Wednesday, 12 April 2006

I work in the security field (we build anti-fraud and authentication software and services for financial services and electronic commerce companies like banks, etc). Recently I've been asked by a significant number of people why certain banks are being phished in such large volumes. Now, while I don't write about specific financial institutions or security events (that would not be appropriate), I can tell you that any given bank has little to no control over whether or not it is made a target in the first place. All the big banks (and many tiny ones) get hit hard at some point. What they do have control over is their chosen prevention, mitigation and response plans and methodologies.

In the end, the most effective solution is the fairly simple one: Make it hard enough for the fraudsters and eventually they will move on to another bank. Stopping phishing and other online fraud is really just like everyday police work - It's not actually about ending crime, it's about making it go elsewhere. In the real world, the cops just push the burglars, drunks and drug dealers to someone else's town. We don't solve these problems, we just move them somewhere else.

So, eventually the scammers' targets and victims change. The real problem with online fraud is that we can't put an end to it with infrastructure technology they way it is now. We can get way out in front of it (where I work, we write software that can help prevent most phishing attacks from being launched in the first place, as well as strong authentication software to help stop bad guys from getting in the door even if they have a key). But it's way too easy to run a phishing scam, and prosecution is not an effective solution. Prevention is the way to go, and that means diligence on the part of financial institutions, using the right kinds of technology where needed, and a implementing a whole-community effort to stop the problem before it ever gets started. Tools are out there to let the bank get in front of the problem, and but it off at the knees before the crime occurs - a lot like stopping the bank robber well before he walks into the bank's branch office. Preventing the robbery is a lot less messy than cleaning up afterwards, explaining it to everyone, and trying to convince your customers that have just been held hostage not to leave your bank for another one.

Email is, as designed, one significant part of the problem we face. It's just too easy to abuse. Without getting too far into the whole "email-limitation" debate (Sidebar: When I spoke at a security conference last week one attendee tried to lure me into taking a political position on whether charging to send each email is a good idea... Heh, no I think not...), it's clear at least that there are many problems with the medium. Educating people not to respond and not to click on links will not solve the problem, as has been proven time and time again. Email is an  insecure method of information transport, and unless access can somehow be reasonably curtailed, this problem won't go away. The real question is, can email be restricted for bad guys while still keeping it free and in the spirit of the open Internet for everyone else? If so, how? Something tells me the debate and answers have not changed much over the years.

Ah, what the heck, let's just kill email completely. Block port 25 at the backbone routers. It's a counter-productive way to communicate much of the time anyhow. Imagine all the misunderstandings we'd avoid. The tangible and intangible benefits would be many. :)

But seriously, in the real world, there are three basic approaches to tackling this problem (phishing and cyber-fraud) if you're a financial institution. I'll mention them here briefly, and will likely dive into them in more detail in another post sometime soon:

  • Option One - Purely Reactive Posture - Apologize to customers when they call and tell you there's a problem, refund their accounts, change their passwords for them, hope they don't leave you for another bank.
  • Option Two - Hybrid Reactive Posture - Watch for phishing emails and when you see them, use technology to block them and see if the sites in the emails are real, and if so try to get them taken down, either on your own or through a professional take-down service. Apologize to less customers, and hopefully change their passwords before the bad guys get into the accounts.
  • Option Three - Preemptive Approach - Prevent the fraud attack from being launched in the first place, shut down fraudulent sites before the victims receive an email, make it difficult for the attackers, and protect your customers from being victimized at all.

Which option do you think is best? Which posture do you expect your bank to adopt? For my part, I vote for leveraging all three options, with a strong primary emphasis on Option Three, where prevention is the main focus. That's the area where I spend the majority of my professional time, with a team of developers and forensic techies who build software that prevents attacks and gives banks what they need to protect customers from becoming victims. It's a worthwhile job.



Add/Read: Comments [2]
IT Security | Tech
Thursday, 13 April 2006 01:08:36 (Pacific Standard Time, UTC-08:00)
Great post Greg.. some excellent thinking vetted here. Phishing is a topic very near and dear to my heart as this was one of my areas of research when I first joined Microsoft back in 2001.

One of the most overlooked things is user education, and banks have frankly been terrible at it. At one time, Paypal told customers that as long as they saw "https", they would be safe from fraud. Yikes!
Thursday, 13 April 2006 06:02:03 (Pacific Standard Time, UTC-08:00)
I agree that doing a poor job of user education is inexcusable - and I intend to write about that soon, as well. But just as inexcusable is *relying* on user education to solve the problems. I've always responded by suggesting that people who want to get the user to "do the right thing" recite the serentity prayer a few times:

"Grant me the sernetiy to accept the things I cannot change, the courage to change the things I can, and the wisdom to know the difference."

Fact: You can't effectively change end user behavior, and it only takes one end user doing the wrong thing to set the security bar. What one *can* change are the things we have actual control over - things like tools, systems, programs and processes.

But, educating the end user *is* critical, and the forms and methods of education need to change. Finally some institutions are starting to tell their end-user customers what the bank's doing to protect them. It has historicaly been a big, unspoken secret and in this day and age, communication and education is not just about good behavior, it's about customer retention and trust in the online banking channel.

But anyhow, more on that later. :)
Comments are closed.