Under lock and key

The Banker Magazine, Financial Times ❘ 7th August 2006

The Banker Magazine

Tim Best, head of business development, e-identity solutions at Logica CMG

With fraudsters mounting increasingly sophisticated and co-ordinated online attacks, banks must be constantly prepared for the latest threats. Dan Barnes explains.

Staring into a flat-screen monitor in Tel Aviv, Israel, a woman watches an online transaction being processed, waiting. An alert pops up on her screen rating the attempted money transfer as “probably fraudulent”. Given the available information - that was the second transaction on the account in a minute, the first from Canada, the second from Portugal - the rating is justified. The account holder is unlikely to have travelled the Atlantic in a few seconds.

The transaction is queried and the system “paints” all available data relating to it - normal access details (PC details, IP address), proxy access details, area and country of origin and bank holding the account. When the (now) frustrated fraudster attempts another transaction from the same IP address but at another bank, this transaction is also queried, the system noting the IP address and “painting” information relating to the new account. The fraudster uses the same machine via another IP address in an attempt to access a new account. The new IP address is also “painted”. “Every time a detail changes we have more factors that can be used to identify that person. It’s like a web - the more they struggle the more enmeshed they are.”

So says Naftali Bennett, senior vice-president of the Consumer Solutions Division at IT firm RSA Security. His team studies banks of monitors in RSA’s cool, air-conditioned centre, patiently waiting for signs of illegal activity, analysing incoming data and serving notice on hosts of fraudulent bank (phishing) websites to get them shut down, notifying banks of unusual activity and monitoring fraudster internet forums described as “the equivalent of Ebay for criminals”. Fraud is a frontline activity for the online criminal.

RSA shuts down anywhere between 50-150 phishing sites per day. It has prevented 15,000 phishing attacks (from unique URLs). That is an impressive amount of countermeasures. Yet globally only between 25 and 50 phishers have been investigated in the past three years and of these not all were prosecuted. To impose any meaningful limit on the current growth of fraud will take an investment from the banks, says Tim Best, head of business development, e-identity solutions at Logica CMG. He takes the example of internal threats: “In cases where employees can be a risk, it is vital that screening is carried out by the banks, and although this can be a time-consuming process, the use of technology can give a bank the edge here.”

Citing work that his organisation has carried out at Schipol Airport in the Netherlands, he explains that a combination of applied process and IT systems can dramatically cut an organisation’s exposure to employee fraud. “Initially it is vital that employees’ backgrounds are checked. At Schipol, for example, potential employees will be checked for outstanding warrants and if any are found, the police will be contacted immediately.”

Cross-referencing

A number of systems can be employed for this purpose. One developed by BT and a winner of “Compliance Initiative of the Year” in The Banker Technology Awards 2005, is entitled URU (you are you). Essentially it is a web service that allows subscribing organisations to search multiple databases, such as electoral rolls and credit reference agencies, in order to verify a person’s identity.

Chris Hughes, marketing director, financial services, BT Consulting & Systems Integration, explains: “We don’t provide a true or false reading with URU but rather a grading of probability based on the checks run on particular records. That gives the bank a measure and it can decide at what level it should query its findings.” The system can be used not only for employees but also to verify the status of customers should fraud be suspected, thus assisting with “Know your customer” (KYC) compliance.”

Once the bank is satisfied that its employee has not previously been connected to any behaviour worthy of concern, it should not lower its guard, says Mr Best. “One of the first points is entry into buildings. You can scan each person entering using your preferred method such as iris scanning, or fingerprint scanning. Using devices such as entry cards on their own is rarely sufficient these days.”

As Jerome Torres Lozano, senior project manager at Kroll Ontrack, points out: “It can be more profitable and less risky to try to rob a bank with a USB stick than with a gun.” For this reason he suggests that banks must carry out IT audits much more frequently than other companies to meet the increased risk.

His colleague Michael Taylor, a legal consultant, says that increasingly insurers are taking interest in the systems a bank is using to protect itself in order to rate premiums: “This is fairly new phenomenon. There is a chance that if banks don’t begin taking action they will begin to see premiums increase for insurance against theft or fraud.”

