<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krebs on Security &#187; ffiec</title>
	<atom:link href="http://krebsonsecurity.com/tag/ffiec/feed/" rel="self" type="application/rss+xml" />
	<link>http://krebsonsecurity.com</link>
	<description>In-depth security news and investigation</description>
	<lastBuildDate>Wed, 23 May 2012 14:03:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
		<item>
		<title>Regulators Issue Updated eBanking Security Guidelines</title>
		<link>http://krebsonsecurity.com/2011/06/regulators-issue-updated-ebanking-security-guidelines/</link>
		<comments>http://krebsonsecurity.com/2011/06/regulators-issue-updated-ebanking-security-guidelines/#comments</comments>
		<pubDate>Wed, 29 Jun 2011 04:40:39 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[avivah litan]]></category>
		<category><![CDATA[ffiec]]></category>
		<category><![CDATA[gartner]]></category>
		<category><![CDATA[Sage Data Security]]></category>
		<category><![CDATA[Sari Green]]></category>
		<category><![CDATA[ZeuS Trojan]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=10476</guid>
		<description><![CDATA[Federal banking regulators today released a long-awaited supplement to the 2005 guidelines that describe what banks should be doing to protect e-banking customers from hackers and account takeovers. Experts called the updated guidance a step forward, but were divided over whether it would be adequate to protect small to mid-sized businesses against today's sophisticated online attackers.

The new guidance updates "Authentication in an Internet Banking Environment," a document released in 2005 by the Federal Financial Institutions Examination Council (FFIEC) for use by bank security examiners. The 2005 guidance has been criticized for being increasingly irrelevant in the face of current threats like the password-stealing ZeuS Trojan, which can defeat many traditional customer-facing online banking authentication and security measures. The financial industry has been expecting the update since December 2010, when a draft version of the guidelines was accidentally leaked.

The document released today (PDF) recognizes the need to protect customers from newer threats, but stops short of endorsing any specific technology or approach. Instead, it calls on banks to conduct more rigorous risk assessments,  to monitor customer transactions for suspicious activity, and to work harder to educate customers -- particularly businesses -- about the risks involved in banking online.]]></description>
			<content:encoded><![CDATA[
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2011/06/ffiec1.jpg"><img class="alignright size-full wp-image-10485" title="ffiec1" src="http://krebsonsecurity.com/wp-content/uploads/2011/06/ffiec1.jpg" alt="" width="171" height="171" /></a>Federal banking regulators today released a long-awaited supplement to the 2005 guidelines that describe what banks should be doing to protect e-banking customers from hackers and account takeovers. Experts called the updated guidance a step forward, but were divided over whether it would be adequate to protect small to mid-sized businesses against today&#8217;s sophisticated online attackers.</p>
<p>The new guidance updates &#8220;Authentication in an Internet Banking Environment,&#8221; a document released in 2005 by the <strong>Federal Financial Institutions Examination Council</strong> (FFIEC) for use by bank security examiners. The 2005 guidance has been criticized for being increasingly irrelevant in the face of current threats like the password-stealing <strong>ZeuS Trojan</strong>, which can defeat many traditional customer-facing online banking authentication and security measures. The financial industry has been expecting the update since December 2010, when a draft version of the guidelines was accidentally leaked.</p>
<p>The <a title="Supplement to Authentication in an Internet Banking Environment" href="http://www.fdic.gov/news/news/press/2011/pr11111a.pdf" target="_blank">document released today</a> (PDF) recognizes the need to protect customers from newer threats, but stops short of endorsing any specific technology or approach. Instead, it calls on banks to conduct more rigorous risk assessments, to monitor customer transactions for suspicious activity, and to work harder to educate customers &#8212; particularly businesses &#8212; about the risks involved in banking online.</p>
<p>&#8220;Fraudsters have continued to develop and deploy more sophisticated, effective, and malicious methods to compromise authentication mechanisms and gain unauthorized access to customers&#8217; online accounts,&#8221; the FFIEC wrote. <span class="pullquote pqLeft">&#8220;Rapidly growing organized criminal groups have become more specialized in financial fraud and have been successful in compromising an increasing array of controls.&#8221;</span></p>
