<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>iovation Online Fraud Prevention Blog - News about Device Identification, Device Reputation &#38; Risk Management &#187; online security</title>
	<atom:link href="http://blog.iovation.com/tag/online-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.iovation.com</link>
	<description>protect online businesses from cyber criminals</description>
	<lastBuildDate>Thu, 02 Feb 2012 01:25:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>FFIEC Guides Banks to Employ Complex Device Identification and Sophisticated Out Of Wallet Questions to Protect Against Cyber Crime</title>
		<link>http://blog.iovation.com/2011/07/08/ffiec-guides-banks-to-employ-complex-device-identification-and-sophisticated-out-of-wallet-questions-to-protect-against-cyber-crime/</link>
		<comments>http://blog.iovation.com/2011/07/08/ffiec-guides-banks-to-employ-complex-device-identification-and-sophisticated-out-of-wallet-questions-to-protect-against-cyber-crime/#comments</comments>
		<pubDate>Fri, 08 Jul 2011 23:58:53 +0000</pubDate>
		<dc:creator>Jon Karl</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[automated clearinghouse transactions]]></category>
		<category><![CDATA[banking fraud]]></category>
		<category><![CDATA[complex device ID]]></category>
		<category><![CDATA[complex device identification]]></category>
		<category><![CDATA[device recognition]]></category>
		<category><![CDATA[device reputation]]></category>
		<category><![CDATA[Federal Financial Institutions Examination Council]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[fraud detection]]></category>
		<category><![CDATA[fraud monitoring]]></category>
		<category><![CDATA[fraudulent transactions]]></category>
		<category><![CDATA[iovation]]></category>
		<category><![CDATA[online payment fraud]]></category>
		<category><![CDATA[online security]]></category>
		<category><![CDATA[risk assessment]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=4742</guid>
		<description><![CDATA[For the first time in six years, the Federal Financial Institutions Examination Council (FFIEC) has issued new guidelines for banks to protect financial transactions targeted by today’s sophisticated cyber criminals. In the recent Network World article, “Federal agency issues new security rules for financial institutions,” the FFIEC is instructing financial institutions to deploy layered security systems and [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft" title="Complex Device Identification" src="http://blog.iovation.com/wp-content/uploads/2011/07/img-blog-jun-ffiec.jpg" alt="FFIEC" width="200" height="267" />For the first time in six years, the Federal Financial Institutions Examination Council (FFIEC) has issued new guidelines for banks to protect financial transactions targeted by today’s sophisticated cyber criminals.</p>
<p>In the recent Network World article, “<a href="http://www.networkworld.com/news/2011/062811-bank-guidelines.html" target="_blank">Federal agency issues new security rules for financial institutions</a>,” the FFIEC is instructing financial institutions to deploy layered security systems and recommends they update their risk assessments to detect anomalies and effectively respond to suspicious activity as more profit-driven hackers focus on business computers to perpetrate fraudulent online transactions.</p>
<p>According to the <a title="Internet Crime Complaint Center Reports" href="http://www.ic3.gov/media/annualreports.aspx" target="_blank">IC3 Annual Internet Crime Reports</a>:</p>
<p style="padding-left: 30px;"><em>Cyber crime complaints have risen substantially each year since 2005, particularly with respect to commercial accounts.  Fraudsters are responsible for losses of hundreds of millions of dollars resulting from online account takeovers and unauthorized funds transfers.</em></p>
<p>The new rules instruct banks and financial institutions to focus their network defenses on layered security that involves fraud monitoring, dual customer authorization through different access devices, out-of-band verification, and technologies that limit the fraudulent transactional use of an account.</p>
<p>According to <a title="Scott Waddell, VP Technology, iovation" href="http://www.iovation.com/management/scottwaddell/" target="_blank">Scott Waddell, Vice President of Technology at iovation</a>, who has been helping the nation’s largest financial institutions and credit issuers implement layered defense programs for years:</p>
<p style="padding-left: 30px;"><em>We’re glad to see the FFIEC guidelines catching up to the device reputation best practices that our customers enjoy. Complex device recognition, reputation, and real-time risk assessment are powerful additions to any bank’s fraud-fighting arsenal. <span id="more-4742"></span></em></p>
