ACH Fight Starts OnlineBattle Online Fraud First, and Improvements Will Follow
Automated Clearing House fraud accounts for about $6 billion in annual financial losses. The problems, says IronKey founder and Chairman Jevans, is that banks and credit unions aren't adequately addressing the threat by first addressing the root problem: online fraud.
"Criminals just use the ACH system to move the money around," he says. "Today, the cybercriminals and the attacks are much more sophisticated. That creates a very different threat environment. You can't trust an end-user's computer; you can't trust that the person logging in is the person conducting the transaction," and that's a breach of online authentication, not a breach of ACH.
Most financial institutions are not really tracking fraud, much less fighting it. According to results from our Faces of Fraud Survey, most banks and credit unions continue to rely on manual reports to indentify fraud. And 66 percent say they have fewer than five staff members dedicated to fraud-prevention -- a sign that they are woefully unprepared.
During this interview, Jevans discusses (transcript below):
- Gearing the fraud fight toward the online channel;
- Increasing challenges posed by phishing, Zeus and other malware attacks;
- How banking institutions are not prepared for today's and tomorrow's cyberattacks.
Editor's Note: This is the first part of a two-part interview with Jevans. Hear Part 2: Is Fraud Prevention Misguided?, when Jevans follows up with a discussion about fraud-prevention technology investments banks and credit unions should be making but aren't.
Jevans is the founder of IronKey. His career in Internet security spans more than 10 years, having held senior management positions at Tumbleweed Communications, Valicert, Teros and Differential. Serving on the CEO's technology council at Apple Computer, Jevans helped to develop the company's Internet strategy. He also worked in the advanced technology group at Apple and ran an engineering project involving advanced operating systems. Currently, he serves as the chairman of the Anti-Phishing Working Group, a consortium of more than1,500 financial services companies, Internet service providers, law enforcement agencies and technology vendors dedicated to fighting e-mail fraud and identity theft online.
Innovation and MalwareTRACY KITTEN: 2011 is expected to be a year of great innovation. That's the good news. The bad news is that fraudsters are doing a great job of keeping up and in many cases ahead of those innovations, especially in the ACH space. Malware and phishing attacks continue to plague the financial industry and its customers. As we look out on 2011, what steps will banks and credit unions take to curb ACH fraud? I am here today with Dave Jevans, the chairman and founder of IronKey, which specializes in online security.
Dave, you have reviewed some of the results that we had from our Faces of Fraud Survey, which came out at the end of the year; you have noted a few points that you found interesting. For one, banks and credit unions continue to rely too heavily on manual fraud detection. According to our survey, 55 percent rely on manual reports to identify fraud. More telling, however, you say, is that 66 percent of banking institutions say they have fewer than five staff members dedicated to fraud prevention, a sign that banks are woefully unprepared. Why do you say that they are unprepared and are you speaking in terms of where we currently are with fraud, or where you expect us to be as fraud becomes more sophisticated?
DAVE JEVANS: Tracy, I think the reality of the situation is that, particularly with smaller financial institutions, they haven't seen the level of sophisticated fraud that is starting to happen across the industry. So, they don't see it, they are not prepared for it, there is not a good forum for information sharing about what is happening, and I think a lot of these institutions are thinking, "Well, you know, my day-to-day business is running OK, so it must be working for me."
Unfortunately, what is happening is that cybercriminals, in particular, are targeting smaller financial institutions, smaller business customers; and when they attack, they attack in a big way and the losses are quite substantial.
Education: Curbing FraudKITTEN: Now, another alarming figure that you have noted, and this is again going back to this survey, is that only 18 percent of institutions have taken steps to go beyond mere education when it comes to fraud detection. What does the lack of investment tell you, and what does it tell you about what we can expect regarding undetected ACH fraud as we move forward into 2011?
JEVANS: Well, what we are going to see, unfortunately, is an increased level of fraud; it has been going up over the last 12 to 18 months, particularly through the online channel. I think we are going to see that moving onto the mobile phone channel, as well; and, as you know, we have seen banks moving toward online transactions, online banking, increasing capabilities on a business banking side for companies to be able to move funds around and transact fully online. Education is important and we need to continue to educate, staff inside the institutions as well as customers. But what this level of investment tells me is things are just going to get worse before they get better.
