It’s a tough road for the banking industry, especially when malware, fraud and the customers’ you-better-not-get-in-my-way mentality all converge.
Add in the new attacks, new vendors and new solutions that seem to constantly hit the market, and you end up with an industry often wasting its time, energy and resources, at least according to David Britton, vice president of industry solutions at 41st Parameter.
“The banks end up spending an enormous amount of time chasing the shiny object when other solutions will do much much better,” Britton said.
41st Parameter has been fighting fraud since it was founded in 2004, and one of its core competencies is being able to recognize digital devices trying to transact online. It’s the mosquito net vs. sniper rifle analogy that Britton likes to use. You can either waste your time trying to swat every single mosquito that’s out there, or you can assume the world is full of mosquitoes, everything is compromised, and invest in a net that protects the assets.
“We have a really unique position because unlike a lot of vendors in the fraud detection space, we actually serve three different market verticals altogether. So one of the things that we have a bit of a unique perspective on is how the fraudsters tend to move, or are starting to move, across industry verticals,” Britton said. “That’s been really interesting to see how they’re evolving in the fraudster community.”
We chatted with Britton about fraud and malware in the banking industry, 41st Parameter’s approach of not chasing the shiny object, and the difficulty of security in an environment where minimizing customer friction is a cornerstone. Our edited conversation follows.
Since you guys have been dealing with fraud for so long, is there anything that stands out at the moment as a hot trend?
Malware is clearly a hot topic, particularly among the banks today, and malware as we see it has a couple of different flavors in terms of how you can solve the malware problem. … There are misconceptions about what malware is really designed to do these days. I think that a lot of people feel it is taking over victims’ machines left and right and attacking a victim’s account from the victim’s machine. And the evidence we’ve seen is the fraudsters don’t see that as a very scalable approach to theft because it requires somewhat opportunistic thinking – waiting for someone to either log into their account or only targeting a very specific individual with their specific account. What we typically find is really happening is most of the malware on the market today – whether it’s using man-in-the-browser tactics, whether it’s using things like session hijacking, whether it’s using things like HTML injection – in almost every case they are still simply harvesting credentials.
Now I say that as if it’s a simple thing to do. It’s not, but when it comes to how you protect against it, there are a lot of solutions that are coming on the market that purport to be able to prevent these sophisticated malware attacks. What we find is they may be able to stop a particular variant of an attack, but our approach is, listen, if it’s really credential theft and the use of those credentials that is the actual crime, then you’re better off coming up with a complete coverage being able to recognize when those credentials are used rather than trying to come up with a point solution against every malware variant.
You mentioned HTML injection, is that something you see growing and being used more by fraudsters?
The name HTML injection is starting to get used, although what we really like to think of it as is session manipulation by the malware, and what it basically purports to do is the following: if I can infect your machine as a victim, when you go to your bank to login, your bank will usually present you with a couple of form fields – a username field and a password field and maybe one or two other fields. … Because the malware is sitting in the browser, as a fraudster I can command it that if you go to a certain bank’s page, when the bank asks for two fields, I can modify the browser to ask for six more, right? So I can now ask you for your cell phone number. I can ask you for your email address. I can even ask you for some security question answers, and then I can harvest those as you post them back to the bank’s site. That’s what we’re talking about when we say HTML injection or session manipulation is I think a more accurate term. …
There are a lot of flashy new vendors coming up in the space that talk about how they’re detecting this kind of attack, and we just see a lot of challenges with them [in being effective]. Our approach has always been to recognize the device itself and see that there are signals from the device that indicate that the device has been modified, meaning it’s been infected. That’s one side of how we go about solving the problem. And then secondarily look at the usage. Who’s actually using the credentials? Is it the device that normally uses them or is it a totally new device, totally unfamiliar? So we think of malware more as a real generalist problem to solve, and the best way to solve it is by recognizing the digital consumer when they come back and try to transact.
What about the recent attacks against NatWest bank? Was that using HTML injection?
That’s almost more of a traditional phishing-site attack. There was some complexity to it from how they may have been routing the browser to the different page. That may even be what they call a DNS poisoning, right, where you type in one thing in a URL and it takes you to a different place. The other thing that NatWest suffered from was simply distributed denial of service. That was a huge piece of it where people simply couldn’t access, and that to me doesn’t require malware at all. That’s just the fraudsters recruiting a botnet from the local university labs where they’ve got a thousand computers at their disposal and then overwhelming the site with traffic. And that was the best possible scenario from a fraudster’s perspective. You do a one-two punch where you do a denial of service on the legitimate site to disrupt traffic while also poisoning DNS or doing something to route people to another place.
