Loses at small and mid-sized businesses from fraudulent electronic funds transfers are on the rise; that's because criminals increasingly target organizations with hefty account balances but that lack large IT and security operations. Consider the case of the Duanesburg Central School District in New York, which perfectly fits the profile of today's victim. It lost $3 million when hackers tapped into its NBT Bank account earlier this year.
According to a recent analysis by David Nelson, an examination specialist with the FDIC Cyber Fraud and Financial Crimes Section, commercial customers and their banks suffered about $120 million in losses in the third quarter of 2009, up from about $85 million in the third quarter of 2007. In response to this threat, IronKey launched Trusted Access for Banking solution in February, designed for banks' commercial clients.
The IronKey solution is a USB device that prevents man-in-the-browser attacks; a user plugs the device into a computer and enters a password to unlock the device. Once unlocked, IronKey's virtualized operating system automatically runs; a secure Web browser launches and goes directly to the bank's website. The Web browser is protected against malware from the host PC and may be configured so users can visit only specific websites.
David Tripier, IronKey's CMO, describes the environment created by IronKey as a "safe haven" that incorporates many security features to keep the criminals at bay. The system conducts an anti-malware scan of the host computer, the keyboard is encrypted, and the device is "read only" so criminals cannot permanently alter the device. The IronKey solution can also include an RSA security token that generates one-time passwords, which means the device is both a secure banking platform and a mechanism for two-factor authentication. Tripier said "a few" large and regional banks are current customers and there are more than 20 proof-of-concepts in the works.
Eric Ogren, principal analyst at the Ogren Group based in Stow, MA, says "viruses aren't viruses anymore, they're crimeware" and banks and their customers must be on guard. He says IronKey's solution-to essentially create a second minicomputer that's isolated from the rest of the PC and creates a virtual workspace-is not just an excellent idea, it's also mercifully free of complexity. "It passes the mom test. My mom could plug this in and go."