<p>The 2005 guidelines drew little distinction between precautions a bank should take to protect consumer and commercial accounts, but the supplement makes clear that online business transactions generally involve a much higher level of risk to financial institutions and commercial customers. It calls for &#8220;layered security programs&#8221; to deal with these riskier transactions, such as:</p>
<ul>
<li>methods for detecting transaction anomalies;</li>
<li>dual transaction authorization through different access devices;</li>
<li>the use of out-of-band verification for transactions;</li>
<li>the use of &#8220;positive pay&#8221; and debit blocks to appropriately limit the transactional use of an account;</li>
<li>&#8220;enhanced controls over account activities,&#8221; such as transaction value thresholds, payment recipients, the number of transactions allowed per day and allowable payment days and times; and</li>
<li>&#8220;enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate the risk.&#8221;</li>
</ul>
<p><span id="more-10476"></span>The FFIEC said that, at a minimum, a layered security program should be designed to detect strange or unusual behavior when the customer is logging in to the system, <strong>and</strong> when initiating electronic transfers to third parties. One pattern of activity that was common <a title="Target: Small Businesses" href="http://krebsonsecurity.com/category/smallbizvictims/" target="_blank">in almost every corporate account takeover I&#8217;ve written about</a> has been the addition of multiple new &#8220;employees&#8221; to the victim organization&#8217;s payroll account prior to fraudulent transfers.</p>
<p>&#8220;Based upon the incidents the Agencies have reviewed, manual or automated transaction monitoring or anomaly detection and response could have prevented many of the frauds since the ACH/wire transfers being originated by the fraudsters were anomalous when compared with the customer&#8217;s established patterns of behavior.&#8221;</p>
<p><strong>Avivah Litan</strong>, a fraud analyst at <strong>Gartner Inc.</strong>, said the guidance is silent on the role of bank service providers like Fiserv, Jack Henry and Digital Insight. Most smaller institutions outsource a portion – if not all – of the oversight of their customers&#8217; daily transactions to one of about a dozen third-party service providers. Many of these providers have been criticized for being slow to offer or market services that would let banks detect the types of transaction anomalies described by the FFIEC.</p>
<p>Litan estimates that between 70 and 80 percent of banking institutions in the United States outsource at least some of their visibility into customer transactions to service providers.</p>
<p>&#8220;If you&#8217;re a small bank that has outsourced most of this to a service provider, what are you supposed to do, demand that the provider implement these guidelines?&#8221; Litan asked. &#8220;What&#8217;s worse is that the [FFIEC guidelines] haven&#8217;t been aggressively enforced by the examiners at the service provider level, and the service providers need to be front and center in the spotlight.&#8221;</p>
<p>Litan said it was good that the FFIEC said banks should not rely solely on technologies and approaches that have shown to be particularly ineffective against today&#8217;s malware, such as &#8220;challenge questions&#8221; and methods designed to profile the customer&#8217;s computer by using some unique identifier. But she said it was disappointing that the regulators didn&#8217;t discourage banks from using these technologies altogether.</p>
<p>&#8220;This is a political document &#8212; it&#8217;s very wishy-washy &#8212; you can tell they&#8217;re trying to balance the demands of the banking lobbyists and protect the safety of accounts,&#8221; Litan said. &#8220;But they got the overall principles right: banks should perform regular risk assessments, adopt a layered approach, and look for anomalous activity and not expect their customers to spot that.&#8221;</p>
<p><strong>Sari Greene</strong>, president of South Portland, Maine consultancy <a title="Sage Data Security" href="http://sagedatasecurity.com/" target="_blank">Sage Data Security</a>, said the guidelines may seem like common sense no-brainers to security experts.</p>
<p>&#8220;I think you have to frame the discussion of what&#8217;s in this document in the context of its intended audience, which is folks in the banking community and risk management at those institutions,&#8221; Greene said. &#8220;To that end, I think it does a pretty good job of delivering the message that this is a cat-and-mouse game and you have to be continually reassessing the risk.&#8221;</p>
<p>Although the 2005 guidance required banks to conduct only &#8220;periodic&#8221; risk assessments, Greene said, this updated document says institutions must reassess whether their security is adequate whenever they offer new electronic banking services, when substantially new threats arise, or at least every 12 months.</p>
