Cyber Attacks: Lopsided WarfareCriminals Have Upper-hand, But Banks Can be Heroes
"A lot of fraud occurs in the ACH channel because the criminal has first-gain access to valuable information through the online account," says Terry Austin, CEO of online security solutions provider Guardian Analytics.
"That's why our approach is to take a very holistic view of the entire ACH payment system and the online system, to enable the financial institutions we work with to see all of the data associated with online, ACH, wire and even checking activity," Austin says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
To combat the problem, merchants and commercial customers need to be aware, take reasonable precautions, and be smart with how they access the Internet, which means incorporating authentication methods. Social media also poses vulnerabilities that institutions are constantly exposed to.
Using a holistic viewpoint, institutions can look at the complete data set that an end user creates when they interact with the banking system. If proper procedures are in place, phishing and vishing attacks can be detected.
During this interview, Austin [transcript below] discusses:
- Why it's critical that solutions vendors work closely with banking platform providers to gain access to transaction data and systems for the integration of fraud-detection tools and solutions;
- How authentication and behavioral analytics complement each other;
- Why it's unrealistic for banks to expect their commercial customers to combat fraud on their own.
Prior to joining Guardian Analytics, Austin served as CEO and president of MarketLive, a leading provider of eCommerce platform solutions, where he created a scalable business strategy, assembled a world-class executive team and led successful fundraising efforts. He was previously president of worldwide marketing and sales at Good Technology, a provider of mobile computing solutions, where he spearheaded the company's rapid growth from 10,000 to over 500,000 subscribers and facilitated its acquisition by Motorola in January 2007. Austin has also served as president of EMEA and executive vice president for Manugistics, a market leading provider of enterprise software. He started his career at Accenture, where he ultimately led an $80 million consulting practice as a lead partner.
Top Fraud StatisticsTRACY KITTEN: You've reviewed results from our recent Faces of Fraud survey. What trends that came out of those results stand out to you?
TERRY AUSTIN: A couple of things jumped out. First off, it's very consistent with results that we've found. One of the statistics was that 76 percent of fraud cases are discovered by the actual customer who has been victimized, rather than the financial institution discovering or detecting the fraud before the money leaves the institutions and the victim finds out about it. That's a pretty disturbing statistic and it says that the financial institutions aren't really able to detect the fraudulent activity before the money leaves the institution.
Then another thing that stood out is this continued focus on trying to grow customer awareness as a way to combat fraud. It's this expectation that educating the end users or the end customers is going to be really effective in the face of this daunting cyber crime epidemic.
KITTEN: That's a note that I've heard from quite a few industry experts. When we're talking about the money that is actually being funneled out of accounts, it relates to ACH fraud. ACH fraud is a growing problem, yet many banking institutions don't really seem to rank it as being the most threatening fraud they face. Do you agree that other threats pose greater concern? Or are banks and credit unions simply missing the mark when it comes to the fraud that they're focusing on?
AUSTIN: If you look at the data, the ACH fraud problem and the phishing and vishing fraud problem, those things add up to a lot of what occurs in online account takeover fraud. What's missing a little bit is an appreciation of the scope of that problem. Fraud originates in the online channel, or through the vulnerability of online that leads to ACH fraud or wire fraud, and contributes to checking fraud or debit card fraud. These things are all interconnected so it's hard to separate them. I think that's what's underappreciated: the scope of the vulnerability that originates online and then perpetrates itself in these other parts of the banking system.
Fraud Detection in the Online WorldKITTEN: A lot of what you're talking about there relates to how financial institutions detect fraud. Now according to our survey, 55 percent of respondents say that they continue to rely on manual reports to identify fraud. In the online world, how reliable are manual reports and detection? And how much fraud is slipping through the cracks and/or not being detected at all until after it leads to a major financial loss?
AUSTIN: This goes back to the earlier statistic of 76 percent of fraud cases are learned about from the end customer actually noticing it in their account statement. An overwhelming amount is actually falling through the cracks and getting out the door. To try and rely on manual reports or log files to detect fraud, it's almost by definition going to be a reactive response. It's not detecting the fraudulent activity before the financial attack. It's really after the fact of remediation rather than proactive prevention.