<p>The 2005 FFIEC Guidance described customer authentication as more than the initial authorization of the customer at login.  Including defenses at multiple interaction points such as accessing customer information, or movement of funds within or outside of the financial institution, is equally important.  Risk assessments should consider changes in the internal and external threat environment, changes in customer adoption, changes in electronic banking functionality and incidents of security breaches, identity theft or fraud experienced by the bank or industry.</p>
<p>With business or commercial banking accounts more susceptible to risk (as compared to retail banking) due to the frequency and high dollar amounts of the transactions, a defense-in-depth approach to security is even more important.</p>
<p>As explained specifically by the FFIEC, layered security programs may include:</p>
<ul>
<li>Fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response</li>
<li>The use of dual customer authorization through different access devices</li>
<li>The use of out-of-band verification for transactions</li>
<li>The use of “positive pay,” debit blocks, and other techniques to appropriately limit the transactional use of the account</li>
<li>Enhanced controls over account activities, such as transaction value thresholds, payment recipients, number of transactions allowed per day, and allowable payment windows</li>
<li>Internet protocol (IP) reputation-based tools to block connection to banking servers from IP addresses known or suspected to be associated with fraudulent activities</li>
<li>Policies and practices for addressing customer devices identified as potentially compromised and customers who may be facilitating fraud</li>
<li>Enhanced control over changes to account maintenance activities performed by customers either online or through customer service channels</li>
<li>Enhanced customer education to increase awareness of the fraud risk and effective techniques customers can use to mitigate risk</li>
</ul>
<p>The FFIEC recommends that an institution’s security program include device identification strategies that are more sophisticated than the simple cookie or IP address schemes used by many banks today as part of their authentication process.</p>
<p>At iovation, our financial services clients have been doing more than simple device ID for years.  In fact, they’ve been doing more than complex device ID for the last 7 years.  Complex device recognition techniques involve assessing larger sets of attributes and applying both pattern recognition algorithms and pattern-learning processes to identify devices.</p>
<p>While useful, complex device identification is just one part of an effective solution. The big players are tapping into the power of device reputation. <strong>Device reputation</strong> builds on device recognition with real-time risk assessment, leveraging both the attributes and the behavior of the device. iovation takes that further still by showing our customers the <a href="http://www.iovation.com/financial-services/" target="_blank">relationships between devices as they interact with online businesses across iovation’s shared device intelligence community</a>. And understanding how individuals are connected through devices and the accounts they access, as well as past and current behavior, is critical.</p>
<p>Device Reputation is what provides this depth of insight at transaction time.</p>
<p><strong>Read the Supplement:</strong></p>
<p>The Federal Financial Institutions Examination Council (FFIEC), <a title="FFEIC Supplement to Authentication in an Internet Banking Environment" href="http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20%28FFIEC%20Formated%29.pdf" target="_blank">Supplement to Authentication in an Internet Banking Environment</a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2011/07/08/ffiec-guides-banks-to-employ-complex-device-identification-and-sophisticated-out-of-wallet-questions-to-protect-against-cyber-crime/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Craigslist Scammers Ship Checks Via FedEx</title>
		<link>http://blog.iovation.com/2011/06/04/craigslist-scammers-ship-checks-via-fedex/</link>
		<comments>http://blog.iovation.com/2011/06/04/craigslist-scammers-ship-checks-via-fedex/#comments</comments>
		<pubDate>Sat, 04 Jun 2011 23:00:28 +0000</pubDate>
		<dc:creator>Robert Siciliano</dc:creator>
				<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[Craigslist]]></category>
		<category><![CDATA[online security]]></category>
		<category><![CDATA[scambaiting]]></category>
