Banks are used to arms races. In the 1960s and 1970s the
easiest way for thieves to get hold of a bank's money was to
turn up in person at branches with a gun and demand cash. So banks
placed their workers behind bulletproof glass. This forced the
thieves on to the roads, where the vans transporting cash became the
main target. When the vans themselves were armoured it was the man
walking from the van to the bank who became the target, so he too was
armoured.
These days such armed robberies are rare, partly because banks
and their "real world" cash are now too well protected, but also
because an easier and safer way for thieves to separate banks from
their money has emerged: online fraud. Banks are in a new arms
race - can they win this one?
First, we should never underestimate the thieves. Bad they may
be, but they are also clever. "Real world" bank robbers may have
put stockings over their heads, but for an online fraudster,
disguise is more subtle and easier to achieve. The easiest way to
commit fraud is to pretend to be someone else with a good
reputation. This is why data leak prevention has become such an
issue, with all the big IT security providers making acquisitions in
this area: Symantec/Vontu, Trend Micro/Identum, McAfee/Safeboot.
Data leak prevention focuses on making sure sensitive data only
leaves the business for good reasons and, when it has to, that it does so
securely. Such products aim to reduce the embarrassing data
losses faced by many organisations over the past 18 months or so,
which potentially provide rich pickings for the would-be online
thief. But this does not prevent banks' customers from giving their own
details away through online scams such as phishing attacks (e-mails
purporting to be from respected organisations asking for financial
details) or key loggers (spyware that records activity on users' PCs).
Customers can be encouraged to install desktop protection tools, but
many do not.
Banks can tackle phishing directly by working with service
providers such as MarkMonitor that identify and close down phishing
sites before they can have an impact. But despite all these efforts,
personal financial information will get into the public domain and
fraudsters will have IDs with a previously good reputation to
transact online with. Spotting a thief using someone else's ID
online is hard, and banks and their business customers don't want to
turn away valid business or make it too hard to transact
online.
Banks and credit card companies try to spot anomalous behaviour
for a given customer and are using stronger ways of authenticating
them. However, there is another line of defence that is about to
get a big push in Europe. It is not just people that have
reputations; hardware devices do too. Hardware reputation is the
business of Iovation, a vendor founded three years ago in the US
which has just secured new funding for overseas expansion.
Iovation has a database containing more than 30 million hardware
devices and their reputations. This information is used to allow
transactions to go ahead from trusted hardware and to question any
that are not. For example, most people will conduct online banking
from the same PC on a regular basis. Over time, that device will
become trusted. If they start using a different device, questions
might be raised. It might be a device known to be owned by an
internet café or a newly manufactured device (both probably OK), or
it may be a device that has previously been used for fraud (clearly
not good).
But even a device that Iovation has never seen before may come
under suspicion. Many online fraudsters conceal their behaviour by
keeping transactions small: it is better to get little amounts of cash
using hundreds of different stolen credit card records than to raise
suspicions by making one large transaction using a single record.
However, Iovation can easily spot serial requests for different
credit cards coming from the same PC, warn its customers and flag
the device in its database as untrusted.
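The two behaviours just described (a device earning trust through repeated use by one account, and a device being flagged when it presents many different card records in quick succession) can be illustrated with a toy reputation check. This is an added example, not Iovation's code or data: the device attributes, thresholds and transaction records are all constructed for the illustration.

```python
# Added illustration (not Iovation's code); thresholds are assumptions.
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

def device_id(attrs):
    # Stable identifier from the kinds of attributes the article lists
    # (software serial, hardware configuration, MAC); hashed, not stored raw.
    canonical = "|".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

class DeviceReputation:
    TRUST_AFTER = 3           # same account seen this many times -> trusted
    MAX_ACCOUNTS_PER_DAY = 3  # distinct card/account records per device per day

    def __init__(self):
        self.history = defaultdict(list)  # device id -> [(timestamp, account)]
        self.untrusted = set()

    def assess(self, attrs, account, ts):
        dev = device_id(attrs)
        if dev in self.untrusted:
            return "block"                   # previously used for fraud
        past = self.history[dev]
        recent = {a for t, a in past if t >= ts - timedelta(days=1)} | {account}
        if len(recent) > self.MAX_ACCOUNTS_PER_DAY:
            self.untrusted.add(dev)          # serial requests with different cards
            return "block"
        past.append((ts, account))
        if sum(1 for _, a in past if a == account) >= self.TRUST_AFTER:
            return "allow"                   # the regular device for this account
        return "challenge"                   # new or unfamiliar pairing: ask for more

HOME_PC = {"serial": "SW-1001", "hw": "x86/4GB", "mac": "00:11:22:33:44:55"}
OTHER_PC = {"serial": "SW-2002", "hw": "x86/2GB", "mac": "66:77:88:99:AA:BB"}
SAMPLE = [  # constructed transactions: (device, account, ISO timestamp)
    (HOME_PC, "acct-A", "2008-03-01T09:00"),
    (HOME_PC, "acct-A", "2008-03-02T09:05"),
    (HOME_PC, "acct-A", "2008-03-03T09:10"),
    (HOME_PC, "acct-A", "2008-03-04T09:00"),
    (OTHER_PC, "card-X", "2008-03-04T10:00"),
    (OTHER_PC, "card-Y", "2008-03-04T10:02"),
    (OTHER_PC, "card-Z", "2008-03-04T10:04"),
    (OTHER_PC, "card-W", "2008-03-04T10:06"),
    (OTHER_PC, "acct-A", "2008-03-04T10:08"),
]

def run_sample():
    rep = DeviceReputation()
    return [rep.assess(d, a, datetime.fromisoformat(t)) for d, a, t in SAMPLE]

print(run_sample())
```

The home PC moves from "challenge" to "allow" after three uses by the same account, while the second PC is blocked on its fourth distinct card within a day and stays blocked even when a legitimate account is later presented from it.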
There are no privacy issues, as Iovation does not store anything
other than a device's reputation to date and its identity, which is
made up of a number of factors that make it unique (software serial
numbers, hardware configuration, MAC address etc). Even so,
Iovation says its customers are loath to go public because this
would tell the fraudsters which banks to be wary of and prompt them to
take evasive action. For obvious reasons banks are a large part of
Iovation's customer base, but it is also signing up online retailers,
gambling sites and gaming sites - all of which transact online.
Hardware reputation is not a silver bullet, but used alongside
other techniques such as data leak prevention, scam detection and user
education, it makes life harder for the fraudsters. The
arms race is likely to continue, but on the whole banks are
maintaining the trust of customers to transact online, and that in
itself is a victory.
Bob Tarzey is a service director at Quocirca