21 October 2017
Uri Rivner

The Joy of Fraud Fighting

Uri Rivner - BioCatch

78Posts 362,822Views 36Comments
Innovation in Financial Services

Innovation in Financial Services

A discussion of trends in innovation management within financial institutions, and the key processes, technology and cultural shifts driving innovation.

Finger Pointing in Commercial Banking

11 February 2010  |  4907 views  |  9

Hey, that’s a first. A bank sues a customer over losing money to fraud.

It used to be the other way around. Online banking fraud got to executive level attention when in 2005 Bank of America was sued by a customer who got infected with a Trojan and lost $90,000. This was a commercial account, but it had huge ramifications on consumer security.

The funny thing is that back then, Trojans hardly touched commercial banking. In 2005, Trojan developers looked at commercial banking defenses and said: no way are we going to attack that. All these “digital signature” and 2-factor stuff is overwhelming. Consumer banking is so much easier!

Which started a spiraling arms race, especially in Europe. Cybercriminals attacked retail banks; they responded by introducing higher security, propelling the fraudsters to develop further. Like in antibiotics, the germs do not really go away; they just get more resilient so the next battle with them gets more difficult. From simple keyloggers in 2005, we’re now up against Man in the Browser Trojans.

And at some point the Trojan operators take a step back and say: you know what? Our weapons are so high-grade that we can start using them against the big guys: the commercial customers. To paraphrase Willie Sutton, That’s where the BIG money is.

Which is why the FBI recently warned about small businesses losing $100 million to financial Trojans.

 

The Customer is Always Right

In the UK, banks toyed for a long while with the idea of shifting responsibility to the customer. I mean, we all grumbled, at one point or the other, “how daft can that person be” when hearing about naïve victims hit by fraud. “They should be responsible for being this thick”.

The law is actually on the bank’s side: if a customer loses money due to fraud, the bank does not have a legal obligation to make them whole; but as I pointed out in Limbo Dancing in the House of Lords, expecting customers to fight against online threats is failing to understand the nature of today’s cybercrime. Believe me when I say that nowadays almost anyone can get infected with a Trojan, and get their bank account emptied in ten seconds. You don’t need to be particularly daft.

Many banks know they don’t have a lot of leeway in the matter. If consumers learn that they’re responsible for defending themselves against the unknown threats of sinister cybercriminals, and the bank isn’t going to refund their money, they’ll stop banking online and move back to the branches.

Commercial banking isn’t that much different. Customers have a choice: if they know a certain bank isn’t making the customers whole, they can always move to another. In fact it’s their obligation to shareholders: no business wants to be left exposed to such risk.

Just think of it from a commercial customer’s perspective. It’s difficult enough to survive in these troubled times; knowing that your funds can disappear because one of your finance people was tricked by a Trojan is too horrid for you to shrug off. You’ll have to find a way to guarantee that if this ever happens, you’ll get your money back.

So where does that leave the banks? They can try to stand out of the crowd and put the blame on the fraud victims; I’d say that’s going to be a short lived strategy. Most commercial banks will probably decide to turn the threat into an opportunity: tell their customers they should feel safe online because the bank implemented new visible and invisible defense such as behind-the-scenes transaction monitoring, behavioral profiling, anti-Trojan detection and interception services. Educate their customers about the risks, but assure them that their money is safe.

What’s your take on this? Should commercial banks beef up their security or point the finger at the customers who fall for online fraud?

TagsSecurity

Comments: (11)

A Finextra member
A Finextra member | 11 February, 2010, 13:01

"What’s your take on this? Should commercial banks beef up their security or point the finger at the customers who fall for online fraud?"

A real-life analogy would be if I open up a safety deposit box with a bank and the bank blames me if they allow someone else access to this safety deposit box. How would this be received by customers and potential customers?

The answer is commercial banks should beef up their security. Banks should design and offer systems based on the premise that their customer can have a thousand trojans in his PC, a man-in-the browser and could fall for a man-in-the-middle schemes.

To provide secured systems does not require rocket science.  All is needed is the proper 'motivation' for banks to develop and offer secured systems. In the case payment security, there isn't a lot of 'motivation' for issuing banks to provide the best security because it has often been said that Fraud is just one cost of doing business.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 12 February, 2010, 08:45

More and more people are sharing their Internet Banking credentials with Mint, Wesabe and other P2FM services who then seamlessly access bank accounts to download transaction statements on a daily basis. While people sharing their credentials trust these services enough not to misuse their privileged access into their bank accounts, surely banks can't be held responsible for any frauds that might happen if cybercriminals hack into these startups' databases and steal usernames and passwords?