		<category><![CDATA[scams]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=4379</guid>
		<description><![CDATA[FedEx isn’t responsible for this scam, but their brand unintentionally lends credibility to the scammers, who reference FedEx in their scammy emails, knowing that aligning with FedEx helps their scam proliferate. It’s an insidious ruse that hurts all involved. FedEx can and should deny suspicious online transactions. Moneygram and Western Union could also make some [...]]]></description>
			<content:encoded><![CDATA[<p>FedEx isn’t responsible for this scam, but their brand  unintentionally lends credibility to the scammers, who reference FedEx  in their scammy emails, knowing that aligning with FedEx helps their  scam proliferate. It’s an insidious ruse that hurts all involved.</p>
<p>FedEx can and should deny suspicious online transactions. Moneygram  and Western Union could also make some effort to deter scammers. It’s  hard to weed out the bad guys, but there are technologies that help.</p>
<p><span id="more-4379"></span>What kind of scam am I talking about? A good friend recently called to ask what I know about check scams. He had received a $2,400 check from a major chemical company via FedEx. He had no idea why, but mentioned that he had placed an ad on Craigslist, asking $150 for an item he wished to sell, and that a deaf woman had called him through a translating service and offered to FedEx a check.</p>
<p>I explained that this is advanced fee fraud, or a shipping scam, and  that he will undoubtedly receive an email demanding that the difference  be paid to shippers.</p>
<p>Maybe the scammer pretended to be deaf, using the translator service  as a third party to scramble the caller’s location. Or maybe the buyer  really was a deaf woman.</p>
<p>But why send a check for $2,400, and why from a chemical company?  Probably because it was the only seemingly legitimate check the scammer  had printed up at the time, and it’s a nice score if he sends back the  $2,250 difference.</p>
<p>My buddy was flabbergasted to think that anyone would fall for such a  scam, and insisted that if someone came to his house to pick up the  purchased item and demanded he pay the purchaser $2,250, he’d punch them  in the face.</p>
<p>Shortly after getting off the phone with me, he received this email:</p>
<p>“Hello Dean,</p>
<p>How are you doing today?</p>
<p>The check has been delivered via Fedex,Thanks for your honesty  towards this transaction so far.Well, the overpayment is meant to cover  the cost of shipment for the item alongside my other properties  including tax and insurance plus the movers and agent fees.</p>
<p>Please deposit the check today so that it clears tomorrow after the  check has cleared,All you have to do is go the bank and have the rest of  the money withdrawn in cash and have it sent to the movers via money  gram</p>
<p>Here&#8217;s the movers information below.</p>
<p>Name : Jason Shambaugh</p>
<p>Address : 2330 Contra Costa Blv</p>
<p>City : Pleasant Hill</p>
<p>state : CA</p>
<p>Post code : 94523</p>
<p>Do let me know your schedule for the week regarding pickup as i have  some other properties to be moved alongside the item. Please do act  accordingly as agreed after deducting your money for the item, make the  rest fund available to the movers via money gram Money Transfer at any  of their outlet around you or check on <a href="http://www.moneygram.com/" target="_blank">www.moneygram.com</a>{click  find us} and check for their outlets around and get back to me with the  transfer details below (as it appears on the receipt) so i can contact  the movers for the pick-up at your location &#8230;.Deduct the money gram  money transfer charges from my fund also $50 for yourself (meant for any  hassle or run around).</p>
<p>1}Sender&#8217;s name and address</p>
<p>2}Reference number {which is the 8 digits number on the Money Gram receipt}</p>
<p>3}Actual amount sent after the fee had been deducted</p>
<p>Hope i can trust you with the overpayment? Your Honesty and transparency will be appreciated”</p>
<p>The email also included the FedEx tracking information, with my friend’s address. Looking up the shipping address on <a href="http://maps.google.com/maps?hl=en&amp;sugexp=ldymls&amp;pq=2330+contra+costa+blvd&amp;xhr=t&amp;q=2330+Contra+Costa+Blvd+California&amp;cp=33&amp;qe=MjMzMCBDb250cmEgQ29zdGEgQmx2ZCBDYWxpZm9ybmlh&amp;qesig=2TNdF4N1QIPRzs6SWRFerQ&amp;pkc=AFgZ2tnL3ndGh9hdsnVcf4qspP6-pMHONeP5TPfGbKU_xhrVmxDH_">Google maps</a> reveals an office building, which most likely has some vacancies. The  scammer probably has some connection to the building, allowing for  anonymous shipments.</p>
