Ready the Ramparts! : IT Security and the Modern Bank

Posted by OnCourse Staff December 13, 2010 4:56pm

Photo Credit: Tom Curtis

From the Manhattan District Attorney's Office:

"Manhattan District Attorney Cyrus R. Vance, Jr., today [September 30th] announced the indictments of 36 individuals for their participation in several large-scale international identity theft and cybercrime rings that stole more than $860,000 from 34 separate corporate and individual victims in the United States. The defendants, foreign students who were in the United States on Exchange Visitor Visas, are charged with opening bank accounts at JP Morgan Chase Bank and other financial institutions in New York County and elsewhere, for the purpose of receiving fraudulent transfers from identity theft victims' bank accounts. (District Attorney, 2010)"

The cybercrime ring mentioned above is the latest in a series of bank penetrations that originate from a bank's own customers. The attack makes use of a sophisticated Trojan called Zeus, which was written with the specific intent of attacking banks. This type of attack is often referred to as a "Man-in-the-Browser" attack because it begins by infecting the customer, not the bank. It takes advantage of vulnerabilities on your customers' computers and waits for the customer to connect to a bank website. Once your customer connects, the Trojan detects that the customer is browsing a bank website and can silently make transactions in the background. It can also alert the attacker in real time so that the attacker can hijack the customer's session and manually perform transactions of his own. The Zeus Trojan is particularly malicious because it bypasses security controls like usernames and passwords, and is sophisticated enough even to defeat multi-factor authentication. Essentially, the attack succeeds even when technical controls are operating properly!

What is a community bank to do? We invest in cutting-edge technology to protect our infrastructure, we subject ourselves to internal and regulatory audits, we spend money on penetration tests and vulnerability assessments, we implement training programs for our employees; and what do the criminals do?

They attack our customers. 

And just when you think it can't get any worse, it does. The reality of IT in community banking is that we are heavily reliant on outsourcing. So not only are the criminals attacking our customers, they are also likely attacking the systems of the third-party vendors we rely on to provide the service. That leaves the bank in the unenviable position of being stuck between a rock (the infected customer) and a hard place (the targeted service controlled by a vendor). And here's the rub: we can't outsource our responsibility. At the end of the day, if something happens, the regulators are going to be knocking on the bank's door, and it is the bank's reputation that is going to take the hit.

The sophistication of customer-based "Man-in-the-Browser" attacks and the realities of IT in community banking raise the question: are we doing enough? Are our internal controls really adequate? What else can we do to protect ourselves?

There is no simple answer. Today's banks must implement a defense that includes both technical and operational controls, and the process of validating the adequacy of those controls must be sophisticated enough to deal with the complexities involved.

We can begin by tackling the issues related to outsourcing. Take your vendor relationships to the next level. What we often find is a false sense of comfort in relying on a vendor simply because that vendor services a sizable number of other banks. Unfortunately, we are finding that some of these vendors are pushing out software applications without the requisite level of security review, so those applications carry vulnerabilities that can compromise a bank's security posture. Open a dialog with the vendor to gain comfort that the controls implemented are sufficient, and make the vendor explain those controls to you. You are stuck in the middle, responsible for managing complicated systems that you don't control and possibly don't fully understand. Treat your vendors as management tools and hold them to the job of making you comfortable. Don't be afraid to enlist other service providers if you have difficulty understanding what you are told. Here's a tip: document, document, document. Always make sure you are in a position to demonstrate that you did all that you could do.

Then look at the things you can control. Have you trained your branch managers so they know how to act when suspicious transactions are detected? Have you considered fraud detection tools that can flag, in real time, transactions that are out of the norm for a particular customer? In the case mentioned above, the investigation started as the result of one suspicious $44,000 wire transfer. What operational controls do you have in place to alert you to suspicious activity? How will you share liability with your vendor in the event of an incident?
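As an added illustration of the per-customer, real-time detection this paragraph asks about (example code written for this post, not a tool the bank or any vendor ships), the following profiles a customer's past outgoing transfers and flags an outlier like the $44,000 wire mentioned above. Customer ids, beneficiary ids and amounts are constructed sample data.

```python
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    customer: str       # bank customer id (constructed)
    beneficiary: str    # destination account id (constructed)
    amount: float       # USD


# Constructed history for one business customer: routine payroll-sized transfers.
HISTORY = [
    Transfer("C-1001", "B-01", 1200), Transfer("C-1001", "B-02", 950),
    Transfer("C-1001", "B-01", 1100), Transfer("C-1001", "B-02", 1300),
    Transfer("C-1001", "B-01", 1000), Transfer("C-1001", "B-02", 1250),
    Transfer("C-1001", "B-01", 1150),
]

MAD_TO_SIGMA = 1.4826   # scales the MAD of a normal sample to one standard deviation
Z_THRESHOLD = 3.5       # robust z-score above which an amount is "out of the norm"


def robust_z(amounts, value):
    """Distance of `value` from the customer's median, in MAD-based sigmas."""
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 1.0  # flat histories: avoid /0
    return (value - med) / (MAD_TO_SIGMA * mad)


def score_transfer(history, new):
    """Return (flagged, reasons) for `new`, judged against this customer's own past.

    Flag when the amount is far above the customer's norm, or when the money goes
    to a never-before-seen beneficiary for more than the customer has ever sent at
    once. A new beneficiary at a routine amount is noted but not flagged.
    """
    past = [t for t in history if t.customer == new.customer]
    if not past:
        return True, ["no transfer history for customer"]
    amounts = [t.amount for t in past]
    z = robust_z(amounts, new.amount)
    reasons = []
    if z > Z_THRESHOLD:
        reasons.append(f"amount {new.amount:,.0f} is {z:.0f} sigma above the median")
    new_payee = new.beneficiary not in {t.beneficiary for t in past}
    if new_payee:
        reasons.append(f"first transfer to beneficiary {new.beneficiary}")
    flagged = z > Z_THRESHOLD or (new_payee and new.amount > max(amounts))
    return flagged, reasons
```

Run against the constructed history, a $44,000 transfer to an unseen beneficiary is flagged with both reasons, while a routine-sized transfer to a new payee is only noted; the reasons list is what a branch manager would see in the alert.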

Consider the technical controls you have in place. Does the online banking application use session tokens to protect against session hijacking? Does the application sit behind a web application firewall, and is it coded so that it can detect and stop attacks in real time? These are the types of questions you should ask your vendor if your online banking is outsourced.

Additionally, we have to take responsibility for educating our customers. Do you provide your customers with online banking security tips when they open new accounts? For your business banking customers, consider suggesting things like:
  • Not using the same computer for online banking that is used to read email and surf the internet
  • Training the personnel at the customer's place of business who are responsible for online banking
  • Keeping virus and spyware detection software up to date
  • Keeping computers patched with the latest available updates
  • Clear steps for customers to take if they suspect fraudulent activity
  • Clear information regarding the customer's liability in the event of fraud

There is one more thing to consider. Remember that the same infections that target your customers can also target employees of the bank itself. A penetration into the bank significantly increases the risk. The fox is in the henhouse - there is no telling what the attacker will try to do. The potential impact of the attack is elevated because we now bear the full liability. Think long and hard about the controls you have in place. Do you have:

  • Host- and network-based intrusion detection systems?
  • Automated patch management solutions?
  • Centralized log aggregation?
  • An objective, periodic process to assess how well your employees are trained on the required IT controls?

Technology is the proverbial double-edged sword. We want to provide the services that technology allows, but we must be cognizant of the security implications. One of the most difficult things for a community bank to do is to balance the efficiency gained from IT with the security IT requires. The Zeus Trojan is proving that attacks against banks are getting more and more sophisticated. We must force ourselves out of our comfort zones and take a hard, honest look at where we stand. Do we really understand the risks we face? Are we really doing everything we can to mitigate those risks? Are the controls we have in place really adequate? Don't wait until an incident occurs to finally realize that something needs to be done.
