FFIEC Authentication Guidance: Anomaly Detection
Spotting Anomalous Behavior Is a Minimum Requirement
Anomaly detection and behavioral monitoring are fundamental tools for controlling online fraud. And according to the new guidance issued by the Federal Financial Institutions Examination Council, they should be every banking institution's minimum requirements, says Terry Austin of Guardian Analytics.
"[Anomaly detection] really works," says Austin, CEO of online security provider Guardian Analytics. "It stops a wide array of attacks across a wide variety of payment methods."
Anomaly detection isn't specific to just one threat, Austin says, which means it's resilient as the threat profiles change. "And the customers that we have using the system report that their account holders are ecstatic because their institution is looking out for them," he says in an interview with BankInfoSecurity.com's Tracy Kitten [transcript below].
The process works at the individual account holder level. It monitors each account holder's specific online behavior and detects unusual actions that the online user may be taking, such as changing a phone number.
Institutions starting to prepare for the January 2012 deadline should begin with risk assessments, as well as educating themselves and their customers about the current threats. "Meet the minimum requirements from anomaly detection, transaction monitoring and administrative controls," Austin says. "Have a plan and a process for risk assessments, and rethink the customer communication strategy to increase the transparency."
During this interview, Austin discusses:
- The critical role anomaly detection, transaction monitoring and administrative controls play;
- Steps banks and credit unions must take for adequate risk assessments; and
- Why rethinking customer communication is critical.
Prior to joining Guardian Analytics, Austin served as CEO and president of MarketLive, a leading provider of eCommerce platform solutions, where he created a scalable business strategy, assembled a world-class executive team and led successful fundraising efforts. He was previously president of worldwide marketing and sales at Good Technology, a provider of mobile computing solutions, where he spearheaded the company's rapid growth from 10,000 to over 500,000 subscribers and facilitated its acquisition by Motorola in January 2007. Austin has also served as president of EMEA and executive vice president for Manugistics, a market leading provider of enterprise software. He started his career at Accenture, where he ultimately led an $80 million consulting practice as a lead partner.
Anomaly Detection & Transaction Monitoring
TRACY KITTEN: You and I spoke in February about ACH fraud and online attacks. Now that the new FFIEC guidance is out, I'd like you to update that conversation a bit. You said in February you were surprised by the number of online fraud incidents that were caught by consumers before financial institutions. In the new guidance, regulators touch on this concern, saying that they highlight the need for anomaly detection and transaction monitoring. Can you explain how these types of technologies could have helped banks and credit unions identify previous incidents of fraud before those incidents were brought to their attention by consumers?
TERRY AUSTIN: Anomaly detection and transaction monitoring are called out by the FFIEC as a minimum requirement, one of only two minimum requirements that the FFIEC dictates. The FFIEC calls it out because it works. It really works. It stops a wide array of attacks across a wide variety of payment methods, whether it's ACH, wire, really any of the variety of payment methodologies. Let me just explain a little bit about what anomaly detection is. Anomaly detection really works at an individual account holder level and it seeks to monitor that individual account holder's specific online behavior and then detect unusual actions that the online user may be taking. That may be money transfer or it may be something as innocent appearing as changing a phone number or manipulating accounts. But in the context of that account holder's normal behavior it looks unusual. By really analyzing and zeroing in on that anomalous behavior, it's been proven over and over again that these kinds of frauds and cyber crime attacks can be stopped. It can spot account reconnaissance where a criminal is actually looking at the account before attempting to make a transaction. And it can obviously spot fraudulent transactions proactively and allow the financial institution to respond before the money leaves the bank.
We have countless examples. We have a customer that found 75 accounts that had been compromised with millions of dollars at risk. We've detected dual controls being exploited across all sorts of payment frauds. In fact, recently we stopped a nearly two million dollar wire fraud attempt where money was being wired out to China. There's just been a multitude of ACH payments in the hundreds of thousands of dollars involving large networks of money mules where money was being transferred using the ACH system.
With anomaly detection, it's not malware specific; it's not threat specific. It's very resilient as the threat profiles change. And the customers that we have using the system report that their account holders are ecstatic because their institution is looking out for them. Anomaly detection and transaction monitoring can seem hard and complex but it really isn't. It's very easy to deploy, it's very affordable and we have a growing cadre of customers that are reporting on the value and the impact that it can have.
Customer Education
KITTEN: Then what about customer education? Of course this is another area that has been noted in the guidance and obviously it touches on what we just discussed, since customers oftentimes have been picking up on the fraud before financial institutions. But when consumers are the ones who are already aware of what's going on, what additional steps should institutions be taking to educate and collaborate with the consumers?
AUSTIN: The FFIEC guidance really puts the customer education emphasis on transparency, and it really calls for the financial institutions to create more transparency between them and their account holders about what the risks are, what the actions are and what the protections that are in place are. I think this is good news. I think the FFIEC got it right here. I think it's good news for both banks and account holders, because it will lead to hopefully opening up the discussion and the dialog so account holders can make smarter decisions about how they bank and whom they bank with. It should give them better awareness of their rights, protections and liabilities. I think ultimately it will drive account holders to look for banks with the best security solutions in place.
Consumer education about threats, best practices and safe internet usage, that's all good stuff. But account holders will never be able to fully protect themselves from the sophistication and unending attack profiles that are hitting them.
Malware
KITTEN: Let's talk a little bit about some of those attack profiles. I wanted to ask you about malware. The new guidance notes that there's increased sophistication of trojans like Zeus, but are financial institutions really doing much to address those threats?
AUSTIN: The best step that the institutions can make is to assume that the end point device, the consumer's computer or mobile device, is compromised and plan their security strategies accordingly. Malware is continuously evolving and it's getting more complex. It's hiding itself from end point security solutions even more effectively, and now the malware is even targeting specific malware detection software in order to defeat it. This is why the minimum requirements that the FFIEC pointed out focus on anomaly detection and transaction monitoring, putting better controls in around banking administration functions because you just can't guarantee security at the end point. The FFIEC put malware detection solutions in as a layer but not a core minimum expectation because of that fact.
KITTEN: The guidance also touches on the need for banks and credit unions to invest more heavily in device identification as well as log analysis. These are technologies and solutions that work in tandem to match log-in credentials with devices. Can you tell us how these technologies help?
AUSTIN: It definitely helps to be able to identify if the device that's logging in is a trusted device or if it's a known bad actor device. Being able to put that capability in place is a good practice. Again the FFIEC distinguishes that as a layer to be considered and not a core minimum requirement. The reason again is a lot of the malware that's out there effectively defeats some of the device identification solutions. If the financial institution with that core anomaly detection adds layers like device identification or anti-malware techniques, it can combine to create a very comprehensive solution.
KITTEN: I would like to go back to the discussion that you and I had in February when we talked about socially engineered schemes perpetrated by phishing or vishing, and how those schemes have elevated the number of corporate account takeover cases over the last two years. How are institutions addressing those socially engineered schemes? In light of the new FFIEC guidance, what more should they be doing in that arena?
AUSTIN: It keeps coming back to the same topic. Social engineering schemes and all the vishing and phishing that are going on, it's another way to compromise the credentials and gain access to the account. So it's in the same category as malware. It's another way that the criminals penetrate the accounts and they do it very, very effectively. If the bank or credit union assumes that the end point is compromised, whether it's because of malware or a social engineering scheme, and they are continually monitoring every session for suspicious behavior, they can detect the account takeover and fraud before the money leaves the bank, whether the threat comes from social engineering, phishing, malware or any of the other multitudes of threats. Again, it's an important layer for institutions to be thinking about in the context of doing this continual transaction monitoring and anomaly detection.
Next Steps
KITTEN: Overall, when you take a look at the guidance, what next steps do you advise institutions to take to ensure that they comply with the changes that they have to have in place by January of 2012?
AUSTIN: It begins with risk assessments, and we recommend that institutions really educate themselves on the complete set of threats and risks for the products they are offering today and for the new financial products or expedited service levels that they are considering in the future. They should understand the entire scope of threats against both their retail and commercial online banking customers. I would also encourage institutions to think through the total impact of fraud, not just the dollars lost but the impact on productivity, the impact on brand reputation and all the potential impacts that fraud can have.
From a technology standpoint, the minimum requirements on page five of the FFIEC guidance are very clear and institutions should just start there. They should deploy the technology associated with the minimum requirements and then create a plan for additional layers based on the level of risk they are facing as an organization. We recommend that they move quickly to address the minimum requirements. The technology is available. It's straightforward, it's easy to deploy and institutions can very quickly check off these minimum requirements without spending a lot of time, money or resources. They have so many other issues on their plates to deal with, Durbin, Dodd-Frank and all these other things that are being thrown at them. They can address these FFIEC core minimum requirements very quickly and very easily with existing technology that is in the market today.
KITTEN: And in closing, if you had to offer three priorities for banks and credit unions when it comes to compliance, what would those priorities be?
AUSTIN: Meet the minimum requirements from anomaly detection, transaction monitoring and administrative controls. Have a plan and a process for risk assessments, and rethink the customer communication strategy to increase the transparency between them and their customers. I think if they do that, they are really meeting the FFIEC guidance and they are doing a much better job of protecting themselves and their customers, and I think it will pay huge dividends.
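The account-holder-level monitoring Austin describes in the interview (a per-holder baseline, with unusual transfers, contact-detail changes and account reconnaissance flagged against it, and the session held before money leaves) can be made concrete. The following is an added example written for this page; it is not Guardian Analytics' product, nor anything from the FFIEC guidance. The event fields (account, session, action, device, amount, payee), the scoring weights, the z-score thresholds and the hold threshold are all illustrative assumptions, and the session history is constructed for the demonstration.

```python
"""Per-account-holder behavioral anomaly scoring over online banking sessions.

Added example, not Guardian Analytics' system or any FFIEC artifact. Event
fields, weights and thresholds are illustrative assumptions.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    account: str          # account holder the session belongs to
    session: str          # session identifier
    action: str           # "login", "view_account", "change_phone", "transfer"
    device: str           # device fingerprint / cookie id (assumed field)
    amount: float = 0.0   # only meaningful for "transfer"
    payee: str = ""       # only meaningful for "transfer"


@dataclass
class Baseline:
    devices: Counter = field(default_factory=Counter)
    payees: Counter = field(default_factory=Counter)
    amounts: list = field(default_factory=list)
    views_per_session: list = field(default_factory=list)


def build_baselines(history):
    """Learn, per account holder, the usual devices, payees, transfer sizes
    and how many accounts are typically viewed in one session."""
    baselines = defaultdict(Baseline)
    views = Counter()
    for e in history:
        b = baselines[e.account]
        b.devices[e.device] += 1
        if e.action == "view_account":
            views[(e.account, e.session)] += 1
        elif e.action == "transfer":
            b.payees[e.payee] += 1
            b.amounts.append(e.amount)
    for (account, _session), n in views.items():
        baselines[account].views_per_session.append(n)
    return baselines


def _zscore(value, samples):
    """Distance of value from the holder's own history, in standard deviations."""
    if len(samples) < 2:
        return 0.0
    sd = pstdev(samples)
    if sd == 0:
        return 0.0 if value == samples[0] else float("inf")
    return (value - mean(samples)) / sd


def score_session(baseline, events):
    """Score one session against that holder's baseline. Returns (score, reasons)."""
    score, reasons = 0, []
    for device in sorted({e.device for e in events}):
        if device not in baseline.devices:
            score += 2
            reasons.append(f"login from never-seen device {device}")
    # Account reconnaissance: far more account views than this holder normally makes
    views = sum(1 for e in events if e.action == "view_account")
    if baseline.views_per_session and _zscore(views, baseline.views_per_session) > 3:
        score += 2
        reasons.append(f"{views} account views vs. usual {mean(baseline.views_per_session):.1f}")
    contact_changed = any(e.action == "change_phone" for e in events)
    if contact_changed:
        score += 2
        reasons.append("phone number changed (alters the out-of-band confirmation channel)")
    for e in events:
        if e.action != "transfer":
            continue
        if e.payee not in baseline.payees:
            score += 2
            reasons.append(f"transfer to new payee {e.payee}")
        if _zscore(e.amount, baseline.amounts) > 3:
            score += 3
            reasons.append(f"amount {e.amount:,.0f} far above usual {mean(baseline.amounts):,.0f}")
        if contact_changed:
            score += 2
            reasons.append("transfer in the same session as a contact-detail change")
    return score, reasons


HOLD_THRESHOLD = 5  # assumed: at or above this, hold the session before money leaves


def review_session(baselines, events):
    account = events[0].account
    score, reasons = score_session(baselines[account], events)
    decision = "hold_for_review" if score >= HOLD_THRESHOLD else "allow"
    return {"account": account, "score": score, "decision": decision, "reasons": reasons}


def _routine(session, views, amount):
    """Constructed routine payroll session from the holder's usual device."""
    evts = [Event("acme-payroll", session, "login", "dev-A")]
    evts += [Event("acme-payroll", session, "view_account", "dev-A")] * views
    evts.append(Event("acme-payroll", session, "transfer", "dev-A", amount, "payroll-vendor"))
    return evts


# Constructed history: four routine sessions of one commercial account holder.
HISTORY = (_routine("s1", 2, 5000) + _routine("s2", 1, 5200)
           + _routine("s3", 2, 4900) + _routine("s4", 1, 5100))

# Constructed takeover: new device, reconnaissance, phone change, large wire to a new payee.
SUSPECT = ([Event("acme-payroll", "s5", "login", "dev-Z")]
           + [Event("acme-payroll", "s5", "view_account", "dev-Z")] * 6
           + [Event("acme-payroll", "s5", "change_phone", "dev-Z"),
              Event("acme-payroll", "s5", "transfer", "dev-Z", 180000, "new-payee")])
BENIGN = _routine("s6", 2, 5050)

if __name__ == "__main__":
    baselines = build_baselines(HISTORY)
    for session in (SUSPECT, BENIGN):
        print(review_session(baselines, session))
```

The point of keying everything on the individual holder, rather than on global thresholds, is that the 180,000 wire is only anomalous because this holder's four prior transfers clustered around 5,000; a treasury account that wires that amount daily would score zero on the same event. The phone-change and new-device signals matter on their own, but the combination with a transfer in the same session is what should trigger a hold before settlement.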