the '60s and if you think about how much other technology has changed, it's coming time where the creaky old passwords will soon no longer see the light of day.
We're also seeing an increased use of social security numbers. As you know, you have to provide your social security number to provision the account, but FIs really need to move away from the use of SSN when it comes to authenticating the user to the account. We don't see enough FIs incenting the use of the security software. Some of the FIs provide it for free, but many of them don't incent the consumer to use it and therefore lose the advantage of it.
Finally, we see a deficit in alerts. A lot of FIs have alerts but they're either not comprehensive or they are not two-way and actionable. Those are some of the key areas that we've seen in this year's scorecard that are really weaknesses in bank security.
Contributing to the Problem
KITTEN: Is the industry just not doing enough to keep up with the ever-evolving malware and Trojans like Zeus or are there deeper security concerns at the core here? It sounds like maybe some of the practices that institutions are using are really more of the problem.
BLANK: I think you've hit the nail on the head. It's really a combination of issues. Man-in-the-browser protection is very well known, but it's really a technical solution and over time as more and more people get updated software and get man-in-the-browser protection, it will prevent that specific vulnerability. The problem really comes into the fact that most fraudsters are performing what we call "crimes of impersonation." When you perform a crime of impersonation, it's much more difficult for analytics or software to pick that up because as far as the FI knows, it's a legitimate person approaching the FI. It's really incumbent upon the FI to look at a broader range of security issues and that's why a point-technical solution against a Trojan like Zeus or SpyEye isn't really going to solve the total problem.
Online Security Gaps
KITTEN: What trends have been consistent then if we look over the last seven years where online security gaps are concerned? Where do you still see the same problems?
BLANK: Probably the most consistent trend has been a U.S.-based trend. Due to the competitive marketplace in the U.S., the U.S. has never really taken into account prescriptive security measures. The FFIEC guidance is probably the closest we have to those prescriptive measures, and many FIs have a philosophical bent that the consumer really doesn't want to be involved with security. So they try and handle everything behind the scenes. Because of that, there's some amount of fraud that simply is going to continue forever and ever. We've been seeing a very slow change of heart in many of the FIs where they're beginning to realize the value of partnering with the consumer in the fight against fraud, because frankly no one knows your financial habits better than you. No software analytics program can know it better than you can, so by deputizing the consumer, by enlisting the consumer in the fight against fraud, the fraud can have a material difference. That's been a pretty consistent thing we've seen for the past seven years.
KITTEN: Now I've asked about some of the vulnerabilities and some of the gaps that have been consistent over the last seven years. What about areas of improvement? What stood out this time that might be worth noting?
BLANK: The areas of improvement this time have really been around education and providing tools to the consumer. On the other hand, the FIs are not providing the incentives for the consumer to use those tools. So the consumer sees the tool, looks at it and says, "I wonder what that does," and then moves on. For example, several large FIs in the United States provide man-in-the-browser protection for free. It's a free download, but they don't incent the consumer to use it and without having that incentive the consumer isn't likely to go out there on their own.
KITTEN: That's a great point, and I wanted to note also that the report mentions the forthcoming updated FFIEC guidance for online banking authentication. Where did Javelin find that institutions were perhaps lacking when it came to FFIEC conformance?
BLANK: In terms of the consumer-facing security, there's clearly the issue of static versus dynamic KBA [knowledge-based authentication]. With a proliferation of social media, static KBA is really going by the wayside and we're seeing many FIs still rely on it. There has to be an expanded use of multifactor authentication, true multifactor authentication, and that's another area that FIs really need to think about when the factors are too close to each other. They also need to look at things like out-of-band signaling and items that can really enhance the security of their institution.
We found the FFIEC guidance itself was not particularly robust, especially when it came to mobile applications and some of the newer technologies. We would have much preferred a much more comprehensive document, but unfortunately these things tend to move a bit on the slow side. That by the way is a challenge because the fraudsters move very, very fast and that's why you've seen that drop in prevention over the last three years from 79 percent to 54 percent.
KITTEN: That's a great point. The fraudsters oftentimes are moving at a much faster pace than the industry is. This is a good segue because I did want to ask about mobile. Where do you see institutions when it comes to vulnerabilities? Where are some of the greatest risks that surround mobile, whether that's mobile banking or mobile payments?
BLANK: I think some of the risks associated with mobile are the fact that this is a land grab going on right now. And when I say a land grab, everybody is trying to go out and grab market share in the mobile space. This is because the consumers have told us through our surveys that mobile banking is something that they are very, very interested in. In fact, they've indicated to us for example a service called remote deposit capture, where you can deposit checks from your mobile device. If your FI doesn't have that, a fair number of customers would actually change FIs in order to have that particular feature. So a lot of FIs have rushed to market with mobile applications that have not been fully vetted.
We believe that no mobile banking should take place on a device that doesn't have remote-wipe capability, but there are mobile applications out there that don't even have remote-deactivation capability. The good news about that is the mobile environment is still relatively small. The bad news is that it's growing very, very fast. By this time next year, we're going to see a substantial amount of mobile transactions and the fraudsters are really sudden. They're going to go where the money is, so as more and more people continue to do mobile banking, you're going to see more and more mobile Trojans, such as the "zombie" Trojan that we saw in China, targeting specific mobile applications.
KITTEN: You talked a little bit about consumer education earlier and it does sound as if financial institutions are doing better jobs of trying to educate some of the consumers that they work with when it comes to online transactions. What about in the mobile space? Are financial institutions doing a good job about educating consumers about the risks there?
BLANK: Absolutely not. In the mobile space, it's like, "Hey, it's wonderful, it's safe, don't worry about it. Everything's good." And you and I both know, as security professionals, this is really not the case. For example, in our mobile security report we talk about the fact that in the Android market you can now actually purchase software, antivirus software, for your mobile phone. I hate the term smart phone. It's really not a smart phone. It's a PC that happens to be able to make phone calls, and because of that phone-call addition, because of that 3G networking, there's going to be a whole new raft of vulnerabilities and attack vectors that we haven't seen in the past. This is why it's incumbent upon the FIs and it's incumbent upon the mobile suppliers to make sure that the consumers are equipped with the tools they need to fight those vulnerabilities.
KITTEN: Before we close, what advice could you offer to financial institutions that are working toward FFIEC compliance as well as enhanced security on the mobile as well as online channels?
BLANK: Involve the consumer; involve the consumer. The consumer wants to be very much involved in their own security. And this doesn't mean turn them into security geeks, but provide them with the services that they want. Let me give you a great example. When we did the survey, only 72 percent of the FIs that we surveyed had a specific alert for physical address change. Only 20 percent had an alert for me to add or subtract a user. So if I have access to your account and I put myself on your account as an authorized user, only 20 percent of the FIs out there have the ability or have the service to send you the alert. This is something that FIs have a long way to go on.
In closing, I would say deputize the consumer; use the consumer. They want to be involved in the security. It is part of helping them manage their financial affairs, and if we can create that partnership we will see a significant drop in the fraud rate.