Sophos found 16,000 Web pages per day newly infected with keylogging or other malware in August. This means online banking customers remain vulnerable to unauthorized access; the difference now is that online reconnaissance is merely the first step in a multi-channel fraud play. SecurityCurve's Diana Kelley says tracking seemingly innocuous online activities requires analytics that are beyond most institutions' authentication firepower these days.
BTN: Can you walk us through the anatomy of the latest form of cross-channel fraud?
Diana Kelley: [In a typical case] getting online and looking at the information in the account is actually a portion of the attack [called] reconnaissance; the attacker is now finding out information that can be used in other channels, in other ways. We looked at a case with one particular financial institution where there appeared to be a standard wire transfer and the request had been faxed in, and it wasn't until they went back in the past [that they] were able to find there was somebody who had been looking at the account to see what was in there and get information. And a lot of what went on during the recon didn't actually appear to be problematic. But if you think about what's in our banking accounts right now, it can actually be a lot of information that can be used in a variety of ways … The whole anatomy includes this reconnaissance portion, which may not be triggering the normal thresholds that you have, such as I'm transferring $10,000.
How can the use of online account analytics help to mitigate this?
It's going to have to be a portion of the toolset in the toolbox. This is not to say that it's something to replace everything else; it's going to be an additional tool, and it is a tool that a lot of financial services institutions don't use yet. And what it does is look for the activity on an account that, while it may not be the kind of activity that automatically triggers investigation such as that $10,000 threshold, it's activity that's being used to gather information. Some accounts, for example, you can look at what the questions are [and] you may find out where the person was born, you may find out what their mother's maiden name is. Most financial institutions now have visual representation of checks, so if I'm an attacker and I'm just looking for information, not even transferring money, I can often see your signature, I can see what your checks look like … So this is about pieces of data that indicate there could be fraudulent login activity, and fraudulent viewing activity, that isn't yet fraudulent transfer activity. It can precede that, but it isn't yet, so ultimately it gives you that warning sign.
Where are U.S. banks when it comes to detecting multi-channel fraud? Are they ramping up on this yet?
Absolutely ramping up. I've interviewed a number of representatives; however, different institutions are at different levels of maturity with their ability to connect the multi-channel fraud. It's very hard when you're trying to go after a big fraud attack point. If you're worrying about the phone fraud now, do you have the resources to look at the online fraud now, to link that?
The other thing is … we've had huge consolidation in banking, and every time you bring in a whole other set of architecture and processes and clients, you don't just have your own multi-channel but now you've got your multi-channel with your new partner, and that creates huge architecture problems and risk management problems.
Does a bank's maturity in battling cross-channel fraud seem to depend on the size of the institution?
I think that it's a little hard to say definitively "big's doing it better than small." In a smaller financial services institution they've got a smaller attack surface; they may have fewer channels that are allowed to be used. So they may be able to focus a little bit more closely because they have that smaller attack surface, but they also don't have the same level of resources that you see at a big brokerage or bank.
At the bigger end you probably have more resources and more money, but also more channels, and often a lot more business units.
What's the bottom line for banks on combating multi-channel fraud?
It's a difficult problem, you need a lot of different tools to tie it all together, and one way is going to be the online account analytics. I think it's going to be challenging. Think about Bank of America now trying to bring in Merrill Lynch, think of the enormity of that kind of program; I don't think this is a problem we're going to have solved yet, so all the tools and help you can get I think is going to be good for the financial services world.