03 Mar 10

Regulators Revisit E-Banking Security Guidelines


Prodded by incessant reports of small- to mid-sized businesses losing millions of dollars at the hands of organized cyber criminals, federal regulators may soon outline more stringent steps that commercial banks need to take to protect business customers from online banking fraud and to educate users about the risks of banking online.

At issue are the guidelines jointly issued in 2005 by five federal banking regulators under the umbrella of the Federal Financial Institutions Examination Council (FFIEC). The guidance was meant to prod banks to implement so-called “multifactor authentication” — essentially, to require customers to provide something else in addition to a user name and password when logging into their bank accounts online, such as the output from a security token.

The FFIEC didn’t specify exactly how the banks had to do this, and indeed it left it up to financial institutions to work out the most appropriate approach. However, many banks appear to have gravitated toward approaches that are relatively inexpensive, easy to defeat, and that may not strictly adhere to the guidance, such as forcing customers to periodically provide the answer to “challenge questions” as a prerequisite to logging in to their accounts online.

Unfortunately, as I have documented time and again, organized computer criminals are defeating these solutions with ease. Experts say part of the problem is that few of these solutions can protect customers whose systems are already infected with password-stealing malicious software. What’s more, few banks have put in place technology on their back-end systems to monitor customer transactions for anomalies that may indicate fraudulent activity, much in the way that the credit card industry sifts through data in real time and alerts the customer if a transaction or set of transactions radically deviate from that customer’s usual purchasing habits.
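The back-end monitoring described above is easy to state and rarely shown. The following is an added example, not code from the article or from any bank or vendor it mentions, of how a bank-side scorer can rate each outgoing transfer against the customer's own history and hold the anomalous ones for out-of-band confirmation. The thresholds (24-hour velocity window, three-sigma amount test, hold at two signals) and the sample history are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Transfer:
    """One outgoing ACH/wire request from a commercial customer."""
    when: datetime
    amount: float
    payee: str      # recipient account identifier
    country: str    # destination country (ISO code)


# Policy knobs: assumed values, tune per institution and customer tier.
VELOCITY_WINDOW = timedelta(hours=24)
VELOCITY_MAX = 3        # more than this many transfers in the window is unusual
Z_THRESHOLD = 3.0       # amount more than 3 sigma above the customer's mean
HOLD_SCORE = 2          # at this score the transfer is held for a call-back


def score_transfer(history: list[Transfer], candidate: Transfer) -> tuple[int, list[str]]:
    """Score one transfer against the customer's own prior activity.

    Returns (score, reasons): one point per independent anomaly signal, so a
    single odd attribute does not block routine business, but a large payment
    to a never-seen payee in a never-seen country does.
    """
    if not history:
        return 1, ["no prior activity for this customer"]
    reasons: list[str] = []

    # Signal 1: payee has never been paid before.
    if candidate.payee not in {t.payee for t in history}:
        reasons.append(f"first payment to payee {candidate.payee}")

    # Signal 2: destination country never used before (e.g. a first foreign wire).
    if candidate.country not in {t.country for t in history}:
        reasons.append(f"first transfer to country {candidate.country}")

    # Signal 3: amount far outside the customer's normal range.
    amounts = [t.amount for t in history]
    mu, sigma = mean(amounts), pstdev(amounts)
    sigma = max(sigma, 0.05 * mu)   # floor: a perfectly regular history still tolerates small drift
    if candidate.amount > mu + Z_THRESHOLD * sigma:
        reasons.append(f"amount {candidate.amount:.2f} exceeds usual {mu:.2f} +/- {sigma:.2f}")

    # Signal 4: burst of transfers in a short window.
    recent = [t for t in history if timedelta(0) <= candidate.when - t.when <= VELOCITY_WINDOW]
    if len(recent) + 1 > VELOCITY_MAX:
        reasons.append(f"{len(recent) + 1} transfers within {VELOCITY_WINDOW}")

    return len(reasons), reasons


def decide(history: list[Transfer], candidate: Transfer) -> str:
    """'release' routine transfers; 'hold' anomalous ones for out-of-band confirmation."""
    score, _ = score_transfer(history, candidate)
    return "hold" if score >= HOLD_SCORE else "release"


# Constructed sample history: weekly payroll/vendor ACH, all domestic, ~$5,000 each.
_BASE = datetime(2010, 1, 4, 9, 0)
SAMPLE_HISTORY = [
    Transfer(_BASE + timedelta(weeks=i), amt, payee, "US")
    for i, (amt, payee) in enumerate([
        (4900.0, "acct-payroll"), (5100.0, "acct-vendor-a"), (5000.0, "acct-payroll"),
        (4950.0, "acct-vendor-b"), (5050.0, "acct-payroll"), (5000.0, "acct-vendor-a"),
        (4900.0, "acct-payroll"), (5100.0, "acct-vendor-b"),
    ])
]
ROUTINE = Transfer(datetime(2010, 3, 1, 9, 0), 5000.0, "acct-vendor-a", "US")
SUSPECT = Transfer(datetime(2010, 3, 1, 9, 0), 9800.0, "acct-new-recipient", "FR")

if __name__ == "__main__":
    for t in (ROUTINE, SUSPECT):
        print(decide(SAMPLE_HISTORY, t), score_transfer(SAMPLE_HISTORY, t)[1])
```

The point of scoring rather than hard-blocking is the one the article makes about the card networks: the decision is made where the attacker cannot reach, on the bank's side, and a held transfer costs the customer a phone call rather than the balance of the account. Each signal is weak on its own; the combination is what separates a genuine new vendor from a mule account added from a hijacked session.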

Last month, krebsonsecurity.com interviewed Robert C. Drozdowski, a senior technology specialist with the Federal Deposit Insurance Corporation (FDIC). Drozdowski told me that the banking regulators recently convened a series of meetings with banks and security technology providers to figure out whether additional guidance would help banks do a better job of protecting their commercial customers. I asked him about the current state of these regulations and what we might expect from banking regulators in the months ahead on this issue. What follows is a portion of that discussion.

BK: From what I’ve been able to gather, this is a type of fraud that often does not directly impact banks, and therefore might not lead to institutions being able to document the losses from online banking fraud. Do the banking regulators have a way to measure how much companies are losing to online banking fraud?

RD: We do, but that’s not a request that we could just issue right away to the banks. If we thought this information would be valuable, we’d have to demonstrate why we need the information, and then put a request in to the [White House's] Office of Management and Budget, saying we’d like to put a survey to the industry. And then the OMB would get back to us on whether that would be okay.

BK: That doesn’t sound like a huge hurdle…

RD: Agreed, but there are a lot of other issues that are creating real problems for financial institutions in the area of commercial real estate that we don’t have adequate information on either. With the [losses to smaller companies through online banking fraud], we’re talking about million-dollar losses, whereas the commercial real estate losses are in the billions. The larger economic losses to financial institutions in commercial real estate are creating havoc, and that’s where the main focus is now.

BK: So, you’re saying that if the banks were actually experiencing more situations in which they lost money as a result of this epidemic of online banking fraud being perpetrated against businesses, then regulators would care more about it?

RD: It’s something that comes on our radar screen when banks start taking losses, and not just businesses associated with those entities, that’s a fair observation. But to the extent those [attacks] create risk to bank customers, we have an obligation to engage our institutions and challenge them to do better.

I should note that there are a lot of things going on behind the scenes. We have been providing information to our bank examiners that’s not public on these threats, to ask them to increase their due diligence in looking at the authentication solutions that the banks use. We also issued a retail payments examination handbook that [asks] what institutions are doing to reach out to customers to make sure they’re aware of the requirements needed to conduct security transactions online.

BK: So are there no banks that are suffering financially as a result of this type of fraud?

RD: There are banks that are suffering from it. We have situations where banks are sharing the losses with their customers in order to avoid litigation, and in order to preserve business relationships. There are tangible losses we’re able to cite that make us engage in this area. And there are some legal cases out there that may change that landscape significantly should it be determined that banks aren’t providing the level of protection pursuant to the statute.

BK: Okay, but it doesn’t seem like banks really understand what was meant by that statute. As you just mentioned, there are a few lawsuits going on right now that may ultimately determine whether banks are doing the right thing.

RD: True. That bar is pretty ambiguously defined right now. What is commercially reasonable is not well defined, and right now it’s up to case law to determine it.

BK: I’ve been told by several analysts that part of the issue here is that many commercial banks have effectively outsourced a large portion of their visibility into online money transfers to third party companies, firms like Digital Insight, Jack Henry, Fiserv and others. While these entities may offer back-end transaction monitoring and other security features, it’s not clear to what extent the banks that rely on these companies are adopting those features, or even making them available as an option to commercial customers. It’s also not easy for companies to shop around for the most secure bank, because banks don’t always disclose what they are or are not doing to secure transactions. What are the regulators doing in this regard?

RD: I can tell you we have been reaching out to all major service providers, and have had them in over the past few months to talk about this issue and adequacy of the authentication guidance that’s now a few years old. We’ve been discussing whether we should revamp that guidance. And we know that they have the products available, and are offering them, but we also know they have not been adopted in all cases because institutions haven’t suffered the losses to justify the expenses involved.

BK: What kinds of offerings are we talking about?

RD: They all have different levels of security that they offer. In most cases it’s cafeteria-style offerings, and the institutions select those or not based on their risk tolerance. That said, you have to recognize that as you meet with these people and talk to them, that they have an incentive to sell more product to get us to support greater authentication, so we need to walk a very fine line of addressing an issue versus promoting a service. We’re cautious about laying out a scenario that would allow them merely to sell more products, so it is a fine line.

I’ve spoken with the Better Business Bureau about this, and something they’re looking to do is create awareness to challenge your institution to provide you with more secure access if they’re not already doing that, and to encourage businesses to pay for those services if they’re available. We’re hoping to get the Small Business Administration involved in this as well.

BK: So are the regulators going to update their guidance?

RD: There is a working group of all FFIEC agencies that is looking at the authentication guidance. We went through a process over the last couple of months where we brought in many of the biggest service providers, the Jack Henrys, the Digital Insights, those type players. We had open discussions with them, but in closed-door, off-the-record meetings with banking regulators. Then we brought in individual banks of all sizes to talk about the issues. The exploratory process just concluded a couple of weeks ago. The different banking regulators are now rolling up their sleeves and asking ‘What did we learn and what do we want to do next.’

BK: But what does that mean, in practical terms, vis-a-vis the current guidance on online banking?

RD: I think there’s an awareness that what might have been adequate security four years ago when [a bank] examiner went in and asked institutions what they are doing on dual authentication is not adequate or may not be adequate now. There is an effort to see whether or not we need to update the guidance or issue an FAQ to clarify what is or is not adequate, and perhaps give some illustrated examples of what we believe is not adequate. We’re hoping we may have something released in a few months that speaks to that. So that’s an effort that’s ongoing, and all the banking regulators are involved in it, and it is absolutely very much front-of-mind for the regulators right now.


45 comments

  1. Just an idea from a man on the street: what if banks required online customers to submit to a quick virus scan before allowing any transactions (or not putting any transactions through until the computer accessing the bank’s website is deemed free of the most common viruses – I realize that a complete scan would take time and be unacceptable to those who do online banking).

    • Cliff Morrison

      That would work if the virus scan people could get ahead of the crooks, in our case the bank sent a forensic guy to dig into the computer where the virus was at and he could not find it.

    • What would happen if the virus scan didn’t work because you were already protecting yourself with an operating system other than Windows?

      Yes, the server can check for OS and browser, but all the checks and permutations of responses will get very large very quickly, and may be unusable.

  2. Cliff Morrison

    Sounds like a lot of government double speak. This whole problem is in the same place where the crimes are taking place: cyberspace, and it is the latest new frontier for both adventurers and outlaws, as there are no laws in this wasteland. As one who has experienced this first hand, the problem starts at the most base level in that in our case we suffered a loss of approx. 89K now over a year ago, and the only cop I got to show up was the local city police to start a file; after that we contacted first the Secret Service, then the FBI. The Secret Service guy called back and said the bank would not return his calls (I guess he lost his gun and badge); the FBI never even called back.
    Thanks Brian for keeping the reporting going, you are the only beacon in this storm.

  3. There is an easy way to stop this theft dead in its tracks.

    Require institutions to get whitelists from customers for ACH transfers.

    Require 2-3 day delays before implementation of any changes and email a secondary email address with the changes.

    My business does not change the individuals and companies it sends money to scarcely ever and I think that is true of nearly all small businesses.

    Even if they are outsourcing their online processing, it still can be implemented at the processor. But the regulators need to get their heads out of their &^*^ and really look at the problem and stop cowering whenever anyone whines and says, “But it will cost me money.”

    • 2-3 day delays? Goodness what rubbish. Use a secure operating system! Windows is not one of them! What’s the problem? Good grief but you people will do everything but admit that simple fact.

      • Rick:

        The simplistic Linux/Unix answer for every threat.

        “Rewrite billions of lines of code to run on their favorite subset of the Linux/Unix multiverse”.

        Of course we would then see the bad guys flock to assault the open systems where the source code is equally available to them too.
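The whitelist-plus-delay scheme proposed in comment 3 above is straightforward to implement on the bank's side, and the delay is what makes it work against a hijacked session: the attacker can add a payee, but cannot pay it in the same sitting, and the customer hears about the addition on a channel the infected PC does not control. The following is an added example, not code from the commenter or from any bank or processor; the two-day cooling-off period, the notification callable and the sample payees are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

ACTIVATION_DELAY = timedelta(days=2)   # assumed cooling-off period before a new payee can be paid


@dataclass(frozen=True)
class PendingPayee:
    payee: str
    requested_at: datetime
    active_at: datetime


class PayeeAllowlist:
    """Per-customer list of ACH/wire recipients the bank will honour.

    `notify` is whatever out-of-band channel the customer registered; here it
    is a hypothetical callable, in practice mail to a secondary address or a
    message to a phone that is not the banking PC. Time is passed explicitly
    so the policy is deterministic and testable.
    """

    def __init__(self, notify: Callable[[str], None]) -> None:
        self._active: set[str] = set()
        self._pending: dict[str, PendingPayee] = {}
        self._notify = notify

    def seed(self, payees: list[str]) -> None:
        """Load payees submitted through an offline channel (paper form, branch visit)."""
        self._active.update(payees)

    def request_add(self, payee: str, at: datetime) -> PendingPayee:
        """Online request to add a payee: queued and announced, but not yet payable."""
        if payee in self._active:
            raise ValueError(f"{payee} is already active")
        entry = PendingPayee(payee, at, at + ACTIVATION_DELAY)
        self._pending[payee] = entry
        self._notify(f"ADD {payee} requested {at:%Y-%m-%d %H:%M}, "
                     f"payable from {entry.active_at:%Y-%m-%d %H:%M}; contact the bank to cancel")
        return entry

    def cancel(self, payee: str, at: datetime) -> bool:
        """Customer, via the out-of-band channel, rejects a pending addition."""
        entry = self._pending.pop(payee, None)
        if entry is None:
            return False
        self._notify(f"CANCEL {payee} at {at:%Y-%m-%d %H:%M}")
        return True

    def _promote(self, at: datetime) -> None:
        """Move entries whose cooling-off period has elapsed onto the active list."""
        ready = [p for p, e in self._pending.items() if e.active_at <= at]
        for p in ready:
            self._active.add(p)
            del self._pending[p]

    def authorize(self, payee: str, at: datetime) -> str:
        """Decide a transfer request: only active payees are paid."""
        self._promote(at)
        if payee in self._active:
            return "release"
        if payee in self._pending:
            return f"reject: {payee} pending until {self._pending[payee].active_at:%Y-%m-%d %H:%M}"
        return f"reject: {payee} not on allowlist"


def demo() -> list[str]:
    """Constructed walk-through of a hijacked session; returns the notices sent out of band."""
    sent: list[str] = []
    wl = PayeeAllowlist(sent.append)
    wl.seed(["acct-payroll", "acct-vendor-a"])
    t0 = datetime(2010, 3, 1, 9, 0)
    wl.request_add("acct-mule", t0)                    # attacker adds a payee from the victim's browser
    assert wl.authorize("acct-mule", t0 + timedelta(hours=1)).startswith("reject")
    wl.cancel("acct-mule", t0 + timedelta(hours=3))    # customer reads the notice and cancels
    assert wl.authorize("acct-mule", t0 + timedelta(days=3)).startswith("reject")
    assert wl.authorize("acct-vendor-a", t0) == "release"
    return sent


if __name__ == "__main__":
    print("\n".join(demo()))
```

The enforcement point is `authorize`, which runs inside the bank's payment pipeline, not in the customer's browser, so a trojan that rewrites pages or replays a one-time code still cannot turn a pending payee into a paid one before the delay elapses. The same structure serves a positive-pay check register if the allowlist keys are (check number, amount) pairs instead of account identifiers.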

  4. Good article Brian. Good to see the FFIEC is actively involved, and seem to understand the shortcomings in their previous guidance. The reality will be if they create new guidance that has some real “teeth” this time (i.e. requiring all banks to implement specific fraud detection capabilities). Given some of the waffle points in Robert’s responses (“…see whether or not we need to update the guidance or issue an FAQ…”), I am not too confident.

    The take-away from the 2005 FFIEC Authentication Guidance document is “Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.”

    At the time, most banks/financial institutions asked, “how can I comply with the guidance while spending the least amount of money?” (aka passing the lowest cost onto customers, directly or indirectly).

    The answer came in the form of low cost products in the “layered security or other controls” category. The most popular products incorporated some form of challenge questions which were based on backend “finger printing” of the end point (i.e. device profile, IP geolocation, etc.). Some products even added customer selected pictures to provide “trust” that the user was connected to their bank’s “real” banking application. The BofA “Sitekey” was based on such a product.

    Some of these solutions provided additional protection by integrating actual fraud detection (i.e. transaction volume, velocity, thresholds, etc.), although, outside of the visual elements (i.e. picture and challenge questions), there is no way to know how much actual backend fraud detection (if any) a bank implemented in their online banking applications.

    Of course, none of these simple “challenge question” solutions prevent real-time MITM attacks. Although, to the FFIEC’s credit, at the time, real-time MITM attacks were still mostly theoretical, but everyone knew it was only a matter of time. Several research documents demonstrated the weaknesses of these simple “challenge questions” solutions, to which the vendors responded by stating that their backend fraud detection services are where the real security is anyway.

  5. It’s great to know they’re starting on it but the market has a better chance of getting some thing done. And that hasn’t worked well yet.

    The examination process ultimately relies on well defined laws, rulings, and guidelines. Until the issue more prominently figures into the CAMEL rating system used to assess bank health it’s unlikely to have much push behind it. As stated there are more pressing issues.

    As Brian mentions the market doesn’t share much information about product offerings and that’s because this market is still largely dependent on individual sales people that may feel threatened by more openness. A consumer report type comparison of offerings would be great but that’s a tall order given the thousands of banks.

    I think the regulatory response will be too little too late just like the original guidance.

  6. The FFIEC multifactor requirement was a joke from day 1. Now there is even malware that will hijack a session after true two-factor authentication by the user. My thinking is that back-end fraud detection at the banks needs to be more (and be required to be) robust. A poster above mentioned white listing ACH recipients (Larkin) and other fraud detections (Marty).. Those are good, others would be verbally verifying outgoing wire and ACH payments with a signer on the account before sending the first time. Also, analysis of transactional behaviors (example, they never have sent a foreign wire and they do today…)

  7. If the crooks can hijack ongoing sessions it is pointless to spend additional resources to further beef up security measures to open a session. That wave has passed. It’s time to move to the next wave.

    Checking/restricting IP locations is also probably behind the curve, as surely the crooks will soon be able to impersonate an IP address.

    What the crooks cannot impede (without hacking the bank) is what happens on the backend within the bank. Checking of whitelists for wires and ACH if those whitelists are submitted to the bank by offline method, or maybe FTP outside of the normal online banking channel, would be an example of this.

    Banks have similar technology available (not widely implemented in the industry) for check clearing generically called “positive pay” where the customer immediately electronically submits a check register of checks written (check number and amount) creating a whitelist. All other checks presented on that account are treated as stop payments – returned as unauthorized.

    The primary flaw in that system is that customers routinely fail to keep the bank properly updated as they write checks. Then the bank either has to return items it suspects are legitimate (causing untold problems) or call the customer to rectify the situation. Either way the rejected items are handled manually, which is very expensive for the bank. Banks charge for these unnecessary hits as a result, and soon the customer decides the cost is not worth the fraud protection because they will not change their behavior.

    Other banks in the industry have watched this exercise and saved themselves the cost of implementing a system that customers do not perceive is worth the effort or cost. This is why not all banks offer Positive Pay. It is not a successful product.

    For wire and ACH whitelists to work we have to avoid the same pitfalls existing in Positive Pay or we will suffer the same unsatisfactory result.

    Another example of backend processing inside the bank would be metric limits placed on account activity (number of transactions, dollar amounts, dollar totals – all over a specified period of time). Banks are supposed to have these limits in place for ACH anyway to limit credit risk, and for wires to limit both credit and BSA risks. The technology is already in place and generally being used – but too loosely. Banks need to place these limits much tighter, and customers need to be more understanding (willing to pay) when they legitimately hit those limits without talking to the bank first. But what happens in the real world is that wires and ACH batches are submitted by most customers at the last minute, so the bank is overwhelmed with customers jumping up and down to meet the deadlines with no time to manually process rejected transactions. Customers will not tolerate the bank missing a transmission deadline because the customer overshot their limit, even though they know their limits ahead of time. They won’t call ahead of time to ask for a limit raise. They insist on waiting until the last minute and constantly ask for deadlines to be made later. And they won’t pay what it would cost the bank to staff up to handle the problems they create without missing deadlines. Too much hassle, too much cost.

    I’m not blaming bank customers. I’m merely stating the obvious – the public does not perceive the risks associated with their behavior and unwillingness to pay. This bad situation is perpetuated if banks cost-share losses with victim customers and lose court cases.

    All these solutions require human intervention, which is expensive. All totally automated (inexpensive) systems are vulnerable.

    Since what is happening now is that the bank customers’ systems are being hacked (not the banks’ systems), it should be evident that the greater problem lies with the customers’ willingness to implement proper security. Nearly all the victims to date have not had hardened security on their own networks with layering, current anti-malware, etc. Moreover, customers in general (with some exceptions, including any readers who care enough about online security to read this blog – a tiny minority) are currently not willing to pay for or tolerate the inconvenience of the security measures that are required to protect them. Example: Positive Pay.

    You can’t put the whole responsibility on the banks. They are only half the equation. The customers are the other half. If they had the same level of awareness and willingness to put forth some effort and pay for solutions, we’d be way ahead of where we are now.

  8. Peter Brewster

    Brian, I think we’re being snookered. The handbook on e-banking is dated 2003. My (so far limited) dealing with banks at the branch platform level tells me managers and IT are without clues – adjectives deleted – and without much interest.

    Whatever e-fraud losses banks experience get moved back to depository clients. The losses do not go to either management or owners, arguably excepting credit unions.

    what is happening now is that the bank customers’ systems are being hacked (not the banks’ systems), it should be evident that the greater problem lies with the customers’ willingness to implement proper security. Nearly all the victims to date have not had hardened security on their own networks with layering, current anti-malware, etc. Moreover, customers in general (with some exceptions, including any readers who care enough about online security to read this blog – a tiny minority) are currently not willing to pay for or tolerate the inconvenience of the security measures that are required to protect them. Example: Positive Pay.

    • Sorry but who needs ‘anti-malware’? Why not instead just choose a good operating system? The world does not revolve around Windows. Gasp but it doesn’t. Buy a clue. Real cheap. There’s a river in Egypt and you’re scuba diving in it.

    • Bingo! You hit the nail on the head. As Kirk stated above, it is not all the bank’s fault. End users have their part to play. It’s about lowering your risk, not becoming a victim by your own hand. If my bank account gets compromised, I can guarantee it’s not by my own doing. If it’s within my control, I’m going to take the proper measures to ensure the safety of my stuff. The only thing I want the bank to do is to properly secure their end of the deal. I’m not going to pass the buck and rely on someone else to properly secure my end. That’s MY responsibility and no one else’s! PERIOD!

      P.S. – funny how Kirk gets positive feedback to his post, but “banking” gets negative. Both express basically the same thing! I guess many can’t handle the truth when it’s stated bluntly.

    • Look at this comment. Which insinuates that there is a certain responsibility on the part of botnet Windows PCs. Gee what an outrageous idea.

      And all the fanboys are therefore modding it down. The thoughts immediately go to Jamestown. For that’s what you represent.

      • If you so choose to use a different operating system in order to properly secure your end, so be it. More power to you.

        I choose to do so using Windows. And have done so for 14+ years and have NEVER been compromised in any way or had any online accounts broken into. Contrary to your own belief, it is possible to properly secure a Windows based system. As such, it’s not so much about the OS as to how it’s setup to begin with and then operated.

        Respectfully,
        xAdmin :)

  10. Hey OK. This is good. Banks should of course use the same protection systems as the credit card companies. Duh. But plastic credit cards are not provided by Microsoft. Heaven help us if they were.

    What about the first instance of weakness? What about the wobbly Windows systems that are infected in the first place? That’s something you dudes don’t want to think about, right?

    What are you trying to do? Why are you sticking with a platform that’s been universally condemned? You like Minesweeper and Notepad that much?

    What is wrong with you?

    • Dude! We get it. You’re anti-Microsoft. Give it up already. You sound like an Apple troll. :)

      • Oh bugger off, you fanboy. Seriously. Get. A. Clue. What I sound like? I sound like someone who isn’t drinking Redmond Kool-Aid. What do you sound like? Ridiculous is what. The entire planet is reeling under the onslaught of these slings and arrows and you dare ask what other people sound like? Do you have any idea how pathetic you look?

  11. RD: “There is an effort to see whether or not we need to update the guidance or issue an FAQ to clarify what is or is not adequate, and perhaps give some illustrated examples of what we believe is not adequate.”

    So, perhaps an FAQ, and maybe an illustration. The FFIEC seems to understand that its power to force change on the banks is zero.

    BK: “So are there no banks that are suffering financially as as result of this type of fraud?”

    This seems to be the heart of it.

    I like the suggestion from Mike above: allow customers to lock or set policies on transfers. If I try to buy a cup of coffee in Canada my CC rejects the charge. I should be able to tell my bank that transfers to new recipients require in-person authorization.

  12. Banking Lawyer

    Banks are in fact taking losses for this type of fraud. I recently represented a client which suffered over $400,000 in unauthorized transactions. The bank recovered all but $45,000. We argued that the bank did not have commercially reasonable security procedures, had violated written instructions of the client, and was negligent. We settled for $30,000 paid by the bank. They did not do this as a PR settlement. It was cheaper to resolve informally than through litigation, and we had a pretty good case. Until banks base security on factors other than user name and password, they and their clients will suffer losses. Banks cannot offer a product with such potentially catastrophic loss exposure to their clients. They need to step up to the plate. Whitelisting accepted recipients, restricting transfers to reasonable limits commensurate with prior usage by the client, and call back procedures can all help.

    I think the loss figures shown in the media are only the tip of the ice-berg. Most fraud situations settle out of court and are never reported. Bill

    It seems the public and banks should be aware that the electronic one time password tokens banks are being asked to deploy are being bypassed by the new crop of trojans such as Zeus, URLzone, Silon etc., which simply hijack the user’s browser and gain a valid code off the user by bouncing them to a session expired page, “please log in”, which they use to verify an outgoing transaction in the background. There are very limited solutions to this type of attack; every electronic solution I’ve seen requires up to 40+ password characters from the user and expensive devices which themselves open up new security issues. It is primarily the cost which is holding back banks from mass deployment.

    I would like to propose my own one time password authentication solution which is secure against MITB browser attacks, as transaction information can be easily encoded into the challenges; what’s more, it only consists of a small key pattern printed onto a user’s bank card, which costs nothing if printed at the same time the user’s name etc. is printed. Anyone with interest can check out http://www.passwindow.com and security researchers can download the independent whitepaper and read the security page. Anyone is free to make a case for a better authentication solution, keeping in mind passwindow costs nothing to implement into the existing system.

    • Matt has the right idea for a relatively cheap 2 factor solution, that would not be disruptive to the banking industry, and would only require some limited downloads by the client, and of course, I assume he wants to make the bank side costs as low as possible.

      http://blogs.techrepublic.com.com/security/?p=2271&tag=content;leftCol

      We had a good discussion on the idea and argued possible weaknesses, but could not refute the value of the idea. I would also like to point out that Prevx is pushing a free solution to Facebook users that supposedly takes control of all SSL communication from the browser to the web. It installs at a very low level – I suspect it is a legal rootkit – and can take any information away from keyloggers and screen hook malware, and in fact works below the usual I/O hook layer anyway.

      IF the banks invoked both solutions today, I feel the savings in losses would pay for it in spades – and I don’t mean it is a gamble either.

      I do not work for Matt, passwindow, or any other person or company; I just hate malware and crackers with a passion.

      Keep in mind these solutions do NOT require that an infection be rooted out of the client side PC for the security to work!! They work even on a compromised computer!

      Prevx is a cloud based security solution that I have been evaluating for a few weeks, and I can’t wait for it to alert me to my first Vista 64bit keylogger or screen hook!!

      I shall test with samples as soon as I find some safe ones.

  14. For years, security people have been trying to show businesses how to be secure. It is still not working.

    Teach Security to the user at home. Show them how to secure their home computer so that they can do their business on it, preferably for free. Teach it to their kids in school. Start now. Then show them the exact same tools and techniques and rules and safe practices at work. It won’t be something new and different, but something they are used to and they know will work. They will not look at it as something to make their job difficult and inconvenient. Show them that by using this at work it will keep them safe at home. It will stop spam and protect them from the botnets and malware that threatens to ruin their business of running their own home.

    It is what will keep their kids safe online and their money in their bank and the credit cards in their name and out of the online crooks and scammers. Fraud rates would drop and then their interest rate on all these credit cards would drop. And the chargebacks on all the fraud would stop being charged back to the retailer. And the prices of all of our goods and services would drop also.

    Which means the credit card companies would not be making the money they are now. They have set themselves up perfectly. Spam and malware and trojans and botnets and rootkits do not cost the credit card companies a dime.
    They have conned the cons.
    It’s “The Sting” all over again.

    They make big business pay for what the credit card companies say they have to have or it’s no dice. The businesses continue to pay pentesters and compliance auditors. They continue to buy the newest big and shiny blinky light box or software because someone told them it will solve their problem. It won’t. They continue to pay the chargebacks for any fraud that was committed against them and the higher rates the credit card companies charge them. The businesses pass all of these extra costs to them on as a cost directly to the consumers. Us. You and me.

    All businesses that do credit card business of any kind.
    Even Micky D’s.
    Hackers and Crackers. Just Say’n.
    Your Big Mac costs more because of fraud and the credit card companies.
    We pay for the fraud! YOU AND ME!!!

    Believe me, brother, if it were costing them anything, they have more money to throw at this than anybody else on the planet because they have all of our money already. I would not be surprised to find out that it is the credit card companies who are the ones who are paying for the malware to begin with. What the thieves and malware writers don’t understand is they’re paying the same high prices as everybody else even if it is someone else’s credit card. They would be able to afford a lot more stuff on their own credit card if it all just didn’t cost so damn much. The “Cost Of Doing Business” passed down to the working man and woman and working children of working men and women and the working parents of the working man and woman, just to live and raise a family. What a Crock!

    And where is the government in all this? Quietly doing whatever the credit card companies tell them to.
    They owe them more money than we do.

    The banks too, profit from all this, and do all they can to force you to use credit cards. They do nothing to defend your hard earned money in your checking and savings accounts if you fall victim to malware and fraud on your own computer which they have made no effort to help you protect. They actually made money off of the fraudulent transaction in transaction fees or from you, if you catch it in time, with stop payment charges. Or if the credit card companies decide to garnish your accounts, the banks will give your money to them with no regard to your best interest at all. If it’s just sittin’ in your account then it costs them money.

    Win and Win.
    I Call BS!!

    BS on the credit card companies and the banks that represent them and the governments that let them get away with it. They are the only ones to profit from the whole fiasco. As long as you are working to pay off your credit cards you are also paying taxes with no money left to put in the bank or savings for your retirement. What retirement? You will work until you die as servants to the credit card companies, banks and the government. And then you die. And guess what. Then your estate gets to pay off your credit cards and your bank loans and if there is any money left, your taxes you still owe. It is doubtful if anything will be left to bury you with or to leave to your family. But maybe they can put the funeral on the old Visa, M/C, Amex.
    Win and Win and Win.
    They have made it so now you can’t be your own banker in control of your own money.
    Which is absolutely the last thing in the world that they are going to let happen. People in control of their own money.

    Blasphemy. End of the World as we know it.

    Damn Right!

    Put the money back in the hands of the people and the government will listen to what you have to say.

    These hackers appear to be fairly good coders and would probably work a hell of a lot cheaper than what the credit card companies gouge out of the business every year. Give them a job. And then start paying the pentesters and auditors to secure your employees at home. Show them what they stand to lose there and you will have them in the same mind set when they come in to work to get that paycheck that will now buy so much more stuff because online fraud and spam have disappeared and prices on everything
    ( and I mean everything, from Quarter Pounders to toilet paper)
    will be so much lower, because the businesses no longer have to worry about charge back fees and high interest rates (they borrow from the same folks as we do, sister.)

    When you want a business to see where its weakest link is, it is always gonna be Layer 8. The human element. Ask anyone in security “Where is the weakest link?” You will get the same answer every time.
    Us. We are the weakest link.
    You can not blame the user for being a stupid user if you are not doing everything you can to help them not be one. So why do we not devote all of our time and effort and money in this war on fraud on us? Spend the money and manpower where it will do the most good. Teach us to be secure at home where it means the most to us and we will bring that with us when we come to work.

    We can’t allow these machines to get the better of us.

    Can you only imagine what this is going to be like when every Layer 8 on the whole bloody planet gets their own Layer 8 IPv6 address. And we all know there is no way to spoof that. Right??? Your credit card will have its own static IPv6 address. Your phone, your watch, your car, your TV and your refrigerator.
    Who you gonna call? The scammers’ 900 numbers. Which they can now dial for you.
    What time is it? Time for Viagra.
    Do you want spam coming out of your car? Pay up or no go.
    Malware on your flatscreen? Pay up or no HBO.
    Scammers in your fridge? Pay up or we’ll turn off your freezer or freeze your beer.
    Crazy Talk.

    This problem must be solved now while it still can be. The businesses should take a small percentage of the money the credit card companies are costing them and spend it on their employees’ security at home. The users will see where it will make doing the business they do online at home safer, and with cheaper prices and lower interest rates, they will still spend their hard earned money, but now it’s a better deal for everyone, not just the credit card companies. We might even have some money left over to save.
    Imagine that!
    And if our online transactions are safe, we might just use our own money on our own debit card to buy something instead of a credit card.
    What a concept!
    Take back what is ours,
    Secure yourself.
    Then secure everyone around you.

    • I agree with some of what you’re saying. Unfortunately, I don’t hold out much hope as many are beyond being helped. I could sum it up though in a few simple phrases:

      You can lead a horse to water, but you can’t make em drink.
      Stupid is as stupid does.
      You reap what you sow.

      Part of it is the nature of the human condition. But, I believe the root cause is a general apathy or outright laziness and above all a general lack of critical thinking skills in the general population!

      • If you lead the right horse (the individual user) and show him what it will cost him if he doesn’t drink, and what he may be saved from if he does drink, he may decide to have a sip.

        Right now no one is showing the stupid how to do anything any other way.

        We are not currently sowing any seeds for progress in this endeavor to help the general population to be aware of what they can do as individuals to combat this problem of online fraud.
        We are not taking advantage of the news (Google getting hacked, et al.) and the current awareness of this problem in the population’s mind to educate them on what they need to do to stay safe in their online business dealings. If they continue to be victimized, they will lose faith in their ability to conduct any of their business online. While this might be safer for the individual, for business and the internet it would be a great setback.

        • Your experience may be different. But, over the course of my IT career, I’ve attempted to educate users on the risks/benefits to computer security to the point of beating a dead horse so to speak. Some have taken it and used it for the better. But most, I would say the majority; it went in one ear and out the other. They just couldn’t be bothered with it. It’s too much of an inconvenience. I’ve even had fellow IT pros with the same attitude. One recently got hit hard with malware and finally started implementing a defense in depth computer strategy. Something we’ve talked about at great length at work between us.

          Then there are those like family and friends that you educate and even set up their computer to where it’s locked down and secure. But, they still get themselves in trouble through bad behavior. It’s gotten to the point where I tell them you’re on your own. I’m not going to clean up or re-image/re-build your computer anymore. It comes down to the simple fact they don’t want to be part of the solution. They don’t even want to admit they’re part of the problem!

          Thus, why I stated some of the phrases above.

          • I still say never give up, never surrender. The crooks never will. You have to show the individual what security means to them, in ways that they will understand. If they keep clicking on links in emails, their bank accounts will be emptied by the crooks and scammers. If they browse blindly through the internet, their computers will be used for evil purposes by evil people. Do they want porn popping up on their kids’ computers? Do they want to have their malware infected botnet computer used to transfer child porn or DDOS the NSA? People are simply not aware of what can happen to them until it does. Make them aware before that happens, in every way at your disposal. Scare the hell out of them if you have to. Make them a part of the solution in ways that benefit them directly and it does not matter if they know they are the problem or not.

  15. Sorry for off topic, but has anyone else noticed the odd behavior in the comments?

    New comments do not show up unless I click reply. The “Like, Dislike” stats do not update either unless I click reply to some other comment.

    Forcing a page refresh, even via CTRL+F5 doesn’t work. (not a cache issue as I clear that when closing the browser)

    Brian, are you aware of any issues regarding the comment system?

  16. The solution is MUCH MUCH simpler than any proposed here. The reason criminals are going after SMBs is because those accounts aren’t covered in the regulatory framework in terms of limiting customer liability in cases of fraud. Only individual accounts are covered. If you forced banks to eat fraud charges for SMB accounts like they do for individual accounts, security would be increased because it is in the banks’ best interest to do so.

  17. A lot of ideas floating around here. As we all know, this is not an easy subject. Facts are:
    1. Criminals are focusing on end users, not the banks.
    2. They like corporate accounts because they can typically initiate a large amount of money via the online banking site and wire or ACH.
    3. Their focus will change, once that hole is plugged.
    4. Consumers leave gaping holes in their machines, for the criminals to walk through.
    5. MFA isn’t going to help much.
    6. Losses have to be large enough for banks and regulators to determine the risk justifies the investment. Keep in mind they all feel pinched, these days.

    What is the solution?
    There isn’t one. Better MFA will not solve the problem. Who cares how you authenticate to the servers, if the hacker owns your machine. Transfer requests can be injected without you knowing, while you are connected. Even the verification pages can be modified to avoid you knowing.

    Modifications to the ACH process would be a big help. And, while a little annoying, Rick’s suggestion does have merit. A secure OS is one way to put an end to many of the current problems associated with malware and system takeovers. But it’s not practical for all consumers. My mother would never understand a secure OS.

    Consumer education, I feel, would go a long way. But I agree with xAdmin completely. I’ve been around this industry (banking/security) since the early 90s. Educating people to the point that they change habits is a monumental task. Futile in many ways. “Oh, it won’t be a problem this one time!”

    • I agree with the gist of what you are saying; however, the online MFA injection attack concept on the connection or browser cannot work on the passwindow MFA method even if the attacker owns and controls every aspect of your machine. The ability to encode specific transaction information into the visual challenges (just simple animated gifs) means the user must be aware of what he is authenticating (i.e. last 3 digits of destination account number) to be able to read the authentication code which is encoded beside it. The almost irreducible simplicity leaves an attacker with very little room to manoeuvre compared to other more complex types of MFA such as electronic solutions etc. Actually it only allows a long term statistical analysis of the user keys/challenges by a Trojan, and since this is very predictable it can be stopped easily by pushing the interception rate well beyond the lifetime of the user’s key. I am not saying it’s a total solution as at some point criminals can just ask a user to give them their money as is the case with 419 scams and some % of the time the user will want to do it and no amount of security is ever going to stop that problem.
      The problem as others have said is we need to move away from user authentication and towards transaction authentication, which actually, apart from passwindow, some models of electronic token can perform. Unfortunately they all (that I have seen) require the user to enter 6-9 digits back and forth from the device to their machine, one set of which is some transaction information such as their destination account number, up to 40+ times, which is a lot to ask of an average user for normal value transactions and why I believe only a few boutique European banks have enabled this feature for high value transactions. Sadly they can’t reduce the amount of digits required of the user as they need the entropy in the underlying cryptography used by the devices, but at least it is a solution to the Trojan problem. There is also the IBM electronic device solution called ZTIC which creates a direct encrypted connection to the server through the USB port and displays transaction information to the user on its screen for user verification, a much more user friendly solution than token transaction signing as the device isn’t the size of a scientific calculator and requires the user to only accept or deny a transaction. Currently there are no known attacks against the ZTIC method unless someone here is up for the challenge; once things get electronic and complex it is usually over my head as to whether they are vulnerable to weird complex attacks like the recent voltage stress attack against machines to help steal cryptographic secret keys. Thankfully with passwindow I don’t have to really worry about anything more than real life physical attacks such as hidden cameras etc., which is a much more manageable problem (and I generally defeat with a simple bit of reflective tinting over the key pattern).
      So while we wait for the OS / software guys to finish battling it out there are some solutions already on the table the FDIC could adopt to help manage the problem.

      • I feel most users in the US would be much more amenable to the passwindow model. I don’t think they want any gizmos that they have to buy, and would probably lose. I think passwindow is a very economical solution, until, as you say, something better is conceived.

        One popular device, the iPhone, has one advantage in that it can only process one transaction at a time. I understand this is hard wired into its hardware, so this could prevent any attempts to interfere with passwindow on an out of band device method; which I like even better. However, the iPhone is not THAT ubiquitous yet, so I digress.

        I never lose my credit card, so passwindow is a very good fix for now, in my not so humble opinion. I would think even more sophistication could be added with nano-circuitry, that would be powered by the same cheap solar cells used in calculators and wrist watches. Perhaps this could future proof the concept?

        Chip and PIN has already been defeated by several attack methods by crackers, some of them involving a simple paper clip. Having an expensive system like that defeated so quickly with all the expense that went into it, is why US banks are so timid to try that kind of technology. I can’t say I blame them.

        • Re: Electronic version of PassWindow.
          I have developed the concept of an electronic version of PassWindow; however there are three variables at play regarding this – security, cost and usability.

          Security wise, while a dynamic key version would be an improvement by completely removing the statistical analysis attack problem, currently with the simple printed method this isn’t a problem: with 10000+ interception rates a user won’t do that many authentications in anywhere near the lifetime of their printed key. As with any added complexity to a system, the complexity opens up new hi tech attack problems which need to be seriously considered. Overall the theoretical online security will be improved and some new features added but the practical online security won’t change much.

          Second is the cost, not just of the devices themselves which would need specialized chips and hardware but also issues like security of the manufacturing chain and delivery costs, which is a major issue many people forget or dismiss. Let’s say for example the ZTIC devices were given free by the government to every bank for every user; the bank still needs to deliver millions of packages to everyone. Take a standard package delivery cost and multiply it by x million and that is a big headache right there. The existing printed passwindow solution can be mailed by envelope (such as a monthly balance statement) anywhere and manufactured behind the desk of any office, so I need to match that level of delivery cost in any future device, which means on card electronics, which I am watching closely. To be honest the technology just isn’t quite there yet with the flexible cheap screens thin enough to go into a credit card; there are some companies with the technology to do it but the reliability isn’t acceptable just yet.

          Thirdly is the usability factor which has to be considered; as much as I like the theory of the ZTIC device and other electronic transaction signing tokens, it’s true they are a royal pain to carry around, too big for a wallet and yet small enough to lose easily. The reality is most token devices (including my own) end up being left unattended around the office desk and an attacker only needs a few seconds’ access and an SMS of the code to his friend in x country and it’s game over. The most secure place on a person is the universal wallet where people keep their cash money, so any solution really needs to be able to work with this existing infrastructure.

          The electronic version will happen but I can’t say exactly when.
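The thread under comment 17 contrasts two things: a man-in-the-browser that rewrites a transfer after the user has logged in (so any code that merely proves the user is present still gets forwarded), and transaction authentication, where the code the user supplies is bound to the destination account and amount they actually see. The Python below is an added illustration of that distinction, not code from the post, from PassWindow, IBM or any commenter. The secret, account numbers, amounts and the HOTP-style truncation are constructed choices for the demo, not any product's scheme.

```python
"""
Added illustration: why a login-bound one-time code does not stop a
man-in-the-browser from rewriting a transfer, while a code bound to the
transaction's destination and amount does. All values are constructed samples.
"""
import hashlib
import hmac
import struct

# Constructed per-customer shared secret (in practice provisioned into the
# token, card or app; never held by the browser).
USER_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a 6-digit code (RFC 4226 dynamic truncation), so a
    person could read it off a device or type it in."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def login_otp(secret: bytes, counter: int) -> str:
    """User authentication only: proves the token holder is present for this
    login, says nothing about what is being transferred."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _six_digits(mac)


def _canonical(dest_account: str, amount_cents: int) -> bytes:
    # Length-prefix each field so "123"+"4500" cannot collide with "1234"+"500".
    fields = [dest_account.encode(), str(amount_cents).encode()]
    return b"".join(struct.pack(">H", len(f)) + f for f in fields)


def transaction_code(secret: bytes, dest_account: str, amount_cents: int) -> str:
    """Transaction authentication: a MAC over destination and amount, valid
    only for exactly that transfer."""
    mac = hmac.new(secret, _canonical(dest_account, amount_cents), hashlib.sha256).digest()
    return _six_digits(mac)


def mitb_rewrite(request: dict) -> dict:
    """Simulated man-in-the-browser: the page the user saw is unchanged, but the
    submitted transfer goes to a mule account for a larger amount. The code the
    user entered is forwarded untouched."""
    tampered = dict(request)
    tampered["dest_account"] = "MULE-000-9999"   # constructed
    tampered["amount_cents"] = 9_800_00          # constructed
    return tampered


def server_accepts_login_otp(secret: bytes, request: dict, counter: int) -> bool:
    """Server that only checks the login OTP (constant-time compare)."""
    return hmac.compare_digest(login_otp(secret, counter), request["code"])


def server_accepts_transaction_code(secret: bytes, request: dict) -> bool:
    """Server that recomputes the code over the fields it is about to execute."""
    expected = transaction_code(secret, request["dest_account"], request["amount_cents"])
    return hmac.compare_digest(expected, request["code"])


def demo() -> dict:
    """Runs both models against the same tampering and returns the outcomes."""
    counter = 17  # constructed token counter for this login
    intended = {"dest_account": "ACME-SUPPLY-1234", "amount_cents": 2_500_00}

    # Model 1: user types a login OTP; server checks only the OTP.
    otp_request = dict(intended, code=login_otp(USER_SECRET, counter))
    otp_tampered = mitb_rewrite(otp_request)

    # Model 2: user computes a code over what they actually see (destination
    # digits and amount); server recomputes it over what it received.
    txn_request = dict(intended, code=transaction_code(
        USER_SECRET, intended["dest_account"], intended["amount_cents"]))
    txn_tampered = mitb_rewrite(txn_request)

    return {
        "otp_honest_accepted": server_accepts_login_otp(USER_SECRET, otp_request, counter),
        "otp_tampered_accepted": server_accepts_login_otp(USER_SECRET, otp_tampered, counter),
        "txn_honest_accepted": server_accepts_transaction_code(USER_SECRET, txn_request),
        "txn_tampered_accepted": server_accepts_transaction_code(USER_SECRET, txn_tampered),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The point the demo makes is the one the commenters make in prose: in the OTP model the tampered transfer is accepted because nothing in the code depends on where the money goes, while in the transaction model the server's recomputed code no longer matches and the rewritten transfer is rejected. What the model cannot fix, as the thread also notes, is a user who knowingly authorizes a transfer to a scammer; the code only guarantees that what the server executes is what the user saw and confirmed.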

  18. Shouldn’t the title be “E-Banking security failure”?

  19. WHAT ABOUT CUSTOMER SERVICE. How can the banks fall asleep at the wheel and give out their customers’ money, virtually putting some of them out of business. If you deal with a bank that does not afford you that opportunity, then you need to move to another where you are personally known, and if an unauthorised activity appears to be happening on your account, then they need to CALL you before they allow such a transaction to happen.
    What irks me most, they provide lousy customer service, and then blame you, the customer. What if your private information was stolen from them and given out to the cybercrooks??????????

  20. People are arguing that if banks had to eat the losses from small businesses the way they do with individual depositors, they would have better security. If so, why don’t they have better security for the individual depositors now?

    While the businesses might be more attractive targets because of the large amounts of money in their accounts, theft from small depositors is more likely to go undetected for longer periods of time. And of course, once the trojan is on the victim’s computer, information about his banking habits is available to the thieves. It’s still a good deal for them. If an attack is coordinated, a single money mule could be used to receive transfers from multiple victims. These thieves don’t hesitate to go after small transactions; they’ve used money mules for years to move consumer electronic products purchased with stolen credit cards out of the country. (Ordering DVD players and then sending a truck to the mule’s home to pick it up is a much more involved process than a bank transfer, and the items being shipped have less value than what the average person has in his bank account on the day after payday.)

    Mr. Drozdowski comes right out and says that until the losses are in the billions, no one is going to get serious about this. And losses in the billions are exactly what we will get if that’s the threshold for the feds to get involved.

    • Peter Brewster

      Banks do not eat any such loss. It gets passed to depositors or other bank clients. There is no practical mechanism for a loss to be passed to a bank’s investors – the directors would never permit that even if they knew how to do it. They simply take an action that adds to the revenue line.

  21. The Banks could avoid all these problems and save themselves the aggravation of possible lawsuits by simply providing a dedicated workstation to their clients. No email, no browsing to any sites permitted other than the Bank’s site, a personal firewall that will allow only a connection to the Bank’s URL, no connection to the internal company network! For about $2,000 they could save themselves hundreds of thousands.

    But this is too easy!