Now, again, all of this, as you rightly pointed out, was for them to be able to obtain credentials or other details, knowledge-based answers. They’re simply harvesting data. What I get concerned with is the industry is spending so much time trying to solve edge cases when what we’re really talking about is stolen credentials being used by who knows whom from whatever device they choose and getting in scot-free because they’re not employing what is possible, technology-wise, in terms of device recognition.
Many have said that simple two-factor authentication could stop a lot of these attacks, and yet it isn’t being widely used, and now I’m seeing some next year predictions that are essentially saying two-factor is dead as a secure method before it’s really had a chance to take off. Any thoughts on that?
The society we live in, particularly in the western world, particularly in North America, is all about minimizing the friction with the consumer at any point in their online life cycle with you as an organization. … There’s a customer friction element that two-factor authentication flies in the face of, and depending on the method of two-factor authentication, there are good methods, and there are non-good methods. Part of the concern with two-factor authentication is that unless you can recognize who it is that’s presenting those second-factor credentials, it’s as good as a password. It’s just another password. If the one-time password has been compromised and the wrong person is presenting it, then your two-factor has done nothing. …
Our entire business and our entire offering lives under the premise that all of that front-door stuff has been compromised. … So that combined with things like the big security breach with RSA tokens in the last year and a half – there’s just a lot of concern about what all of this overhead in customer friction is really causing. So in our minds, those banks that can figure out a way to recognize their digital consumers, both the good ones and the ones that are trying to break into consumer accounts, those ones that can do that – recognizing the digital devices in an effective way that’s transparent to the end user and uses enough logic to it to be able to say, “We really understand who it is that’s transacting,” they’re going to be in a much better position when it comes to market growth, and everybody these days is all about market growth, channel growth.
So in your mind, it’s on the banks to provide a system that’s both frictionless and safe, and nothing is really on the individual consumer?
History has shown us quite clearly that anytime you depend on the consumer to adopt a security paradigm, you’re asking for trouble. And so whether it’s end-point security like we’ve seen – some vendors that have actually offered what seemed to be really sophisticated end-point security, meaning I can protect this victim’s device from malware as they go onto my bank and so on. The problem is the adoption rate is less than 10, 15 percent of the entire customer base. So relying on your consumer base to proactively defend net interaction is just asking for trouble.
That’s interesting because I thought we may be seeing trends going the other way. We’ve seen some lawsuits for commercial accounts holding them accountable for losses, and even with the NatWest story, for example, the bank initially said it was the consumers’ fault and that the bank was not liable. I thought with increased security options we may see a shift in liability towards the consumer.
There are always different rules for commercial banking than there are for retail banking. … If you look at the retail environment, the consumers like you and me, that’s the bulk of the market that’s driving the growth of a bank. How do you get new banking customers? You steal them from your competition. So those banks that have more fluid interactivity, less draconian measures I think are the ones that are going to win in the end and everyone else is going to be seen as a dinosaur frankly.
Any trends or predictions heading into next year?
Visa and everyone else has made the mandate now that everyone’s got to move to a chip-and-PIN kind of approach to prevent counterfeit cards from being used in the commerce world, not e-commerce, but the regular, transactional world. What we’ve seen is every other region that has deployed EMV has seen almost an instantaneous spike in the online transactional fraud related to credit card purchases because the EMV chip-and-PIN doesn’t work in a card-not-present environment like online. That’s one major issue that I see happening.
The next thing I think is we’re going to see more sophisticated ways of stealing credentials. There’s going to be new variants on the malware. There’s going to be new ways to exploit the mobile phone to be able to steal the data required to steal assets. We’re just going to continue to see more and more of the same, although with very creative ways to go about stealing that data. …
Mobile as a channel in general, I think the banks and merchants need to really understand marketing teams are running way ahead. They’ve got great ideas they want to offer to their consumers, and we embrace that. We think that’s fantastic to be able to offer all sorts of new and interesting things. Unfortunately, very oftentimes, the security team is the last to know what those new functionality pieces are going to be, what the new feature sets are going to be in the latest app, or the latest mobile capability. I worry that there’s going to be a widening of the gap in the mobile channel specifically, mobile and tablet, that the security teams may not be aware of, and the recommendation is to find out today. If you’re the information security or the fraud chief risk officer at your organization, go meet with your chief marketing person and figure out what the roadmap is.