Financial Institutions, Customers See Drop in Cyber Crime Losses

WASHINGTON — Despite a steady stream of negative headlines, the intensifying focus on the threat that cyber crime poses to the financial sector may be yielding positive results.

Losses to financial institutions and their customers as a result of cyber-related fraud declined over the last 18 months, even though the number of attacks increased, according to testimony at a hearing held Wednesday by the House Financial Services Committee.

That finding comes from the Financial Services Information Sharing and Analysis Center, an organization dedicated to fighting cybercrime whose members include thousands of banks, credit unions, insurance companies and payment processors.

"Statistics indicate financial institutions are doing a better job of stopping fraudulent transactions from being created and from funds leaving the financial institution," said William Nelson, the organization's president.

In 2009, 63% of reported takeovers of commercial accounts resulted in funds being sent out of the financial institution, according to survey data cited in Nelson's testimony. In the first six months of 2010, that number fell to 36%.

Likewise, the percentage of cases where monetary transactions were created but the funds were stopped before they left the financial institution rose from 20% to 36% during the same time period.

Notwithstanding the progress, witnesses at the hearing testified about the need for greater vigilance and better collaboration between government and private industry.

"The bottom line is: No one entity has all the information; it takes teamwork to bring all the pieces together to complete the picture," said Greg Garcia of Bank of America Corp. "Most acknowledge that actionable threat information that is not shared is useless information."

Democratic and Republican lawmakers at the hearing were on the same page about the importance of the cyber crime threat.

"This year alone there have been numerous security breaches and attacks on private companies, federal agencies, and financial institutions," said Rep. Shelley Moore Capito, R-W.Va., the subcommittee's chair. "These threats are especially acute in the financial services industry."

Rep. Carolyn Maloney of New York, the subcommittee's top Democrat, warned: "There is no such thing as a completely secure network. And the cost to secure these systems is extremely high, both in terms of protecting against hacking incidents and combating them when they happen."

The hearing also touched on several other key areas, including:

• The new federal guidance on Internet banking authentication, issued in June by the Federal Financial Institutions Examination Council, got positive marks from the non-profit organization formed by financial institutions to combat cyber crime. The new guidelines advise financial institutions to verify customers' identities using multiple challenge questions that can't be answered using publicly available information.

"Commercially reasonable security procedures must achieve an appropriate balance between security, risk and usability," the Financial Services Information Sharing and Analysis Center states in its testimony, adding that the recently issued guidance "goes a long way towards achieving that balance without dictating any single solution which may prove to be untenable over time."

• The FBI warned that mobile banking and Twitter offer new opportunities for cyber crime. Specifically, criminals are sending malicious text messages and tweets to gain access to users' online banking accounts.

"Because financial institutions sometimes use text messaging to verify that online transactions are initiated by a legitimate user, the infected mobile phones forward messages to the criminal, thwarting the bank's two-factor authentication," Gordon Snow, assistant director of the FBI's cyber division, said.

• Witnesses warned about the threats posed by a company's own employees and contractors. The FBI notes that people with direct access to a firm's core processing centers may be in a position to steal intellectual property, insider information, and data that could damage the company's reputation.

Gregory Shannon of the Software Engineering Institute at Carnegie Mellon University also warned that the stress from the struggling economy is exacerbating the potential threat from company insiders.

"Organizations are working hard to build walls around their network infrastructure to keep people out but are having a difficult time defending against potential menaces that are already on the inside of the fence," he states.

• Financial services places third on the 2011 list of top business sectors in terms of data breach victims, trailing the hospitality and retail sectors, according to a report on data breaches by Verizon.

The Verizon report also finds that nine of the top 10 hacking methods used in electronic crimes are very simple in nature. According to testimony from A. Bryan Sartin of Verizon, "our research shows that with so many weak and easily exploited targets of opportunity available, great complexity and sophistication are not necessary for cyber crimes to succeed."

For reprint and licensing requests for this article, click here.
Law and regulation Bank technology Community banking
MORE FROM AMERICAN BANKER