

Identity Crisis?


With rising customer concerns and growing governmental interest, the pressure is mounting on the financial sector to clamp down on identity fraud. By Neil Davey

“Fraud will always be a challenge. I don’t think the problem will ever go away. Fraud has always been a risk factor and an issue for the financial services industry. The question is how much we can reduce it and mitigate it and that requires a strategy involving lots of different players”
-John Carlson, Senior Director of BITS

If there is a crime most indicative of the modern information age, it is identity theft. With its cost to the US economy estimated at some US$50 billion annually, it has become the fastest-growing crime in America. Yet despite this, statistically the losses associated with identity fraud do not measure up to other forms of fraud. Instead, its infamous reputation has perhaps been acquired simply because the nature of the crime taps into consumers’ basic financial fears. If an attempt at identity fraud is successful, an offender can rack up vast amounts of debt in someone else’s name. And while the financial institutions usually absorb the losses, the victim is still left to clear the damage to his credit rating. A survey of 8,200 consumers by RSA Security last year demonstrated that over 80 percent of respondents felt threatened by online identity theft.

As an industry that relies on customers’ trust and confidence, the mounting public concern has put the crime at the top of the agenda for the finance sector, and a recent American Bankers Association survey of senior fraud prevention managers listed identity theft as the number one threat to the retail banking industry. The crime has also registered on the government’s radar – and even a cursory glance at the statistics reveals why. The prevalence of privacy violation is such that the Federal Trade Commission estimates identity theft cases stand at 10 million per year.

“Identifying who you are dealing with is a big problem,” stresses Ariana-Michele Moore, a Senior Analyst at the Celent consultancy’s Banking Group. “How can you prove that the person who is sitting in front of you is who they say they are? That person may give them all the appropriate information that they possibly could on somebody. But we have even seen twins commit identity fraud against their siblings. So even if you have all the appropriate information, the bank can still be helpless in some instances. They need to be able to tie the information that is being submitted on a particular person to that particular person. In the future I think that biometrics will play a critical role, but I don’t think banks will be rolling out biometrics this year. And in terms of internet banking, it is a matter of banks understanding that usernames and passwords are compromised too easily.”

A recent white paper by the Honeynet Organization, a body dedicated to improving the security of the internet, has also warned that criminal networks are now turning their attention to identity theft. The organization suggests that these groups have spread across the internet, setting up electronic communities to collaborate and exchange information, and exploiting the proliferation of electronic channels to carve out new opportunities for identity fraud.

“Organized crime groups have discovered that money can be made from identity theft with less risk than traditional methods,” explains Brian Contos, Chief Security Officer at CIA-backed security consultancy/provider ArcSight. “Once they have the information, they quickly apply for credit cards, make fake passports and order merchandise online depending on the nature of the information stolen. As recently as a few months ago, they may have stolen 10,000 account numbers but only had the capabilities of leveraging 100 of them. Now we are seeing sophisticated automation techniques to more efficiently make use of the information and organized black markets for selling this information allowing the criminals to keep what they need and still profit from the remainder. When looking at the increasing speed that these scams can propagate and the growing ease of turning that identity information into cash, it’s clear that the most robust security technology available needs to be used to address these threats.”

Different components

The present safeguards against identity fraud are already many, as outlined by John Carlson, Senior Director of BITS, a non-profit CEO-driven industry consortium whose members are 100 of the largest financial institutions in the United States. “The controls go right back to the enrolment process when you first become a customer with the bank and you have to provide certain credentials to validate who you are,” he highlights. “Then there are controls that are done electronically in terms of when you log onto a website. There are obviously the authentication practices in terms of making sure that financial institutions have the right credentials. There is also encryption during the session so that what is being transmitted back and forth is protected and cannot be eavesdropped on. Then there are also monitoring programs that look at unusual activities, which is very common in the credit card industry. In addition, there are numerous internal controls that institutions have to address insider threats including background checks, segregation of duties and so on. A financial institution’s information security program has a lot of different components to it.”

Nevertheless, the problem of identity theft still remains and indeed continues to worsen. Certainly, data leaks don’t help the public’s confidence and with institutions holding more customer information than ever before on their databases, these are particularly serious. ChoicePoint, LexisNexis and Bank of America have all been in the headlines recently regarding such leaks, and the impact can be catastrophic – ChoicePoint, for instance, has lost market share and was slapped with a US$15 million fine. With so much customer information being held by the industry, however, the sector is unfortunately a natural target for a growing number of criminals. Hacking incidents on financial institutions are on the rise, whilst there is growing concern that crime syndicates are turning their attention towards employees.

“The easiest way for criminal groups to access personal information from a financial institution is directly through the institution’s employees – insiders,” says Contos. “They may use traditional criminal techniques such as fear or blackmail, or just find somebody that is ethically flexible and looking for some quick money. For organizations that don’t use holistic enterprise monitoring solutions, it would be very difficult to detect an insider that plugged an MP3 player into the network and five minutes later walked out the door with 10 Megabytes of customer account information.” Underlining these concerns are statistics by Celent suggesting that up to 60 percent of the dollar value stolen through bank fraud is now committed by employees. Growing awareness of the surge in hacking and information theft in the financial sector – as well as rising concerns about the legal ramifications of a leak – has led to increasing investments in data protection.

“One of the key things that every financial institution should be offering – and telling their customers that they’re doing, even though it is almost transparent – is encryption of data,” says Chris Novak, Senior Security Consultant at the world’s largest privately held information security company, Cybertrust. “Data encryption is a very important thing to ensure that even if somebody does get into your system, they won’t be able to access your data – it is unreadable.”

Spim and spam

But new and more sophisticated methods of accruing personal data are emerging that also target the customer. Phishing is the latest example of how criminals are leveraging technology channels to further their nefarious ends. Customers are sent an e-mail falsely claiming to be from a legitimate organization, requesting the user to visit a website to update personal information, such as passwords, credit card details and social security information. The website, however, is bogus and with a minimum of effort – and no encryption to tackle – the criminals have a portfolio of personal information to abuse.

“Phishing is growing in popularity and as one door slowly closes to remove its distribution through e-mail spam, another one opens through instant messaging spim [spam over IM],” says Contos. “I don’t see it ending anytime soon, but hopefully with heightened security awareness it will become so unsuccessful that it simply won’t be worth it for the perpetrators. However today, if a million spam/spim Phishing solicitations go out, and only one percent yield tangible results, that’s still plus 10,000 for the criminals for a trivial amount of time and effort.” A study last year by Gartner estimated that around 2.4 million people in the US reported losing US$929 million through phishing scams during the previous year – and the Anti-Phishing Working Group suggests that as much as 85 percent of unique phishing attacks are directed against customers of financial institutions.

But with public awareness growing about these types of attacks, criminals are taking their efforts to steal personal information to the next level, using technological tricks borrowed from virus writers and hackers, such as key loggers planted on users’ machines. Worms or Trojan horses, for instance, log every key a user presses, save the keystrokes in a file and, every so often, e-mail the criminal everything that has been typed. So, if a victim logs on to a bank website, the criminal sees both the site visited and the credentials entered.

Identity theft resulting from such attacks remains most rampant for customers of community banks, and since most financial institutions do not hold customers responsible for fraudulent debts, a large proportion of the losses stemming from identity thefts are borne by the bank. Nevertheless, for many institutions, the most concerning damage incurred by identity theft is the breakdown of trust between the customer and the bank – a relationship that is of course largely built on trust.

“Whether it is a matter of them trying to be hit by identity theft criminals or if the criminals are actually successful at that financial institution, it is certainly a problem for most institutions,” emphasizes Moore. “In terms of the amount of fraud relative to other crimes that they need to worry about, like ATM fraud and card fraud and check fraud, identity theft is smaller. Unfortunately, the damage that can be incurred by identity theft is quite high and is causing great concern in the industry, not to mention regulatory pressure.”

Authentication practices

And federal and regulatory bodies are indeed now flexing their muscles regarding the growing epidemic of identity fraud. The federal government is aggressively implementing regulations to manage the problem, including the Fair and Accurate Credit Transactions (FACT) Act that outlines significant requirements for banks and other financial institutions whose customers are victims of identity theft. All financial institutions must now be in compliance with the FACT Act or face an $11,000 fine per violation.

Elsewhere, The Federal Financial Institutions Examination Council (FFIEC), an umbrella group of regulators that includes the Federal Reserve and Federal Deposit Insurance Corp., has been concerned enough about the situation to recommend an improvement in authentication practices in the industry. FFIEC told banks that single-factor authentication, such as a user name and password, isn’t enough to protect against account fraud and identity theft, with particular concerns that it is inadequate for protecting against Internet-level scams such as phishing and pharming. FFIEC is encouraging banks to instead implement two-factor authentication by the year’s end.

Whilst there are other efforts to protect the industry and its customers from identity theft – for instance, Bank of America recently unveiled SiteKey, in which an image picked by the customer appears when he signs in, indicating that the bank recognizes the user’s computer and telling the customer the site is legit; and MasterCard International has developed the Chip Authentication Program, in which credit or debit cards are implanted with a chip that generates a one-time password when the card is entered into a handheld card reader supplied by the customer’s bank – two-factor authentication has attracted the most interest to date.

Two-factor authentication requires two forms of authentication to access a system – something you know (such as a password or PIN) and something you have (usually a cryptographic token or a scratch card containing a fixed number of passwords). This contrasts with traditional password authentication, which requires only that a user know a password in order to gain access to a system. Two-factor is more secure for numerous reasons. If a customer’s password includes a number that changes every minute, it is harder for a criminal to intercept. A user also can’t write down the ever-changing part, so it can’t be seen. An intercepted password will have expired the next time it’s needed. And of course a two-factor password is harder to guess.
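As an added example (not code from the article or from any vendor it quotes), the following Python sketch shows how a bank’s server could verify the “something you have” factor described above: a six-digit code derived from a shared secret and the current minute, which stops validating once its time step has passed. The secret and timestamp are constructed for the demonstration; the check that refuses reuse of a code inside its window goes slightly beyond the paragraph’s text.

```python
import hashlib
import hmac
import struct

# Constructed demo secret shared by the customer's token and the bank's server
# (assumption: real deployments provision one per customer, never hard-code it).
DEMO_SECRET = b"constructed-demo-secret-key-0001"
STEP_SECONDS = 60      # the article's "number that changes every minute"
CODE_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226 construction, SHA-1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = STEP_SECONDS) -> str:
    """Time-based code: HOTP over the current time step (RFC 6238)."""
    return hotp(secret, int(at // step))


class OtpVerifier:
    """Server-side check of the 'something you have' factor: accepts the code
    for the current step (plus one step of clock drift) and refuses any code
    already consumed, so a captured code cannot be replayed inside its window."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift
        self.used = set()        # (counter, code) pairs already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.drift, current + self.drift + 1):
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):
                if (counter, code) in self.used:
                    return False     # replay of a code seen before
                self.used.add((counter, code))
                return True
        return False                 # wrong code, or one whose step has passed


def demo() -> dict:
    """Walk through the outcomes the article describes, at a fixed clock."""
    verifier = OtpVerifier(DEMO_SECRET)
    t0 = 1_700_000_000.0             # constructed timestamp for determinism
    code = totp(DEMO_SECRET, t0)
    return {
        "fresh_code_accepted": verifier.verify(code, t0 + 5),
        "same_code_replayed": verifier.verify(code, t0 + 20),
        "expired_code": verifier.verify(code, t0 + 10 * STEP_SECONDS),
    }


if __name__ == "__main__":
    print(demo())
```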

“A lot of companies are working towards two-factor authentication,” confirms Novak. “From the credit card perspective, for instance, there have been the Visa and Mastercard requirements – known as PCI – which mandated two-factor authentication. I think that by the end of the year you are going to see a large majority of financial institutions – whether banking, credit, brokerages, etc. – implementing two-factor.”

Mutual authentication

So is there a solution to identity fraud on the horizon? Unfortunately, not necessarily so. Once again, the criminals are one step ahead. Security vendor F-Secure Corp. recently reported a case where customers of a Scandinavian bank were tricked into divulging their one-time passwords from a scratch-off sheet. Customers received phishing e-mails that took them to fake websites hosted in South Korea, where they were told to scratch off and enter their passwords – a big mistake. And other forms of attack are already gaining notoriety, attacks from which two-factor authentication unfortunately can do little to protect customers and institutions.

In a man-in-the-middle attack, for instance, an attacker puts up a fake bank website and entices a user to that website, whereupon the user types in his password, and the attacker either disconnects the user and makes any fraudulent transactions he wants, or passes along the user’s banking transactions while making his own transactions at the same time. “SecurID tokens and the like are all well and good but they are subject to these attacks,” confirms Novak. “If somebody requests the information from you, and you give it to them, and they can use that information to log into your bank in the next 30 seconds to a minute then obviously that two-factor authentication goes out of the window.”

And Trojan attacks remain a problem. If a customer has a Trojan installed on his computer and then logs on to his bank’s website, an attacker can piggyback the session to make any fraudulent transactions he wants. Unfortunately, while two-factor is an improvement on traditional password systems, it is no panacea. For this reason, a growing number of institutions are looking at two-factor as a stopgap solution while hedging their bets on mutual authentication, a system generally regarded as security over and above two-factor.

“There are different ways of doing mutual authentication,” explains Novak. “There are ways that mutual authentication can be done with financial institutions. Almost all have SSL certificates to make sure that their websites are encrypted. There are procedures out there now that you can put in place to utilize those SSL certificates to implement mutual authentication between the client and the server. And there are a lot of organizations out there now that are providing similar types of services and similar types of products.”

Unfortunately, at present many financial institutions would probably struggle with the expense or the technical capability of rolling out a large-scale authentication system. “The price of it is going to be one of the sticking points,” continues Novak. “Most banks are just dealing with getting two-factor authentication out. The added expense of rolling out mutual authentication is going to push it off into the future by a couple of years.”

Consumer acceptance

Any financial institutions looking to implement either two-factor or mutual authentication can expect to face a further obstacle. In 2005, BITS conducted a survey of authentication practices of BITS member companies. The survey revealed several impediments to broader adoption of multi-factor authentication, including cost, complexity and integration issues. However, at the top of the list of impediments, and by far and away the main concern, was consumer acceptance.

“Financial institutions know that the authentication method must be convenient and easy for the consumer,” says Carlson. “After all, consumers can go wherever they want to go, they are not beholden to any institution. You really need to have an authentication method that is easy, convenient, unintrusive and is workable across multiple institutions as many customers have relationships with multiple banks, securities companies and insurance companies. While multi-factor authentication sounds really simple, in practice it’s actually much more complicated in terms of how you would implement an across-the-board authentication program given that one of the big constraints is consumer acceptance.”

The situation certainly puts the financial industry in something of a predicament, particularly in light of increasing federal interest in the situation. “Financial institutions would rather reach a compromise than have the Government step in and tell them what to do, so right now the banks are feeling the pressure of needing to act now and come up with a solution,” suggests Moore. “They want to be able to show the Government that they are taking appropriate measures for the risk to get them off their back and continue with their business.”

But if this is to be achieved, the general public may have to also take responsibility for itself as well. ArcSight forecasts that 2006 will see a big spike in identity theft as organized crime groups increasingly leverage it as a vehicle for revenue generation. Financial institutions will continue their campaign to toughen up their authentication efforts in the face of this surge in attacks. But if it is to be successful, there will need to be cooperation between all the stakeholders involved.

“Fraud will always be a challenge,” concedes Carlson. “I don’t think the problem will ever go away. Fraud has always been a risk factor and an issue for the financial services industry. The question is how much we can reduce it and mitigate it and that requires a strategy involving lots of different players. If we see movement on the part of law enforcement to really take these crimes more seriously than they have in the past, and we continue to work together as an industry like we have in the past several years, and if we engage the major software companies, third party service providers, ISPs, etc., and if the consuming public can continue to gain a greater awareness of the need to participate and implement safeguards, then we can reduce the size of the problem. But it does require all those parties to each step up to the plate and work collaboratively and cooperatively to try to solve this problem.”
