Security Buzz Words | Money Mules

November 11, 2009 eric

An interesting article in Wired drew my attention to this post on the Internet Crime Complaint Center (IC3) website. Here’s the Cliff Notes version: bad people put malware consisting of remote control software and key loggers on a targeted business user’s computer. They gather IDs, passwords and other authentication data. The bad people then use the backdoor into the customer’s machine to initiate wire transfers and ACH transactions to (here’s that new buzz word) Money Mules, who have been duped into “work at home” schemes and are tasked with transferring the funds they receive to the offshore accounts of the aforementioned bad people.

Unfortunately we’ve seen this before. In fact, the only forms of fraud or security breaches we’ve seen have been this sort of activity, where the end user’s machine has been compromised and used to initiate wire transfers or ACH originations. Equally unfortunate, the recommendation from the IC3 and the guidance from federal and state regulators leave a huge gap that makes financial institutions and their customers vulnerable.

In the security biz we call that “residual risk” – that is, the risk or danger of something occurring after mitigating steps are applied. Here the mitigating steps suggested are signature-based intrusion detection and anti-virus systems (IC3) and, per the FFIEC, that financial institutions should implement multi-factor authentication, layered security, or other controls reasonably calculated to mitigate those risks. Those both sound great; the trouble, though, is that 1) effective IDS is hard to implement and usually expensive, and 2) the multi-factor authentication mechanisms provided by online banking vendors are woefully lacking in any reasonable means to authenticate users.

I hear the rebuttal from financial institutions all the time: “customers hate it”, “we have challenge questions and certificates placed on the user’s machine”, “we have a picture the user chooses” and “we’re using everything that the vendor provides”. I’ll focus on the 2nd and 3rd first; neither of these options mitigates the vulnerabilities identified. Certificates, challenge questions and site identification pictures have been in place where this type of fraudulent activity has occurred. The bottom line is this: if an attacker has access to a user’s machine, those types of authentication measures are easily defeated.

The first and last rebuttals we hear (customer acceptance and vendor-supplied options) come down to two things: educating your customers, explaining that authentication measures are imposed for their protection; and taking ownership of the risks presented by the offerings you put in front of those customers.

So what’s the mitigation strategy that bridges the gap? Evaluating true second-factor authentication for high risk transactions. In every instance we’ve come across, the use of RSA-style tokens for authentication would have prevented the attacker from gaining access to the customer’s online banking accounts. Does your financial institution have business customers that initiate wires and ACH transactions from their workstations? Are you prepared to assume the risk of lost funds and the resources required to address such a breach? If you don’t offer true second-factor authentication for high risk clients, maybe it’s time to address that residual risk.
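To make concrete the difference between stacked knowledge-based checks and a true second factor for high-risk transactions (the point of this post and of the first comment below), here is an added example of a server-side transaction policy; it is not code from the original post. HOTP from RFC 4226 stands in for the proprietary RSA token algorithm, and the password, challenge answers, token seed and transaction types are constructed values.

```python
import hashlib
import hmac
import struct

# Constructed enrollment data for one business customer (not real credentials).
PASSWORD = "Spring2009!"
CHALLENGE_ANSWERS = {"first pet": "rex", "first car": "buick"}
TOKEN_SEED = b"12345678901234567890"  # RFC 4226 test-vector seed as a stand-in token secret
HIGH_RISK_TYPES = {"wire", "ach"}

def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TransactionAuthorizer:
    """Knowledge factors gate every request; wires and ACH also need a fresh token code."""

    def __init__(self, look_ahead: int = 3) -> None:
        self.expected_counter = 0     # next token counter the server will accept
        self.look_ahead = look_ahead  # tolerance for codes the user generated but never sent

    def authorize(self, txn_type: str, password: str, answers: dict, otp: str = "") -> str:
        # Password and challenge answers are both "something you know": a keylogger on the
        # customer's workstation captures them once and they stay valid when replayed.
        if password != PASSWORD or answers != CHALLENGE_ANSWERS:
            return "denied: credentials"
        if txn_type not in HIGH_RISK_TYPES:
            return "approved"
        # "Something you have": each code is accepted once, then the expected counter moves
        # past it, so a code captured from the keyboard cannot be submitted a second time.
        if not otp:
            return "denied: token code required"
        for c in range(self.expected_counter, self.expected_counter + self.look_ahead):
            if hmac.compare_digest(hotp(TOKEN_SEED, c), otp):
                self.expected_counter = c + 1
                return "approved"
        return "denied: invalid or already-used token code"

def run_scenario() -> list:
    """A legitimate wire with a fresh code, then the same captured data submitted again."""
    auth = TransactionAuthorizer()
    fresh_code = hotp(TOKEN_SEED, 0)  # the code the token displayed to the real user
    return [auth.authorize("balance", PASSWORD, CHALLENGE_ANSWERS),           # low risk, no token
            auth.authorize("wire", PASSWORD, CHALLENGE_ANSWERS),              # token missing
            auth.authorize("wire", PASSWORD, CHALLENGE_ANSWERS, fresh_code),  # legitimate user
            auth.authorize("wire", PASSWORD, CHALLENGE_ANSWERS, fresh_code)]  # replay of captured data
```

Because the code is not bound to the payee or amount, a man-in-the-browser that alters the transaction after the user types a valid code still gets through, which is the gap the first comment describes; binding the code to the transaction details (transaction signing) is what closes it.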

  • bk127001
    Some really great points. I am always surprised when fraud and security professionals confuse multi-layered authentication with multi-factor authentication. "Something you know" four times is not the same level of authentication as "something you know" and "something you have."

    The cat and mouse game we play between fraudsters, bankers and vendors keeps us all on our toes - we're starting to see man-in-the-browser attacks that circumvent the two factor authentication provided by RSA tokens. I think there is a long way to go in intelligently leveraging multi-factor, multi-layered risk based authentication and security methods to fight these frauds. There is no silver bullet, but a need to coordinate cost and security effective strategies.
  • Heath
    I challenge anyone to go into a Financial Institution that has been breached in a 'money mule' type attack and see if they aren't at least investigating tokens for use on online banking sessions. All the financial institutions that I have seen breached are using tokens now.