Unwary Customers Contribute to Online-Banking Security Woes

Updated: August 20, 2012

Online banking has become a security issue for financial institutions, and consumers and some business customers are contributing to the problem.

An FDIC (Federal Deposit Insurance Corp.) report cited earlier this year in "The Washington Post" and published in redacted form on the newspaper's Web site underscores the vulnerability. The document, which covers Q2 2007, ascribes 80 percent of bank-computer intrusions to "unknown unauthorized access — online banking." Overall, the average dollar loss per computer intrusion, whether stemming from online banking or other sources such as identity theft, increased nearly three times between Q2 2006 and Q2 2007, according to the FDIC. The average loss per event stood at $29,630 for the latter quarter.

"What's important to understand is that the vast majority of losses are occurring in online-banking applications," said Jon Gossels, president and CEO of SystemExperts Corp., a security and compliance consulting firm. "You tend to be dealing with a relatively large number of largely unskilled users — certainly not sophisticated users."

Consumers, he added, cause the bulk of online-banking security breaches. A customer who unwittingly downloads a Trojan horse may wind up with a keylogger installed on his or her PC. The keylogger can swipe bank-account data, thus opening the account to an attacker.

"The Achilles' heel tends to be end-user consumers, in terms of their level of sophistication and understanding and awareness of the threats," added Mark Steinhoff, who leads the financial-services security and privacy team at Deloitte & Touche LLP.

Unwary consumers may be targets for both malware and social-engineering attacks, Steinhoff noted.

But enterprise customers may stumble as well.

Gossels said that highly targeted spear-phishing campaigns can snare businesses, pointing to one example in which the perpetrators hit customer-relations executives with email disguised as complaints from the BBB (Better Business Bureau). The phony BBB email included an attachment designed to launch a program that would download a keylogger.

"That is your role to deal with consumer complaints, so there's no reason not to open it," said Gossels of the subterfuge. "The thing about spear phishing is that it is very subtle and business-appropriate."

Insufficient Security

Banks, however, also drop the ball when it comes to security.

Sumit Pal, executive vice president with WithumSmith+Brown Global Assurance LLC, a security and compliance consultancy, said that smaller banks may skip the annual IT security audits that they are supposed to undertake. In addition, Pal added that smaller financial institutions have fewer internal controls than their larger counterparts and are therefore more likely to encounter problems.

But large enterprises are not necessarily better off in terms of security, said Ron Lepofsky, president of ERE Information Security Auditors.

"The most common problem we see with regard … to external access is that the custodians of the data do not have the time and the cycles and the energy to constantly be monitoring the status of their access technologies and to be monitoring for lapses in compliance with their own security and access policies," he said. "It cuts across everybody."

And the Web-based applications themselves may have critical weaknesses.

Clients from a range of industries ask SystemExperts to test their Web applications, and the company is able to penetrate more than half of those applications, according to Brad Johnson, a vice president at the company. That penetration may include accessing data that is reserved for authenticated users, obtaining cross-account data and executing functions that are reserved for other authenticated users, he said.

"The vast majority of Web applications are not even instrumented to notify when something odd is happening from a security point of view," Johnson added.

Ideally, a Web application would generate some type of a security event or alert that would be recognized by the organization's overall event-management system, Johnson explained.

Addressing the Problem

Gossels and Steinhoff said that banks need to pursue education programs to make customers more aware of the threat environment.

Pal suggested that banks could also help safeguard customers by providing them with anti-virus software with a whitelist feature. He said that such software only permits a certain set of programs to run on a computer and blocks unknown applications from executing. This approach, he added, would address the problem of keyloggers, rootkits and other types of malware.

In addition, banks that have implemented fraud control in response to anti-money-laundering regulations may be able to use that mechanism to bolster online-banking security, Gossels noted. In such a scenario, an action such as a large wire transfer might trigger an oversight process to determine whether a given transaction is legitimate, he said.

Gossels said that the key is to look for changes in routine actions. For example, if an account has never performed an ACH (Automated Clearing House) transfer and a large one — or several of any size — is requested electronically, additional oversight processes should be initiated, he noted.
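The "change in routine" screening Gossels describes, written out as an added example that is not part of the article or of any bank's fraud-control system: an account's settled history is its routine, and a request is queued for oversight when it is a large wire, a first-ever ACH transfer of a large amount, or one of several first-time ACH requests in one day. The thresholds, account ids and transactions are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

LARGE_AMOUNT = 10_000.00   # assumed review threshold, not taken from the article
BURST_COUNT = 3            # assumed: this many first-time ACH requests in a day is "several"


@dataclass
class Txn:
    account: str
    kind: str      # "ach", "wire" or "card"
    amount: float
    day: int       # constructed day index standing in for a timestamp


def review_queue(history, requests):
    """Return (account, day, reason) for each request needing additional oversight.

    history:  transactions already settled for each account (its routine).
    requests: new electronic requests to screen, in arrival order.
    """
    seen_kinds = defaultdict(set)          # account -> kinds of transfer it has used before
    for t in history:
        seen_kinds[t.account].add(t.kind)
    first_time_ach = defaultdict(int)      # (account, day) -> first-time ACH requests so far
    alerts = []
    for t in requests:
        if t.kind == "wire" and t.amount >= LARGE_AMOUNT:
            alerts.append((t.account, t.day, "large wire transfer"))
        elif t.kind == "ach" and "ach" not in seen_kinds[t.account]:
            first_time_ach[(t.account, t.day)] += 1
            if t.amount >= LARGE_AMOUNT:
                alerts.append((t.account, t.day, "first ACH transfer, large amount"))
            elif first_time_ach[(t.account, t.day)] == BURST_COUNT:
                alerts.append((t.account, t.day, "several first-time ACH requests in one day"))
    return alerts


# Constructed sample data: A-1 already uses ACH, B-2 and C-3 never have.
HISTORY = [Txn("A-1", "card", 42.10, 1), Txn("A-1", "ach", 300.00, 2), Txn("B-2", "card", 15.00, 1)]
REQUESTS = [
    Txn("A-1", "ach", 400.00, 5),       # routine for A-1: no alert
    Txn("B-2", "ach", 12_000.00, 5),    # first ACH ever and large: alert
    Txn("C-3", "ach", 50.00, 6),        # three small first-time ACH requests in one day
    Txn("C-3", "ach", 75.00, 6),
    Txn("C-3", "ach", 20.00, 6),        # third one triggers the burst alert
    Txn("A-1", "wire", 15_000.00, 7),   # large wire: alert regardless of history
]


def screen_sample():
    return review_queue(HISTORY, REQUESTS)
```

Each alert is a structured tuple so it can be forwarded to the organization's event-management system rather than only logged, which is the instrumentation gap Johnson points out.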

Data protection, a measure that extends beyond online banking, represents another layer of defense. Steinhoff said that the current regulatory environment emphasizes this area, pointing to the federal government's "red-flag" rules that were issued in November 2007. Those rules require financial institutions to develop identity-theft-protection programs.

"The identity-theft, red-flag rules raise the bar for institutions to look at existing customer-information-protection programs," Steinhoff said.
