With hackers prowling, financial institutions are turning to an arsenal of security tools.
Suddenly the media is full of apocalyptic stories about security lapses in corporate and governmental information systems-stories that send chills through the financial services industry.
They were sparked by February's wave of denial-of-service (DoS) attacks launched on major Web sites such as Yahoo Inc.! and E*Trade Securities Inc. The attacks and the fallout that resulted have sent financial-service managers scrambling to evaluate, and understand, their own IT security systems.
Banks and brokerages have helped lead the e-business and e-commerce charges over the past few years. But this growth has also left them more vulnerable to a broader range of threats and uncertainties.
Consequently, spending on IT security in financial services has ballooned in recent years. According to Chris Christiansen, an analyst with Framingham, MA-based researcher International Data Corp., worldwide security-vendor revenues in the finance/insurance sector grew from $94.5 million in 1996 to $582.8 million in 1998.
By industry, finance and insurance concerns were the leading spender on security technology over that period, Christiansen says. In 1996, the sector accounted for 7.7% of all IT-security software sales worldwide; by 1998 the sector accounted for 18.5%. Over the same period, total worldwide sales of security technology grew from $1.2 billion to $3.1 billion (see tables).
That doesn't mean that everyone in the industry is a security whiz. Outbreaks like the recent DoS attacks scare managers, says Alex Vakman, systems security officer at the New York office of London-based brokerage HSBC Securities. But he adds, "I'm not sure if they really understand more about security (than before the attacks)."
The recent DoS attacks are particularly scary because there is nothing that individual institutions can do to prevent them, industry observers say. After all, they're not akin to a hacker penetrating a computer network. Rather, DoS is an excess of something desirable-incoming customer requests. Network defense technology can't be configured or programmed to stop them.
According to Simon Perry, security business manager of Islandia, NY- based Computer Associates International Inc., one step individual institutions can take is to deploy software on their firewalls that detects and neutralizes the invading software that hackers need to launch attacks. He says Computer Associates' customers were downloading up to 9,000 copies per day of such software from CA's customer Web site after February's attacks.
He adds that many companies had installed detection software that automatically sends out telephone, email and pager messages to systems managers when their Web site comes under a DoS attack.
But DoS is so hot that everybody's getting jumpy. Last month the Senate Banking Committee, spurred by an erroneous report by The Associated Press that a bank security network had prior knowledge of the DoS attacks, called the company that maintains the network, Reston, VA-based Global Integrity Corp., to ask why they did not inform the authorities (see story on page 4).
Global Integrity was let off the hook when banking representatives, speaking before the committee the day before GI was scheduled to, informed senators of the mistake. "Sadly, the network didn't know anything (about the attacks) before anyone else," the company's vice president, William Marlowe, tells BTN.
DoS attacks are just one of many invasion threats that banks and brokerages face. To counteract them, institutions most commonly use firewalls, intrusion detectors like anti-virus software (also called malicious code detectors) and vulnerability scanners. "(They are) the meat and potatoes of financial institutions' IT security," says Frank Prince, a senior analyst in e-business infrastructure at Forrester Research Inc., of Cambridge, MA.
Firewalls are installed between the institution's connection with the Internet and its own networks. They are configured either by the user or the firewall itself to filter traffic passing into or out of the internal networks. They can, for example, prevent programs from being downloaded off the Internet or block some kinds of departing email.
Intrusion detectors identify and deactivate "malicious codes," or unwelcome online guests such as viruses, so-called Trojan Horses, and Java applets and ActiveX controls. Trojan Horses enter systems because they are in the form of something that firewalls have been pre-configured to admit- generally an email message.
Java applets and Microsoft's competing version, ActiveX Controls, are known as "mobile code" because they are automatically downloaded off the Internet and executed along with the application they are attached to. This makes them difficult to filter out of a network, experts say.
