Bank: First Midwest
Problem: Crooks compromised the bank's token-based authentication meant to protect online commercial funds transfers.
Solution: Verifying "out of band," via the phone, all online ACH and wire transfers from commercial clients.
The chief executive was at a dinner party late last summer when he received an odd message. First Midwest Bank, where his company held a corporate account, had sent an alert to his cellphone describing multiple pending funds transfers that would have siphoned thousands of dollars from the company's account, none of which the executive had authorized. But, instead of getting ripped off, and rather than trying to mitigate the theft attempt by running to the office to investigate or make frantic phone calls to the bank, ruining an otherwise pleasant night, he simply pressed "9" and the pound sign on his cell to report the fraud, and continued his evening.
The transfers never went through. And even if he were unable to access his phone, no funds would have moved. That's because he had enrolled his company in First Midwest's phone-based, out-of-band verification system, provided by PhoneFactor, which had launched a few weeks earlier and requires the executive authorize any of his company's wire or automated clearing house transfers.
A similar attack in the summer of 2010 spurred First Midwest to tap PhoneFactor. The Itasca, Ill., community bank was in the middle of deploying token-based authentication to secure corporate funds transfers when Jorge Solis, senior vice president of security, noticed that someone had already broken the system, fraudulently authenticating to pose as a legitimate corporate customer by intercepting the USB token, two-factor method. "Two weeks into the rollout, the tokens were compromised," Solis said. "We immediately stopped the deployment."
Reports that First Midwest receives from its core host and service provider, Fidelity National Information Services, had fortunately flagged the fraudulent transactions by auditing the backend for suspicious activity, using criteria based on real attacks the $8.2 billion-asset bank had recently faced. Staffers were able to stop the transactions before they were processed. Such monitoring is the last layer of defense.
"We knew they had bypassed the system from back-room monitoring; we will never give that up no matter what we're using," Solis said. "Yet those controls are monitored up to the last deployment or release of funds, which could be as late as midnight." Whereas the aim of any multifactor authentication is to "stop fraud long before it ever gets to the back-end system for processing," says Sarah Fender, PhoneFactor's vice president of marketing and product management.
"It's not rocket science how they do this," Solis says of the hack. "Once they compromise a computer, they give you a splash page that you think is legitimate. So when you start conducting your transaction and put the PIN in, [crooks] are putting it in on the real page."
Such exploits have led banks to verify big-dollar, high-risk transactions of their corporate banking customers "out-of-band," meaning through some channel other than online. In First Midwest's case, software that sits in front of the core banking engine sends voice or text messages containing details of wire or ACH transfers as soon as they're initiated to the phones of company principals enrolled in the service. An automated voice will say, "This is First Midwest calling to verify the transfer of $10,000 from account ending in 101 to account ending in 102; enter your PIN and press 'pound' to verify this transaction; or press '9' and press 'pound' to report fraud." If the customer does nothing, the transfer isn't made. "It drastically reduces the risk of fraud," Solis says. "A phone is much more difficult to compromise." Hijacking phone-based authentication requires much more time and social engineering - tricking a telecom or mobile carrier into forwarding customer calls to the perpetrator's phones, for instance - than most criminals are able or willing to employ if easier prey can be found.
First Midwest's PhoneFactor deployment required no coding, Fender says. PhoneFactor, of Overland Park, Kan., offers native integration with several core providers. Direct integration at bigger banks that host their own systems will require some core coding, Fender says. Other phone-based verification vendors include Authentify, Entrust, StrikeForce, Swivel and ValidSoft. The solutions can be applied to account opening and authenticating remote workers as well.
The CEO First Midwest alerted to the fraudulent transfer attempts discovered his company's computer system had been infected with malware, according to Solis. After receiving the PhoneFactor alert and follow-up from the bank, the company removed the exploit that enabled the classic "man-in-the-middle" attack. "We find software that monitors keystrokes in almost all these cases," Solis says. "We've been seeing these attacks for years. That's why we rolled [PhoneFactor] out."