How good are the safeguards?
Published: 24 December 2007 11:00 GMT
One might reasonably expect the finance services sector to be well in credit when it comes to electronic security. But losses from online fraud continue to rise. Danny Bradbury combs through the books.
Finance is one of the most heavily regulated industries, so electronic security in this sector should be exemplary. But why is online fraud on the rise and what are financial services firms doing about this and other kinds of financial scams?
While overall card fraud is falling, instances of online fraud are rocketing, according to UK payment association Apacs. In 2006, internet fraud reached £154.4m, accounting for 73 per cent of card-not-present fraud. That's up from £117m the previous year, when it accounted for just 65 per cent of card-not-present fraud. Overall card-not-present fraud is expected to rise again in 2007.
While banks mull the external fraud problem, some concerns over internal financial security might also alarm customers. Deloitte's 2007 Global Security Survey of 196 financial services firms across the world found only one in six banks encrypted data when it was stored.
Even fewer used an intrusion prevention system. Thirty per cent of banks reported repeated internal breaches, with varying severity, in the past year.
Linked to the internal security problem are concerning figures relating to access control. Problems with system access rights accounted for three of the top five audit findings for those surveyed.
Access control
Access rights are a method of internal control. The concept of least-privilege should only allow employees to do what their role requires and no more.
Access and identity management leaped to the top of the five most important security initiatives for financial services firms this year. Half of the companies tagged this as their most important challenge for the next 12 months.
Last year, it didn't make the top five list. However, banks have a difficult challenge ahead. The administration of role-based access control and the associated provisioning of those roles is a complex process, dependent on organisational structure and employee responsibilities.
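The role-based access control and provisioning problem described above can be made concrete with a small model. The following is an added example, not code from the article or from any bank named in it: it assumes a hypothetical, constructed role-to-permission map and staff roster, enforces default deny, and runs a least-privilege review that reports permissions a user holds but has never exercised according to a (constructed) activity log, which is the kind of finding an access-rights audit turns up.

```python
from collections import defaultdict

# Hypothetical role-to-permission map for a small bank back office (constructed).
ROLE_PERMISSIONS = {
    "teller": {"account:read", "cash:deposit", "cash:withdraw"},
    "payments_clerk": {"account:read", "payment:create"},
    "payments_approver": {"account:read", "payment:approve"},
    "auditor": {"account:read", "audit_log:read"},
}

# Hypothetical staff-to-role assignments (constructed).
USER_ROLES = {
    "alice": {"teller"},
    "bob": {"payments_clerk"},
    "carol": {"payments_clerk", "payments_approver"},
    "dave": {"auditor"},
}

# Constructed activity log: (user, permission actually exercised).
ACTIVITY_LOG = [
    ("alice", "account:read"), ("alice", "cash:deposit"), ("alice", "cash:withdraw"),
    ("bob", "account:read"), ("bob", "payment:create"),
    ("carol", "account:read"), ("carol", "payment:create"),
    ("dave", "account:read"), ("dave", "audit_log:read"),
]


def permissions_for(user):
    """Union of the permissions granted through every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, permission):
    """Default deny: anything not granted through a role is refused."""
    return permission in permissions_for(user)


def unused_permissions(activity_log):
    """Least-privilege review: permissions a user holds but never exercised in the log."""
    used = defaultdict(set)
    for user, permission in activity_log:
        used[user].add(permission)
    report = {}
    for user in USER_ROLES:
        excess = permissions_for(user) - used[user]
        if excess:
            report[user] = sorted(excess)
    return report


if __name__ == "__main__":
    print("bob may approve payments:", is_allowed("bob", "payment:approve"))
    print("granted but unused:", unused_permissions(ACTIVITY_LOG))
```

The review output is a starting point for de-provisioning, not an automatic revocation: a permission unused in one review window may still be required by the role, so the finding goes back to the business owner of that role.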
However, the security needed to stop fraud outside the firewall may be a tougher challenge still. "Financial services companies have a unique challenge because consumers believe that the banks should be protecting them, but they don't always want to have to do anything additional," says Fran Rosch, VP of identity protection services at VeriSign. How many non-technical consumers are adept at managing PINs and passwords?
And the attack rated most threatening by the banks - phishing - happens without the banks' involvement, as thieves exploit customers directly.
"Customers are being used against them," says JR Reagan, managing director for global risk compliance and security at global IT consulting firm BearingPoint.
Banks are taking a stand, moving to two-factor authentication (2FA) to help solve the problem. This year, banks including Barclays and the Royal Bank of Scotland group gave customers their own chip-and-pin card readers to validate internet transactions.
They attempt to thwart phishers by preventing the use of harvested account details alone for fake transactions. Across the Atlantic, non-mandatory guidelines from the US Federal Financial Institutions Examination Council (FFIEC) now also strongly recommend 2FA for web-based banking transactions.
Banks are listening; 51 per cent of financial firms have moved beyond simple password protection when managing online transactions, says Deloitte.
Conflicting requirements
Technology is not the only problem here. Business tensions underpin the struggle for security. On the one hand, banks need to reduce fraud, but on the other hand, a competitive sector requires them to make transactions run smoothly for customers. "Most of the financial services organisations we work with are only looking at intervening in 0.1 per cent of either logons or transactions," explains VeriSign's Rosch.
Systems that analyse users' behaviour are one method of refining fraud detection, he says. Ideally, they analyse existing transaction patterns to spot anomalous transactions. But smarter attacks are now testing these systems.
Recently, a variant of the PRG trojan was designed specifically for banking fraud. Delivered to users of high-value commercial accounts via targeted phishing mail, it watches victims' behaviour when they access their accounts, later mimicking them when making fraudulent transactions and flying under the fraud detectors' radar.
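The behaviour-analysis systems Rosch describes score each transaction against the account's own history. The following is an added example, not the article's or any vendor's code: it builds a profile from a constructed payment history for one commercial account (usual payees, amount distribution, hours of activity), scores a new transaction on those signals, and intervenes only above a threshold. It also shows the limitation the article points to: a transaction that matches the established pattern scores zero, so a detector of this kind cannot by itself catch fraud that mimics the customer.

```python
import statistics
from datetime import datetime

# Constructed history for one account: (timestamp, payee, amount in pence).
HISTORY = [
    ("2007-10-02 09:15", "Payroll Ltd", 480000),
    ("2007-10-09 10:05", "Office Supplies Co", 12500),
    ("2007-10-16 09:40", "Payroll Ltd", 480000),
    ("2007-10-23 11:20", "Utilities plc", 31000),
    ("2007-10-30 09:10", "Payroll Ltd", 482000),
    ("2007-11-06 10:30", "Office Supplies Co", 9800),
    ("2007-11-13 09:25", "Payroll Ltd", 480000),
    ("2007-11-20 11:00", "Utilities plc", 30500),
]


def _hour(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M").hour


def build_profile(history):
    """Summarise what 'normal' looks like for this account."""
    amounts = [amount for _, _, amount in history]
    hours = [_hour(ts) for ts, _, _ in history]
    return {
        "payees": {payee for _, payee, _ in history},
        "mean": statistics.mean(amounts),
        "stdev": statistics.pstdev(amounts) or 1.0,  # guard against a constant history
        "hour_min": min(hours),
        "hour_max": max(hours),
    }


def risk_score(profile, ts, payee, amount_pence):
    """Add up simple anomaly signals; returns (score, reasons)."""
    score, reasons = 0, []
    if payee not in profile["payees"]:
        score += 2
        reasons.append("new payee")
    z = (amount_pence - profile["mean"]) / profile["stdev"]
    if abs(z) > 2:
        score += 2
        reasons.append(f"amount z-score {z:.1f}")
    hour = _hour(ts)
    if not profile["hour_min"] <= hour <= profile["hour_max"]:
        score += 1
        reasons.append(f"unusual hour {hour:02d}")
    return score, reasons


def should_intervene(profile, ts, payee, amount_pence, threshold=3):
    """The threshold is the business dial: higher means fewer customers interrupted."""
    return risk_score(profile, ts, payee, amount_pence)[0] >= threshold


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for txn in [("2007-12-01 02:30", "Unknown Payee", 2000000),
                ("2007-12-04 09:30", "Payroll Ltd", 480000)]:
        print(txn, risk_score(profile, *txn), should_intervene(profile, *txn))
```

The threshold is where the tension in the article lives: lowering it catches more, but each extra intervention is a customer interrupted, and the article's banks aim to interrupt only around 0.1 per cent of logons or transactions.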
Ross Anderson, professor of security engineering at Cambridge University's computer science lab, recommends two-channel authentication, where an 'out of band' challenge is made over another link than the one used for a transaction.
VeriSign's Rosch says banking partners of his organisation are beginning to do this. They may send customers SMS messages on their mobile phones, for example, asking them to confirm an online or in-store transaction. This may be more secure than sending a challenge to an already compromised PC.
It's certainly safer than asking the same hackneyed questions used for years in phone-based verification, which can be easily answered by a determined ID thief with a web browser.
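The two-channel scheme Anderson recommends and Rosch's partners deploy works only if the confirmation code is bound to the transaction details the customer sees on the phone. The following is an added example, not the article's or any bank's code: it assumes a hypothetical per-customer secret held by the bank, derives a six-digit code from the payee, amount and a fresh nonce, puts those details and the code in the simulated SMS text, and accepts the confirmation only if the code verifies against the details the bank is about to execute and the challenge has not expired. A payee changed on a compromised PC after the SMS went out will not verify, because the code was computed over the original details.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical per-customer secret held server-side by the bank (constructed).
CUSTOMER_SECRET = secrets.token_bytes(32)
CODE_TTL_SECONDS = 300


def _canonical(payee, amount_pence, nonce):
    """Fixed encoding of the details the code is bound to."""
    return f"{payee}|{amount_pence}|{nonce}".encode()


def transaction_code(secret, payee, amount_pence, nonce):
    """Derive a six-digit code from an HMAC over the exact transaction details."""
    mac = hmac.new(secret, _canonical(payee, amount_pence, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def issue_challenge(secret, payee, amount_pence, now=None):
    """Bank side: record the challenge and build the text sent over the second channel."""
    nonce = secrets.token_hex(8)
    issued = now if now is not None else time.time()
    code = transaction_code(secret, payee, amount_pence, nonce)
    # The phone shows the details alongside the code, so the customer can refuse a wrong payee.
    sms = (f"Confirm payment of GBP {amount_pence / 100:.2f} to {payee}. "
           f"Code {code}. If this is not you, do not enter the code.")
    challenge = {"payee": payee, "amount_pence": amount_pence, "nonce": nonce, "issued": issued}
    return challenge, sms


def verify_confirmation(secret, challenge, payee, amount_pence, submitted_code, now=None):
    """Bank side: compute the code over the details about to be executed and compare."""
    current = now if now is not None else time.time()
    if current - challenge["issued"] > CODE_TTL_SECONDS:
        return False
    expected = transaction_code(secret, payee, amount_pence, challenge["nonce"])
    return hmac.compare_digest(expected, submitted_code)


if __name__ == "__main__":
    challenge, sms = issue_challenge(CUSTOMER_SECRET, "ACME Ltd", 25000)
    print(sms)
    code = transaction_code(CUSTOMER_SECRET, "ACME Ltd", 25000, challenge["nonce"])
    print("original payee:", verify_confirmation(CUSTOMER_SECRET, challenge, "ACME Ltd", 25000, code))
    print("altered payee:", verify_confirmation(CUSTOMER_SECRET, challenge, "Other Payee", 25000, code))
```

The nonce keeps a code from being replayed for a second payment to the same payee and amount, and the short TTL limits how long a code captured from the phone remains useful; both belong in the server-side record, never in the web session.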
As the drive for customer convenience continues, the challenges surrounding financial services security will increase. Contactless payments and wallets on mobile phones will create new attack vectors.
Banks will continue to examine security challenges and criminals will up the ante. Just as in all other areas of security, the cat and mouse game between black hat and white hat will continue. But in the finance sector, the stakes are particularly high.
Back to Digital Defences Special Report
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.