Breaking the bank

By Stuart Finlayson

The technological age has brought with it a number of challenges as well as tremendous advances. Stuart Finlayson talks to some of the leading proponents of information security in the banking industry in Australia and around the world to find out what financial institutions are doing to minimise the risk to sensitive customer information posed by fraudsters, as well as examining the steps banks are taking to combat new threats to our finances and our very identities.

The Internet as a means of conducting business has been touted for some years as the future of commerce. While the dotcom boom only served to accelerate this notion, the subsequent bust did some damage to this perception across industry as a whole.

The spectacular collapse of the dotcoms had little to no effect on the zeal with which the banking industry took to the Internet as a means of doing business with its customers. Little wonder, really: Internet banking has proven extremely popular with customers because it removes the need to trek to a branch during the lunch break and then wait in an interminably long queue.

From the banks' point of view, the Internet has allowed them to drastically reduce the number of those physical locations, making huge savings on staff salaries, real estate and the other costs of maintaining such premises, while the customer still has a more convenient way to bank. All smiles, then? Not quite, because every breakthrough that technology brings in business efficiency, whether Internet banking or the increasing prevalence of ATMs, also presents the criminal fraternity with new avenues through which to perpetrate crimes.

One of the major fraud issues that the Internet has spawned is that of phishing, a scam designed to dupe customers into divulging their account details, which are then used to empty their account.

According to Jon Andreasson, executive director of the Australasian division of the ATMIA (ATM Industry Association), this form of fraud comes in a number of guises. "Phishing works typically by creating a snapshot of a financial institution's website and gaining a client listing of account holders.

"One version of the scam typically works with an email to the target with a message seemingly from either the Customer Accounts or Fraud Department stating that either frauds have recently been perpetrated by a person with their details or that they are verifying the bona fides of existing account holders. This message then asks them to send their details to the site for account verification.

"Another version of the scam is for a Trojan or keylogging virus program or pass-through program to be sent to a computer, which then relays to the fraudster the account details and login codes when a victim is performing online banking."

Yet another variant, says Andreasson, involves the screenshot of a financial institution being replicated and sent to the customer. The customer often does not check the website URL and thinks that they are corresponding with their bank.

The phishing frauds are relatively new, but already most major financial institutions throughout the world have reported a significant increase in attacks. Very few institutions have escaped, with most of the leading Australian banks having also been targeted by this fraud.

Due to the critical nature of information they possess on their customers, financial institutions are heavily regulated. This regulation can be as detailed as the rules for IP packet construction described in the AS2805 standard for electronic financial transactions, through to the more general advisements on risk management described in the Basel II Accord.

According to Andrew Walls, principal consultant at security and trust services provider Betrusted, regulatory compliance has been something of a bitter pill for financial institutions to swallow in recent times, given the financial outlay involved in getting up to code. It is nonetheless entirely necessary, not only for compliance itself but also to instil the public perception that financial institutions are doing everything in their power to protect their customers' money and personal information.

"Developing and monitoring compliance to these external regulations is a costly and time consuming activity and is critical to the continued viability of the institution. Increasingly, lack of compliance can result in significant financial penalties that extend beyond corporate funds and into personal holdings as required in legislation such as Sarbanes-Oxley.

"Financial institutions are entrusted with funds by customers. Financial services companies make profits by managing Other Peoples' Money (OPM). In order to gain access to OPM, financial institutions must be able to provide high levels of assurance that OPM is sufficiently secured to protect the customer's interests."

Information, says Walls, is the lifeblood of a financial institution. Although financial services companies talk about loans, debentures, deposits, investments, shares, and the like, all of these products are financial concepts that can be reduced to the manipulation of data in various computers. "A transfer of funds between accounts does not involve a physical manipulation of currency notes. Data is modified to indicate differing amounts in various databases and the transfer is complete.

Without access to data, the institution ceases to exist as a viable financial concern. This situation was made very real when the 9/11 attacks froze billions of dollars as banks and traders were unable to update the status of transactions due to the loss of various transaction switching facilities. Fundamentally, there are no physical inventories or manual procedures that can be invoked to continue the business when the information systems are unavailable."

One company that has invested heavily to ensure that it has the tools available to help financial institutions win the race to achieve Basel II compliance is IBM. "IBM Business Consulting Services (BCS) has worked in the Basel II arena ever since the impact of the requirements began to emerge," reveals Kevin Pleiter, principal, financial markets, IBM Business Consulting Services. "We believed from the start that in order to gain maximum strategic and operational benefit banks needed to look beyond the target of mere compliance and take a more holistic view to their risk management function.

"We have been working with clients to accelerate their Basel projects by firstly understanding the nature of the challenge that is unique to every bank, and then designing and implementing solutions that specifically meet clients' objectives of compliance and additional business benefit."

Pleiter says that in his experience, financial institutions in Australia and New Zealand adopt a more business-aligned, risk-management approach to fraud prevention rather than the traditional point-solution approach. "A reflection of this business based approach," states Pleiter, "is to also make sure that customer privacy is protected, so whilst the technologies and solutions delivered minimise fraud, privacy and client integrity are also maintained."

Another fraud which is showing exponential growth worldwide and locally is identity theft. This may be assisted by the Internet in two ways. Firstly, the Internet affords the fraudster anonymity in that they do not have to produce much more than customer details and correct password/login codes for verification. Neither do they have to make contact with a teller or show a photograph or other documentation. It also allows a criminal to cloak themselves with firewalls or international boundaries to delay or hinder detection and prosecution.

"Banks have addressed these issues in a number of ways," says Andreasson. "Some require token ring password encryption and other anti-hacking technologies, but the strongest method of protection that banks have employed is customer awareness and education programs."

These programs may take the form of sending customers fraud alerts or scam methodology awareness messages, as well as other security awareness helpful hints such as cardholder security tips.

"Another recent innovation that banks have employed is media awareness campaigns," observes Andreasson. "Of particular note is the recent joint media campaign by the ABA, The Federal Crime Commission and Senator Chris Ellison, targeting customer awareness of card skimming.

"A number of recent developments by the Australian government have the potential to create a very powerful and invaluable fraud database. Following the Cybercrime report to Federal Parliament earlier this year, it was recommended that the newly formed Australian Crime Commission and the High Tech Crime Squad be the joint custodians of a federally maintained fraud database. Although the dissemination issues have not yet been addressed in detail, given the fact that the "Separation of Powers" in our constitution traditionally gave rise to state based crime management, this new body has a powerful potential. The body will of course need industry support and awareness in order to operate effectively as there is little to impel companies to report fraud other than as required under state law."

The industry generally is currently banding together and initiating a number of programs aimed at providing industry awareness and increased corporate governance. A recent example was the NCR event at the Australian Stock Exchange entitled "Comply with me" that received wide recognition and was very well supported by the industry.

As the primary provider of ATMs to banks worldwide, NCR plays a vital role in minimising the susceptibility of ATMs to acts of fraud.

Claire Shufflebotham, global market development manager and security consultant at NCR's UK headquarters in Dundee, Scotland, was in Sydney recently for NCR's compliance event.

Shufflebotham says that NCR's security solutions are derived from the company's understanding of banks' requirements to make the self-service channel secure against the increasing threat of organised crime. Key areas of focus for NCR are countermeasures to card trapping (trapping the card in the card reader), skimming (copying the magnetic stripe data from the card), software hackers and physical attack.

"As well as strategic global banks, NCR also continues to work with industry associations such as ATMIA, APACS (Association for Payment Clearing Services) and other crime fighting organisations such as Scotland Yard to minimise the risk of ATM related fraud and understand how, as an industry, we can collaborate to be proactive in reducing the risk of fraud.

"Security and fraud prevention are multi-faceted issues. Fraud has been likened to a balloon: when you press down in one area it expands somewhere else. The analogy can be applied in terms of focusing on one particular solution or indeed to solutions with limited geographic coverage leading to 'fraud displacement'. We believe it is an industry responsibility, including vendors such as NCR, banks, crime fighting organisations and industry bodies such as the ATMIA, to share best practice and collaborate in the fight against fraud. Based on this industry collective knowledge, NCR is committed to providing the solutions that will maintain the integrity of the self-service channel in the face of a growing number of attacks."

The ATMIA is also committed to crime prevention, and has been at the fore of a number of initiatives to achieve this end.

Chief among those has been the formation of GASA (Global ATM Security Alliance), an organisation made up of ATM manufacturers, deployers, owners, card merchants, cash-in-transit organisations and law enforcement agencies such as New Scotland Yard and the FBI. GASA, which also includes banking bodies such as the Australian Banking Association, is chartered to employ global security resources in a united alliance in order to protect the ATM industry from criminal activity.

GASA provides and maintains a fraud alert system and a global ATM crime database.

The ATMIA has also created BANKNOTEWATCH. This organisation provides a global bank security information database for robberies and Modus Operandi - a useful tool for law enforcement agencies to predict global crime trends.

With security being a central component of what the ATMIA do, Andreasson has a number of valuable suggestions as to what financial organisations can do to make their systems more secure.

"Token password protection can provide effective log-in encryption. However, this technology can be both difficult and costly to administer for financial institutions - the cost of which is often not appreciated by customers as a necessary pass-down.

"Neural network software technologies are quite effective. These programs look at the normal transaction profile for a given customer, and if the spending pattern changes, they will prompt action for either the merchant or card administrator, such as a prompt to have a personal discussion with the card user to provide some additional personal information to help verify the card holder."
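The transaction-profile screening Andreasson describes, as an added illustration that is not from the article or from any bank's or vendor's product: a per-customer baseline is built from past card transactions, and a new transaction that departs from it in amount, merchant category or country is flagged for an analyst to review before funds move. All customer ids, amounts and merchant data are constructed sample values.

```python
"""Transaction-profile anomaly screening (added illustration, not the article's).

Builds a per-customer baseline from historical card transactions and flags new
transactions whose amount, merchant category or country departs from it.
All ids, amounts and merchant data are constructed samples, not real records.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    customer: str
    amount: float     # in AUD
    category: str     # merchant category, e.g. "grocery"
    country: str      # ISO country code where the card was presented


def build_profile(history):
    """Summarise a customer's normal behaviour from past transactions."""
    amounts = [t.amount for t in history]
    return {
        "mean": mean(amounts),
        "stdev": pstdev(amounts),
        "categories": {t.category for t in history},
        "countries": {t.country for t in history},
    }


def score(txn, profile, z_threshold=3.0):
    """Return the reasons a transaction departs from the profile (empty = normal)."""
    reasons = []
    spread = profile["stdev"] or 1.0   # avoid division by zero for flat histories
    z = (txn.amount - profile["mean"]) / spread
    if z > z_threshold:
        reasons.append(f"amount {txn.amount:.2f} is {z:.1f} sd above usual spend")
    if txn.category not in profile["categories"]:
        reasons.append(f"new merchant category '{txn.category}'")
    if txn.country not in profile["countries"]:
        reasons.append(f"card used in unfamiliar country '{txn.country}'")
    return reasons


def screen(history, new_txns):
    """Map index of each flagged new transaction to its review reasons."""
    profile = build_profile(history)
    return {i: r for i, t in enumerate(new_txns) if (r := score(t, profile))}


# Constructed sample history: modest grocery and fuel spend in Australia.
HISTORY = [Txn("c1", a, c, "AU") for a, c in
           [(42.0, "grocery"), (55.0, "fuel"), (38.5, "grocery"),
            (61.0, "grocery"), (47.0, "fuel"), (50.0, "grocery")]]
NEW = [
    Txn("c1", 49.0, "grocery", "AU"),        # consistent with the profile
    Txn("c1", 1450.0, "electronics", "RO"),  # large, new category, new country
]

if __name__ == "__main__":
    for idx, reasons in screen(HISTORY, NEW).items():
        print(f"txn {idx}: review -> " + "; ".join(reasons))
```

A production system would add velocity and time-of-day features and tune the threshold per segment; the structure (baseline, deviation, referral for verification) is the same.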

More often than not, though, says Andreasson, basic cardholder tips such as awareness of PIN storage and shielding the keypad when using an ATM will provide the most effective security. Merchant vigilance in scrutinising the cardholder's signature on the back of the card is not always enforced as company policy as well as it should be, which is a gift for less professional fraudsters.

"Increased internationally recognised security signage that surrounds the ATM and provides security information and card holder tips such as prompts to shield the PIN pad will also go a long way to instilling public confidence and protection of basic information.

"The new triple DES encryption technology, which encrypts PIN and card holder information when it is being transmitted across verification processing networks, will be a vast improvement and provide an effective and powerful weapon to help thwart potential information hackers."

Unfortunately, according to Betrusted's Andrew Walls, banks in Australia are somewhat slower on the uptake when it comes to implementing new security enhancements to combat fraudulent activity compared to their US and European counterparts.

"The majority of banks based in Australia and New Zealand do not tend to implement new security practices as rapidly as do those in the US and Europe. This tendency to lag behind banks in other parts of the world is the result of several factors:

1. Reluctance to innovate - As a result of a generally conservative stance on information technology investment, banks in Australia and New Zealand are reluctant to embrace the risk associated with innovation in technology and process. As a result, they tend to look to larger more aggressive US and European institutions to innovate and then prove the validity of new technologies and procedures. Once a technical strategy is accepted practice elsewhere it becomes an acceptable approach in Australia and New Zealand.

2. Lack of local vendor support - The vast bulk of the market for security technology lies in the northern hemisphere. Accordingly, the principal vendor facilities for research and development are located in the northern hemisphere. This proximity enables European and US banks to develop close relationships with vendors that lead to early adoption of new, more effective approaches to information security.

Although most vendors maintain local representation in Australia and New Zealand, these local operations are generally focussed on sales and support rather than new product specification and development. There are, however, a growing number of Australian and New Zealand companies offering products and services in the security market. Unfortunately, these companies commonly encounter impediments based on the first point raised above.

3. Economies of scale - The provision of security services requires significant capital investment and continuing expense. The amounts involved are not generally a reflection of the revenue generating capabilities of the institution. As a result, the cost of security to a national bank in Australia or New Zealand is proportionally higher than the same investment would be to a large European or US institution. A simple demonstration of this principle can be found in ATMs.

The cost of a modern ATM with state of the art cryptographic controls might be AUD$50,000, regardless of whether the ATM processes 1000 transactions a day or 1000 transactions per year. The cost of security is not intrinsically related to the potential for revenue generation. As a result of this equation, the profitability of any given operation following the introduction of appropriate security will be less for an institution with less overall revenue."

Cost is undoubtedly an issue for banks considering tighter security, but as NCR's Shufflebotham points out, the losses from fraud that a bank incurs by failing to invest in such technologies far outweigh the investment itself, so the decision to adopt technology that tightens security ought to be a no-brainer.

"We are finding that the Self Service groups within banks often need the buy-in from the Security, Risk and card groups within the bank. If this is the case, often it is easier for them to quantify the costs in terms of business return.

"To illustrate the business case, the average card skimming incident in the UK, according to APACS, costs approximately US$3000 (2004). This cost comprises the actual cash loss as well as the other infrastructure expenses. This gives an indication of the scale of the problem. If a deployer has 2000 ATMs and each ATM only sees one incident per year this could cost the bank $6 million per year. (Actual customer evidence would indicate that this figure is conservative in countries where card skimming has become a problem). If these 2000 ATMs were upgraded with anti-skimming measures (including new smart card readers, with illumination in the throat, jitter, and ECRS) the customer would see payback in less than 4 months."

Andreasson agrees and notes that the cost to banks of failure to invest in security is measured in more than dollars and cents, and as such, must be addressed accordingly. "The cost to the banks is far greater than the cost of physical or electronic security upgrades. The damage that banks face is the loss of public confidence, legislative punishments in the form of law changes, and fines from breaches under "failure of duty of care" or "failure to provide a safe working environment."

These are the hidden costs that often drive banks to increase security. Protection for all of these facets of operational and organisational risk is almost impossible to measure, but it forms a significant and growing proportion of the Capital Expense and training budget for each organisation.

"The increasing profile and power of organisations such as Workcover to both drive workplace changes and impose significant fines is also driving many institutions to increase their security budgets, as is the increasingly diverse transaction environment. These factors require banks to constantly reappraise and redefine their risk environment and transaction pathways to detect possible fraudulent events and design effective countermeasures. Once these are defined, they must be supported by effective and comprehensive training and policy development, which is a significant cost to any organisation."