But the needs of financial institutions go beyond a firewall here or some anti-virus software there. Security providers say more banks and brokerages are moving toward integrated solutions like firewalls enhanced with intrusion-detection software. "Banks basically want complete solutions," says Gary Ulaner, group product manager at security supplier Symantec Corp., Cupertino, CA. "They want to manage their anti-virus software and Internet-intrusion detection technology from one place."
Integration typically occurs at the firewall level. Symantec recently developed Norton Antivirus for Firewalls 1.5, which can be installed on IBM- and CVP-compliant firewalls. Computer Associates markets firewalls integrated with content filters and malicious-code scanners that can be instantly upgraded when new invaders appear. Both companies say they count major financial institutions as customers but declined to disclose any.
Unfortunately, most malicious-code detectors can only eliminate intruders that are already known. That's a problem because a new fast- spreading code like that based on Java applets and ActiveX controls can do enormous damage before "antibodies" can be generated.
Mobile code woes
A relatively new product from San Jose, CA-based Finjan Software Inc. resides on a firewall and protects networks from all mobile code. Called SurfinGate, it scans incoming traffic for mobile code, isolates it and tests the application it will run in a pre-configured "sandbox." If the application is outside pre-set parameters, SurfinGate blocks its entry.
This would prevent, for example, a bank's network from being breached by a brand-new piece of malicious mobile code, such as last year's Melissa email virus. Such prevention could save a bank both from having its own and customers' data compromised and from incurring downtime expenses.
Ron Moritz, chief technology officer at Finjan, calls this "proactive and first-strike security" against the stealthiest of invaders. Perhaps the most feared of these is "Back Orifice," which mimics Microsoft Corp.'s own Back Office application and allows hackers access to corporate networks.
Moritz cites a Southern California bank, which he would not identify, that was recently blackmailed by hackers who had installed Back Orifice on the desktop computer of the bank's senior vice-president. The hackers collected sensitive bank information and then threatened to release it publicly unless the bank paid up. "It appears (the bank) cooperated," Moritz says.
HSBC Securities has deployed SurfinGate at a cost of around $100 per user, according to Vakman.
The brokerage, a unit of HSBC Holdings PLC of London, chose the product because it needed "granular protection," meaning a system that destroyed malicious mobile code attacks while allowing friendly code to pass through. No other IT security tool offered such protection, Vakman says. "It does what it's supposed to do and has never let us down," he adds. "Not yet, anyway."
Fear isn't the only emotion driving IT security in the banking industry. Most major institutions are now deploying advanced security technology as they ride a wave of growth in business-to-business e-commerce and corporate online banking.
More and more companies are conducting high-value transactions with their banks and brokerages over the Internet, as well as conducting business with other companies through their financial services providers online. That has pushed banks and brokerages to invest more heavily than other industries in cutting-edge technologies like access control.
As a result, "Banks are in the top 10% to 15% of our customers in terms of their level of understanding" of IT security, according to Perry of Computer Associates.
Most forms of network access control involve some form of "user- authentication" technologies. These allow both the sender and recipient of online transactions to verify themselves and each other, most commonly by attaching a "digital certificate" or some other form of digital signature, which could even be an electronic fingerprint.
"These are the technologies of the future," says Charles Cresson Wood, an information security consultant with Sausalito, CA-based Baseline Software. "That means banks must be investing now in establishing their supporting infrastructure."
Some bankers believe these technologies will significantly increase the current level of protection of both transaction integrity and customer privacy. So those banks that invest in it early hope to expand significantly their corporate customer base by offering them a higher level of privacy and security for high-value transactions.
"Once you've solved the security issue to (your corporate customers') satisfaction, you open the door to providing a full range of services and true 'anytime, anywhere' banking" says Randall York, assistant vice- president of Charlotte, NC-based First Union Corp., which launched its secured access-control service to corporate customers early last year.