<p>Greene said the updated guidance doesn&#8217;t give a free pass to banks that outsource security to service providers. &#8220;I think the guidance speaks to the notion that you can use service providers, but that the onus is still on you, the institution, to absorb the risk for those transactions,&#8221; she said.</p>
<p>Greene added that the most important part of the FFIEC&#8217;s guidelines is that bank examiners will have more leverage in deciding whether financial institutions are doing enough to protect their customers.</p>
<p>&#8220;The important thing is the ammunition they&#8217;re giving to bank examiners,&#8221; Greene said. &#8220;Those examiners now have a lot more information to work with when doing their exams and holding banks accountable.&#8221;</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/06/regulators-issue-updated-ebanking-security-guidelines/feed/</wfw:commentRss>
		<slash:comments>26</slash:comments>
		</item>
		<item>
		<title>Experi-Metal vs. Comerica Case Heads to Trial</title>
		<link>http://krebsonsecurity.com/2011/01/experi-metal-vs-comerica-case-heads-to-trial/</link>
		<comments>http://krebsonsecurity.com/2011/01/experi-metal-vs-comerica-case-heads-to-trial/#comments</comments>
		<pubDate>Wed, 19 Jan 2011 18:28:25 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[avivah litan]]></category>
		<category><![CDATA[Charisse Castagnoli]]></category>
		<category><![CDATA[David Navetta]]></category>
		<category><![CDATA[ffiec]]></category>
		<category><![CDATA[Uniform Commercial Code]]></category>

		<guid isPermaLink="false">http://krebsonsecurity.com/?p=7397</guid>
		<description><![CDATA[A lawsuit headed to court this week over the 2009 cyber theft of more than a half-million dollars from a small metals shop in Michigan could help draw brighter lines on how far banks need to go to protect their business customers from account takeovers and fraud.]]></description>
			<content:encoded><![CDATA[
<p>A lawsuit headed to court this week over the 2009 cyber theft of more than a half-million dollars from a small metals shop in Michigan could help draw brighter lines on how far banks need to go to protect their business customers from account takeovers and fraud.</p>
<p><a href="http://krebsonsecurity.com/wp-content/uploads/2010/02/experi-metal.jpg"><img class="alignright size-medium wp-image-976" title="experi-metal" src="http://krebsonsecurity.com/wp-content/uploads/2010/02/experi-metal-300x114.jpg" alt="" width="300" height="114" /></a>The case is being closely watched by a number of small to mid-sized organizations that have lost millions to cyber thieves and have been waiting for some sign that courts might be willing to force banks to assume at least some of those losses.</p>
<p>Nearly two years ago, cyber crooks <a href="http://krebsonsecurity.com/2010/02/comerica-phish-foiled-2-factor-protection/">stole more than $560,000</a> from Sterling Heights, Mich. based <strong>Experi-Metal Inc.</strong> (EMI), sending the money to co-conspirators in a half-dozen countries.</p>
<p><span id="more-7397"></span></p>
<p>On Jan. 22, 2009, EMI controller <strong>Keith Maslowski</strong> responded to an e-mail that appeared to be from its bank, <strong>Comerica</strong>. The message claimed the bank needed to carry out scheduled maintenance on its banking software, and instructed the EMI employee to log in at a Web site that looked like Comerica’s online banking site. Maslowski says the email resembled the annual e-mails Comerica used to send, prompting customers to renew EMI&#8217;s digital certificates. Trouble was, the year before, Comerica had switched from using digital certificates to requiring commercial customers to enter the one-time passcode from a security token. The site linked to in the e-mail asked for that code, and Maslowski complied.</p>
<p>Almost immediately, the crooks who stole those credentials began wiring money out of EMI’s account. Between 7:30 a.m. and 10:50 a.m. that day, the attackers initiated 47 wire transfers — to China, Estonia, Finland, Russia and Scotland.</p>
<p>Both EMI and Comerica agree on the above version of events, but have very different versions of what happened before and directly after the theft. The two parties met on Tuesday for a pretrial conference, and presented their respective briefs to the court. Comerica&#8217;s is <a href="http://krebsonsecurity.com/wp-content/uploads/2011/01/Comerica-Trial-Brief.pdf" target="_blank">here</a> (PDF), and Experi-Metal&#8217;s is available at <a href="http://krebsonsecurity.com/wp-content/uploads/2011/01/Experi-metal-Trial-Brief.pdf" target="_blank">this link</a> (PDF).</p>
<p>EMI claims Comerica inquired about the transfers at 10:50 a.m., and that EMI asked the banks not to honor any requested wire transfers until future notice. But over the next three hours, thieves would initiate another 38 wires from EMI’s account. EMI also noted that, prior to this burst of fraudulent wires, the company had requested a total of two wire transfers in as many years.</p>
