Article coming from the Review (2012 winter issue)
Author: Wendy M. Grossman
While the rest of the world adopts fraud-fighting technology such as chip-based cards, the US banking system has so far resisted change. But with fraud figures on the rise, how much longer can it hold out?
"Why do you rob banks?” a reporter once asked the legendary American bank robber Willie Sutton. His often-quoted but apocryphal reply: “That’s where the money is.”
Modern-day criminals still have their sights set on banks, but today the money is in cyberspace and, increasingly, the targets are not banks’ secure websites, but their customers.
These cyber-attacks take many forms: computer malware; monitoring devices such as keyloggers; man-in-the- middle attacks; and phishing emails – those spam emails people get that look nearly identical to those from a bank, down to the logos and legal wording. Another is a new take on an age-old con: simply duping insiders or consumers into sharing confidential information, a practice now called social engineering.
Every country handles such problems differently. A trend among UK banks is to issue customers with handheld devices that generate one-time passcodes when they log into their bank’s website. Some of these devices, such as
PINsentry from Barclays
, create a code using the embedded chip when the user inserts his or her card. The result is two-factor authentication: something you have (the card) and something you know (the code).
In the US, however, most credit and debit cards still use magnetic stripes; chip and PIN is nearly unknown. One barrier is the US banking culture. Adam Dolby, eBanking Sales Manager, Gemalto Americas, says that, more than in Europe, US banks have tended to accept fraud as an inevitable cost of doing business. Conversely, security devices have been regarded as a cost with little benefit. But rising fraud and angry customers make this situation unsustainable.
Dolby explains that, in the US, online banking is roughly split in half: consumers do internet banking and corporates do direct deposit, tax payments and payroll. Like many countries, the US grants regulatory protection to consumers, protection that has been reinforced by efforts to encourage consumers to use the internet as a platform for eCommerce by teaching them that they are not liable for losses.
This approach presumes, however, that organizations have the staff and knowledge to look out for themselves. “Caught in the middle of that divide are municipalities, retailers, small businesses and non-profits, where often the services being used are similar to consumer online retail,” says Dolby. “However, they’re really considered a corporate banking client.” Such operations do not have the manpower or expertise to protect themselves – and they are increasingly the targets of online banking fraud.
According to the Nilson Report’s annual fraud figures for 2011, the US accounts for 47% of global card fraud even though it generates only 27% of the total volume of transactions. In August 2011, Dell SecureWorks estimated US banking fraud in 2010 at US$1 billion. The new Federal Financial Institutions Examination Council (FFIEC) guidelines announced in July 2011 do little to protect the customers on Dolby’s list, who are being stuck with the blame – and the losses.
In 2010, the FBI said that 205 US businesses had reported incidents of corporate account takeover since 2004, with losses of US$40 million. By the end of 2011, those figures had mushroomed to 400 incidents and US$85 million and look set to continue growing. In one example, the Diocese of Des Moines, Iowa, lost US$600,000 in a single weekend through an organized attack that funneled funds through “money mules” – usually unsuspecting middlemen who transfer stolen money electronically from the victim account to the fraudster.
The reasons why this type of fraud is on the rise are simple: typically, organizations have larger balances than consumers and the fraud is harder to spot among numerous transactions.
Attacks are increasingly sophisticated. Phishing siphons victims’ money by targeting one or more individuals within an organization who have the authority to transfer funds. Man-in-the-middle attacks hijack browser sessions and direct internet users to a fake website. Alternatively, thieves gain access to vital information through implanted keylogging malware or social engineering.
Technology to prevent this type of fraud has long been available. eCommerce transactions, for example, are protected by the public key infrastructure (PKI) underlying the Secure Sockets Layer (SSL) protocol that ensures financial details are encrypted in transit. The one-time passcodes and PINs generated by the devices European banks deploy to their customers are another example.
While Americans are famous for enthusiastically adopting new technology, they are conservative when it comes to financial change: many families still pay their bills by personal check, and even smaller innovations like the $1 coin meet with near-total rejection. Any fraud protection device needs to be easy to use and offer clear benefits. The Ezio Plug&Sign is one recent development.
Dolby names two challenges for anyone operating in the online banking security space: continuing to evolve the design of any product to stay one step ahead of organized criminals, and addressing what he calls the “ultra mobile” space – smartphones, tablets and similar gadgets.“These are a challenge because often they don’t have a USB port or, in the case of the iPad, any ports at all,” he says, adding that such devices also run on a variety of operating systems. “How to make a device for one user that is potentially usable on multiple operating systems is a challenge. Fortunately, it’s not needed yet, but soon it will be.”
And the final challenge? Changing the culture so that banks, as well as their customers, accept that investing in technology to protect themselves is a necessity.
Gemalto's solution to the assault on account security is
Ezio Plug&Sign, a USB stick that plugs into a spare port on a Windows PC or a Mac. The Linux version is due early in 2012. Plug&Sign installs no software, but launches an application from the stick's read-only partition that offers a choice of functions, such as digitally signing a transfer of funds. To do this, the device opens a secure session within the bank's site, the user chooses a transaction and types in a PIN, then has the opportunity to review the information she or he has sent. The device confirms the action by changing color and digitally signs the transaction to authenticate the user.
Adam Dolby argues that this design has several security benefits. First, it is “zero footprint” – it installs nothing on the user's computer that could be intercepted or corrupted if the machine is infected by malware. The stick has two partitions: one read-only, one read-write. The secure session is opened in the browser software provided in the read-only partition and only loads legitimate, “white-listed” URLs. Also, the design builds on established standards that have been thoroughly tested by years of use, such as SSL for PKI and cryptography. Necessary updates – for example, if there are changes to certificate authorities or URLs, or if a browser update is necessary – are carried out remotely by the issuing bank and transmitted to the read-write partition without disrupting the user's secure session.
Gemalto has also put effort into the usability of the Ezio system, knowing this is where many products fail.
The color-change feedback on completion of a transaction aids the user, as does the gadget’s physical design that the company boasts requires just "a fully functional finger" to operate.