Gartner's Avivah Litan on Fraud Trends
What are the top fraud trends facing financial institutions in 2010?

Gartner's Avivah Litan shares her insights in an exclusive interview with Information Security Media Group's Linda McGlasson, discussing:

Increased number of attacks on strong authentication;
How to handle ACH fraud;
The biggest security challenges for banking institutions.

Litan has more than 30 years of experience in the IT industry and is a Gartner Research vice president and distinguished analyst. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications, as well as other areas of information security and risk. She also covers the security related to payment systems and PCI compliance.

LINDA MCGLASSON: Hi, this is Linda McGlasson, Managing Editor at Information Security Media Group. We are talking today with Avivah Litan, Gartner Analyst, about fraud trends. Avivah, what are the key trends that you are focused on in 2010?

AVIVAH LITAN: From a fraud prospective, I see a lot more attacks using social networks as the vectors. So for example, not just Facebook account takeover, but also different kinds of social networks where users come together like dating websites, classifieds or games. We are getting calls from several companies in those sectors, and there are a lot of takeover happening in those accounts. Also, those accounts are vectors for planting malware on customer PC's. So the use of social networking is a great attack vector for the criminals, because it brings together millions of unsuspecting users.

Some of the other trends I see is once they get the credentials or account data, the criminals are now focused on cross-channel fraud. That started last year and a little bit in 2008, but they are getting better at figuring out how to call call-center operators and get their way through accounts using information that they gather on the internet to commit different kinds of fraud, whether it's through phone banking or debit card fraud. So the criminals are figuring out how to go about cross-channel fraud.

The other thing we're seeing is these crooks are getting really good at what they're doing. So, they've been studying these bank websites, and they probably know more about how particular bank security works than many people at the bank themselves. They basically are mimicking their systems. They know how many seconds it takes for them to prompt users for authentication credential. So they've just gotten really good, some of them, at knowing how to penetrate bank security by studying them, copying them and figuring out how to socially engineer their customers to get through any of the security controls that are there. So those are the main trends. There are others, but using social networking as an attack vector, using the credentials stolen for cross-channel fraud, and figuring out how these bank websites work just studying them, you know the criminals are studying them and figuring out exactly how they work and how to penetrate through security.

MCGLASSON: What are your thoughts on strong authentication?

LITAN: I've talked to lots of banks over the past year, and I was surprised to find out just how pervasive attacks on strong authentication are. So in countries, for example, such as Scandinavia, where they've been using strong two-factor authentication, the criminals have had to circumvent those controls to get into the bank accounts, and they've really done that and they're starting to do that in the United States, too, when there is two-factor authentication involved.

So, what do I mean by two-factor authentication? It is basically when the user has a token or something in their hand. Most probably it's a one-time password token that generates a new number every 60 seconds. The crooks have figured out how to get through that, and so some banks will react by saying, 'Well, oh, maybe we should use a smart card instead, or a USB token instead?' The bottom line is all these factors are going through the user's browser, and nothing is safe going through the user's browser because the new malware is now sitting inside that browser and is acting on behalf of the user. So you can put a biometric on your PC, you can put smart card, it doesn't matter. As long as it is going through the browser, the crooks have figured out how to beat it.

MCGLASSON: What can we learn from the recent Google hack? Would fraud prevention technology help an organization catch or stop this kind of intrusion?

LITAN: For sure that is what we can learn from the Google attack, and in fact I would bet that Google itself had very good fraud prevention technology, which is why more damage wasn't done. You know, I think they stopped it, although we don't know all the details, pretty early on. But what we did learn is that fraud prevention is really the way to go. You have to have the ability to monitor user behavior, user transactions. One thing we learned from the Google attack is you don't only monitor it, but you have to figure out when to stop it in real-time. So they wouldn't have had any damage if they had great fraud detection that was in line doing real-time blocking, which means you've got to fine-tune it just right so that you know when to stop a transaction without inconveniencing a legitimate user. Now you can do that through other methods.

So, for example, if you see something suspect, you can go to the user over another channel, call them and say 'Is this really you trying to access this account?' If you want to be very extreme about it - so, for example. if you are monitoring privileged users which were allegedly involved in the Google attack -- you could get a voice print of all of your privileged users' voices, so that when they are trying to access an account and you are suspicious of that activity you can go back to them, call them, and register the voice print and match it against your database. That is just an example of what you can do, but the lesson to be learned is you definitely have to have fraud prevention monitoring user behavior and transaction values. So I put them into two buckets:

The first bucket is look at the access and navigation. So a botnet behaves very differently than a human being when they are going through web pages. They botnet will bring the web page into memory much faster. They will click on buttons much faster. They'll go to the same exact spot on a screen. They don't mouse around, because it's all automated. A human being will go much more slowly and deliberately and not as predictably in terms of where they put the mouse or where they click. So good navigational access monitoring can see that it is malware as oppose to a human being.

The other thing that fraud prevention needs to do and the second bucket is look at the transaction value. So for example, is it normal for a user to be transferring this much money to Romania in the middle of the night? And of course in the Google page, is it normal for a user from this location in this machine to be logging into this email account?