<p>For its part, Comerica said Experi-Metal is not entitled to relief because it cannot prove that Comerica&#8217;s actions caused its claimed damages. &#8220;The unfortunate events of January 22, 2009 happened because Mr. Maslowski failed to safeguard Experi-Metal&#8217;s security information, in breach of Experi-Metal&#8217;s contract with Comerica,&#8221; Comerica said in its pre-trial brief. &#8220;And those losses would not have occurred had Experi-Metal accepted Comerica&#8217;s recommendation that Experi-Metal require a different user to approve all wires after one user initiated them.&#8221;</p>
<p>Many of the facts to be litigated center on whether Maslowski was authorized to initiate electronic transfers, and whether Comerica employees failed to take timely action on the suspected fraud under industry and commercial standards. Also in question is what portion of Experi-Metal&#8217;s claimed losses occurred before Comerica knew of, and had a reasonable amount of time to react to, the fraudulent wires.</p>
<p>Businesses do not enjoy the same legal protections afforded to consumer banking customers hit by cyber thieves, and most organizations will be held responsible for any losses due to phishing or account takeovers. But a rash of these attacks that has netted thieves more than $70 million over the last few years has caused some victim businesses and their lawyers to look for ways to hold banks more accountable, by pointing out ways in which the banks may not be living up to the somewhat nebulous state legal standards that govern commercial banking activities.</p>
<p>The few cases brought so far challenge whether banks are meeting their obligations under the Uniform Commercial Code. Michigan&#8217;s adoption of the <a href="http://www.law.cornell.edu/ucc/4A/4A-202.html">UCC holds</a> that a payment order received by the [bank] is &#8220;effective as the order of the customer, whether or not authorized, if the security procedure is a <em>commercially reasonable method</em> [emphasis mine] of providing security against unauthorized payment orders, and the bank proves that it <em>accepted the payment order in good faith</em> and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.&#8221;</p>
<p><strong>David Navetta</strong>, founding partner of the <strong>Information Law Group</strong> and co-chair of the <strong>American Bar Association&#8217;s Information Security Committee</strong>, said the court in this case punted on any discussion of whether Comerica&#8217;s security procedures were commercially reasonable. Instead, Navetta said, the court focused on the contracting process between the parties. It declared as a matter of law that Comerica’s security was reasonable because EMI had agreed that it was reasonable in a contract.</p>
<p>&#8220;The EMI Court also focused on process in another way that ultimately hurt the bank, and provide the main basis of the dispute for this trial,&#8221; Navetta wrote in an e-mail to KrebsOnSecurity. &#8220;The court focused on the question of whether Comerica acted in &#8216;good faith&#8217; in accepting the payment orders from the phishers.  This essentially shifts the analysis to the activities of Comerica in reacting to the security breach and refraining from processing the fraudulent wire transfers and sending money out. The question becomes where do the bank’s responsibilities end and the customer’s begin, and to what degree must banks anticipate their customer’s mistakes and develop security to mitigate the risk of a security breach. Reading the trial papers it is obvious that the big fight in front of the jury is whether and to what degree EMI brought this upon itself.&#8221;</p>
<p>Navetta believes this case is likely to make banks look very carefully at their security policies and make sure they are in line with federal guidance from federal regulators. &#8220;They also may beef up their educational processes around phishing attacks,&#8221; Navetta said. &#8220;They will also likely offer very robust security in some cases that their clients may ultimately turn down.&#8221;</p>
<p>For the moment, though, relatively few banks &#8212; particularly smaller to mid-sized institutions &#8212; are offering commercial customers that robust security that goes beyond mere customer authentication, said <strong>Charisse Castagnoli</strong>, an independent security consultant and adjunct professor at the <strong>John Marshall Law School</strong>.</p>
<p>Castagnoli said more banks could and should offer the kind of technology employed by the major credit card networks, which try to build profiles of customer activity and then alert the customer or the issuing bank of any suspicious or unusual activity. But she said a large percentage of banks outsource the day-to-day customer transactions to third-party service providers, most of whom do not currently offer services that would conduct that transaction analysis.</p>
<p>&#8220;If you look at economic theory, the organization that is best positioned to mitigate the risk is really the bank, because with extremely simple technologies deployed they could reduce risk of current threat or losses from 90 to 95 percent of the time,&#8221; Castagnoli said.</p>