PKI, digital certificates
The necessary infrastructure for user authentication, known as public key infrastructure, or PKI, consists of two security "keys." One is the public key (the digital certificate), which is either downloaded from a browser or called up from a hard drive and attached to the transaction command or document. By ratifying the sender of the message as the subject of the request, it acts as a kind of digital driver's license that identifies the sender of a transaction and provides certain details about him.
The other component is the private key, also called the RSA key, after RSA Security Inc., the company whose subsidiary is the market leader in digital certificate supply. The private key sits on the hard drive of a computer and, when activated by a user name and password, unlocks the user's PKI access.
Steve Ross, a technology security expert in the Enterprise Risk Services group of New York-based Deloitte & Touche LLP, part of global consultancy Deloitte Touche Tohmatsu, says PKI and digital certificates solve the overlapping problems of safeguarding privacy and security. "Pursuing customer confidentiality has become a strategic area for banks," he said. "But they also want an answer to the question, 'Who am I doing business with?'"
Analysts say nearly all top-tier financial institutions and those with a significant book of corporate customers with transactions of more than $1 million are deploying digital certificate technology. Typically, the financial institution provides customers with the necessary hardware and software to access the PKI.
Bank of America, the country's largest bank with 30 million retail and 2 million business customers, rolled out digital certificates in January last year to 400 online customers of Bank of America Direct, the bank's Web-based transaction and information network. That number has grown along with the bank's corporate online banking business itself, says Mack Hicks, senior vice-president in charge of authentication services at BofA, while declining to offer specific figures.
Hicks says digital certificates allow BofA Direct customers to conduct secure transactions with the bank and its customers, and with customers of other banks.
The bank also recently signed an agreement with Internet hardware supplier Cisco Systems Inc. of San Jose, CA. It will allow Cisco to verify the digital certificates of its customers using the bank network, thus generating an additional source of revenue for BofA. Hicks says the bank hopes to build on such partnerships in the future.
Bank of America is a founding member of Identrus, a global trust organization formed last year to provide authentication for digital certificates. Other Identrus founders include ABN AMRO, Bankers Trust, Barclays Bank, Chase Manhattan Bank, Citigroup, Deutsche Bank and Hypo Vereinsbank.
Using PKI technology, Identrus aims to establish a secure global business-to-business e-commerce network by providing global certificate- authentication (CA) services for business-to-business transactions. Initial users will be the corporate customers of the founding banks.
But some bankers and security analysts point out that the PKI-digital certificate system has security weaknesses. They say the private key can still be reached by a clever hacker over the Internet, so sealing entry to the private key with "just" a user name and password is no longer considered secure enough.
Security providers have developed a variety of solutions to this problem, collectively known as "extended user-authentication." Essentially, these technologies, which can be hardware- or software-based, require the user to enter some form of secured identification to access the password or the private key.
Tokens, also called "keys to the key," are external hardware devices plugged into the computer. They generate a code that the user must enter into the system to unlock access to their private key.
First Union, the nation's sixth-largest bank with 16 million customers, last year began supplying its corporate customers with a one-time password token known as the Digipass 300, developed by Oakbrook Terrace, IL-based Vasco Data Security Inc., which claims to be the banking industry's number one provider of authentication tokens.
The user plugs Digipass into the computer and it generates a one-time password. Following on-screen instructions, the user enters this password when and where prompted, and gains access to his or her private key to the PKI if the numbers match. The device adds to security by changing the password each time it is used.
First Union began offering Digipasses in January last year to its corporate customers who use the bank's PC-based Invision service, allowing them to make secure Automated Clearing House transactions and wire transfers. The $253 billion-asset bank has now rolled out the service to all 600,000 of its cash management account customers.
York says First Union chose the Digipass because it was simple to use, easy to support and cost-efficient. "We have a huge focus on customer service, so anything that makes it easier to do business with us will help us do more business," he explains. As a result, he said, the technology "will definitely help us add to our bottom line" by increasing the amount of business done by existing customers and by attracting new customers with extra security and privacy.
