January 2, 2006
Protecting Online Accounts
Online Attacks are in the News
You’ve read the articles—my favorite is the one about the business owner who was logged on to his corporate online brokerage account when he noticed the balance suddenly change. While he watched, somebody systematically wired all his company’s funds to a number of offshore banks. The brokerage washed their hands of the whole affair, pointing to their standard disclaimer signed by each client, which states that keeping passwords secure is the customer’s responsibility.
Well, they’re right—it is certainly the customer’s responsibility to practice good security hygiene. But just as the owner of an unfenced swimming pool is responsible for injuries sustained by youthful trespassers under “attractive nuisance” laws, surely the brokerage firm bears some responsibility for failing to design adequate security into their systems.
Adequate security? This was one of the top brokerage houses in the nation! Yet total access to client resources was protected by a single user-chosen password and nothing else. Not only that, every newly created client account came by default with the ability to perform wire transfers. Convenient, to be sure—convenient for the account holder and convenient for the brokerage firm, but supremely convenient for the hacker.
We have all heard for years about Internet security, protecting ourselves from hackers with firewalls, intrusion prevention systems and other expensive and complicated systems. But more and more security failures these days occur outside the data center. Today’s most popular attacks are aimed not at the well-defended bank security perimeter, but directly at your customers, breaking into their personal computers or fooling them into willingly handing over their online account passwords.
How Attackers Think
What is a hacker looking for when he breaks into a banking customer account? Well, as Willie Sutton said, “That’s where the money is.” But it’s more than that; otherwise Fort Knox would be the most attacked place around. He wants a target that is likely to yield to his efforts. He wants to get away without getting caught. And he wants to average significantly better than minimum wage.
There are still attackers around who do it for the thrill and for bragging rights with their friends, but the majority of breaches these days are done by organized professionals plying their trade. Like any entrepreneurial thinker out there, they look for large, untapped markets that can be addressed using available tools. When it comes to online systems, that means gaining access credentials to a large number of online accounts from which entire balances can be quickly extracted.
An attacker of online banking systems, therefore, has two main goals: gaining access to the client account, and extracting money from it. Stopping either goal protects the customer’s money.
How Hackers Steal Your Money
Of the two hacker goals, withdrawing funds is both easier to understand and easier to secure, since the design of the banking web site is, theoretically, completely under the bank’s control. Take this simple test: take a tour through your online account, clicking your way through every menu, option and link you can find, and keeping track of actions that could be used to move money out of the account. If the site is well designed, the resulting list will be short. If the site is really well designed, each such action will have special conditions or extra authentication steps standing guard. The attacker is not interested in moving money from savings to checking, or in sending the gas company an extra $100, because these actions do nothing to accomplish his goals. Having a bank check written and waiting at the front desk is risky, because the teller will want to see a picture ID that matches his face as well as the name on the account, and even a forged driver’s license will not help if the teller happens to know the account holder. Note the obvious advantage here to community banks.
As I step through the online site for my own bank account, one vulnerability I see is the ability to create a new bill payee and have a check mailed. An attacker could create a bogus payee name and address; he could use the account holder’s own name along with a P.O. box; or, he could send it to an unsuspecting local resident, following the mailman down the street two days later and snatching the check from the mailbox.
How Hackers Get In
This is where we enter the more traditional realm of security design: the world of passwords, encryption, certificates and protocols. Hackers understand the technology side all too well, and to thwart them, we must, too. Let’s look at some of the methods they use to gain access to client accounts.
Keystroke Loggers
Hackers use e-mail viruses and attacks embedded in web sites to break into Windows computers. One popular program they install is called a keystroke logger, so-called because it secretly records every keystroke typed by the computer owner. The program then sends the recorded keystrokes to the hacker, who extracts the login credentials needed to break into the online account.
Phishing Attacks
Phishing is the process of broadcasting e-mail messages far and wide designed to look like official correspondence from the recipient’s bank or other vendor of online services. The attacker hopes that the customer will be fooled into following a web link in the message that leads to an equally official-looking web site. Although the web site looks like the real thing, all it does is collect the user’s login and password.
Pharming Attacks
Pharming is the process of illegitimately taking control of someone else’s Internet domain name. This means that when any of your customers tries to visit your online banking site by typing in the site name or clicking on their bookmark for it, the browser will display the hacker’s web site instead of yours. Just as with phishing attacks, the pharming hacker can make his web site look just like the real thing, but now he can harvest passwords and clean out client accounts in even greater bulk. Even worse, he could mount a man-in-the-middle attack, setting up his server as a sort of secret go-between, passing messages back and forth from the user to the bank and vice versa. Everything would appear normal to the user, yet the hacker would be watching and recording every bit of data that passes through his hands.
Applying Principle-Based Security
You, as a banker, have the power to minimize the impact of even these kinds of attacks by employing principles of good security design. The right approach starts by looking top-down—by starting with general principles and then developing specific tactical approaches.
I use the following four basic principles as a basis for approaching every information security issue.
Be Prepared
My Boy Scout training taught me this well—if you think ahead and prepare for any situation, or at least the most likely ones, your level of performance when under attack will soar. Thoroughness is key here; risk analysis tools go a long way toward making sure you have met “due care” requirements. A risk or threat matrix can help you enumerate the various kinds of threats facing your information systems, understand the business impact of those threats, and plan how to respond. If the brokerage company had been well prepared, they would have researched best practices in protecting online accounts rather than just doing what other large companies do.
Minimum Exposure
Everyone else calls this “Least Privilege,” but I believe Minimum Exposure is a clearer expression of the concept of removing seldom-needed capabilities, especially risky ones. If the brokerage firm had applied the principle of Minimum Exposure, they would have turned on wire capability only on an as-needed basis rather than enabling it on every new account. At the very minimum, such a request should elicit a verifying phone call from the broker to the account holder.
Constant Vigilance
It’s no good building the perfect fortress if nobody takes notice when the Barbarians start tunneling under your beautiful stone walls. Safes and vaults are not rated “impenetrable,” “super-tough” or “not that great”; they are rated by the number of hours you can expect them to stand up to attack by a well-equipped professional. Just as physical security requires alarms and video monitoring to back up physical barriers, information defenses must be monitored and alarmed for failures and persistent attacks if you want them to actually prevent intrusions rather than merely slow them down.
Defense in Depth
NASA does it. The military does it. Football teams do it. Layers of defense, backups on your backups, are immensely more reliable than a single seemingly impenetrable Maginot Line. Layers are also a great place to inject variety, which adds complexity, effort and time to the hacker’s job. Layers tend to come in nice budget-friendly sizes, allowing you to gradually improve your systems by adding more depth.
My broker (yes, the same one referred to above) is now practicing Defense in Depth by requiring a signed document or an in-person visit before allowing wire transfers to international destinations. That makes me wonder about their claim in the story that they were not at fault. But they still have a way to go—it looks like their lawyers are making as many security decisions as their security designers are. Their answer to securing domestic wire transfers is a new three-step click-through agreement whereby the account holder agrees that the checkboxes are the legal equivalent of their signature. I feel certain that absolutely any hacker would gladly accept such an agreement on my behalf.
These general principles are the foundation of security design. As we seek to apply them to our online banking scenario, more specific goals start to become clear. What is the purpose of an online account? Is it to completely replace all interaction with the financial services company? Or would most customers be satisfied as long as they could perform their everyday tasks online? Whatever we do, we need to do something to make it much, much harder for hackers to steal money. The easiest way is to add required steps that can’t be performed via the Internet. This leads us to our first application-specific principle.
Reduce or remove the ability to defeat the system using only Internet-based attacks
Think of all those techniques your bank uses to secure transactions with your customers. You don’t honor a check without a signature. A teller doesn’t hand cash across the counter without seeing a picture ID that authenticates the person to the account. Those are good principles; don’t ignore them when designing your online systems just because technology is involved. Moving the riskiest actions (which are often also the least used) out of the reach of long-distance attackers applies the principle of Minimum Exposure and dramatically improves security.
At first glance, it would seem that removing a customer’s ability to add a new online bill-pay destination would be a crippling inconvenience. So come up with ways to make it less inconvenient. Start an aggressive campaign to sign up local companies to populate your site’s list of pre-approved vendors. Go ahead and give your customers the same new-company online form they have now, but add an approval process that involves having a human give it a sanity check.
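The recommendations above (wire capability off by default, new payees held for human review, the riskiest steps moved off the Internet) encoded as an authorization policy. This is an added illustration, not code from any bank; the account model, action names and staff functions are constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"                    # completes entirely within the web session
    HUMAN_REVIEW = "human review"      # staff sanity-check the request first
    OUT_OF_BAND = "out-of-band step"   # phone call, signed document or branch visit
    DENY = "deny"

@dataclass
class Account:
    owner: str
    wire_enabled: bool = False         # Minimum Exposure: wires are off until requested
    approved_payees: set = field(default_factory=set)
    pending_payees: set = field(default_factory=set)

def authorize(account, action, payee=None):
    """Decide how far an online request may get using only the Internet."""
    if action == "internal_transfer":  # savings <-> checking: useless to an attacker
        return Decision.ALLOW
    if action == "add_payee":          # the customer may still submit the form ...
        account.pending_payees.add(payee)
        return Decision.HUMAN_REVIEW   # ... but a human approves it before it is usable
    if action == "bill_pay":
        if payee in account.approved_payees:
            return Decision.ALLOW
        return Decision.HUMAN_REVIEW   # unknown or still-pending destination
    if action == "wire":
        if not account.wire_enabled:
            return Decision.DENY
        return Decision.OUT_OF_BAND    # even an enabled wire needs a non-Internet step
    return Decision.DENY               # anything unlisted is closed by default

def staff_approve_payee(account, payee):
    """Back-office step: a human moves a payee from pending to approved."""
    account.pending_payees.discard(payee)
    account.approved_payees.add(payee)

def staff_enable_wire(account, verified_by_phone):
    """Wire capability is switched on only after the broker has called the client."""
    if verified_by_phone:
        account.wire_enabled = True
    return account.wire_enabled
```

A stolen password alone never gets past `DENY`, `HUMAN_REVIEW` or `OUT_OF_BAND`, which is the whole point of the policy.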
“That’s great,” you say, “but it makes my skin crawl to think that hackers can still easily get into my customers’ accounts. What if I missed something?” Let’s apply our principles to the problem of protecting the account authentication process. The first thing we notice is that we’re usually dealing with security on a PC in a customer’s home. Advantage: hacker. Let’s take the advantage back.
Prefer methods that do not require secure customer computer systems
If you think it’s hard to secure your bank’s internal systems, imagine the impossibility of ensuring the security of your customers’ systems. And if you’ve had a hard time training your internal staff to understand and implement good security practices, think what it would take to do the same with your clients. “Idiot-proof” solutions aren’t solutions for idiots—they’re well-designed systems that can operate in uncontrolled environments.
Minimum Exposure would tell us to find tools that are, again, out of the reach of hackers. Examine the ways their most popular attacks work, then add layers of defense specifically targeting those attacks.
Defending Yourself
Pharming has earned a lot of doom-and-gloom comments in the press recently because of its ability to redirect every single one of your online customers to a hacker site rather than only those who are gullible enough to click through a phishing attack message. However, the news is really not all that bad. The fact that a site has been pharmed is instantly detectable by monitoring equipment, allowing you to employ the principle of Constant Vigilance by taking immediate corrective action.
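The monitoring the paragraph refers to, as an added example rather than any product’s code: probe the bank’s own domain name from several vantage points and alarm when the name resolves to an address the bank does not own or the host serves a certificate other than the bank’s. The domain, addresses and certificate bytes below are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

# Constructed reference data: what the bank knows about its own site.
EXPECTED_DOMAIN = "online.examplebank.test"
EXPECTED_ADDRESSES = {"203.0.113.10", "203.0.113.11"}   # the bank's published A records
GENUINE_CERT_DER = b"constructed stand-in for the bank's DER-encoded certificate"
EXPECTED_CERT_SHA256 = hashlib.sha256(GENUINE_CERT_DER).hexdigest()

@dataclass
class Observation:
    """One probe: resolve the name from a vantage point and record the certificate served."""
    vantage: str       # e.g. an ISP's resolver; a poisoned cache may affect only some of them
    addresses: set     # A records returned for EXPECTED_DOMAIN
    cert_der: bytes    # certificate presented by whatever host the name resolved to

def check_observation(obs):
    """Return alert strings; an empty list means DNS and TLS both matched the bank's site."""
    alerts = []
    if not obs.addresses:
        alerts.append(f"{obs.vantage}: {EXPECTED_DOMAIN} did not resolve")
    rogue = obs.addresses - EXPECTED_ADDRESSES
    if rogue:
        alerts.append(f"{obs.vantage}: {EXPECTED_DOMAIN} resolved to {sorted(rogue)}")
    # A go-between or look-alike server cannot complete a TLS handshake with the bank's
    # certificate without the bank's private key, so its fingerprint will not match.
    fingerprint = hashlib.sha256(obs.cert_der).hexdigest()
    if fingerprint != EXPECTED_CERT_SHA256:
        alerts.append(f"{obs.vantage}: certificate fingerprint {fingerprint[:16]}... is not ours")
    return alerts

def monitor(observations):
    """Run the check from every vantage point; any alert is a Constant Vigilance trigger."""
    return [alert for obs in observations for alert in check_observation(obs)]

# Constructed sample probes: one clean resolver and one poisoned one pointing at an impostor.
SAMPLE_PROBES = [
    Observation("resolver-a", {"203.0.113.10"}, GENUINE_CERT_DER),
    Observation("resolver-b", {"198.51.100.7"}, b"constructed impostor certificate"),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_PROBES):
        print("ALERT", alert)
```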
Passwords are a relatively weak authentication technique, in our context, mostly because there are so many ways to intercept or otherwise obtain them from afar. A technique known as two-factor authentication combines something you know (a password or PIN) with something you have (an object that is difficult or impossible for the hacker to obtain from afar). Online banks in northern Europe have used two-factor authentication for over a decade, without a single published breach. Two very effective such technologies are client-side SSL certificates and security tokens. These technologies are not 100% foolproof, but they are both far more effective defenses against pharming, phishing and keystroke logger attacks than passwords alone.
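Why a security token defeats a keystroke logger, as an added example that is not from the article: a one-time code generated by the RFC 6238 time-based algorithm (the one most token hardware implements) is accepted once and then expires, so a code captured from the keyboard is worthless to replay. The shared secret and timestamps are constructed; the verifier class and its skew handling are this example’s own design.

```python
import hmac
import hashlib
import struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password over HMAC-SHA1 for UNIX time t."""
    counter = struct.pack(">Q", t // step)                    # 8-byte big-endian time step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TokenVerifier:
    """Server side of the 'something you have' factor, with replay protection."""
    def __init__(self, secret: bytes, step: int = 30, skew: int = 1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_step_used = -1   # highest time step already consumed by a good login

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        # Accept neighbouring steps for clock drift, but never a step already used:
        # a logged code replayed later fails even inside the drift window.
        for s in range(current - self.skew, current + self.skew + 1):
            if s <= self.last_step_used:
                continue
            expected = totp(self.secret, s * self.step, self.step)
            if hmac.compare_digest(expected, code):
                self.last_step_used = s
                return True
        return False

# Constructed demonstration: the code a keystroke logger would capture is single-use.
DEMO_SECRET = b"constructed-shared-secret"
DEMO_TIME = 1_000_000

def keylogger_replay_demo():
    verifier = TokenVerifier(DEMO_SECRET)
    captured = totp(DEMO_SECRET, DEMO_TIME)            # what the logger sees the user type
    legit = verifier.verify(captured, DEMO_TIME)        # the genuine login succeeds
    replay_now = verifier.verify(captured, DEMO_TIME)   # immediate replay is refused
    replay_later = verifier.verify(captured, DEMO_TIME + 120)  # stale code is refused
    return legit, replay_now, replay_later
```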
Another remarkably effective countermeasure against phishing attacks is to simply assure your clients that your bank will never, ever, use e-mail to inform them of security problems, and that all such messages should be interpreted as attacks, no matter how real they might appear to be. Repeat this warning each time the user logs in to the real online banking site.
There are a number of other defenses that are commercially available or that could be developed, but the ones mentioned here are the most commonly known or the most appropriate for online banking.
Take Action
Research by The Gartner Group shows that 58 percent of people who shop, bank or pay bills online say they are very concerned about the security of their online information. They have good reason for concern; the U.S. Department of the Treasury recently reported that, in 2004, “proceeds from cybercrime were greater than proceeds from the sale of illegal drugs.” They added that, “Cybercrime is moving at such a high speed that law enforcement cannot catch up with it.” The public recognizes this, and is reluctant to trust their hard-earned cash to an industry that can’t seem to keep out of the news. Gartner says that only 22 percent of consumers believe that their banks are extremely competent in protecting their information.
That doesn’t have to be the case. Technologies are available that can dramatically improve the security of typical online banking sites. Fear mongering by journalists and security writers and a lack of action by online providers have done a lot of damage that needs to be undone.
Examine your own web site, or hire a competent analyst to do a vulnerability analysis. Apply the principle of Minimum Exposure to move the riskiest activities back into the physical realm where they can be more easily controlled. Employ the principle of Constant Vigilance to ensure that your organization will respond quickly and appropriately when attacks occur. Then add Defense in Depth by improving client authentication security beyond a simple password. Be Prepared for the coming onslaught.
Studies consistently show that people would switch banks to obtain better online security. Take these simple steps to lock down your online systems. Then talk up your new security in your advertising. Your new customers will love you for it.