KITTEN: Would some of that be addressed if channels were more integrated?
AUSTIN: Well certainly integrating channels, but also just leverage the data and the information that the banks already have at their disposal. They have an incredibly deep amount of information that they can gather through the interaction that their consumer, credit union member or merchant account leaves behind through their interaction with the banking system, whether that's online or through other channels. By tapping into that data, integrating it and analyzing it, they can really be much more effective at proactively preventing this sort of fraud.
ACH FraudKITTEN: I'm going to go back to the discussion about ACH. We hear quite a bit about ACH. It's made quite a few headlines and of course the year 2010 kind of set the precedent for ACH fraud. But some experts have suggested the industry focuses too much on ACH fraud and not enough on preventing online fraud. Would you agree, and if so why?
AUSTIN: They are very interconnected. We think that a lot of ACH transactions are originated in the online channel. A lot of fraud occurs in the ACH channel because the criminal has first-gain access to valuable information through the online account. It's really hard to separate ACH fraud and online fraud there. They are tightly coupled and interconnected.
That's why our approach is to take a very holistic view of the entire ACH payment system and the online system to enable the financial institutions we work with to see all of the data associated with online, ACH, wire and even checking activity, because it's all interconnected.
KITTEN: Do you feel that financial institutions understand that interconnectivity?
AUSTIN: I think some of the leading ones do. A number of the financial institutions that we work with do, but as a whole the industry doesn't have an appreciation for how interconnected it is.
Vendor's Role in FraudKITTEN: The next question I wanted to ask talks about the role of the vendor when it comes to fraud detection and security overall. In the online environment, banking institutions are often expected to be the so-called experts when it comes to fraud detection and prevention, but most institutions that don't fall among the top tier rely heavily on third parties and vendors for security and fraud detection and prevention solutions. What role do you see vendors playing here where fraud detection and prevention are concerned, and what roles should they play?
AUSTIN: You need to think about the world of vendors as a deep fraud prevention, with security experts like Guardian Analytics and the banking platform providers, because those are two distinct types of providers to the banking industry. From the platform provider prospective, we really think their role is to help enable and allow access to all the data and to the platform so that solutions like Guardian Analytics can be deployed and integrated into the banking system. We actually interoperate some of the leading banking platforms like S1, Pfizer, and FIS into it. It's really important that we are able to cooperate with those platform providers to gain access to the data that we need to help the banks and credit unions combat the fraud.
KITTEN: The debate over ACH fraud liability between banks and merchants is expected to heat up in 2011, just based on the precedent set in 2010, which I noted earlier. From your perspective, how do you see this unfolding? Will banks ultimately be held more accountable when it comes to protecting their commercial customers?
AUSTIN: It's hard to say. I know that there's been discussion about Reg. E being extended to include some categories of commercial accounts and to extend the same kind of consumer protection that consumers enjoy under Reg-E. But we don't really know if that will occur. But from our perspective, the liability is not the big issue because really when there is a fraud event, everybody loses. The bank loses whether they cover the loss or not, because they have taken a reputation hit. Their trusted brand image has been damaged. There's often litigation that follows which is very costly. There are huge productivity hits. The impact of these fraud events, whoever bears the loss is profoundly negative for everybody concerned. It's less about liability as it is about taking a really proactive stand to prevent the fraud in the first place.
Merchant Liability?KITTEN: You may have already answered my next question, but I'm going to go ahead and pose it anyway. Is it fair to ask merchants and commercial customers to take more responsibility for online fraud losses, or should banks be the experts in this arena?
AUSTIN: I think it's reasonable to ask merchants and commercial customers to be aware, take reasonable precautions and to be smart about how they access the Internet, how they use social media and what vulnerabilities they expose themselves to. But it's unrealistic to expect them to be deep cyber security experts and to take all of the detailed technical precautions that are often advised, and to be that diligent. The overwhelming lopsidedness of this battle and the arsenal that cyber criminals have to exploit, those end points, it's just unrealistic to expect merchants and commercial customers to be able to equip themselves adequately to defend against that.
