The Economy Faces a Cyber Arms Race
During the 1890s, gangs of bank and train robbers terrorized the Wild West. Over a century later, global commerce faces another set of outlaws. Only now it happens with a point and click of a mouse, instead of a gun.
In a bygone era, four or five years ago, most cyber fraud consisted of hacking into personal accounts, to steal victims' identities and credit card information. Since then, activities have morphed, on an exponential scale, to encompass the financial service industry worldwide, and all its commercial customers. The black hats, churning out about 40,000 variant samples of malware a day, are locked in an arms race against the software companies who are working frantically to protect government, industry and private individuals' information.
The costs to business are vast, in terms of lost funds, diverted resources and damaged reputation, trust and relationships. American online banking fraud hit $120 million in the third quarter of 2009, according to the Federal Deposit Insurance Corporation. The situation in the United Kingdom is also dire, with Financial Fraud Action UK reporting £39 million in losses in the first half of 2009. In March 2010, the Ponemon Institute research firm released results of its IBM-sponsored survey of 115 C-level UK business executives: all of those surveyed disclosed that their data had been attacked in the past 12 months, while 76% of respondents believe the most important aspect of their data protection is to reduce potential security flaws within business-critical applications. That survey "raised eyebrows throughout the world. Until now, many companies have claimed flawless procedures," says Ronald Whitworth, a Washington DC attorney with Sullivan & Worcester. "In reality, they can't assure themselves of that." All they can do is to beef up their protection even more.
Every danger creates investment opportunity. To address the need for ever more sophisticated defenses, a host of technology companies have been creating new platforms for authentication, back end analysis and risk detection, security audits and certifications, data breach forensics, as well as old fashioned competencies such as crisis management. With no single, turnkey solution in sight, firms will need to rely on multiple layers of armor.
"You should start by looking at internal fraud, to see if someone is benefiting," advises William Kowalski, vice president and director of corporate investigations at Rehmann's Corporate Investigative Services. In fact, the vast majority of identity theft is performed by somebody who knows the victim, reveals Wesley Wong, a former senior FBI agent. Despite advances in remote hacking, old-style social engineering is still constantly at work, often compounding wire fraud, especially in a worsening economy. It has become even easier to impersonate family and friends, now that an entire network can be penetrated on the strength of a single password. "Everyone telecommutes. If you can access a CEO's username and password, it is as if you were sitting in his office," says Whitworth.
Just as archery and cavalry evolved into gunpowder for cannons, and more latterly WMD, today's cyber criminals keep developing their arsenal at more dangerous levels. The previous generation focused on "phishing" schemes and "man-in-the-middle" attacks, whereby people sent fictitious emails containing links to lure unwitting users to their own sites. Those formerly crude website traps have now become so realistic that the average person cannot distinguish them from the genuine site. It is no secret that many originate from Eastern Europe, while the top offending countries are Russia, Moldova and the Ukraine, according to an international crime expert.
The current state of the art focuses on "man-in-the-browser" attacks. Now, the enemy has moved away from its hideout on the server and right onto the user's own computer or browser. Basically, the victim may visit a genuine website and there unwittingly download infected software directly onto a laptop or PC. Antivirus programs are impotent against the constantly evolving strains. The malware patiently lies dormant, in hibernation, until the user goes to a banking or financial site. It is likely looking for a firm that performs large transactions, using wire transfer or ACH. The Automated Clearing House network, an American electronic network for financial transactions, offers a direct route. ACH credit transfers include direct-deposit payroll and vendor payments; direct-debit transactions cover insurance premiums, mortgage payments and other bills.
It then wakes up and "phones home," describes Scott Laliberte, a managing director at consultancy Protiviti. The malware springs into action, copying every item of interest on that website, including passwords and account information. It can then distort information for bill paying or money transfer, like orders to pay a supplier, or instructions to move money from a pension fund to a hedge fund. It takes milliseconds to switch the amounts and payees. Suppose a customer wanted to pay a legitimate supplier $5 million. The malware might double the $5 million to $10 million, and split the payments into five $1 million increments. The bank would recheck a password for confirmation, which the man-in-the-browser appears to supply. Thieves tend to move the transfers in separate corridors so that even if some are intercepted, others will get through.
Typically, the scammer uses carriers, so-called "money mules", to help distribute the sums. These individuals may have been unknowingly recruited through online advertisements, promising them small percentages of cash in return for setting up accounts and making transfers.
"Unless a red flag is tripped through the wire transfer - say, an exceptionally large transfer, out of the normal pattern, or perhaps multiple wires on a given day, or wires abroad - it happens so fast, no one knows a hacker is there, and the money is hardly ever recovered," says Scott Bailey, a principal at Rehmann's. He adds, "Money moved overseas is even harder to get back. It may also take longer to recognize that the transfer has happened."
Because so many of the crimes are global in nature, the international criminal police organization INTERPOL plays an active role in tracking laundering activities. William Conner is president and CEO of Entrust, a Dallas-based firm that specializes in securing digital identities. "For the past year we have had a strategic partnership with INTERPOL," says Conner. Although most large international banks may have police relationships in Western Europe, those institutions are less well served in Eastern Europe. Conner continues, "There may actually be more visibility when corporate transactions cross borders, and INTERPOL is best placed to help capture the money mules. Some of the funds are even feeding terrorism."
With so much financial damage perpetrated, and growing daily, a mystery remains: why is so little of the harm publicly reported? The most obvious answer seems that no one likes to be seen with egg on their face. "At first, banks try to hide losses, and make sure there is not a lot of PR noise about it, so as not to cause panic among their customers who bank online," suggests Mickey Boodaei, CEO of Trusteer, a provider of secure browsing services. Once the losses become steeper, they are likely to start to add security layers and educate customers to practice more caution. But it may still be hard for banks to absorb the damage of negotiating reparations with clients, especially for smaller institutions, if losses run into the millions. "That is why," Boodaei surmises, "we may be hearing more stories about business accounts at smaller banks that suffer."
Smaller firms in general may even find themselves subject to blackmail from thieves who threaten to expose a breach. From the customer side, "businesses do not want to report they have had their cash stolen," says Conner. Suppose you manage clients' money. "You might not be keen to advertise a security breach," comments Steve Lee, who heads a litigation consulting and forensic accounting firm in Los Angeles. The reputational damage alone can be devastating. Consumers will be justifiably wary about sharing details with any company that deals with personally identifiable information.
Another reason that cyber crime may not grab big headlines is that the typical size of any given account loss is not in itself enormous. "Most interception probably targets sums in the $4000 to $8000 range," Lee estimates. "A few may reach the low six figures, which can be a devastating event for a small business, but is a long way from defrauding Goldman Sachs!" Banks take an economic, rather than a principled approach to cyber break-ins. If the cost and level of fraud may be tolerable, they reckon "they only have to pay off their consumer clients - not the corporate customers - so it's not such a big deal for them," says Lee.
Inevitably, however, more malfeasance is coming to light. "The Federal Trade Commission has become very aggressive in its enforcement actions," reports Laliberte. For example, consumer data broker ChoicePoint paid $10 million in penalties and $5 million in redress, to settle FTC charges for compromising 163,000 consumers' records. Other breaches have been reported and publicized from retailers like Victoria's Secret, Barnes and Noble, Guess Jeans and Petco. Even the databases of numerous academic institutions have been victimized, including Penn State University, Montana State University, the University of Michigan, UC-Berkeley, Eastern Illinois University and the University of Alabama.
Who pays? Retail consumers do enjoy some legal protections at least, with limits for losses capped under the Fair Credit Billing Act for credit cards and the Electronic Fund Transfer Act for debit cards and ATM transactions. Although banks might lose face or see clients' trust erode, commercial customers are the ones who foot the bill (see sidebar). Under current American regulations, banks are not liable for commercial customers' losses, caused by vulnerabilities in the clients' security controls. Commercial account holders have little recourse other than litigation for negligence against their financial institutions, and "in most cases they will lose, as long as the bank can show it is comporting with reasonable standards of the community," says Lee.
Jeff Theiler, senior vice president at Hancock Bank in Gulfport, Mississippi, explains that the hackers are not directly targeting banks, like his. "They have instead moved downstream to the end user, especially small businesses that do not have the IT staff in place to protect their systems, but are relying on off-the-shelf antivirus packages." His advice is for banks to offer their clientele software solutions to download. "It may not be a panacea, but what we need is a partnership between the bank and its customers."
Just as new weaponry spurs advances in military defenses, current malware proliferation is generating an arsenal of new technology solutions. Ori Eisen, co-founder of Scottsdale, Arizona-based 41st Parameter, and former worldwide fraud director for American Express, outlines a set of mitigation points. To start, when new customers open accounts one must make sure they are not using others' identities; then one must monitor log-ins, to forestall account takeover; and one must ensure transactions are legitimate. He regrets that most of his own clients are not thinking "holistically." For instance, in large banks, the online, checking and brokerage departments all operate discretely, on separate technology platforms. "I'm trying to break those silos and educate them," he says. "The bad guys, who don't use silos, can turn on a dime."
Entrust offers authentication and validation solutions, which are a key element of a layered defense system. Digital identity credentials, which are core to electronic transactions, must be verified to secure or authenticate electronic machine-readable travel documents, online transactions, digital signatures, online services and more. CEO Conner illustrates one approach to verifying transactions: you cannot communicate through the same channel (e.g., the Web) to confirm sensitive account details. Doing so might put the account at further risk. As an example of out-of-band authentication, an organization may send a separate SMS/text message. Although it is limited to 140 characters, it can reference the payee and the amount, to confirm account details and circumvent fraud.
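The out-of-band confirmation Conner describes, worked through as an added example (not Entrust's product or code, and not from the original article): the bank composes a short text from the transfer details it actually received, the customer compares that text against what they intended to send, and the confirmation code is bound to the payee and amount so that a code issued for one transfer cannot authorize a different one. The key, the 140-character limit taken from the article, the code length and the message wording are all assumptions of this illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    account: str
    payee: str
    amount_cents: int


SMS_LIMIT = 140  # the per-message limit as stated in the article (assumed here)


def _dollars(cents: int) -> str:
    return f"${cents / 100:,.2f}"


def _canonical(t: Transfer, nonce: str) -> bytes:
    # Fixed field order so that the same transfer always yields the same bytes.
    return f"{t.account}|{t.payee}|{t.amount_cents}|{nonce}".encode()


def confirmation_code(key: bytes, t: Transfer, nonce: str) -> str:
    """Six-digit code derived from the transfer details, so it cannot be
    reused to approve a transfer with a different payee or amount."""
    mac = hmac.new(key, _canonical(t, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def sms_text(t: Transfer, code: str) -> str:
    """Compose the out-of-band message from the transfer AS RECEIVED by the bank."""
    msg = (f"Confirm transfer of {_dollars(t.amount_cents)} to {t.payee}. "
           f"Code {code}. Not you? Call the bank.")
    if len(msg) > SMS_LIMIT:
        raise ValueError("message exceeds the SMS limit")
    return msg


def customer_approves(intended: Transfer, msg: str) -> bool:
    """The customer's side: approve only if the payee and amount in the text
    match what they typed into the browser."""
    return intended.payee in msg and _dollars(intended.amount_cents) in msg


def bank_authorizes(key: bytes, received: Transfer, nonce: str, code_entered: str) -> bool:
    """The bank's side: the code must match the transfer it is about to execute."""
    expected = confirmation_code(key, received, nonce)
    return hmac.compare_digest(expected, code_entered)


def demo(key: bytes = b"constructed-demo-key") -> dict:
    # Constructed scenario mirroring the article: the customer intends one
    # $5,000,000 payment; a hypothetical in-browser tamper rewrites it.
    intended = Transfer("ACCT-0001", "Acme Supply Co", 500_000_000)
    tampered = Transfer("ACCT-0001", "Mule Holdings LLC", 100_000_000)
    nonce = "txn-0001"  # constructed; would be unique per pending transfer

    # Honest path: bank received what the customer intended.
    code_ok = confirmation_code(key, intended, nonce)
    honest = customer_approves(intended, sms_text(intended, code_ok))

    # Tampered path: the text reveals the altered payee and amount.
    code_bad = confirmation_code(key, tampered, nonce)
    spotted = not customer_approves(intended, sms_text(tampered, code_bad))

    # A code issued for the intended transfer does not authorize the tampered one.
    replayed = bank_authorizes(key, tampered, nonce, code_ok)

    return {"honest_approved": honest, "tamper_spotted": spotted, "code_reused": replayed}


if __name__ == "__main__":
    print(demo())
```

The point of binding the code to the payee and amount is that the second channel carries the details that matter, not just a yes/no; a confirmation that merely says "approve?" would be waved through as readily for an altered transfer as for the genuine one.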
Trusteer focuses on a complementary stratagem, building another bulwark of protection. CEO Boodaei admits that he cannot prevent an attack, but he can at least block the consequences. "Our technology provides a shield around data like account credentials, preventing access, so it doesn't matter if a request comes from an unknown source." The company's Rapport product protects sensitive data by locking down the browser and creating a tunnel for safe communication between a customer's computer and a bank web site. That process prevents any malware from "injecting" its own data, and stealing information that has been entered in the browser, or from modifying the details of a transaction.
Such solutions differ from those of standard antivirus programs, which normally first classify the malware, then seek out instances of it and remove them. The crux is that the antivirus must already be familiar with a specific piece of malware it is eliminating. That is an insurmountable challenge today, as new variants of malware are being generated every couple of seconds, making it nearly impossible to keep up. (That said, Citrix and Microsoft still do a fine job of offering daily patches, and those companies that suffer breaches are often behind or neglectful of their patching.)
Theiler, who has been deploying Trusteer's solution at Hancock Bank since April, has now made the software available free of charge to over 16,000 customers, who can download it if they choose. Now, whenever one of his customers' machines becomes infected with one of the common nasties, like Zeus, Trusteer immediately notifies Hancock, which then contacts the affected account holder.
When Theiler speaks to his counterparts at other banks, he notes that most are still concentrating on back-end protection, or at best relying on front-end authentication. "It's a hodgepodge. Some don't know what I'm talking about," he says, "but it's picking up steam."
Clearly, opportunities exist in the investment space in the next generation of the internet security industry. On the software side, three main themes appear promising. First, back-end risk analysis and detection systems monitor all transactions, looking for anomalies, such as transfers of suspicious amounts outside the country. A well-known vendor of those algorithmic capabilities is RSA, the security division of EMC, which commands a significant market share. Second is authentication, covered in the United States by 2006 regulations that called for all banks to deploy authentication mechanisms, like log-in questions. These requirements can be costly to deploy, so vendors are constantly seeking cheaper solutions, such as mobile authentication. Third, new technology secures the browser against malware.
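The back-end anomaly detection described here, and the red flags Bailey lists earlier (an exceptionally large transfer out of the normal pattern, multiple wires on a given day, wires abroad), as one added example that is not from the article or any vendor it names. It builds a per-account baseline from constructed historical wires and then flags a constructed batch of new wires, including the article's pattern of a large payment split into five $1 million pieces. The thresholds, the home-country code and the sample data are assumptions; a real system would tune them per customer.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class Wire:
    wire_id: str
    account: str
    day: date
    amount_cents: int
    dest_country: str  # ISO-style two-letter code (constructed values below)


HOME_COUNTRY = "US"      # assumed: the bank's home jurisdiction
LARGE_MULTIPLE = 5       # assumed: > 5x the account's median wire is "exceptionally large"
MAX_WIRES_PER_DAY = 2    # assumed: more than this many in one day is out of pattern


def baseline_medians(history: list[Wire]) -> dict[str, float]:
    """Median historical wire amount per account: the 'normal pattern'."""
    by_account: dict[str, list[int]] = defaultdict(list)
    for w in history:
        by_account[w.account].append(w.amount_cents)
    return {acct: median(amounts) for acct, amounts in by_account.items()}


def flag_wires(history: list[Wire], new_wires: list[Wire]) -> dict[str, list[str]]:
    """Return, for each new wire id, the list of red flags it tripped (empty = release)."""
    medians = baseline_medians(history)
    per_day: dict[tuple[str, date], int] = defaultdict(int)
    for w in new_wires:
        per_day[(w.account, w.day)] += 1

    flags: dict[str, list[str]] = {}
    for w in new_wires:
        reasons = []
        med = medians.get(w.account)
        if med is None:
            reasons.append("no transaction history")
        elif w.amount_cents > LARGE_MULTIPLE * med:
            reasons.append("exceptionally large vs. normal pattern")
        if per_day[(w.account, w.day)] > MAX_WIRES_PER_DAY:
            reasons.append("multiple wires on one day")
        if w.dest_country != HOME_COUNTRY:
            reasons.append("wire abroad")
        flags[w.wire_id] = reasons
    return flags


# Constructed sample data: a year of ordinary supplier payments for one account.
HISTORY = [
    Wire(f"H{i}", "ACCT-0001", date(2009, m, 15), amt, "US")
    for i, (m, amt) in enumerate(zip(range(1, 13), [4_800_000, 5_200_000, 5_000_000,
                                                    4_900_000, 5_100_000, 5_000_000,
                                                    4_700_000, 5_300_000, 5_000_000,
                                                    5_100_000, 4_900_000, 5_000_000]))
]

# Constructed batch: one normal payment plus five $1,000,000 wires on the same day,
# several of them to foreign destinations, mirroring the article's split-payment scenario.
NEW_WIRES = [
    Wire("N0", "ACCT-0001", date(2010, 3, 17), 4_950_000, "US"),
    Wire("N1", "ACCT-0001", date(2010, 3, 18), 100_000_000, "MD"),
    Wire("N2", "ACCT-0001", date(2010, 3, 18), 100_000_000, "UA"),
    Wire("N3", "ACCT-0001", date(2010, 3, 18), 100_000_000, "US"),
    Wire("N4", "ACCT-0001", date(2010, 3, 18), 100_000_000, "RU"),
    Wire("N5", "ACCT-0001", date(2010, 3, 18), 100_000_000, "US"),
]


def held_for_review(history: list[Wire] = HISTORY, new_wires: list[Wire] = NEW_WIRES) -> list[str]:
    """Ids of wires that should be held rather than released automatically."""
    return [wid for wid, reasons in flag_wires(history, new_wires).items() if reasons]


if __name__ == "__main__":
    for wid, reasons in flag_wires(HISTORY, NEW_WIRES).items():
        print(wid, "HOLD" if reasons else "release", reasons)
```

Because the detection runs at the bank rather than on the customer's machine, it still works when the browser itself is compromised; the cost is that each hold needs a human follow-up, which is why the thresholds are worth tuning against real traffic instead of being set once.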
Another growing sector on the service side is forensics, applied after data has been breached. As soon as any breach comes to light, a company is required to respond right away. (The Gramm-Leach-Bliley Act of 1999 mandates that a written plan should already be in place.) Some companies, being ill prepared, will need to engage a crisis management team immediately.
Audits and certifications offer a level of comfort in the field. Companies like IBM are available to check that the right controls are already in place, or to help implement them. Some of the products are challenging to put in and configure, necessitating a professional firm to make sure they are correctly deployed. Nor should investors disregard the more mundane area of background checks on employees, especially since internal employee fraud tends to rise during bad economic times.
It is hard to predict the next chapters. Solutions will probably eliminate 95% of the common hacks, but determined criminals will still pursue the big heists. Like any other epidemic, it is likely to worsen, but eventually stabilize, as we adapt and learn to live with it. Wong notes that his former agency takes cyberfraud very seriously: in Robert Mueller's March 17, 2010 address to Congress, the FBI director lists it directly after terrorism as a national security risk and a "growing threat to our economy". Wong, on reflection, does not expect it to play out as a "doomsday scenario," but expects it to affect many individual cases.
As long as security standards remain grossly inadequate, the business of hacking will develop. Financially motivated fraudsters have tremendous incentive to carry on and to innovate, steps ahead of their opponents. Meanwhile, the financial system may eventually be forced to adjust its security requirements, and the rules of banks' liability will probably bear fresh scrutiny, especially with the growing recognition of the cost, especially to small business.