<p>&#8220;This is a classic case where anomaly detection is ideally suited, because if you look at the circumstances in these thefts and how the transfers occurred, it slaps you in the face because most of this activity looks so odd and would stand out to anyone who took a moment to look,&#8221; she said. &#8220;But the service providers don&#8217;t offer this detection, because of the cost to implement and deploy it, and the question of whether they can push those costs onto their customers. On top of that, there is no incentive or disincentive for that provider to make these investments, because it increases complexity and cost, and nobody is mandating that they do it.&#8221;</p>
<p>That may change soon. Gartner fraud analyst <strong>Avivah Litan</strong> <a href="http://blogs.gartner.com/avivah-litan/2011/01/12/get-ready-for-new-u-s-bank-it-security-guidance/" target="_blank">wrote last week</a> that businesses can soon expect new IT security guidance from the <strong>Federal Financial Institutions Examination Council</strong> (FFIEC), the regulatory body that issued the last round of guidance on secure electronic banking, <a href="http://www.ffiec.gov/pdf/authentication_guidance.pdf" target="_blank">Authentication in an Internet Banking Environment</a> (PDF), in 2005. From Litan&#8217;s blog:</p>
<blockquote><p>&#8220;Nonetheless, not all financial institutions have kept up with the  spirit of the 2005 guidance. The threats and associated risk levels have  clearly moved ahead of the safeguards many banks and credit unions, and  their service providers have in place today.</p>
<p>&#8220;Typically, the larger banks and credit unions have remained  proactive, for reasons ranging from reducing fraud costs, maintaining  reputations, and improving organizational efficiency.</p>
<p>&#8220;But most of the smaller financial institutions have relied on their  online banking service providers to mitigate fraud risk with appropriate  services, but the service providers have not introduced risk  appropriate fraud mitigation services across their various platform  versions and implementations, leaving thousands of U.S. financial  institutions — and their customers — unnecessarily exposed.</p>
<p>&#8220;I don’t envy the regulators’ job of striking the right balance  between too much and too little prescriptive guidance. But based on what  happened with the last round, it appears that many  executives at  financial institutions need more regulatory prodding and detailed  guidance in order to allocate budgetary resources to their online and  mobile (and other channels’) banking security programs.</p>
<p>&#8220;The fate of a customer’s bank account safety should not be determined  by the U.S. courts. It should be proactively guided by well-informed  and balanced regulators, and conscientious security staff at our  nation’s banks.&#8221;</p></blockquote>
<p>I will continue to closely follow this case and others like it. Stay tuned for more updates, including news of additional lawsuits from commercial banking customers seeking to recover six-figure losses from cyber fraud.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2011/01/experi-metal-vs-comerica-case-heads-to-trial/feed/</wfw:commentRss>
		<slash:comments>90</slash:comments>
		</item>
		<item>
		<title>Regulators Revisit E-Banking Security Guidelines</title>
		<link>http://krebsonsecurity.com/2010/03/regulators-revisit-e-banking-security-guidelines/</link>
		<comments>http://krebsonsecurity.com/2010/03/regulators-revisit-e-banking-security-guidelines/#comments</comments>
		<pubDate>Wed, 03 Mar 2010 18:16:08 +0000</pubDate>
		<dc:creator>BrianKrebs</dc:creator>
				<category><![CDATA[A Little Sunshine]]></category>
		<category><![CDATA[Target: Small Businesses]]></category>
		<category><![CDATA[fdic]]></category>
		<category><![CDATA[ffiec]]></category>

		<guid isPermaLink="false">http://www.krebsonsecurity.com/?p=1435</guid>
		<description><![CDATA[Prodded by incessant reports of small- to mid-sized business losing millions of dollars at the hands of organized cyber criminals, federal regulators may soon outline more stringent steps that commercial banks need to take to protect business customers from online banking fraud and educate users about the risks of banking online. At issue are the [...]]]></description>
			<content:encoded><![CDATA[
<p>Prodded by incessant reports of small- to mid-sized business losing millions of dollars at the hands of organized cyber criminals, federal regulators may soon outline more stringent steps that commercial banks need to take to protect business customers from online banking fraud and educate users about the risks of banking online.</p>
