I attended the FDIC public event on ‘Combating Commercial Payments Fraud’ yesterday at the regulator’s offices in Virginia. My main impression of the day is that the fraud rings conducting these account takeovers using Zeus malware and man-in-the-browser attacks have put the regulators, law enforcement agencies and certainly most of the banks and businesses being hit by these scams on total defense and in reaction mode. In other words, they are not on top of the situation, to say the least.
Depending on whom you talk with, there is anywhere from one to several (probably fewer than 10) Eastern European gangs conducting these heists, which the FBI (perhaps inadvertently) said yesterday is costing banks and businesses hundreds of millions of dollars, while they investigate about 250 cases. (Please refer to these research notes for more information on how these scams work and what you can do to prevent them: G00174740 “Case Study: Bank Defeats Attempted Zeus Malware Raids of Business Accounts” and G00173132 “Where Strong Authentication Fails and What You Can Do About It”).
The FBI indicated they had identified the crooks, but probably because of political asylum (and because the crooks are greasing the pockets of the politicians in their countries, or better yet ARE the politicians – which is true in some cases), they are not able to nab them. So instead, the FBI announced it is going to launch proactive enforcement of the law against the money mules, who are typically located in the U.S. where they do have jurisdiction. If they arrest enough mules, they could put a big dent in the crooks’ ability to cash out.
So in the end, probably some 20 Eastern European hacker types have the U.S. banking industry up in arms while hundreds of small businesses, county governments, school districts and churches take a direct hit on their livelihoods when their bank accounts are raided. Many banks won’t reimburse them because, until now, by law they are not obligated to.
There was too much rich content at that conference to cover in a short blog post, so it will be covered in future Gartner research, but here are some highlights from the day:
a) The FFIEC 2005 guidance on strong internet authentication is widely misunderstood by the market to mean banks have to implement multi-factor authentication, rather than assess their risks and implement security controls sufficient to mitigate those risks. I expect the FFIEC to issue another FAQ to clear up this confusion, which they themselves created via the title and structure of the FFIEC guidance document.
b) Right now, the FFIEC guidance is just guidance – it’s not a standard that the banks must abide by. Rather, banks are bound by the UCC (section 4A), which says they must implement a ‘commercially reasonable’ security standard. As of today, until the courts determine otherwise, a commercially reasonable security standard can be simple multi-factor authentication, which we all know the crooks are easily breaking these days. The banks’ obligations stop there. They don’t have to monitor bank account activity after that standard is ‘executed.’
c) The FS-ISAC group is launching an “Account Takeover Taskforce” to share information among banks on these particular and related threats. They have done a good job in information sharing thus far; I am hoping it will continue.
d) None of the regulators have any numbers on the extent and dollar impact of this fraud. I frankly find that unacceptable and wonder if it’s a little like the subprime mortgage crisis (albeit of course on a much smaller scale). They won’t get any numbers until and unless a lot of damage is done, and a lot of money is lost. If you went to the conference yesterday, you’d believe that indeed there is a crisis here. The robbers are looting small businesses and other bank accounts and victims are often not getting their money back.
The volume of attacks continues to escalate, already reaching hundreds of millions of dollars. Why would the crooks stop? No one is about to arrest them anyway. And if the FBI can make headway in making arrests one day, you have to believe that the politicians in the criminals’ countries will give them ample warning so that they can get away.
e) For now the regulators are much more concerned with the liquidity and capital structure of the banks they regulate. This problem (of account takeover and theft) is simply an annoyance factor in the scheme of things. Personally, I think they are missing the point. Taxpayers pay the government to protect them.
f) Howard Schmidt indicated in his keynote that the White House is looking at a federated identity management system for citizens. Does that mean the Federal Government will finally step up to the plate and issue credentials for all of us that they will back up? I kind of doubt it, but details were lacking.
g) Even though most of the conference focused on electronic payment transfer fraud, remote check capture fraud seems to be looming as a big problem, as businesses are now able to deposit checks remotely from their offices as part of new banking cash management services. And good old checks are still the biggest fraud problem for U.S. businesses. According to the AFP, 73% of businesses they just surveyed had a fraud event/attempt in the last year, and 39% actually lost money. Check fraud was the main source of fraud.
h) There was a lot of talk about the need for ‘out of band’ authentication and transaction verification, but the crooks have already been breaking that, so enterprises need to implement these good solutions carefully. Some designs work; others don’t.
All in all, it was a good, useful conference. Lots of good content and lots of useful perspective sharing. Joe Menn from the Financial Times gave a great keynote on his book about the fraudsters, which gave all the attendees a good peek into how they work. I imagine these gangs won’t stop working on their lucrative crimes until we get on top of the issue with good fraud detection and prevention. But just like we squashed much of the old organized crime networks, I do have faith we can squash the new ones as well, if we put our minds and resources to it.

Avivah Litan