Prodded by incessant reports of small- to mid-sized business losing millions of dollars at the hands of organized cyber criminals, federal regulators may soon outline more stringent steps that commercial banks need to take to protect business customers from online banking fraud and educate users about the risks of banking online.
At issue are the guidelines jointly issued in 2005 by five federal banking regulators under the umbrella of the Federal Financial Institutions Examination Council (FFIEC). The guidance was meant to prod banks to implement so-called “multifactor authentication” — essentially, to require customers to provide something else in addition to a user name and password when logging into their bank accounts online, such as the output from a security token.
The FFIEC didn’t specify exactly how the banks had to do this, and indeed it left it up to financial institutions to work out the most appropriate approach. However, many banks appear to have gravitated toward approaches that are relatively inexpensive, easy to defeat, and that may not strictly adhere to the guidance, such as forcing customers to periodically provide the answer to “challenge questions” as a prerequisite to logging in to their accounts online.
Unfortunately, as I have documented time and again, organized computer criminals are defeating these solutions with ease. Experts say part of the problem is that few of these solutions can protect customers whose systems are already infected with password-stealing malicious software. What’s more, few banks have put in place technology on their back-end systems to monitor customer transactions for anomalies that may indicate fraudulent activity, much in the way that the credit card industry sifts through data in real time and alerts the customer if a transaction or set of transactions radically deviate from that customer’s usual purchasing habits.
Last month, krebsonsecurity.com, interviewed Robert C. Drozdowski, a senior technology specialist with the Federal Deposit Insurance Corporation (FDIC). Drozdowski told me that the banking regulators recently convened a series of meetings with banks and security technology providers to figure out whether additional guidance would help banks do a better job of protecting their commercial customers. I asked him about the current state of these regulations and what we might expect from banking regulators in the months ahead on this issue. What follows is a portion of that discussion.
BK: From what I’ve been able to gather, this is a type of fraud that often does not directly impact banks, and therefore might not lead to institutions being able to document the losses from online banking fraud. Do the banking regulators have a way to measure how much companies are losing to online banking fraud?
RD: We do, but that’s not a request that we could just issue right away to the banks. If we thought this information would be valuable, we’d have to demonstrate why we need the information, and then put a request in to the [White House’s] Office of Management and Budget, saying we’d like to put a survey to the industry. And then the OMB would get back to us on whether that would be okay.
BK: That doesn’t sound like a huge hurdle…
RD: Agreed, but there are a lot of other issues that are creating real problems for financial institutions in the area of commercial real estate that we don’t have adequate information on either. With the [losses to smaller companies through online banking fraud], we’re talking about million-dollar losses, whereas the commercial real estate losses are in the billions. The larger economic losses to financial institutions in commercial real estate is creating havoc, and that’s where the main focus is now.
BK: So, you’re saying that if the banks were actually experiencing more situations in which they lost money as a result of this epidemic of online banking fraud being perpetrated against businesses, then regulators would care more about it?
RD: It’s something that comes on our radar screen when banks start taking losses, and not just businesses associated with those entities, that’s a fair observation. But to the extent those [attacks] create risk to bank customers, we have an obligation to engage our institutions and challenge them to do better.
I should note that there are a lot of things going on behind the scenes. We have been providing information to our bank examiners that’s not public on these threats, to ask them to increase their due diligence in looking at the authentication solutions that the banks use. We also issued a retail payments examination handbook that [asks] what institutions are doing to reach out to customers to make sure they’re aware of the requirements needed to conduct security transactions online.
BK: So are there no banks that are suffering financially as as result of this type of fraud?
RD: There are banks that are suffering from it. We have situations where banks are sharing the losses with their customers in order to avoid litigation, and in order to preserve business relationships. There are tangible losses we’re able to cite that make us engage in this area. And there are some legal cases out there that may change that landscape significantly should it be determined that banks aren’t providing the level of protection pursuant to the statute.
BK: Okay, but it doesn’t seem like banks really understand what was meant by that statute. As you just mentioned, there are a few lawsuits going on right now that may ultimately determine whether banks are doing the right thing.
RD: True. That bar is pretty ambiguously defined right now. What is commercially reasonable is not well defined, and right now it’s up to case law to determine it.
BK: I’ve been told by several analysts that part of the issue here is that many commercial banks have effectively outsourced a large portion of their visibility into online money transfers to third party companies, firms like Digital Insight, Jack Henry, Fiserv and others. While these entities may offer back-end transaction monitoring and other security features, it’s not clear to what extent the banks that rely on these companies are adopting those features, or even making them available as an option to commercial customers. It’s also not easy for companies to shop around for the most secure bank, because banks don’t always disclose what they are or are not doing to secure transactions. What are the regulators doing to in this regard?
RD: I can tell you we have been reaching out to all major service providers, and have had them in over the past few months to talk about this issue and adequacy of the authentication guidance that’s now a few years old. We’ve been discussing whether we should revamp that guidance. And we know that they have the products available, and are offering them, but we also know they have not been adopted in all cases because institutions haven’t suffered the losses to justify the expenses involved.
BK: What kinds of offerings are we talking about?
RD: They all have different levels of security that they offer. In most cases it’s cafeteria-style offerings, and the institutions select those or not based on their risk tolerance. That said, you have to recognize that as you meet with these people and talk to them, that they have an incentive to sell more product to get us to support greater authentication, so we need to walk a very fine line of addressing an issue versus promoting a service. We’re cautious about laying out a scenario that would allow them merely to sell more products, so it is a fine line.
I’ve spoken with the Better Business Bureau about this, and something they’re looking to do is create awareness to challenge your institution to provide you with more secure access if they’re not already doing that, and to encourage businesses to pay for those services if they’re available. We’re hoping to get the Small Business Administration involved in this as well.
BK: So are the regulators going to update their guidance?
RD: There is a working group of all FFIEC agencies that is looking at the authentication guidance. We went through a process over the last couple of months where we brought in many of the biggest service providers, the Jack Henrys, the Digital Insights, those type players. We had an open discussions with them but in a closed-door, off-the-record meetings with banking regulators. Then we brought in individual banks of all sizes to talk about the issues. The exploratory process just concluded a couple of weeks ago. The different banking regulators are now rolling up their sleeves and asking ‘What did we learn and what do we want to do next.’
BK: But what does that mean, in practical terms, vis-a-vis the current guidance on online banking?
RD: I think there’s an an awareness that what might have been adequate security four years ago when [a bank] examiner went in and asked institutions what they are doing on dual authentication is not adequate or may not be adequate now. There is an effort to see whether or not we need to update the guidance or issue an FAQ to clarify what is or is not adequate, and perhaps give some illustrated examples of what we believe is not adequate. We’re hoping we may have something released in a few months that speaks to that. So that’s an effort that’s ongoing, and all the banking regulators are involved in it, and it is absolutely very much front-of-mind for the regulators right now.