<p>At issue are the <a href="http://www.ffiec.gov/pdf/authentication_guidance.pdf" target="_blank">guidelines</a> jointly issued in 2005 by five federal banking regulators under the umbrella of the <strong>Federal Financial Institutions Examination Council</strong> (FFIEC). The guidance was meant to prod banks to implement so-called &#8220;multifactor authentication&#8221; &#8212; essentially, to require customers to provide something else in addition to a user name and password when logging into their bank accounts online, such as the output from a security token.</p>
<p>The FFIEC didn&#8217;t specify exactly how the banks had to do this, and indeed it left it up to financial institutions to work out the most appropriate approach. However, many banks appear to have gravitated toward approaches that are relatively inexpensive, easy to defeat, and that may not strictly adhere to the guidance, such as forcing customers to periodically provide the answer to &#8220;challenge questions&#8221; as a prerequisite to logging in to their accounts online.</p>
<p>Unfortunately, as <a href="http://www.krebsonsecurity.com/category/smallbizvictims/" target="_blank">I have documented time and again</a>, organized computer criminals are defeating these solutions with ease. Experts say part of the problem is that few of these solutions can protect customers whose systems are already infected with password-stealing malicious software. What&#8217;s more, few banks have put in place technology on their back-end systems to monitor customer transactions for anomalies that may indicate fraudulent activity, much in the way that the credit card industry sifts through data in real time and alerts the customer if a transaction or set of transactions radically deviate from that customer&#8217;s usual purchasing habits.</p>
<p>Last month, krebsonsecurity.com interviewed <strong>Robert C. Drozdowski</strong>, a senior technology specialist with the <strong>Federal Deposit Insurance Corporation</strong> (FDIC). Drozdowski told me that the banking regulators recently convened a series of meetings with banks and security technology providers to figure out whether additional guidance would help banks do a better job of protecting their commercial customers. I asked him about the current state of these regulations and what we might expect from banking regulators in the months ahead on this issue. What follows is a portion of that discussion.</p>
<p><span id="more-1435"></span><strong>BK:</strong> From what I&#8217;ve been able to gather, this is a type of fraud that often does not directly impact banks, and therefore might not lead to institutions being able to document the losses from online banking fraud. Do the banking regulators have a way to measure how much companies are losing to online banking fraud?</p>
<p><strong>RD:</strong> We do, but that&#8217;s not a request that we could just issue right away to the banks. If we thought this information would be valuable, we&#8217;d have to demonstrate why we need the information, and then put a request in to the [White House's] Office of Management and Budget, saying we&#8217;d like to put a survey to the industry. And then the OMB would get back to us on whether that would be okay.</p>
<p><strong>BK:</strong> That doesn&#8217;t sound like a huge hurdle…</p>
<p><strong>RD:</strong> Agreed, but there are a lot of other issues that are creating real problems for financial institutions in the area of commercial real estate that we don&#8217;t have adequate information on either. With the [losses to smaller companies through online banking fraud], we&#8217;re talking about million-dollar losses, whereas the commercial real estate losses are in the billions. The larger economic losses to financial institutions in commercial real estate are creating havoc, and that&#8217;s where the main focus is now.</p>
<p><strong>BK: </strong>So, you&#8217;re saying that if the banks were actually experiencing more situations in which they lost money as a result of this epidemic of online banking fraud being perpetrated against businesses, then regulators would care more about it?</p>
<p><strong>RD: </strong>It&#8217;s something that comes on our radar screen when banks start taking losses, and not just businesses associated with those entities, that&#8217;s a fair observation. But to the extent those [attacks] create risk to bank customers, we have an obligation to engage our institutions and challenge them to do better.</p>
<p>I should note that there are a lot of things going on behind the scenes. We have been providing information to our bank examiners that&#8217;s not public on these threats, to ask them to increase their due diligence in looking at the authentication solutions that the banks use. We also issued a retail payments examination handbook that [asks] what institutions are doing to reach out to customers to make sure they&#8217;re aware of the requirements needed to conduct security transactions online.</p>
<p><strong>BK:</strong> So are there no banks that are suffering financially as a result of this type of fraud?</p>
