The Spy That Doesn’t Love You
Written for Independent Banker
Community banks are increasingly the target of malicious spyware – here’s how to stay out of the cross-hairs.
By Julie Sturgeon
For as much media attention as they receive, viruses and worms shouldn’t keep bankers awake at night. There’s a new nasty in town now, using still more sophisticated ways to cripple your business: spyware.
Between January and June 2005, Manhattan-based Cyota, which specializes in anti-fraud software for financial institutions, tracked a 633 percent increase in phishing attacks against regional banks and credit units and shut down roughly 7,000 attempts against its customers. “The reason is simple,” says Cyota founder and CEO Amir Orad. “If the large banks are putting defense mechanisms in place, fraudsters just target the smaller guys.”
Not to mention software engineers and hackers have chased each other for decades in a slap down race for superiority. Michael Mathews, Ph.D., chief operating officer and chief technology officer for information security firm CynergisTek in Austin, Texas, likens it to any common burglary. “They try the front door first. If that doesn’t work, then they try the windows. If the windows are locked, they try the back door,” he describes. “Hackers have the same mentality. They learned years ago how to attack a network, so the focus has been on network security. Now they’ve decided to move on to the next generation – the application layer, and we’re playing catch up again.”
In hard numbers, 60 percent of computers in the country are infected with spyware, reports Mark Lobel, principal and advisory partner in PricewaterhouseCoopers’s security services group.
In layman’s terms, spyware is a program that plants itself into a computer system and captures users’ keystrokes to steal personal data. It then sends social security numbers, bank account numbers, birthdates, credit card numbers and other pertinent info to a third party for resale. In the past, the attackers were mostly what the tech world calls “script kiddies” – young kids or hobbyists seeking glory by hacking into someone’s system just to prove they can. While this element hasn’t died, the true threat to community banks often comes from international crime organizations. In 2004, several spyware break-ins in the Midwest were traced to the Russian mafia.
“The professional identity thieves are absolutely frightening,” says Mathews. “They are determined, they are professional, and generally outside of the U.S. jurisdiction.”
Spyware sneaks in through two common ways. The first is by enticing a recipient into opening an attachment. Today’s computer users have become pretty savvy to this game, so fraudsters have stooped to truly tempting offers: photos of a captured Osama Bin Laden or breaking news on Natalee Holloway’s disappearance. The second is for spyware to hammer at your system’s software vulnerabilities. “You don’t even have to interact with them – they just directly implant and run the spyware on your system remotely,” says Charles Renert, the co-founder of Symantec’s Antivirus Research Center, a developer for Norton AntiVirus and today the director of security research for Determina in Redwood City, California. Colleagues call him “Dr. Worm.”
Once inside, the damage list is enormous. Here’s just a smidgeon of what Brian Grayek, chief technology officer of IT security company Preventsys, has seen these programs do at his bank clients’ sites:
- change security settings.
- provide access to all the bank’s systems, allowing for bank transfers, then erasing the trail.
- allow spam to be sent into the bank, and even structure it so the bank actually spams its customers.
- compromise the bank’s ability to conduct electronic business.
The latest wave poised to wash over the financial industry is known as “spear phishing” or “puddle phishing” – targeted spyware that uses stolen information from a person to harvest still more. For instance, a community bank’s customer would receive a notice supposedly from their loan officer, complete with the account number to prove legitimacy, asking the client to click through to a “secure site” to provide additional feedback. The click-through, of course, invisibly redirects to a location the fraudster owns. According to Lobel, some crooks even target a bank employee, mimicking a memo from the CEO asking for sensitive data. Research shows spear phishing succeeds 50 percent of the time before a company educates its employees on this phenomenon; even after training 15 percent still fell for it in studies, Lobel adds.
Orad sees still another boogeyman gathering steam today: trojans. Rather than sending the captured information down the stream, these spyware programs infect your clients’ desktop PCs, then follow them through the authentication door – even if it’s a changing password set-up – to then trail behind each transaction like an ominous shadow. From this vantage point, they can place transactions on the user’s behalf. “It’s not science fiction,” Orad insists. “It’s happening today and it will get worse.” Already one of his customers discovered that seven percent of the computers in its bank were infected with trojans.
A small part of the blame for this seemingly sudden proliferation lies at bankers’ feet. “The original perception was that this problem affected customers, but banks weren’t doing anything wrong. That’s absolutely correct,” Lobel says. “However, like any other intellectual property theft, when someone uses your brand out in the commercial marketplace in an unauthorized fashion, it has an impact on the brand.”
In other words, spyware ultimately strips customer trust, a far more costly commodity than money. “It’s similar to the accusation that Lance Armstrong took steroids,” Mathews illustrates. “Whether he proves beyond a shadow of a doubt he never took performance enhancing drugs, his reputation will never be the same.”
“The pie is definitely getting bigger, the problem is definitely increasing, and as long as folks continue to violate trust we all lose,” adds Lobel.
Parry and Thrust
So the game of cat and mouse plays out daily. To thwart keystroke captures, some banks deployed sophisticated measures that required users to click on graphics using a mouse. Then the bad guys began screen scraping – capturing both the keyboard and site graphics.
Since the Code Red worm successfully attacked hundreds of thousands of Microsoft web servers in 2001, technology experts have seen an exponential growth in these invisible software attacks. Currently, the software industry discloses nearly 4,000 vulnerabilities in their programs annually – holes where fraudsters are writing specific customized bits of code that lack a signature in hopes of breaching the wall.
Take, for instance, a computer system’s buffer overflow – if a program doesn’t check the data it receives as input from users, spyware can send a large chunk of data to that buffer and turn it into executable code. At that point, the fraudster can log keystrokes, open back doors, even turn the system into an FTP server that allows the attacker to transfer files on and off that machine – all without detection, Renert warns.
And, of course, blanket, unmitigated access to the Internet opens up a bank’s risk of attracting spyware. Thankfully, many bank policies shut down this avenue in Mathews’ experience. “That doesn’t mean spyware can’t be deployed,” he says. “It means it can’t do what it is supposed to do because it doesn’t have access out of your network to talk to whomever it needs to.
“Even the vulnerabilities that are technical, 99 percent of the time the root cause of security issues is policy related,” he adds. In other words, if the number of Microsoft vulnerabilities explodes in a year’s time, why would your IT plan call for periodic testing only in January? Mathews recommends his clients step up whatever schedule the state and regulators may require for vulnerability testing.
Secondly, community banks should insist their IT departments – whether that’s an in-house CIO or an outside application service provider – maintain a specific patch management policy; once a week at best. Unfortunately, too many of the bankers Renert runs into carry the notion that patches are synonymous with magic potions: the software developer releases a way to stop up its newly discovered vulnerability and poof! Problem solved.
In reality, the 4,000 known holes are just the tip of the iceberg. Second, his latest customer data research shows it takes an average of 63 days, or two months, for a software developer to release a patch. When the Zotob worm patch was released this summer, hackers had written exploit code that still wiggled through approximately 10 hours later. Not to mention patches are difficult to deploy on all of a bank’s critical servers and workstations. “So even when you know about the vulnerability, it takes time to test and deploy it,” says Renert.
Finally, most patches come in various versions, with later fixes showing much more strength in warding off attacks. Bankers who don’t stay up to date may find themselves victim, again.
Orad offers another layer of protection he calls risk-based authentication. Basically, the solution measures the risk of every transaction after the log-in in real time using sophisticated profiling. So if the transaction varies from the customer’s typical pattern – a different IP address, a new transaction, a sudden appearance on Wednesday when she’s always logged in on Saturday mornings – the system requires the user to authenticate herself again. Additionally, he has formed a shared network of banks that alert each other when they catch a fraudulent account number, the better to shut it down across the board.
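One way to implement the post-login risk scoring Orad describes, as an added example (this is not Cyota’s product, whose internals the article does not describe): each transaction is compared with a profile of the customer’s normal behaviour, the signals that fire are weighted into a score, and a score over a threshold forces re-authentication. The profile fields, weights, threshold, and sample customer and transactions are all constructed for the example.

```python
"""Risk-based authentication after login (added example; all names, weights
and sample data are assumptions, not Cyota's algorithm)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple


@dataclass
class Profile:
    """Constructed model of a customer's normal behaviour."""
    known_ips: Set[str]
    usual_weekdays: Set[int]      # datetime.weekday(): 0 = Monday ... 6 = Sunday
    usual_payees: Set[str]
    typical_amount: float         # rolling average of the customer's past transfers


@dataclass
class Transaction:
    customer: str
    ip: str
    when: datetime
    payee: str
    amount: float


# Assumed weights and threshold; a real deployment tunes these against fraud data.
WEIGHTS: Dict[str, int] = {"new_ip": 40, "unusual_day": 15, "new_payee": 25, "large_amount": 30}
STEP_UP_THRESHOLD = 50
LARGE_AMOUNT_FACTOR = 3.0


def score_transaction(tx: Transaction, profile: Profile) -> Tuple[int, List[str]]:
    """Score how far a transaction departs from the profile; return (score, fired signals)."""
    signals: List[str] = []
    if tx.ip not in profile.known_ips:
        signals.append("new_ip")
    if tx.when.weekday() not in profile.usual_weekdays:
        signals.append("unusual_day")
    if tx.payee not in profile.usual_payees:
        signals.append("new_payee")
    if tx.amount > LARGE_AMOUNT_FACTOR * profile.typical_amount:
        signals.append("large_amount")
    return sum(WEIGHTS[s] for s in signals), signals


def requires_step_up(tx: Transaction, profile: Profile) -> bool:
    """True when the session must re-authenticate before this transaction is accepted."""
    return score_transaction(tx, profile)[0] >= STEP_UP_THRESHOLD


def learn(profile: Profile, tx: Transaction, alpha: float = 0.2) -> None:
    """Fold a transaction the customer confirmed as legitimate back into the profile."""
    profile.known_ips.add(tx.ip)
    profile.usual_weekdays.add(tx.when.weekday())
    profile.usual_payees.add(tx.payee)
    profile.typical_amount = (1 - alpha) * profile.typical_amount + alpha * tx.amount


# Constructed sample: a customer who always banks on Saturday mornings from one address.
ALICE = Profile(known_ips={"203.0.113.7"}, usual_weekdays={5},
                usual_payees={"electric-co"}, typical_amount=120.0)
NORMAL = Transaction("alice", "203.0.113.7", datetime(2005, 7, 9, 9, 15),
                     "electric-co", 118.40)                     # Saturday morning
SUSPECT = Transaction("alice", "198.51.100.9", datetime(2005, 7, 13, 2, 40),
                      "new-payee-4471", 950.00)                  # Wednesday night, new address and payee

if __name__ == "__main__":
    for tx in (NORMAL, SUSPECT):
        score, signals = score_transaction(tx, ALICE)
        print(f"{tx.payee:16} score={score:3} step_up={requires_step_up(tx, ALICE)} {signals}")
```

The threshold is deliberately above any single signal except a combination: a new payee alone (25) does not interrupt the customer, but a new payee from an unknown address does. Only transactions the customer confirms after step-up should be fed to `learn`, otherwise a trojan placing transactions on the customer’s behalf trains the profile to accept its own pattern.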
But not all ideas on the table offer value. “There is anti-spyware legislation pending, but it will be like it was with anti-spam legislation,” dismisses Jimmy Sawyers, director of consulting at Reynolds, Bone, & Griesbeck PLC, a CPA and advisory firm headquartered in Memphis, Tennessee. “The government isn’t going to protect us from this. They can write all the legislation they want and make examples of some of the criminals. I’m all for that. But that is not going to solve the problem in most organizations. It takes a multi-prong, multi-solution approach.”
Experts also now pooh-pooh earlier advice to switch your web browser away from Microsoft products like Internet Explorer in favor of Mozilla, Netscape or other, less susceptible, options. The truth is, all of them have been hit. And thanks to the fact that many specialized bank applications are written to work with Internet Explorer, any banker who runs with that advice without doing due diligence may end up with better spyware protection but be unable to operate their loan origination or check imaging applications.
The good news: the cost for these layers of protection is falling. Chalk some of it up to economy of scale – as big banks take the brunt of new technology attacks, they develop solutions that can be passed to mid-sized and smaller banks when they, in turn, face the threat. It also helps to band together when approaching web providers so they can approach costs in a centralized manner. Orad estimates his customers now budget between a couple of dollars per user per year on the high side to fractions of a dollar on the low end.
At the same time, Mark Jaindl, president and CEO of American Bank, knows that as a predominantly Internet bank based in Allentown, Pennsylvania, he can’t take the risk of a successful spyware attack. He spends a minimum of $250,000 annually on protection and doesn’t blink at the sum. “If you don’t properly implement a strong security philosophy, it will cost you a lot more money in the long run,” he assures.
Straight from the FDIC
In July 2005, the Federal Deposit Insurance Corporation issued these spyware guidelines:
Recommended Actions to Mitigate the Risks Associated With Spyware
Financial institutions should evaluate the risks associated with spyware and mitigate those risks by considering the following:
- Restricting users from downloading software, especially software not previously approved by the bank. This would prevent users from unwittingly downloading spyware.
- Ensuring that user settings are set to prompt the user whenever a Web site tries to install a new program or ActiveX control. If possible, configure the browser to reject ActiveX controls to lessen the likelihood that spyware could be installed on computers through normal Internet browsing.
- Maintaining software patches. Several spyware programs take advantage of reported vulnerabilities that, if patched, would limit the spyware's effectiveness.
- Installing and maintaining current versions of anti-virus and anti-spyware programs.
- Expanding the risk-assessment process to consider threats from spyware. This ensures that the financial institution considers all risks to private customer information and takes appropriate steps to mitigate those risks.
- Expanding security and Internet use policies to include risks associated with spyware and acceptable user behavior (e.g., prohibiting Internet downloads and visits to inappropriate Websites). In addition, management should take steps to enforce these policies and reprimand staff who fail to comply with them.
- Expanding user awareness sessions to include the risks associated with spyware. Users will then become cognizant of the behavior they should adopt to prevent spyware on bank computers and on personal computers that are used to connect to the bank's network.
- Installing and configuring firewalls to monitor both inbound and outbound traffic. If possible, block outbound ports that are not necessary for business functions. Financial institutions should assess the need for employee access to instant messaging as well as peer-to-peer services, and prevent access when a legitimate business need is not present.
- Implementing tools to scan e-mail for SPAM and either block the e-mail or designate it as SPAM. E-mail scanning can limit the likelihood that users could unknowingly infect their computers by viewing or reading e-mail that contains spyware.
- Implementing tools to restrict or prevent pop-up windows. This limits the likelihood that spyware will be downloaded through pop-up windows, either automatically or through user error.
- Following industry trends and developments regarding spyware and its prevention. Awareness enables the financial institution to adjust its practices as new spyware threats and prevention methods emerge.
- Reviewing the list of trusted root certificates on a regular basis. Some spyware installs its own trusted certificates allowing it to intercept secure Internet communications or the execution of malicious code. Organizations that audit their trusted root certificates are more likely to identify certificates installed by unknown or untrusted sources. After researching the validity of these certificates, the financial institution can remove the ones that are installed by spyware.
- Analyzing firewall logs to determine whether a significant number of customers are connecting to Internet banking Web sites using the same Internet address. If research determines that the Internet address belongs to a service that intercepts Internet communications, consider blocking access to the Internet banking site from that address.
- Educating customers about the risks associated with spyware and encouraging them to implement steps to prevent and detect them on their own computers. In addition, advise customers of the risks of using public computers to connect to online banking Web sites.
- Investigating the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer's ID, password and account numbers.
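The firewall-log check in the FDIC list above (many customers connecting to the Internet banking site from one Internet address) can be automated. The following is an added example, not FDIC or vendor code: it parses a constructed log format in which each line records a source address and the customer ID that authenticated, counts distinct customers per source address, and reports addresses over a threshold for research. The log format, field names, threshold and sample lines are all assumptions.

```python
"""Flag source addresses that front an unusual number of distinct Internet-banking
customers (added example; constructed log format and sample data)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Assumed log format: one line per event at the Internet-banking site, carrying
# the source address and the customer ID that authenticated.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"dst=\S+ user=(?P<user>\S+) action=(?P<action>\S+)$"
)

# Constructed sample: four different customers log in from 192.0.2.50 within a
# few minutes, which is what a service that relays customer sessions looks like.
SAMPLE_LOG = """\
2005-07-09T09:01:12 src=203.0.113.7 dst=10.0.0.5 user=alice action=login
2005-07-09T09:03:40 src=192.0.2.50 dst=10.0.0.5 user=bob action=login
2005-07-09T09:04:02 src=192.0.2.50 dst=10.0.0.5 user=carol action=login
2005-07-09T09:04:55 src=192.0.2.50 dst=10.0.0.5 user=dave action=login
2005-07-09T09:05:31 src=192.0.2.50 dst=10.0.0.5 user=bob action=logout
2005-07-09T09:06:10 src=192.0.2.50 dst=10.0.0.5 user=erin action=login
2005-07-09T09:07:00 src=198.51.100.9 dst=10.0.0.5 user=bob action=login
this line is not in the expected format and is skipped
"""


def customers_per_source(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map each source address to the set of distinct customer IDs that logged in from it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("action") != "login":
            continue                      # skip malformed lines and non-login events
        seen[m.group("src")].add(m.group("user"))
    return dict(seen)


def flag_shared_addresses(seen: Dict[str, Set[str]], threshold: int = 3) -> List[Tuple[str, int]]:
    """Addresses serving at least `threshold` distinct customers, most shared first."""
    flagged = [(ip, len(users)) for ip, users in seen.items() if len(users) >= threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


def analyze(log_text: str, threshold: int = 3) -> List[Tuple[str, int]]:
    """Run the whole check over raw log text."""
    return flag_shared_addresses(customers_per_source(log_text.splitlines()), threshold)


if __name__ == "__main__":
    for ip, count in analyze(SAMPLE_LOG):
        print(f"{ip}: {count} distinct customers - research before blocking")
```

A flagged address is a lead, not a verdict: a corporate NAT gateway, an ISP proxy or a public library produces the same pattern, which is why the guideline says to research the address before blocking it. Counting distinct customers rather than raw connections keeps one customer who logs in repeatedly from tripping the check.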
Actions Financial Institutions Should Recommend to Customers
Financial institutions also incur risks when customers connect to Internet banking sites using computers infected with spyware. Therefore, financial institutions should consider informing customers about the risks associated with spyware and recommending actions that customers can take to prevent spyware from being downloaded on their computers.
Customers can prevent and detect spyware by:
- Installing and periodically updating anti-spyware, virus protection and firewall software.
- Adjusting browser settings to prompt the user whenever a Web site tries to install a new program or ActiveX control.
- Carefully reading all End User Licensing Agreements and avoiding downloading software when licensing agreements are difficult to understand.
- Maintaining patches to operating systems and browsers.
- Not opening e-mail from untrustworthy sources.