KITTEN: Dave, how would you rank ACH fraud relative to other types of fraud? You have noted the online channel and the mobile channel, but both of these channels fall into the ACH fold. According to our survey, most banking institutions don't really deem ACH fraud to be their No. 1 concern, but much of that may be attributed to the fact that they just aren't seeing it.
Online Fraud is the Real ProblemJEVANS: Well, I think that's right. This thing about ACH fraud is that it is one channel for moving money around; and the reality is, we should be thinking about the broader scope of online fraud. The fact that the payments are being moved through the ACH system is almost an artifact of a front-end system that we have for business banking, where people can get in there and start moving money. It happens to go through the ACH system, but it may not even be reported as ACH fraud; it may be reported as a different kind of account-takeover fraud. The fact is that they are just using the ACH system to move the money around.
KITTEN: And, that's a good point you raise, Dave. You say ACH and wire transfer fraud accounts for about $6 billion in losses annually. With that much money being funneled out of the system, it is interesting to note that banks and credit unions just aren't seeing it. But it could just be that they are attributing that fraud loss to a different channel?
JEVANS: Well, that's right. There is an attribution issue; let's also take a look at the $6 billion in losses around ACH. A lot of it is not through the cyberchannel; it's probably about $1 billion through the cyberchannel right now. A lot of it is friendly fraud, such as check-related fraud; but it is interesting when you start to look at how fraud events are reported through SAR reports, for example. You know, there is a lot of uncategorized fraud. In fact, the uncategorized fraud has been growing dramatically over the last three to four years.
The Role Authentication PlaysKITTEN: Now, I would like to take a moment, Dave, and have you connect all of this together to talk about authentication. Authentication is something the industry is lacking, and you note the criminals have circumvented most of the online authentication controls our infrastructure currently relies on, such as onetime passwords and dual account controls. Other industry experts have noted weaknesses in payment card authentication controls. What steps do you see the industry taking to address authentication across the board in the coming year?
JEVANS: Well, I think what we are going to see is an increased focus on authentication and protection of what we call the end-point -- the end-user's computer, where they access the online banking systems. The FFIEC is going to be revising the guidance that they provided to banks back in 2005 around authentication. That guidance was primarily geared toward the consumer banking channel, in the wake of massively increasing phishing attacks; but what we have seen since that guidance was released is that cybercriminals have gotten far more sophisticated. They are employing very sophisticated types of malware and they are using Ph.D. programmers, paying bounties for people to come up with new ways to infect computers that are invisible to end-users. That creates a very different threat environment. The reality is, you just can't trust an end-user's computer. You can't trust that it is really them doing the transaction. We are going to see, I think, a revision of the guidance that the FFIEC came out with, and I think that is going to give financial institutions a wake-up call, and also a great set of guidelines for how they should be moving forward in authentication and in end-user protection, as well as on the back-end and looking at transaction anomalies.
KITTEN: When we talk about the FFIEC guidance, that is something that has been talked about for quite some time. Again, the last bit of guidance came out in 2005; but it may take some time before the FFIEC actually releases anything.
JEVANS: Well, we anticipate that we will see some guidance in the early part of 2011. They have held numerous conferences and information gathering sessions with industry experts and analysts, as well as with financial-services companies. So, we think that we will actually see something soon.
The FFIEC and the FBI and NACHA have come together and issued guidance, both for financial institutions and for business banking customers, so we think that type of information will be leveraged by the FFIEC in their guidance.
KITTEN: And when we talk about the guidance, most of that is going to relate to the online channel. But when we talk about authentication gaps, as they relate to payment cards, will some of that fall into the guidance? What should financial institutions be doing on that front?
JEVANS: Well, I don't think we will see this particular guidance from FFIEC addressing card payments, in particular. I think it will primarily address the corporate banking side of things for the online channel. On the card-payments side, it is really an interesting dilemma that we face in the industry. It is actually the retailers who bear the brunt of the losses, so financial institutions are able to charge back card-not-present losses for Internet transactions that basically use stolen credit card numbers. The issue is that we have a million or more merchants out there and the losses are spread among them. So, there is no real painful thing that financial institutions are facing in order to drive forward something like an authentication standard around. We have an asymmetrical problem, where criminals can basically use the millions of credit card numbers they have stolen, and the fraud is so distributed into the system, there is nothing that anyone can do about it right now.
KITTEN: This is the first part of a two-part interview with Dave Jevans of IronKey. Be sure to check back for part two, when Jevans speaks about the evolution of Zeus and the continuous fraud battle banking institutions are expected to face in the online arena.