
I teach a class where students are asked to develop scenarios for attacking the economies of the Western world. The point is to conceive of potential solutions to mitigate those threats and not the actual overthrow of the established powers. This is not an exercise in scripting Hollywood disaster movies but rather an analysis of many information sources and factors to develop a set of credible circumstances, along with identifiable indicators, that would predict the occurrence of such a situation.
Recent events appear to be conspiring to create the factors indicative of triggering one such scenario.
Attacking the electronic representation of wealth
A loss of the public’s confidence in the electronic representation of their wealth is just a new twist on an old situation, a ‘run on the bank’. Some people prefer hard cash or property, but most of us blindly accept a statement or online balance as being as good as, or better than, sitting on an equivalent pile of cash. Is there a set of circumstances that would shatter that confidence, with severe consequences for our economies?
In our scenario there are three key macro level factors needed:
There are also inhibiting factors to consider, which would prevent effective identification and response to the threat. For example:
The collapse of the US sub-prime mortgage business and the investment vehicles that funded them, along with the resultant credit squeeze and impending foreclosures are shaking the confidence of international investors in the US market. This comes on top of sagging US consumer confidence brought on by the decline in value of most people’s largest asset: their home. Consumers are left particularly sensitive to a threat against the integrity of their electronically accessible liquid assets. Further negative news just lowers the tipping point at which the public’s loss of confidence in the financial system turns to widespread panic.
Consumers’ home PCs, the weak link
In the last two years US consumers lost more than US$7 billion to cyber-crime, according to a study by Consumer Reports magazine. Based on a survey of 2030 internet-connected homes, 1.8m households were estimated to have replaced their PCs in the last two years due to virus infections and 850,000 replaced their PCs in the last six months due to spyware infestations. The study concludes that your chances of becoming a cyber-victim are about one in four. Security-conscious Europeans may not have fared much better, as there is evidence that they are increasingly targeted by fraudsters.
That so many people still fall victim to e-mail-based fraud is as much a testament to the craftiness of the criminals as it is to the end-users’ gullibility. At some level of fraudulent activity, consumers lose confidence in the banks’ ability to protect their online accounts. At some level of fraud, financial institutions will not make their customers whole, especially if the exploit originates from the customer’s PC and results from their actions or inactions.
Established practice for securing online accounts has been to issue customers with what is called strong authentication, or two-factor authentication. Typically this is a small physical device, which displays numbers that change. These numbers are added to the password needed to access the account, so only the person with the password and the physical device can get in. This approach is part of the guidelines issued in the US by the FFIEC (Federal Financial Institutions Examination Council) and is favoured by European regulatory bodies like the FSA and by industry groups like the Jericho Forum.
Unfortunately, the criminals have figured out how to withdraw your funds without needing your two factors, fingerprint or picture of your cat. Once a PC is compromised, the browser can be modified via a malicious plug-in. This causes the browser to send hidden fraudulent transactions after the legitimate user has signed in, provided all the correct passwords and passed all the bank’s login checks. The browser plug-in can modify the legitimate target website on the fly, altering displayed pages (such as account balances). A major UK bank had to warn customers about fake web pages that could be inserted after they had signed in, asking for critical information such as the PIN. Once the browser is compromised, it can modify a legitimate payment instruction: you may have typed ‘pay the florist £50’, but the bank will receive a different instruction without your knowledge. This form of attack (or ‘exploit’, in security speak) is known as a man-in-the-browser attack, or more generically as a man-in-the-middle attack.
In the current environment, depending on the security and integrity of the home PC is a fatal flaw for any organisation that does electronic business with the public. One institutional risk-management strategy is simply not to take ownership of that loss: although there are certain statutory protections for consumers in the event of fraud, they are limited in scope and duration.
Another approach is to use transaction anomaly detection. The premise of this concept is that fraudulent transactions do not match the established history for a given customer, or are otherwise clearly identifiable as suspicious. For example, paying the florist £50 is normal; sending £10,000 to Russia is not. While this technique can be an effective part of an overall security model, it has some downsides: it can erroneously block legitimate requests, and it can accept legitimate-looking but still fraudulent transactions.
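To make the trade-off concrete, here is an added example (not from the article or any bank’s system) of a toy anomaly scorer. It compares a new payment with a customer’s constructed history on three simple signals: an unknown payee, an unknown destination country, and an amount far above the customer’s usual spend. The thresholds, the sample history and the payee names are assumptions for illustration. It reproduces both downsides the text mentions: a genuine but unusual holiday payment is held, while a small fraudulent payment to a new UK payee slips through.

```python
"""Toy transaction-anomaly scorer (added example, not from the article).

Scores a new payment against a customer's constructed history using
three signals: unknown payee, unknown destination country, and an
amount far above the customer's usual spend. Thresholds and sample data
are assumptions for illustration only.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    payee: str
    amount_gbp: float
    country: str  # ISO country code of the destination account (assumed)


# Constructed history for one customer: small, regular UK payments.
HISTORY = [
    Payment("florist", 50.0, "GB"),
    Payment("florist", 45.0, "GB"),
    Payment("electricity", 120.0, "GB"),
    Payment("electricity", 118.0, "GB"),
    Payment("grocer", 80.0, "GB"),
    Payment("grocer", 95.0, "GB"),
]

# A payment scoring at or above this is held for verification (assumed).
REVIEW_THRESHOLD = 2
# Amount signal fires when the payment is this many standard deviations
# above the customer's mean spend (assumed).
AMOUNT_Z_LIMIT = 3.0


def score_payment(p: Payment, history: list[Payment] = HISTORY) -> tuple[int, list[str]]:
    """Return (score, reasons); a higher score means more suspicious."""
    reasons: list[str] = []
    known_payees = {h.payee for h in history}
    known_countries = {h.country for h in history}
    amounts = [h.amount_gbp for h in history]
    mu = mean(amounts)
    # Floor the deviation so a very uniform history cannot divide by zero.
    sigma = max(pstdev(amounts), 1.0)

    if p.payee not in known_payees:
        reasons.append("new payee")
    if p.country not in known_countries:
        reasons.append("new destination country")
    if (p.amount_gbp - mu) / sigma > AMOUNT_Z_LIMIT:
        reasons.append("amount far above history")
    return len(reasons), reasons


def decide(p: Payment) -> str:
    """'hold' sends the payment for out-of-band confirmation; 'allow' lets it through."""
    score, _ = score_payment(p)
    return "hold" if score >= REVIEW_THRESHOLD else "allow"


if __name__ == "__main__":
    cases = [
        Payment("florist", 50.0, "GB"),            # normal: allow
        Payment("unknown-account", 10000.0, "RU"), # the article's fraud: hold
        Payment("travel-agent", 2000.0, "ES"),     # genuine holiday: held (false positive)
        Payment("new-shop", 60.0, "GB"),           # small fraud to new payee: allowed (false negative)
    ]
    for c in cases:
        print(c, "->", decide(c), score_payment(c)[1])
```

Note that the last two cases are exactly the two failure modes the text describes; the scorer alone cannot tell a holiday booking from a fraud, which is why the article treats anomaly detection as one layer rather than a complete model.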
Thus, the conclusion from the threat scenario planning exercise is that a new security model is needed for online financial transactions, one that specifically does not assume the integrity of the operating system, browser, or security software of the remote computer.
If you do not trust the integrity of a platform or delivery channel, then prudence dictates that you verify with the customer that the instructions received are in fact the ones intended. You should not use the same platform or channel for the verification process, for the very reason you need the confirmation in the first place. That is a benefit of mailing paper statements to the address of record. However, to be effective in preventing fraud, the verification system needs to be faster than the transaction settlement window (the time it takes the fraudster to get the funds). This makes the telephone, rather than the post, an ideal verification channel.
An emerging security technology, out-of-band (OoB) verification, may be our best hope in combating determined cyber-criminals who have now discovered how to bypass existing security, thereby undermining confidence in the whole financial system. An automated telephone-based verification system can confirm the identities of both the customer and the system itself to prevent mimicking, and, using a text-to-speech engine, read back the transactions for confirmation. Technology leader Validsoft (www.validsoft.com) utilises additional layers of protection by using voice biometrics to further confirm the client.
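The following is an added example, not the article’s or any vendor’s code, that simulates the whole exchange: the man-in-the-browser tampering described earlier (modelled as a simple substitution of the instruction, not browser code) and the out-of-band read-back just described. The bank stores the instruction exactly as it received it, reads that back over a second channel (here a Python call standing in for the telephone), identifies itself with a phrase the customer registered earlier, and executes only on the customer’s answer given within the settlement window. The registered phrase, the reference format, the timeout and the sample payments are assumptions for illustration.

```python
"""Simulated out-of-band (OoB) transaction verification.

Added example, not the article's or any vendor's code. The browser may
alter a payment after login; the bank reads back what it actually
received on a separate channel and acts only on the customer's answer.
The phone channel is simulated in-process; the registered phrase,
reference format, timeout and sample data are assumptions.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Instruction:
    payee: str
    amount_gbp: float


class CompromisedBrowser:
    """Stand-in for a man-in-the-browser: the customer sees and approves
    `intended`, but `substitute` (if set) is what reaches the bank.
    This models the effect only; it contains no browser manipulation."""

    def __init__(self, substitute: Optional[Instruction] = None):
        self.substitute = substitute

    def submit(self, intended: Instruction) -> Instruction:
        return self.substitute or intended


class Bank:
    """Holds received instructions until they are confirmed out of band."""

    SETTLEMENT_WINDOW_S = 30  # assumed: confirmation must beat settlement

    def __init__(self, customer_phrase: str):
        self.customer_phrase = customer_phrase  # registered by the customer earlier
        self.pending: dict[str, tuple[Instruction, float]] = {}
        self.executed: list[Instruction] = []

    def receive(self, instr: Instruction) -> str:
        """Store the instruction exactly as received and return the text the
        telephone system would read back. The reference ties the later
        answer to this instruction and no other."""
        ref = secrets.token_hex(4)
        self.pending[ref] = (instr, time.monotonic())
        return (f"{self.customer_phrase}. Please confirm a payment of "
                f"£{instr.amount_gbp:.2f} to {instr.payee}. Reference {ref}.")

    def answer(self, ref: str, approved: bool) -> str:
        instr, received_at = self.pending.pop(ref)
        if time.monotonic() - received_at > self.SETTLEMENT_WINDOW_S:
            return "expired"  # too slow to be useful; treat as not confirmed
        if approved:
            self.executed.append(instr)
            return "executed"
        return "rejected"


def customer_handles_call(intended: Instruction, phrase: str, call_text: str) -> bool:
    """The customer's side of the call: check the registered phrase is present
    (so this is the bank, not a mimic), then compare the read-back amount and
    payee with what they actually meant to send."""
    if not call_text.startswith(phrase + "."):
        return False
    expected = f"£{intended.amount_gbp:.2f} to {intended.payee}."
    return expected in call_text


def run_payment(bank: Bank, browser: CompromisedBrowser, intended: Instruction) -> str:
    """End-to-end flow: browser submits, bank calls back, customer answers."""
    received = browser.submit(intended)
    call_text = bank.receive(received)
    ref = call_text.rsplit("Reference ", 1)[1].rstrip(".")
    approved = customer_handles_call(intended, bank.customer_phrase, call_text)
    return bank.answer(ref, approved)


if __name__ == "__main__":
    intended = Instruction("florist", 50.0)
    clean = Bank("blue kettle")
    print(run_payment(clean, CompromisedBrowser(), intended))  # executed
    tampered = Bank("blue kettle")
    mitb = CompromisedBrowser(Instruction("mule-account", 10000.0))
    print(run_payment(tampered, mitb, intended))  # rejected
    print(tampered.executed)  # []
```

The point the simulation makes is that the login-time second factor is irrelevant here: both runs pass login. What stops the tampered payment is that the confirmation is bound to the transaction content as the bank received it, delivered on a channel the compromised browser cannot rewrite, and judged by the customer against their own intent.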
Implementing OoB requires integration with existing systems and complex telephony systems management skills to scale a real-time solution to a geographically dispersed customer base. In pursuing this strategy, firms may conclude that time to market and implementation risks favour utilising a managed service provider with the appropriate core competencies. Ideally, such a solution will not require maintaining their customers’ confidential data offsite.
What started as a scenario planning exercise has led to the identification of a powerful new weapon in our collective war against the clear and present danger to our financial system from unchecked cyber-crime. I predict that over the next two to three years, leading financial firms will adopt OoB verification for their high-risk transactions.
Lloyd Gauntlett Hession is Chief Security Officer of BT Global Financial Services.