From the Manhattan District Attorney's Office:

"Manhattan District Attorney Cyrus R. Vance, Jr., today [September 30th] announced the indictments of 36 individuals for their participation in several large-scale international identity theft and cybercrime rings that stole more than $860,000 from 34 separate corporate and individual victims in the United States. The defendants, foreign students who were in the United States on Exchange Visitor Visas, are charged with opening bank accounts at JP Morgan Chase Bank and other financial institutions in New York County and elsewhere, for the purpose of receiving fraudulent transfers from identity theft victims' bank accounts. (District Attorney, 2010)"
The cybercrime ring mentioned above is the latest in a series of Bank penetrations that originate from a bank's customer. The attack makes use of a sophisticated Trojan called Zeus, which was written with the specific intent to attack banks. This type of attack is often referred to as the "Man-in-the-Browser" attack because it begins by infecting the customer, not the Bank. It takes advantage of vulnerabilities on your customer's computers and waits for the customer to connect to a Bank website. Once your customer connects, the trojan is capable of detecting that your customer is browsing a Bank website and can silently make transactions in the background. It can also alert the attacker in real-time so that the attacker can hijack the customer's session and manually perform transactions of his own. The Zeus trojan is particularly malicious because it bypasses security controls like usernames and passwords, and is sophisticated enough to even defeat multi-factor authentication. Essentially, the attack is possible even when technical controls are operating properly!
What is a community Bank to do? We invest in cutting edge technology to protect our infrastructures, we subject ourselves to internal and regulatory audits, we spend money on security penetration tests and vulnerability assessments, we implement training programs for our employees; and what do the criminals do? They attack our customers.
And just when you think it can't get any worse, it does. The reality of IT in community banking is that we are heavily reliant on outsourcing. So, not only are the criminals attacking our customers, they are also likely attacking the systems of a third-party vendor we rely on to provide the service. That leaves the bank in the unenviable position of being stuck between a rock (the infected customer) and a hard place (the targeted service controlled by a vendor). And here's the rub: we can't outsource our responsibility. At the end of the day, if something happens, the regulators are going to be knocking on the Bank's door. It is the Bank's reputation that is going to get hit.
The sophistication of customer-based "Man-in-the-Browser" attacks and the realities of IT in community banking raise the question: Are we doing enough? Are our internal controls really adequate? What else can we do to protect ourselves?
There is not a simple answer to the question. Today's banks must implement a defense that includes both technical and operational controls. Furthermore, the process of validating the adequacy of the controls must be sophisticated enough to deal with the complexities involved.
We can begin by tackling the issues related to outsourcing. Take your vendor relationships to the next level. What we often find is that there is a false sense of comfort in relying on a vendor simply because that vendor services a sizable number of other banks. Unfortunately, we are finding that some of these vendors are pushing out software applications without the requisite level of security review. Thus, they possess vulnerabilities that can compromise a bank's security posture. So open a dialog with the vendor to gain comfort that the controls implemented are sufficient. Make the vendor explain the controls to you. You are stuck in the middle, responsible for managing complicated systems that you don't control and possibly don't fully understand. Treat your vendors as management tools and make them make you comfortable. Don't be afraid to enlist the services of other service providers if you are having difficulty understanding what your vendor tells you. Here's a tip: document, document, document. Always make sure you are in a position where you can demonstrate that you did all that you could do.
Then look at the things you can control. Have you performed training for your branch managers to ensure they know how to act in the event that suspicious transactions are detected? Have you considered using fraud detection tools that would allow for real-time detection of suspicious transactions that are out of the norm for a particular customer? In the case mentioned above, the investigation started as the result of one suspicious $44,000 wire transfer. What are the operational controls you have in place to alert you to suspicious activity? How will you share the liability with your vendor in the event of an incident?
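As an added illustration, not part of the original article, of the "out of the norm for a particular customer" check described above: a small per-customer baseline detector that flags a transfer when its amount, payee or transfer type departs from that customer's own history. Customer names, payees and amounts are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    customer: str
    amount: float
    payee: str
    kind: str  # "ach" or "wire"


# Constructed sample history (not real bank data): routine activity
# for two business customers, used to build each customer's baseline.
HISTORY = [
    Transfer("acme-llc", 1800.00, "payroll-svc", "ach"),
    Transfer("acme-llc", 2100.00, "payroll-svc", "ach"),
    Transfer("acme-llc", 950.00, "office-supply", "ach"),
    Transfer("acme-llc", 2400.00, "payroll-svc", "ach"),
    Transfer("bakery-inc", 400.00, "flour-co", "ach"),
    Transfer("bakery-inc", 12000.00, "oven-maker", "wire"),
    Transfer("bakery-inc", 450.00, "flour-co", "ach"),
]


def build_profiles(history):
    """Per-customer baseline: typical amount, known payees, transfer types used."""
    amounts, payees, kinds = defaultdict(list), defaultdict(set), defaultdict(set)
    for t in history:
        amounts[t.customer].append(t.amount)
        payees[t.customer].add(t.payee)
        kinds[t.customer].add(t.kind)
    return {c: (median(amounts[c]), payees[c], kinds[c]) for c in amounts}


def score_transfer(profiles, t, amount_factor=5.0):
    """Return the reasons a transfer is out of the norm for this customer.

    An empty list means routine; anything else is held for operator review."""
    if t.customer not in profiles:
        return ["no transaction history for customer"]
    typical, payees, kinds = profiles[t.customer]
    reasons = []
    if t.amount > amount_factor * typical:
        reasons.append(f"amount {t.amount:.0f} exceeds {amount_factor:.0f}x typical {typical:.0f}")
    if t.payee not in payees:
        reasons.append(f"first transfer to payee {t.payee}")
    if t.kind not in kinds:
        reasons.append(f"customer has never sent a {t.kind} transfer")
    return reasons
```

Run over the constructed history, a routine payroll ACH for "acme-llc" scores clean, while a $44,000 wire to a never-seen payee trips all three checks.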
Consider the technical controls you have in place. Does the online banking application use tokens to protect itself against session hijacking? Does the application reside behind a web application firewall, and is it coded in such a way as to be able to detect and stop attacks in real-time? These are the types of questions you should ask your vendor in the event your online banking is outsourced.
Additionally, we have to take responsibility for educating our customers. Do you provide your customers with online banking security tips when they open new accounts? For your business banking customers you can consider suggesting things like:
- Not using the same computer to conduct online banking that is used to read email and surf the internet
- Conducting training for the personnel at the customer's place of business who are responsible for online banking
- Keeping virus and spyware detection software up to date
- Keeping computers patched with the latest updates available
- Providing clear steps for customers to take in the event that they suspect fraudulent activity
- Providing clear information regarding the customer's liability in the event of fraud
There is one more thing to consider. Remember that the same infections that target your customers can also target employees of the Bank itself. A penetration into the Bank significantly increases the risk. The fox is in the henhouse; there is no telling what the attacker will try to do. The potential impact of the attack is elevated as we now bear the full liability. Think long and hard about the controls you have in place. Do you have:
- Host- and network-based intrusion detection systems?
- Automated patch management solutions?
- Centralized log aggregation?
- An objective, periodic process to assess how adequately your employees are trained on the required IT controls?
Technology is the proverbial double-edged sword. We want to be able to provide the services that technology allows, but we must be cognizant of the security implications. One of the most difficult things for a community bank to do is to balance the efficiency gained from IT with the security IT requires. The Zeus trojan is proving that attacks against banks are getting more and more sophisticated. We must force ourselves out of our comfort zones and take a hard, honest look at what we are. Do we really understand the risks we face? Are we really doing everything we can do to mitigate those risks? Are the controls we have in place really adequate? Don't wait until an incident occurs to finally realize that something needs to be done.