Smart cards, biometrics
Not all financial institutions are following First Union's lead in securing user authentication systems with password-generating tokens. Some believe that deploying authentication technologies that increase the user's privacy even more than tokens, as well as offering more functions, will increase their share of online corporate banking business.
The ideal security application, they argue, allows as much authentication as possible to take place via an external device, such as a smart card, that carries an authentication biometric, such as a fingerprint. Smart cards like the recently launched American Express Blue hold a microchip that can store data, digital cash, and a private key and digital certificate.
The chief advantage is that the user takes the key out of the computer and carries it with him, ensuring it can't be accessed from outside. By adding a fingerprint scanner and reader to the smart card, the card itself is then fully protected against unauthorized use.
Fingerprint imaging, like other biometrics such as iris-scanning and signature-reading, convert the different recurring patterns in human fingerprints into an algorithm (a regularly recurring pattern of numbers), which is then stored. After a scanner reads a person's fingerprint and converts it to an algorithm, the number is checked against the stored algorithm; if they match, access is granted to the computer or other device.
The BofA way
Bank of America recently completed a year-long test of an extended user-authentication system, with a limited but unspecified number of customers, based on smart cards and fingerprints. The user inserts the smart card into a card reader on the computer and places their finger on a scanner on the computer. If the scan matches the digital fingerprint stored on the smart card's microchip, the user can then proceed with the transaction.
The advantage of this over systems such as password generators is extra privacy for the user coupled with wider applications of the smart card, Hicks of BofA says. These include storing and sending digital certificates and downloading digital cash as well as making credit, debit and ATM transactions.
The $633 billion bank advocates storing users' fingerprint templates on individual smart cards for privacy reasons. "This way, the bank doesn't hold sensitive information on a customer, and it's not stored on the Internet, so it can't be replicated and used," Hicks explains. Officials from BofA's smart card division could not be contacted for comment on when BofA would launch the technology publicly.
Distributing smart cards and their associated hardware could cost banks between $100 and $200 per customer, according to Chris Lomax, head of product management and marketing at Sunrise, FL-based Racal Security and Payments. But banks can offset this cost by selling space on the smart cards to other firms, such as advertisers, he says.
Many European banks have already successfully deployed smart cards to their retail customers, but take-up in the U.S. has been much slower. Nonetheless, Lomax predicts that in two to three years, smart cards will become "a viable security solution" for all retail banking customers.
Fingerprint scanning is also gaining popularity for controlling access to internal computer systems. Marcel ter Ellen, a Netherlands-based analyst with Integrated Solutions Management, which consults with European banks on security technology, is helping "a major Dutch international bank" deploy TouchPass 2.0, a fingerprint-based security log-in system developed by Itasca, IL-based NEC Technologies Inc.
This followed a major bank-employee fraud scandal in the Netherlands three years ago. According to ter Ellen, several employees in the transaction office of leading Dutch bank ABN AMRO N.V. in Amsterdam embezzled 25 million guilders (about $11.5 million) by exchanging their user names and passwords and conducting undisclosed fraudulent transactions.
Ter Ellen says the TouchPass log-in system is presently being deployed for internal security with 700 to 800 banks across Europe. "It's accepted because people know about it," he says. "They feel more comfortable with authentication technology they know the police have used for more than 100 years."
But for all the focus on technology and what it will do, the future of IT security in financial services still depends on the attitude of industry professionals. Wood of Baseline Software says many managers still haven't gotten the message that IT security is a team effort.
The problem is particularly bad in smaller and midsize regional institutions, Wood says. Nearly all top-tier banks have information security management committees, but he estimates only 10% of smaller and regional banks have such committees. "Banks have traditionally been good at building walls around themselves," he adds. "But technology is now blurring the boundaries between them, their customers and third parties."
Rob Luke is a business writer in Indianapolis, IN.