The Fraud Blog with Tracy Kitten

Fighting Fraud: Banks Can't Afford to Wait

New Threats Can be Catalysts for Positive Change

As incidents of ACH and wire fraud increase, banking institutions say they can't afford to wait for the Federal Financial Institutions Examination Council to release updates to its 2005 online authentication guidance.

It's been more than four months since a draft of the FFIEC's update was inadvertently released by the National Credit Union Administration. And still, the industry waits. [See NCUA Disclosed FFIEC Draft.]

For Michael Wyffels, senior vice president and chief technology officer of Moline, Ill.-based QCR Holdings Inc., a $1.7 billion holding company that operates three banks, the waiting game has become too risky. "I'd like to make sure our recommendations fit with what the FFIEC is recommending," he says. "But the hackers seem to continue to find new ways to exploit vulnerabilities."

Recent wire fraud incidents originating in China prove account takeover, perpetrated by online attacks, continues to grow. [See New Wave of Wire Fraud Strikes Banks.]

In fact, online breaches, across the board, have put everyone on alert.

Online Breach Epidemic?

From RSA to Epsilon to Sony and now LastPass, online security controls are clearly showing their age and their vulnerability. The whole breach epidemic has led to growing "public jitters," according to the Unisys Security Index, which includes consumer survey results about perceived Internet security. [See Public Jitters Over IT Security on Rise.]

In a recent interview with Executive Editor Eric Chabrow, Unisys CISO Patricia Titus says online breaches are eating away at consumer trust. "What is the fallout from the Epsilon breach and Sony breach? Are people going to hold their breath and wait and see what happens, or are they going to proactively take action? Are the institutions actually going to help people understand what protections they could put in place themselves?" she asks.

It all points to the need for new technology. At least that's the way Terry Austin, CEO of Guardian Analytics, sees it. "The whole authentication and malware phenomenon is a cat-and-mouse game," Austin says. "Fighting malware with authentication is a losing battle."

The FFIEC recommends a layered approach, and that's a takeaway Wyffels is embracing. But it's not a catchall, Wyffels warns. Adequate fraud detection and prevention, especially in the online world, require persistent vigilance.

"We, as an institution, want to do as much as reasonably is possible to mitigate risks," he says. "Like everyone, we want to make good choices and sound investments. ... We just can't get comfortable, because things are changing all the time. I hope, as an industry, no one ever says they are comfortable."

Bin Laden's Death and AML Worries

No, we should never get too comfortable - a truth born from another leading story this week. The death of Osama bin Laden, says anti-money-laundering expert Kevin Sullivan, could cause disorder within the ranks of al-Qaeda, and that could lead to new efforts to funnel terrorists' funds through traditional banking channels.

"Any resulting disarray might create some new and/or unusual money movement that may be a red flag and draw the attention of the authorities," he says. "Now is the time to pay close attention to high-risk, terror-aligned countries to see if there is any account activity that could be the resulting fallout and potential power struggle created by the leadership vacuum from bin Laden's death."

As Sullivan rightly points out, banks should take bin Laden's death as an opportunity to check their systems and ensure their existing money-laundering and Bank Secrecy Act screenings are up to par. "We have not defeated terrorism yet," he says.

The same advice should be taken regarding the recent breaches. These incidents should be catalysts for change. Though online breaches are increasing, institutions should follow the example set by Wyffels and his team - don't get too comfortable.

About the Author

Tracy Kitten


Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.