There are lots of rules that you can put around fraud prevention. So the bottom line is fraud prevention is a must these days, combined with the ability to block a transaction in real time using technology that won't stop good users like the voice print recognition for example.

MCGLASSON: What is your advice for detecting, preventing, and monitoring ACH fraud? Are we missing some basics here?

LITAN: I've been really surprised to hear just how rudimentary some of the banking systems are out there. It's not that much of a surprise, actually, because many of these smaller banks rely on banking processors, so they've haven't kept their fraud prevention up to date. But if you read about some of the cases that have been uncovered, you hear about a small business lost money because someone got into their account and transferred money to Romania. Now, this small business is in the midwest of the United States and has never done any business in Romania. A very rudimentary check would have seen that in the system, so you've got to ask yourself: Are these banks asleep at the wheel? I don't think they are asleep at the wheel; I think they've outsourced their fraud prevention to banking processors that have not kept up. So we are missing some basics here. You should put in some basic fraud detection that says if a customer has never moved money to Romania, let's take a closer look. So many of the banks have been caught off guard, and it is mainly the smaller banks because their banking processors have not kept up to speed.

My advice on detecting and preventing money transfer fraud, whether it's ACH or wire-transfer, is basically using those techniques we just talked about. Monitoring access behavior, how the user is navigating the system, -- does this look like a machine or a human being? -- and then you monitor the transaction value. Is it normal for this user to transfer $10,000 to the Ukraine? No it's not. Let's flag it and go back to the user. Now that means you probably have to manually review a certain percentage of the transactions, but that is certainly a worthwhile endeavor rather than letting your customers have their accounts rated. So there is some good technology, it just has to be implemented, and more importantly the business has to be able to support the process. So you can't have alarms going off with no one paying attention to them. You've got to have a core group of staff, whether it's a couple of people in a small institution or dozens of people in a large institution, that know how to look at these transactions and know how to throttle the bar so that they look at the right amount of transactions without overwhelming their system. And they handle what they can handle while reducing fraud to an acceptable level.

MCGLASSON: But Avivah, what are some recent developments that financial institutions need to be aware of when it comes to tagging customer's personal computers?

LITAN: There has been some very interesting developments and privacy legislation that is changing the rules so that when customers PC's are tagged -- in other words when there is a cookie or a data file put on their PC that allows a service provider to follow them around -- the new legislation says customers have to be aware of that and they have to opt into it. So they have to say 'Yes, you can put this flash cookie on my PC and you can follow me from now on, or you can know that this is me, so next time I log in to your website you won't be so worried.' Many banks in the United States rely on flash cookies or browser HTTP cookies to track their customers and know that this is the right person logging into the website, because we recognize this new PC. This new privacy legislation that was recently debated in Canada -- it got killed temporarily, but the FTC has made noises that they are following this now, they are looking into it, they are having a series of privacy hearings. The EU, European Union, just updated their rules to promote the opt-in to this type of tracking, so all this legislation either past or coming about means banks need to wean their reliance off of cookies. They can't rely on flash cookies anymore to know this is a good customer or a good customer PC. They've got to use other alternatives, what I call clientless PC identification or any kind of computing device identification.

So just to make a long story short, most banks are relying on cookies on customers' PC's to know it's a good customer. That reliance needs to end ...

Most people don't know where their flash cookies are, they don't know how to delete them. In the future that won't be the case. Anytime flash is being downloaded to your PC, a customer will get this big warning message, "Do you want this software to modify your PC or computer?" And chances are they are not going to like that message, and they'll say no. So there are a lot of different technical aspects to this, but the bottom line is banks should be aware of these new events, and they should start preparing now to stop their alliance on flash cookies.

MCGLASSON: Final question, Avivah: Where do you see the biggest security challenges for banking institutions and their customers in 2010?

LITAN: Well, in some sense we're just going to see a lot more of the same things we started seeing in 2009, so much more malicious malware, and much more targeted accounts against specific bank security systems. And this will just continue to be a big challenge for banking institutions. The smaller banks have a very big challenge in getting their processors if they outsource to keep their security current. I don't think the security has stayed up to date in probably seven to eight thousand banks in the United States. It is mainly the top tier banks that have the resources to keep up with this that has kept up with it to some extent, but the smaller and regional institutions are really out to date for the most part, so they've got to put pressure on their banking processors to upgrade technology.

I also think there is going to be some legislative and regulatory challenges. So, for example, if the FTC starts putting pressure on maintaining consumer privacy on desktops like we just talked about, or if Congress ever gets its act together and starts passing some reasonable regulations that regulate the way banks provide security or services to their customers -- there is a lot of talk in Washington around compliance and regulation of banks, obviously, and that certainly has implications on security spending and what they put their money into. So I think there are not going to be any dull moments in 2010 between the hackers continuing to do a lot more and do it better than they did in 2009, and the pressures from Washington just causing banks to spend a lot more on security and compliance. That is one area that is actually growing in their budgets, where they are actually hiring people from what I hear. So there is no shortage of challenges in 2010...

MCGLASSON: Thanks, Avivah, for joining us today.

LITAN: Thanks; you are very kind.

MCGLASSON: I'm Linda McGlasson for Information Security Media Group until later.




Around the Network