Monitor behaviour

It is also important that banks maintain a vigil over employees, some more than others. A significant risk is posed by cleaning staff as they have to have access to many areas of the building and are likely to be among the lowest paid staff at a bank. Mr Best points out that internal security cameras tied to the latest software advances can monitor staff behaving oddly. “Nice Systems have a product that will highlight unusual behaviour - such as a cleaner spending 10 minutes under a desk - that could raise alerts to a security guard.”

Mark Johnson, chairman of the LMAs (Lloyd’s Market Association) Financial Institutions Business Panel and director at Talbot Underwriting, also points out that technology is not always the answer. Implementing simple procedures can really assist banks in the fight against internal fraud, he says. “Some old-fashioned checks still really stand up. One recommended procedure is to make employees take a two-week break, during which the company can check for any unusual activities.”

Martin Gibbon, head of risk practice at SAS Institute, says that this type of forensics is ideally assisted by data analysis systems if, for example, a bank employing thousands of people across a region is going to carry out any sort of worthwhile checks. “You need to cross-check entry logs, system access logs and internet access logs as well as looking at data transfer in case it has been transferred to another device or emailed outside of the company.”

The real challenge is getting the data that you need to check in the first place. The ability to carry out these checks is dependent on connected systems within the bank - if your systems only work in silos there is a chance that criminals working across the bank will go unnoticed, he says. “Individual actions may not add up - the more you can see, the better your chance of preventing fraud.”

Patient approach

If internal fraud is discovered, it is important not to act rashly, says Mr Taylor. “To use a gardening metaphor, it is like trying to remove a weed from your garden - you must try and remove the whole root to remove the problem, not simply cap it off above ground.” This is not only vital to ensure the problem does not recur but also to ensure a successful prosecution.

At counter espionage specialists International Intelligence, CEO Alex Bomberg says that even the police can make errors in this field: “I have seen a case where police officers discovered a wire tap and removed it before they monitored its use. Although they were able to arrest the man responsible for planting it, they were only able to caution him for a minor telecommunications offence.”

Disposal or interference with IT evidence is a common error, says Mr Johnson. “All too often banks dump or reuse computers, delete emails or erase someone’s profile from a system when they have left the organisation, destroying what could be vital evidence of fraud. They should be handled as any other evidence at the scene of a crime.”

The weakest link in financial services is usually the customer, with a lack of personal contact often exacerbating the situation. The internet poses a wealth of risks to the financial services industry, despite banks’ protests to the contrary. While customers are encouraged to use it as a channel, banks themselves insist on using the Swift network (the financial co-operative, supplying secure, standardised messaging services) between themselves, due to the lack of online security.

One of the most famous cases of online fraud in recent years is that of Joe Lopez, a Miami businessman who, in 2004, had $90,000 transferred from his business account to a bank in Latvia following the installation of a computer virus called “coreflood” onto the laptop he used for business.

He is bringing a lawsuit against Bank of America, his account provider, stating that it did not provide him with adequate warnings about the risks from viruses.

Peter Bove, sales director, fraud EMEA at Fair Isaac, says that having a virus infect your computer can be astonishingly simple: “There are huge risks even if you don’t do anything you shouldn’t, such as opening attachments from strange emails. I saw a recent claim that 70% of downloadable wallpapers contain viruses. Even if you are shopping at a legitimate business site, how do you know it has been set up honestly?”

Single-stage fraud

The point Mr Bove makes is very pertinent, says Mr Bennett. Fraudsters are usually involved in a single stage of the crime, he explains: “You will find people who build the technology to commit fraud (viruses, false websites and blank credit cards), others who gather data by building websites or sending emails and finally those who actually steal money from accounts.”

Such systems limit the risk for each fraudster. These strategies are not just used on bank customers. When criminals attempted a fraudulent transfer at Sumitomo Mitsui Bank’s London office in 2004, it appeared that one gang planted hardware to capture data reportedly via the bank’s Swift system and that local organised criminals in other countries, such as those arrested in Israel, were then going to broker transferred money to ‘mule’ accounts in their regions. In Mr Gibbon’s words: “The wider the criminals are spread, the bigger the picture the bank must see.”

This sort of co-ordinated attack means that banks must be aware of the latest threats. Mr Bomberg says that the pace of change is a bank’s real enemy “We often see companies whose head of security got their PhD in computing 10 years ago and they’ve been working round the clock since then. If their employer wants them to stay ahead of the threat, they must be given time off to study and get up to date. The risk is only going to grow and losses will mount.”