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 12 February, 2010, 09:03

Concerning the  Wesabe, Mint...  obviously, a new factor is added into the mix.  Nonetheless, let's not claim that it is an overly complicated matter for banks to provide read-only access versus read-and-update access.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 12 February, 2010, 11:42

Agree that it should be relatively easy for banks to provide read-only access to accounts. But, I am not aware of any bank that provides such a differentiated access at this point. Until that happens, the fact is, the credentials shared with P2FMs are for read-write access, and the point is, banks can't be held responsible for any cybercrime arising out of that.  

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 12 February, 2010, 11:58

"Until that happens, the fact is, the credentials shared with P2FMs are for read-write access, and the point is, banks can't be held responsible for any cybercrime arising out of that."

It's up to the banks to allow this or not. Because banks can withdraw (ex. Nationwide/Wesabe) their involvement/participation with Mint, Wesabe,... they then should be held responsible for what they allow.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 12 February, 2010, 14:23

Maybe it's time for someone from a bank's technology / infosecurity team to step in and clarify. But, as far as I've gathered from the websites of Mint and other P2FMs about how this works, once a P2FM obtains a customer's credentials, it can access the customer's account without needing to enter into any arrangement with the bank in question. So, I don't believe that banks are actually signing up to permit P2FMs to access account information. Of course, banks might be able to block proxy access from P2FMs (as the Nationwide/Wesabe example illustrates), but that calls for additional efforts from their side to "close a gate" that they haven't opened in the first place. As a matter of fact, in two countries that I know of, namely India and Germany, banks advise their customers to "never open that gate" by proactively warning their customers never to share access credentials with anyone, not even to a bank employee.  

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Chris Barry
Chris Barry - V2 Innovations - Raleigh | 12 February, 2010, 21:02

PFM sites access online banking in one of two ways:

·      OFX gateway - Example Quicken / Money clearly bank enabled for fee access or free

·      Automated login where user provides online banking credentials inclusive of UID / Password - For sites with multifactor the automated login will screen scrape and or replicate the multifactor credential and then allow the user to authenticate real time via the automated login

The weakest link in the chain is the end user and the majority of fraud happens due to lack of end user education on how to protect from fraud. Still the perception in the public is that the financial institution (FI) is always at fault as outlined in the case. This perception should factor in to the FI's risk strategy and included in steps created to build the trust model. The FI can never do enough on the customer’s behalf and must always be an advocate where security is involved.

 

It can get out of hand as it is in the UK where you have to swipe the card to do anything within online banking - this is nuisance territory, so there is a fine line when it comes to the end user experience and overkill in trying to protect them.

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Uri Rivner
Uri Rivner - BioCatch - Tel Aviv | 09 March, 2010, 16:56

After posting this blog, someone sent me the following news piece:

The victim, Karen McCarthy, owner of Little & King, noticed directly before the fraud incident that her computer was infected with a computer virus, later confirmed to be a Zeus Trojan. The bank says that Mrs. McCarthy is responsible because the computer virus infected her machine, enabling the fraud to occur.

 

http://ow.ly/1bfwz

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 10 March, 2010, 13:00

"The bank says that Mrs. McCarthy is responsible because the computer virus infected her machine, enabling the fraud to occur."

Well I certainly hope that Mrs. McCarthy counter-sue. 

A Zeus trojan can also be spread through phishing schemes. The general public cannot be expected to know when they are being phished.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Uri Rivner
Uri Rivner - BioCatch - Tel Aviv | 10 March, 2010, 13:32

I agree. In fact, with Drive by Download, a user no longer has to be careless or stupid to get infected. You just happen to be in the wrong place at the wrong time.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Chris Barry
Chris Barry - V2 Innovations - Raleigh | 10 March, 2010, 19:46

It is funny but the link you included ow.ly is from Libya so I did not click it. Are you testing us Uri? Just kidding - I don't like those URL masking tools as they feel very uncomfortable sometimes.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Latest posts from Uri

Brazil vs. Germany: A Surprising Find

12 July 2014  |  3727 views  |  1 comments | recomends Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Sweetheart Scams: When Fraudsters Turn to Romance

30 June 2014  |  3051 views  |  0 comments | recomends Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

BitCoin Explained: How to Become a BitCoin Thief - part 1

04 December 2013  |  22123 views  |  1 comments | recomends Recommends 1 TagsMobile & onlinePaymentsGroupInformation Security

A Message from Hell

01 October 2013  |  3743 views  |  0 comments | recomends Recommends 0 TagsSecurityMobile & onlineGroupInnovation in Financial Services

Uri's profile

job title Head of Cyber Strategy
location Tel Aviv
member since 2008
Summary profile See full profile »
Internet. The perfect fraud frontier. These are the thoughts of Uri Rivner, head of Cyber Strategy at BioCatch and formerly Head of new technologies, identity protection, at RSA, the security division...

Uri's expertise

Member since 2008
78 posts36 comments
What Uri reads

Who's commenting on Uri's posts