
As urban myths go, this one is a beauty: some time ago, a large African nation introduced a biometric element to the delivery of its welfare payments. Beneficiaries, so the story goes, were fingerprinted at enrolment and then had to swipe their right index finger at an ATM every time they claimed their weekly payment.
Human nature being what it is, some unscrupulous individuals decided a good way to defraud the system would be to murder people, cut off their right index fingers and use these to claim additional payments.
Fact or fiction, this grisly story is a salutary tale of the lengths some people will go to in order to subvert a system, and of the need for financial institutions to stay several steps ahead of the criminal fraternity when it comes to data security and fraud.
It's no secret that financial institutions are great movers and repositories of sensitive and valuable data, which makes them an attractive target for criminals. According to software company Symantec, financial institutions are among the most frequently targeted industries, and the severity of fraud against them is often greater because they are targeted for profit rather than as a nuisance.
Globally, there's little doubt that financial institutions are struggling to keep pace with the increasing frequency and severity of information security risks and online fraud. Indeed, security and fraud management is one of the top 10 strategic IT priorities identified worldwide by research company Financial Insights, while recent studies indicate that security-enhancement technologies, data warehousing and content/document management technologies are among the top investment priorities for European banks.
It's a sentiment shared by Allen Chilver, Senior Consultant - Advisory at PricewaterhouseCoopers (PwC) who says European financial institutions' data security faces attack on four fronts.
"There's the loss of data from staff or customers that creates a data protection breach, as well as the loss of customer identification credentials that facilitate unauthorised payments from customer accounts such as card and other channels including the internet and telephone banking," says Allen. "Two additional threats are the loss of data that exposes a bank's trading positions, which allows competitors to trade against them knowing what their trading positions are, and the loss of the bank's own confidential data which may compromise its strategic plans."
The key issues behind such data loss are often "depressingly mundane" rather than high-tech, says Chilver. They include data leakage through insecure systems, often not the bank's own, and leakage by dishonest staff, particularly in UK and overseas-based call centres, where low pay and high staff turnover can be an unfortunate combination.
"We know that criminal gangs will actively place people working for them in call centres with the deliberate intent of retrieving confidential data. It's becoming more prevalent and has put the focus onto staff recruitment screening techniques to target those issues."
Significant amounts of data can also be lost through an institution's own lax processes, such as inadequate waste disposal or careless transport and handling of information.
Of these, the fraudulent practices that attract the most visible mitigation effort are card fraud and internet fraud, the latter dominated by 'phishing'.
Matia Grossi, Research Manager for Physical Security at Frost & Sullivan, says phishing involves trying to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication exchange. "Communications pretending to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public," says Grossi. "Phishing is typically carried out by e-mail and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one."
Phishing is also carried out over the telephone, where the caller asks for the victim's bank details or asks them to 'verify' their personal identification number (PIN).
"Despite banks continually telling customers never to give their details over the phone, they still do. One European bank recently conducted a fake trial where it rang customers and asked them for their PIN and something like 20 out of 100 people gave their details straight away."
Surprisingly, there is little difference between European nations when it comes to banking fraud.
"Take the credit card area, for example, which is a global issue," says Chilver. "Any bank anywhere could potentially find itself in a position where its card data was being compromised because the point of compromise isn't necessarily linked to the bank nor to the country in which the bank operates. In many cases, internet banking fraud is perpetrated overseas perhaps in Eastern Europe or in South East Asia."
One of the major strides made by banks in the past few years in the fight-back against payment fraud has been the introduction of chip and PIN technology. Chilver estimates this has reduced the incidence of such fraud from around 18 basis points of turnover in 2001 to 12 basis points in 2008.
"Basically we're talking about combating the physical counterfeiting of cards. It's possible to skim, or illicitly take a copy of the magnetic stripe data on a card and transfer that onto a counterfeit card that can then be used at the point of sale. If you could also compromise the customer's PIN, you could then use the card in an ATM. What chip and PIN technology has done is to introduce a much more sophisticated way for the card to prove that it's genuine - ie data authentication."
There are two types of data authentication, Static Data Authentication (SDA) and Dynamic Data Authentication (DDA). With SDA, the issuer signs selected data on the chip, and the point-of-sale terminal or ATM validates that signature using public key cryptography (the terminal holds the card scheme's public key, which in turn certifies the issuer's key). The signature is pre-calculated by the bank and written to the chip, so it is always the same: a counterfeiter can read it from a genuine card and play it back from a counterfeit card, and the terminal has no way to tell the copy from the original.
DDA instead calculates a different digital signature for each transaction, using a private key held inside the chip and a random challenge (the "unpredictable number") chosen by the terminal. That makes it a much stronger authentication mechanism: copying the readable data on the card does not yield the private key, and a recorded signature will not match a fresh challenge, so replaying skimmed chip data fails. What DDA proves is that the chip is genuine; it does not by itself prevent fraud in which no card is presented at all.
Initially, most European-issued chip cards used static authentication, mainly because of the time taken to personalise each card (producing a DDA card is around eight times slower than producing an SDA card) and the cost of chips, which need an additional cryptographic component to calculate the signature. However, costs are coming down, and Chilver says the card schemes Visa and MasterCard have already mandated that their members use DDA for all offline-capable cards issued after 1 January 2011.
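The difference between a static signature that can be replayed and a dynamic one that cannot, as an added illustration that is not code from the article, PwC or any card scheme: a toy model in Python in which textbook RSA on fixed Mersenne primes and SHA-256 stand in for EMV's key sizes and ISO 9796-2 signature format, the scheme CA layer above the issuer key is omitted, and the card record, key pairs and challenge values are all constructed for the example. The terminal functions, the skimmed clone and the `ReplayingClone` class are assumptions of this model, not EMV terminal or card code.

```python
"""Toy model of EMV static (SDA) versus dynamic (DDA) data authentication.
Illustration only: small textbook RSA keys, SHA-256 instead of ISO 9796-2,
no scheme CA above the issuer key. All card data below is constructed."""
import hashlib
import secrets

E = 65537


def make_keypair(p, q, e=E):
    """Textbook RSA keypair; p and q are primes with gcd(e, (p-1)(q-1)) == 1."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest(n, data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):
    n, d = priv
    return pow(_digest(n, data), d, n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(n, data)


def encode_pub(pub):
    n, e = pub
    return n.to_bytes(32, "big") + e.to_bytes(3, "big")


# Issuer key (signs card data at personalisation) and one card's own ICC key.
# Mersenne primes 2^61-1, 2^89-1, 2^107-1, 2^127-1 avoid prime generation.
ISSUER_PUB, ISSUER_PRIV = make_keypair((1 << 61) - 1, (1 << 89) - 1)
ICC_PUB, ICC_PRIV = make_keypair((1 << 107) - 1, (1 << 127) - 1)

# Constructed sample of the static application data a chip card carries.
STATIC_DATA = b"PAN=4111111111111111;EXP=1227;SEQ=01"


def personalise_sda_card():
    """SDA: the issuer pre-computes one signature over the static data and
    writes it to the chip. Every transaction presents exactly the same bytes."""
    return {"static": STATIC_DATA, "ssad": sign(ISSUER_PRIV, STATIC_DATA)}


def personalise_dda_card():
    """DDA: the chip carries its own public key, certified by the issuer, and
    keeps the matching private key (ICC_PRIV) inside the secure element."""
    return {"static": STATIC_DATA, "icc_pub": ICC_PUB,
            "icc_cert": sign(ISSUER_PRIV, encode_pub(ICC_PUB))}


def skim(card):
    """Everything readable over the card interface can be copied byte for byte."""
    return dict(card)


def terminal_sda(card):
    """Terminal-side SDA check: verify the issuer signature. Nothing in the
    exchange is fresh, so a copied chip passes exactly like the original."""
    return verify(ISSUER_PUB, card["static"], card["ssad"])


def genuine_dda_response(card, un):
    """What a genuine chip does: sign static data plus the terminal's challenge."""
    return sign(ICC_PRIV, card["static"] + un)


class ReplayingClone:
    """Counterfeit built from skimmed DDA data plus one signature observed in an
    earlier transaction. Without ICC_PRIV it can only replay that signature."""

    def __init__(self, card, observed_un):
        self.card = skim(card)
        self.captured_sig = genuine_dda_response(card, observed_un)

    def respond(self, un):
        return self.captured_sig


def terminal_dda(card, respond, rng=secrets.token_bytes):
    """Terminal-side DDA: check the ICC certificate against the issuer key,
    then demand a signature over a fresh 4-byte unpredictable number."""
    if not verify(ISSUER_PUB, encode_pub(card["icc_pub"]), card["icc_cert"]):
        return False
    un = rng(4)
    return verify(card["icc_pub"], card["static"] + un, respond(un))


def demo():
    """Run each case and return whether the terminal accepted the card."""
    sda_card = personalise_sda_card()
    dda_card = personalise_dda_card()
    clone = ReplayingClone(dda_card, observed_un=b"\x11\x22\x33\x44")
    fresh = lambda k: b"\xaa\xbb\xcc\xdd"   # a different challenge this time
    same = lambda k: b"\x11\x22\x33\x44"    # a terminal reusing the old challenge
    return {
        "sda_genuine": terminal_sda(sda_card),
        "sda_clone": terminal_sda(skim(sda_card)),   # static replay is accepted
        "dda_genuine": terminal_dda(
            dda_card, lambda un: genuine_dda_response(dda_card, un)),
        "dda_clone_fresh_un": terminal_dda(clone.card, clone.respond, rng=fresh),
        "dda_clone_same_un": terminal_dda(clone.card, clone.respond, rng=same),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} {'ACCEPTED' if ok else 'REJECTED'}")
```

The last case is the caveat worth remembering: DDA only defeats replay while the terminal's challenge is genuinely unpredictable. A terminal that reuses or reveals its unpredictable number lets a recorded signature pass, which is why the quality of the terminal's random number source matters as much as the card's private key.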
"It's important, though, to recognise that chip and PIN isn't a silver bullet. What it has done is to eliminate specific types of threat, but then the threat has simply shifted elsewhere, namely to card-not-present fraud which has expanded significantly since chip and PIN was implemented in the UK."
Likewise, in countries that don't use this technology, notably the US, card skimming remains a very real threat.
"The US doesn't have chip and PIN technology and may not adopt it because of the sheer complexity of getting thousands of merchants, third-party processors and other stakeholders who don't come under a single regulatory umbrella and who may not have any kind of financial incentive to adopt this technology."
When it comes to delivering sensitive security information such as PINs and other credentials, mail is still the preferred channel for most financial institutions. This, of course, leaves such information vulnerable to mail intercept. "Banks will normally use tamper evident documentation, but even then they are well aware of the threat of mail interception particularly with certain destinations such as shared accommodation which history tells us are particularly vulnerable to mail intercept."
Online banking is, however, increasingly challenging mail as banks' preferred channel to communicate statements, payments and servicing information to customers where, says Chilver, the security issue is serious enough for larger banks to deploy security units devoted full time to counter the threat. "The basic need is for some kind of trusted way to achieve a relationship with the customer and communicate with them. The issue is how to achieve that other than through some kind of physical means of transfer."
Step on up, biometrics. Many banks have either dabbled in, or are enthusiastic users of, biometrics as a form of online security and although they've been around for some time, the big hitters remain fingerprint and voice recognition because of their ability to identify customers without requiring those customers to do too much.
"Of course, there is the initialisation or registration process that requires a physical interaction between the customer and the bank. But once that is completed, having your voice or fingerprints on your credit card can support a virtual relationship that may extend long into the future."
The same applies to voice authentication, where customers can speak to an ATM, a phone or a teller without the need for signature verification. The aim is that, at every point of contact, the relationship between the bank and its customers becomes easier and less time consuming.
However, both Chilver and Grossi say full implementation of voice authentication is still some way off.
"There's an awful lot of downstream technological changes that have to happen in order to translate this into reality," says Grossi. "For example, you need technology in every branch as well as a considerable amount of back-end infrastructure to be able to record voices, turn them into a digital pattern and compare them to a voice on a database."
And then there's the issue of speech/voice interpretation. Says Chilver: "You have to get this right before you use voice authentication. So I'd want to know that the bank understands and clearly interprets what I'm saying to them before I use voice authentication. This creates huge security issues for banks because they need to be very, very sure that they reliably authenticate genuine customers before a transaction takes place."
Likewise, when customers phone their banks over the internet (Voice over Internet Protocol, or VoIP), the call is not routed through the traditional telephone exchange but over the internet. "VoIP uses open internet protocols and was never designed with security in mind, so it presents all sorts of challenges for both banks and customers. All manner of interception and call-spoofing techniques are now happening over the internet, and these have serious consequences for how to manage these risks."
Another new-generation technology aimed at making life easier for the customer and the bank, and harder for the fraudster, is the contactless ATM, which can, for example, be accessed via a mobile phone. This could do away with the need for the customer to collect something physical from the bank, because the bank can provision the necessary credentials directly to the customer's own mobile phone.
"Instead of inserting a card and tapping out a PIN you do the actual authentication using your mobile phone while you're waiting in the queue waiting to withdraw cash. Then when you get to the front of the queue, instead of inserting a card all you do is tap your mobile phone on the contact-less pad on the ATM and it dispenses your cash."
Of course the drawback is the cost of technology for each ATM, which runs to around £1000. But Chilver predicts that as the price per unit drops, touch-screen ATMs could go the way of Tyrannosaurus Rex.
Contactless cards are also the next big thing, and they are already being deployed by Barclays Bank in the UK. Any debit card you now get from Barclays has contactless capability, so the user doesn't physically have to insert it into a device in order to make a payment. They just tap the card on a reader and key in the PIN.
One security-based technology still in the nascent stage of development that has experts excited is DNA biometrics. According to Grossi, this has huge potential for large-scale applications in the next 15-20 years.
"The integration of iris and retina recognition biometric systems and 2D and 3D face recognition systems is anticipated to gain widespread adoption in the next seven to 10 years because of their low error rates. Multimodal biometrics such as fingerprint, face and iris are expected to become the standard biometric for high-end applications in government, border control and airport security by 2020. And the banking sector probably won't be too much further behind..."