In Focus: Agencies Warn Banks Of Attacks Through On-Line Transactions

Bankers, beware! If your institution is offering services over the Internet, you had better guard against "spoofers" and "sniffers."

These represent just two among a growing list of serious threats to bank computer systems that have regulators worried. The Federal Deposit Insurance Corp. has identified five types of risks posed when banks provide Internet transactions and suggested several safeguards to fend off computer crooks. Similar guidance has been issued by the Federal Reserve, and the Office of the Comptroller of the Currency is expected to weigh in early in 1998.

The FDIC did not mandate any specific safeguards, but has ordered examiners to bring any shortcomings to the attention of bank management. "There's no clear recipe," said Cynthia A. Bonnette, FDIC examination specialist. "But bankers must know what's at risk and how they are going to protect themselves."

The primary threats are: theft of confidential information, alteration of data, unauthorized access via phony passwords, false claims that information has not been received, and disruption of a bank's core processing system. The perpetrators, warned the FDIC, may be hackers, unscrupulous technology vendors, disgruntled employees, or even spies.

For instance, on-line prowlers may try to steal confidential information such as account numbers and computer passwords by planting "sniffer" programs on Internet servers along the path. A sniffer reads the network traffic passing through its host and picks out the items it is looking for; it can read them only if that traffic is sent unencrypted.

"Spoofers" may attempt illegal transactions by faking the Internet identification, or address, of a computer authorized to access the bank's system (so-called IP spoofing). Also, hackers may tap internal processing operations, possibly causing a shutdown of a bank's computer operations.

Some protections are becoming staples of electronic commerce, such as encrypting all confidential information, hiring trusted third-party "certificate authorities" to affirm the identity of anyone tapping into a bank's system, and requiring "digital signatures" so that neither party can later deny having sent or received a transaction.

But additional internal safeguards are necessary, regulators said.

First of all, there should be strong firewalls between an Internet connection and the bank's core processing system. For instance, the firewall should note which interface a packet arrived on and discard any packet that comes in from the Internet while claiming a source address inside the bank's own network. That way, institutions can block spoofers who are using stolen internal computer addresses from external terminals. Information can also be protected by a rule set that accepts incoming file transfers but refuses connections opened from inside the bank toward the outside, so data cannot be pushed out. If a firewall should ever fail, it should be designed to deny all outside access (fail closed) rather than let traffic continue to flow (fail open). Firewall rules should also be re-tested after every system change or software upgrade.
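The three firewall rules described above, expressed as a small packet-filter policy. This is an added illustration, not code from the article, the FDIC or any vendor: it models anti-spoofing on the Internet-facing interface, inbound-only file transfers with outbound connections refused, and a fail-closed wrapper, plus a regression check to run after each change. It judges new-connection requests only (no tracking of established connections), and the interface names, address ranges and port number are assumed values.

```python
"""Packet-filter policy for the gateway between the Internet and a bank's core systems.

Added example, not code from the article, the FDIC or any vendor. It models
three of the firewall rules the article describes: drop packets that arrive
from the Internet but claim an internal source address (anti-spoofing), allow
inbound file transfers to the transfer server but refuse connections that an
inside host opens toward the outside (egress control), and deny everything if
the rule engine itself fails (fail-closed). It judges new-connection requests
only; tracking of established connections is omitted. Interface names, address
ranges and the port number are assumed values for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed bank ranges
OUTSIDE_IF = "ext0"   # assumed name of the Internet-facing interface
INSIDE_IF = "int0"    # assumed name of the interface toward the core systems
TRANSFER_PORT = 21    # assumed: the file-transfer service the bank exposes


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    """True if the address lies in one of the bank's own ranges; raises on junk."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def decide(pkt: Packet) -> str:
    """Return 'ACCEPT' or 'DROP' for one new-connection request."""
    # Rule 1, anti-spoofing: an internal source address cannot legitimately
    # arrive on the Internet side, so the packet is forged.
    if pkt.iface == OUTSIDE_IF and is_internal(pkt.src):
        return "DROP"
    # Rule 2: inbound file transfers to an internal server are permitted.
    if pkt.iface == OUTSIDE_IF and is_internal(pkt.dst) and pkt.dport == TRANSFER_PORT:
        return "ACCEPT"
    # Rule 3, egress control: inside hosts may not open connections outward,
    # so data cannot be pushed out even if an inside host is compromised.
    if pkt.iface == INSIDE_IF and not is_internal(pkt.dst):
        return "DROP"
    # Default deny: anything not explicitly permitted is dropped.
    return "DROP"


def filter_packet(pkt: Packet) -> str:
    """Fail-closed wrapper: any error inside the rule engine (a malformed
    address, a missing field) yields DROP, never a pass-through."""
    try:
        return decide(pkt)
    except Exception:
        return "DROP"


# Constructed regression cases, one per rule. Run them after every change to
# the policy, as the article recommends reassessing the firewall after upgrades.
REGRESSION_CASES = [
    (Packet(OUTSIDE_IF, "10.5.5.5", "10.1.2.3", TRANSFER_PORT), "DROP"),        # spoofed internal source
    (Packet(OUTSIDE_IF, "203.0.113.9", "10.1.2.3", TRANSFER_PORT), "ACCEPT"),   # legitimate inbound transfer
    (Packet(OUTSIDE_IF, "203.0.113.9", "10.1.2.3", 23), "DROP"),                # default deny (telnet)
    (Packet(INSIDE_IF, "10.1.2.3", "203.0.113.9", 80), "DROP"),                 # outbound request blocked
    (Packet(OUTSIDE_IF, "not-an-address", "10.1.2.3", TRANSFER_PORT), "DROP"),  # malformed: fail closed
]


def policy_regressions() -> list:
    """Return the cases whose verdict differs from the expected one; an empty
    list means the policy still enforces every rule."""
    return [(pkt, want, filter_packet(pkt)) for pkt, want in REGRESSION_CASES
            if filter_packet(pkt) != want]
```

The malformed-address case is the fail-closed check: `ip_address` raises inside `decide`, and the wrapper turns that into a drop instead of letting the packet through. A real gateway would add connection tracking so replies to accepted inbound transfers are allowed back out without opening a general outbound path.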

Security scanning programs that mimic intrusions can check for weaknesses in Internet servers, firewalls, and internal networks and should be run frequently.

To fight programs that rapidly bombard a computer system with password guesses, a brief delay should be imposed after each incorrect login attempt, which holds the guessing rate down. Using one-time passwords, each valid for a single login, will also make it useless for attackers to monitor the network and collect passwords, since a captured code cannot be reused. The Fed endorsed similar safeguards and also urged bankers to conduct background checks on key information technology employees. The central bank also recommended that institutions reserve the most expensive measures for systems that transfer money or process bank records.
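Both login safeguards described above, worked through in code. This is an added example, not code from the article or from any bank or regulator: a login gate that imposes a delay after every failed attempt (doubling with consecutive failures, capped), combined with HOTP one-time passwords per RFC 4226 so that a code captured by a sniffer is worthless once used. The user record, its salt and the demo secret (the RFC 4226 test-vector secret) are constructed for illustration; the clock is injectable so the delay can be exercised without sleeping.

```python
"""Login gate with a delay after every failed attempt and a one-time password.

Added example, not code from the article or from any bank or regulator.
Demonstrates the two safeguards the article describes: a delay after each
incorrect login that grows with consecutive failures (defeats rapid password
guessing), and HOTP one-time passwords (RFC 4226) so that a credential
collected by a sniffer is worthless once it has been used. The user record,
secret and salt are constructed for illustration.
"""
import hashlib
import hmac
import struct
import time

DEMO_SECRET = b"12345678901234567890"   # RFC 4226 test-vector secret, used as a demo value
PBKDF2_ROUNDS = 50_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def new_user_record(password: str, secret: bytes, salt: bytes) -> dict:
    """Store a salted PBKDF2 hash of the password, never the password itself."""
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "otp_secret": secret,
        "otp_counter": 0,       # next HOTP counter value the server will accept
    }


class LoginGate:
    def __init__(self, users, clock=time.monotonic, base_delay=1.0,
                 max_delay=30.0, look_ahead=5):
        self.users = users
        self.clock = clock            # injectable so the delay can be tested without sleeping
        self.base_delay = base_delay  # "brief delay" after the first failure, in seconds
        self.max_delay = max_delay
        self.look_ahead = look_ahead  # how far the token's counter may run ahead of the server's
        self.failures = {}            # user -> (consecutive failures, earliest next attempt)

    def _fail(self, user, now):
        count, _ = self.failures.get(user, (0, 0.0))
        count += 1
        delay = min(self.base_delay * 2 ** (count - 1), self.max_delay)
        self.failures[user] = (count, now + delay)
        return "DENIED"

    def attempt(self, user, password, otp):
        now = self.clock()
        _, not_before = self.failures.get(user, (0, 0.0))
        if now < not_before:
            return "THROTTLED"        # still inside the post-failure delay
        rec = self.users.get(user)
        if rec is None:
            # Hash anyway so an unknown user takes as long as a wrong password.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"dummy-salt", PBKDF2_ROUNDS)
            return self._fail(user, now)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(digest, rec["pw_hash"]):
            return self._fail(user, now)
        # One-time password: accept the next `look_ahead` counter values, then
        # move the counter past the one used so the same code can never be replayed.
        start = rec["otp_counter"]
        for c in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(rec["otp_secret"], c), otp):
                rec["otp_counter"] = c + 1
                self.failures.pop(user, None)
                return "OK"
        return self._fail(user, now)


def demo_gate(clock=time.monotonic) -> LoginGate:
    """Gate with one constructed user, 'alice', whose token shares DEMO_SECRET."""
    users = {"alice": new_user_record("correct horse", DEMO_SECRET, b"demo-salt")}
    return LoginGate(users, clock=clock)
```

The replay check is the point of the one-time password: a code that let alice in once is rejected on the next attempt because the server's counter has moved past it, so an attacker who sniffed it gains nothing. The throttle keys on the user name, so it also slows an attacker who guesses at a single account from many addresses.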

The 95 banks that offer Internet transaction services have been diligent about adding these safeguards, according to the FDIC. Ms. Bonnette said the agencies will need to apply closer scrutiny when transaction services move beyond today's technology leaders.