<p>Craigslist could prevent the majority of these scams easily by using <a href="http://www.iovation.com/online-retail/">device reputation management</a>. Many Craigslist scammers based in Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, the Philippines, and Malaysia spend their days targeting consumers in the developed world. But real-time device reputation checks, such as those offered by iovation, can detect computers that have been used for auction fraud and expose all of the accounts associated with the suspicious device or group of devices. This provides Craigslist and other websites with the opportunity to instantly shut down sophisticated fraud rings and thousands of fraudulent accounts.</p>
<p>Robert Siciliano, personal security and identity theft expert contributor to <a href="http://www.iovation.com/">iovation</a>, discusses <a href="http://www.youtube.com/watch?v=aOM1Bsbq3Uk">scambaiting</a> on Fox News. (<a href="http://ow.ly/1bdMH">Disclosures</a>)</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2011/06/04/craigslist-scammers-ship-checks-via-fedex/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>U.S. Amplifies Fight Against Cyber Crime</title>
		<link>http://blog.iovation.com/2009/12/23/obama-appoints-howard-schmidt/</link>
		<comments>http://blog.iovation.com/2009/12/23/obama-appoints-howard-schmidt/#comments</comments>
		<pubDate>Thu, 24 Dec 2009 00:01:34 +0000</pubDate>
		<dc:creator>Jon Karl</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Gaming]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[Howard Schmidt]]></category>
		<category><![CDATA[Online Fraud]]></category>
		<category><![CDATA[online security]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=1434</guid>
		<description><![CDATA[Yesterday, President Obama took an important step toward putting cyber security front and center by appointing Howard Schmidt as cyber security coordinator. Not only will this significantly aide in advancing the current administration’s cyber security initiatives—it’s also a critical step forward in the private sector’s fight against cyber crime. Given the impact that cyber crime [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday, President Obama took an important step toward putting cyber security front and center by appointing <a href="http://www.bankinfosecurity.com/articles.php?art_id=2022&#038;rf=122209eb" target="_blank">Howard Schmidt as cyber security coordinator</a>. Not only will this significantly aid in advancing the current administration’s cyber security initiatives—it’s also a critical step forward in the private sector’s fight against cyber crime.</p>
<p>Given the impact that cyber crime has on our economy, online businesses especially have a lot riding on the success of these government initiatives. A recent report from LexisNexis estimates that <a href="http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&#038;newsId=20091109005315&#038;newsLang=en" target="_blank">U.S. businesses lose $191 billion annually from computer related crimes</a>. This is why Mr. Schmidt’s combined experience in both government and the private sector will hopefully be an important asset, allowing him to simultaneously understand the issues currently facing businesses and be able to cut through the red tape on Capitol Hill to make real change happen.<span id="more-1434"></span></p>
<p>Of his appointment, Mr. Schmidt remarked:</p>
<blockquote><p>Because ultimately no one—not government, not the private sector, not individual citizens—can keep us safe and strong alone. When it comes to cyber security, our vulnerability is shared. I’m committed to bringing all these stakeholders together around a new, comprehensive cyber strategy that keeps America secure and prosperous.</p></blockquote>
<p>The President and Mr. Schmidt clearly see eye-to-eye regarding the importance of cyberspace on our economy, homeland security, and the U.S.’s ability to remain competitive in a global economy. More importantly, by appointing Schmidt, President Obama is following through on his remarks about securing our nation’s cyber infrastructure: “America’s economic prosperity in the 21st century will depend on cyber security. For all these reasons, it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.”</p>
<p>For government and online businesses alike, protecting sensitive information is a shared obligation and needs to continually be addressed. I’m glad President Obama and Mr. Schmidt understand this. I hope that they are successful in leading a coordinated effort to combat this threat. With our personal experience in stopping literally millions and millions of online fraudulent transactions, <a href="http://www.iovation.com/company/" target="_blank">iovation understands the seriousness of cyber crime</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2009/12/23/obama-appoints-howard-schmidt/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Theft of Personal Data Extends to One-Time Passwords</title>
