Articles

Publication: The Community Banker, Winter 2012

Last month, Kaspersky Lab reported that Java is the target for more than half of all malware exploit attempts. Combine that with the fact that one very common audit finding is to encounter older versions of Java on a bank's network, and you have a recipe for disaster.

I may need to clarify something about older versions of Java. Java updates do not work the way Microsoft updates do. When Microsoft discovers a vulnerability, they release a patch for you to install on your existing platform, so it's possible to have an older version of a Microsoft product that is completely patched. When software companies like Adobe and Oracle (Java) discover a vulnerability, the patch is released as a new version of the product. That's why you constantly see new versions available: they are not usually released for the purpose of adding some cool new feature. They are most likely released to fix a security issue.

Read Full Article

By: (CISA, CISSP, CRISC)
Publication: Nebraska Banker, November/December 2012

On September 17, 2012, the Federal Bureau of Investigation (FBI), the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3) released a joint fraud alert titled Cyber Criminals Targeting Financial Institution Employee Credentials to Conduct Wire Transfer Fraud. In the alert, they state that recent reporting indicates a new trend in cyber attacks to compromise financial institution networks and obtain employee login credentials. In many cases, these attacks used spam and phishing emails to install keyloggers and Remote Access Trojans (RATs) to gain access to the employee's computer and subsequently to the bank network. The majority of victims targeted were small- to medium-sized banks or credit unions; however, the report adds that a few larger banks have also been affected.

Read Full Article

Publication: The Community Banker, Fall 2012

Lately, the terms "cloud computing" and "cloud-based" are being used to describe a wide array of technology products with varying service models. Because of this, it might seem the meaning of cloud computing is actually up in the air. On July 10th, 2012 the FFIEC Information Technology Subcommittee published some of the first regulatory guidance specifically addressing outsourced cloud computing. This new guidance defines cloud computing generally as "the migration from owned resources to shared resources in which client users receive information technology services, on demand, from third-party service providers via the Internet 'cloud.'" This is a broad definition, and it's likely most banks are utilizing at least a few technology solutions that would fall into the "outsourced cloud computing" category.

Read Full Article

By: (CISA, CISSP, CRISC)
Publication: The Colorado Banker, September/October 2012

Earlier this year, just one hour before a bank was scheduled to educate its Board of Directors on the concerns of corporate account takeover, the bank's call center received a call from one of its customers asking why the bank's Internet Banking website was down. When the customer attempted to connect, they received a message stating the "Site was down for repair, check back in 24 hours." The bank verified the site was up, and upon further investigation found the customer's machine had been compromised and fraudulent transactions were being created.

Read Full Article

Publication: Nebraska Banker, September/October 2012

Antivirus software has long been accepted as the cornerstone of any healthy security program. As online security threats continue to rise and pose a significant risk to the financial industry, you have, no doubt, implemented many technical controls. Perhaps, in the back of your mind, you've thought if these controls failed, well, at least you have antivirus. Now, however, the discovery of the Flame virus earlier this summer has everyone wondering if their trust was poorly placed.

Flame is a highly complex (arguably the most complex) piece of malware that has been recording audio, keystrokes, network traffic, screenshots, Skype conversations, and documents from infected computers for at least two years. That's two years of antivirus definition updates and two years of potentially weekly or daily virus scans that never detected this very large, very complex, very nosy virus. Flame's sophistication along with its targets supports the widely accepted notion that a government or group of governments is responsible for its creation and distribution. A large majority of the infected machines were discovered in Iran, but infected machines were also found in several other locations, including Europe and North America.

Read Full Article

Publication: Nebraska Banker, July/August 2012

One topic you might have overlooked for training this year is password security. Operating systems, web portals, and software applications have evolved in the realm of technical security measures, so it is now rare not to see some form of easy-to-use password policy attached. You can easily enforce password length, complexity, and age restrictions for your bank's network; however, these restrictions are insufficient without password security training.

Unfortunately, technical controls can only do so much—your employees are either the strongest or weakest link in information security. Windows password complexity policies, for example, will not prevent anyone from setting their network password to "Password1." It's at least eight characters long and includes both a capital letter and a number, but it is one of the most common and simple password choices. Training can teach your users to try passphrases. These can be song lyrics or quotes that are longer than a password, but are typically easier to remember. Capitalizing the first letter, using spaces between the words (if allowed on the system), and punctuating the end will create an extremely strong password. Length, rather than the use of symbols and numbers, is actually the greater indicator of password strength.

Read Full Article

By: and (CISA, CISSP, CRISC)
Publication: Nebraska Banker, May/June 2012

I attended a conference this week where I had the privilege of hearing a state banking examiner speak about corporate account takeover. One idea he expressed has stuck with me the last few days: "we have to make this a security issue, not a compliance issue..." How many of you have been struggling with the latest FFIEC supplement for Internet Banking? Are you feeling it's yet another compliance mandate? Is your biggest concern to please an examiner or provide the best security for your customers?

Read Full Article

Publication: The Colorado Banker, March/April 2012

Customer awareness and education on Internet banking security was a point of emphasis in the guidance published by the FFIEC on June 28th of 2011 titled Supplement to Authentication in an Internet Banking Environment. Increasing customer awareness of effective techniques for mitigating the risk of fraud should be a major part of your customer education program.

When developing educational material for your online banking customers, it's important to keep in mind both the varying amount of technical knowledge and the amount of time an average customer will dedicate to reviewing the information. The majority of your customers are unlikely to spend hours of their time reading through educational materials containing technically detailed descriptions of common attacks and techniques to avoid them. Providing simple and easy-to-understand security tips can be an effective alternative to detailed security information filled with information security jargon.

Read Full Article

Publication: The Kansas Banker, March 2012

I've always been a fan of the underdog. I'll never get tired of any movie featuring an underdog or underprivileged sports team, dancer, speller, or contestant on India's Who Wants to Be a Millionaire. I cry every time even though I know they'll either win the big game or come in a very close second and be okay with the loss because they learned so much about themselves during the season…

What does this have to do with Internet banking? The FFIEC released its Supplement to Authentication in an Internet Banking Environment last summer, and banks across the country have spent the last few months ensuring they're ready for the next exam. By now, you've read the guidance (or at least read enough about the guidance) to know that it really boils down to three main elements you might not have paid attention to in the past:

Read Full Article

By: and (CISA, CISSP, CRISC)
Publication: The Colorado Banker, January/February 2012

On June 28 of 2011, the FFIEC published a Press Release titled "Supplement to Authentication in an Internet Banking Environment." In the introduction of the supplement, they stated the FFIEC member agencies "have directed examiners to formally assess financial institutions under the enhanced expectations outlined in the supplement beginning in January 2012." The question is, is your financial institution in compliance with the new guidance? In this article, we will review the basic principles outlined in the guidance.

Purpose and Background:

Read Full Article