KITTEN: Let's talk about the sophistication of some of these cyber attacks that we are now seeing. When we talk about phishing attacks, malware and online breaches, banks and credit unions of course do appreciate the security concerns, and I'm going to go back to our survey here. According to our Faces of Fraud survey, 48 percent of our respondents say phishing and vishing-related frauds are the most concerning. Interestingly enough though, only 20 percent of our respondents say that they feel prepared to fight and prevent phishing and vishing attacks. What do you take from that, and are banks and credit unions simply not understanding the types of technologies they should be investing in?
AUSTIN: You have to break the fraud event down into two parts. There's the account compromised, and phishing and vishing are a form of gaining access to the account and compromising the credentials. As is downloading malware from websites or from malicious email links; so there's a lot of different ways that criminals use to exploit the vulnerability of the end point. Banks can certainly do more to defend against that, but really what they need to do is assume that there's going to be some level of end point compromise and equip themselves to detect fraud due to the fact that some level of vulnerability is always going to exist. The criminals are always going to find ways to compromise the end point.
By really looking more holistically at the complete set of data that the end user creates when they interact with the banking system, banks and credit unions could be massively more effective at preventing this sort of fraud. We see that every day. We see that kind of data being used to very effectively stop all sorts of account compromise, whether it originates from a phishing, vishing attack or some other kind of malware download which is being used to compromise the attack. We've shown a bank can be very, very effective in detecting and stopping that kind of fraud before money leaves the bank.
AuthenticationKITTEN: Going beyond looking at some of the information that they already have in doing more analytics, what about authentication? It's something that the industry is lacking across the board, and we've talked about authentication for a number of years. Cyber criminals have already circumvented most online authentication tools such as one-time passwords. What steps do you see the industry taking to address authentication in the coming year?
AUSTIN: Authentication has been a classis cat and mouse game. Anything that the industry has introduced the criminals have defeated pretty handily and pretty quickly. We tend to think of behavioral analytics as a form of continuous authentication. Even after the user has authenticated themselves using passwords, account names or other out-of-band techniques, they still need to be monitored and they need to be continuously authenticated as they are interacting with the system. We see behavioral analytics as an integral and interrelated step in the whole authentication process.
If that's being done, banks can use other selective, maybe more intrusive forms of out-of-band authentication. But use it selectively only for their highest recessions or the highest risk events they see occurring. Then it can be deployed in a far more effective manner than it has been in the past.
KITTEN: How would a bank define a high-risk session? That seems like that would be something that would be relative to other things. How would a bank determine that?
AUSTIN: It is relative to other things, but by taking this holistic view of the total behavioral history of the account holder, we have proven over and over again that they can be very effective at detecting and identifying the highest risk sessions because the behavior pattern has been altered in some way. There's something unusual about the behavior of a specific online session or banking interaction that will really stand out and be clearly identified as a risk than the other sessions that are going on.
KITTEN: So it's just looking for those anomalies?
AUSTIN: It's looking for anomalies and high risk events of any sort, whether it doesn't match what's expected to be seen or looks unusual for that particular user or that particular account holder. It really is very important to note that it needs to be done at an individual account holder level. Any kind of aggregation deludes the effectiveness of this type of analytics.
Online FraudKITTEN: That makes sense. And in closing, what final thoughts could you share with our audience about what they can expect to see when it comes to online fraud in the coming year?
AUSTIN: The big thing is that this has been a lopsided war. The banks and credit unions can really be heroes. They had their data at their exposal and we're working with dozens and dozens of banks and credit unions of all sizes, from community level credit unions and banks to mid-size and to very large financial institutions. They are being very effective at stopping all sorts of fraud, whether it originates using the Zeus Trojan, a man-in-the-browser-type attack, to any other kind of threat. We are really proving that the banks can be the heroes in this war. Hopefully 2011 is the year that they equip themselves across the board and do more to stop this.