		<link>http://blog.iovation.com/2009/09/03/theft-of-personal-data-extends-to-one-time-passwords/</link>
		<comments>http://blog.iovation.com/2009/09/03/theft-of-personal-data-extends-to-one-time-passwords/#comments</comments>
		<pubDate>Thu, 03 Sep 2009 16:32:54 +0000</pubDate>
		<dc:creator>Max Anhoury</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Gaming]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[Clampi Trojan]]></category>
		<category><![CDATA[hackers]]></category>
		<category><![CDATA[infected computer]]></category>
		<category><![CDATA[multi-factor authentication]]></category>
		<category><![CDATA[online security]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=642</guid>
		<description><![CDATA[When it comes to protecting online accounts, multi-factor authentication—especially the use of tokens—has been considered the strongest protection against password theft and account takeover. A recent article from the NY Times, How Hackers Snatch Real-Time Security ID Numbers, explains the lengths that online criminals will go to in order to steal personal information and take over [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-medium wp-image-646" title="Real time passwords stolen by hackers" src="http://blog.iovation.com/wp-content/uploads/2009/08/iStock_password-300x199.jpg" alt="Real time passwords stolen by hackers" width="300" height="199" /> When it comes to protecting online accounts, multi-factor authentication—especially the use of tokens—has been considered the strongest protection against password theft and account takeover. A recent article from the NY Times, <a href="http://bits.blogs.nytimes.com/2009/08/20/how-hackers-snatch-real-time-security-id-numbers/" target="_blank">How Hackers Snatch Real-Time Security ID Numbers</a>, explains the lengths that online criminals will go to in order to steal personal information and take over accounts.</p>
<p>In the article, they explain a scenario involving an infection called the <a href="http://www.symantec.com/security_response/writeup.jsp?docid=2008-011616-5036-99" target="_blank">Clampi trojan</a>, but the success of an account theft or takeover isn’t dependent on any specific trojan. All it takes is some method of infecting a computer in order to provide real time data from that computer back to the online criminal. The NY Times article details the way a trojan spreads and watches for ideal account targets.<span id="more-642"></span></p>
<blockquote><p>“When people visit Web sites that have been taken over by the hackers, the software is surreptitiously downloaded onto their machines. Clampi has an unusual feature that can take advantage of a vulnerability in Windows and spread itself to all of the computers on a corporate network. Mr. Stewart found that each of those machines, in turn, was programmed to notice when their users visited any of 4,600 specified Web pages, including banks, brokerages and other sorts of sites.”</p></blockquote>
<p>The way the attack works is that any time a user logs into their online bank from an infected computer, the trojan recognizes this and sends account information, including one-time passwords, back to the criminal in real time. The criminal can then use this information to log into the stolen account from his own computer or from a remote session on the infected computer. As unlikely as this sounds, we know of confirmed incidents of this attack.</p>
<p>Does this mean that multi-factor authentication is a waste of time? Not at all. Using tokens is still a best practice for account protection and is far more secure than a simple account ID and password combination. Primarily, the use of these trojans simply highlights the increasing sophistication of criminals in collecting and using personal data for their own financial gains. We have highlighted that online crime is far beyond curious kids and is now big business. Criminals are coordinating their efforts, working together, sharing tools and targeting the personal and account data that they need to be successful.</p>
<p>All this should be a reminder that, when it comes to security, companies should be working together—sharing techniques and information, and diversifying their defenses to meet this serious threat. Going it alone online is a losing proposition long term.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2009/09/03/theft-of-personal-data-extends-to-one-time-passwords/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