<p><strong>RD:</strong> There are banks that are suffering from it. We have situations where banks are sharing the losses with their customers in order to avoid litigation, and in order to preserve business relationships. There are tangible losses we’re able to cite that make us engage in this area. And there are some legal cases out there that may change that landscape significantly should it be determined that banks aren’t providing the level of protection pursuant to the statute.</p>
<p><strong>BK:</strong> Okay, but it doesn&#8217;t seem like banks really understand what was meant by that statute. As you just mentioned, there are a few lawsuits going on right now that may ultimately determine whether banks are doing the right thing.</p>
<p><strong>RD: </strong> True. That bar is pretty ambiguously defined right now. What is commercially reasonable is not well defined, and right now it’s up to case law to determine it.</p>
<p><strong>BK:</strong> I&#8217;ve been told by several analysts that part of the issue here is that many commercial banks have effectively outsourced a large portion of their visibility into online money transfers to third party companies, firms like Digital Insight, Jack Henry, Fiserv and others. While these entities may offer back-end transaction monitoring and other security features, it&#8217;s not clear to what extent the banks that rely on these companies are adopting those features, or even making them available as an option to commercial customers. It&#8217;s also not easy for companies to shop around for the most secure bank, because banks don&#8217;t always disclose what they are or are not doing to secure transactions. What are the regulators doing in this regard?</p>
<p><strong>RD:</strong> I can tell you we have been reaching out to all major service providers, and have had them in over the past few months to talk about this issue and adequacy of the authentication guidance that’s now a few years old. We&#8217;ve been discussing whether we should revamp that guidance. And we know that they have the products available, and are offering them, but we also know they have not been adopted in all cases because institutions haven’t suffered the losses to justify the expenses involved.</p>
<p><strong>BK:</strong> What kinds of offerings are we talking about?</p>
<p><strong>RD: </strong>They all have different levels of security that they offer. In most cases it’s cafeteria-style offerings, and the institutions select those or not based on their risk tolerance. That said, you have to recognize that as you meet with these people and talk to them, they have an incentive to sell more product to get us to support greater authentication, so we need to walk a very fine line of addressing an issue versus promoting a service. We&#8217;re cautious about laying out a scenario that would allow them merely to sell more products, so it is a fine line.</p>
<p>I’ve spoken with the Better Business Bureau about this, and something they’re looking to do is create awareness to challenge your institution to provide you with more secure access if they’re not already doing that, and to encourage businesses to pay for those services if they&#8217;re available. We&#8217;re hoping to get the Small Business Administration involved in this as well.</p>
<p><strong>BK:</strong> So are the regulators going to update their guidance?</p>
<p><strong>RD: </strong>There is a working group of all FFIEC agencies that is looking at the authentication guidance. We went through a process over the last couple of months where we brought in many of the biggest service providers, the Jack Henrys, the Digital Insights, those types of players. We had open discussions with them, but in closed-door, off-the-record meetings with banking regulators. Then we brought in individual banks of all sizes to talk about the issues. The exploratory process just concluded a couple of weeks ago. The different banking regulators are now rolling up their sleeves and asking &#8216;What did we learn and what do we want to do next.&#8217;</p>
<p><strong>BK:</strong> But what does that mean, in practical terms, vis-a-vis the current guidance on online banking?</p>
<p><strong>RD:</strong> I think there’s an awareness that what might have been adequate security four years ago when [a bank] examiner went in and asked institutions what they are doing on dual authentication is not adequate or may not be adequate now. There is an effort to see whether or not we need to update the guidance or issue an FAQ to clarify what is or is not adequate, and perhaps give some illustrated examples of what we believe is not adequate. We&#8217;re hoping we may have something released in a few months that speaks to that. So that’s an effort that’s ongoing, and all the banking regulators are involved in it, and it is absolutely very much front-of-mind for the regulators right now.</p>

]]></content:encoded>
			<wfw:commentRss>http://krebsonsecurity.com/2010/03/regulators-revisit-e-banking-security-guidelines/feed/</wfw:commentRss>
		<slash:comments>45</slash:comments>
		</item>
	</channel>
</rss>

