IronKey Unveils Bank Cyber-Crime Security Kit

IronKey unveiled a multi-layered online banking security platform that would allow IT departments to roll out different levels of security for various customer segments, the company said.

Criminals are becoming more sophisticated and are using a wide range of methods for stealing money from financial institutions, forcing banks to fight back with more layers of security. IronKey says its aim is to help financial institutions keep up with attackers’ evolving tactics.

An Armoury To Fight Cyber-Crime

Instead of IT departments investing in different tools to provide varying levels of security controls for business customers and consumers, the IronKey Trusted Access Platform would help banks roll out a mix of controls, such as a secure browser, out-of-band authentication, smartphone applications, secured portable devices, and data analytics, Kevin Bocek, director of product marketing at IronKey, told eWEEK.

Cyber-crime has been around a while, but attackers have started zeroing in on bank customers with phishing attacks only within the last ten years, according to Dave Jevans, chairman of IronKey and the Anti-Phishing Working Group. Financial institutions are scrambling to ensure their systems are secure and that they do not become the next data breach victim.

“Attackers are moving faster than banks,” said Jevans. For example, banks started putting customer information into cookies to help authenticate users, but now there are ways to steal cookies from the victim’s machine. As a result, the use of cookies is not as effective anymore.

Attackers also have the luxury of switching targets. If they cannot break into the financial institution’s networks or trick the employees, they will take the “path of least resistance” and simply target the customers through spam and phishing emails, Jevans said.

Spear Phishing Attacks Increasing

Attackers have shifted from targeting random users at a financial institution to going after individuals with corporate accounts, the ones with authority to transfer funds, Jevans said. It is no longer just about credit card numbers or PayPal accounts, according to Jevans. Cyber-criminals are interested in targeted attacks, and it is an “inevitable next step” that the next victims will be individuals with millions in assets, people with control over various accounts, such as traders.

A “whole generation” of crimeware kits has evolved rapidly over the past 18 months, Jevans said, as malware developers roll out monthly updates to the development toolkit and sell extra add-ons to the software. Many of the developers are professional malware writers, and in many countries, it is not illegal to develop this kind of software, Jevans said. Using it is against the law, of course.

Security is all about risk assessment, and security managers are “thinking, ‘What’s the right level of security for my customers?'” Bocek said. Larger banks may want to define more customer segments, based on the size of assets or even by region, while smaller institutions may just have two segments, Bocek said. Regardless, attackers are going after financial institutions of all sizes so it was important to consider multi-layered approaches to security, according to Bocek.

With the Trusted Access Platform, banks dramatically reduce the risk of online fraud and simplify compliance with the recent guidance from the Federal Financial Institutions Examination Council (FFIEC), Bocek said.

Browser Authentication

IronKey released a secure browser in Trusted Access for laptops and desktops. The software is the same as the one that runs on IronKey’s portable device that customers use to access accounts securely. The bank understands that if the portable device is accessing the account, then the user is actually performing the authentication and not some malware that compromised the user’s account.

The same level of confidence applies for users using the secure browser on the PC for online banking, Bocek said. There is no worry about keyloggers because nothing can be saved or downloaded onto the device and the browser software.

Jevans discussed cyber-crime and how it has evolved at a Financial Services Information Sharing and Analysis Centre (FS-ISAC) Webinar.

A recent FS-ISAC survey of commercial account takeover attempts and losses for 2009 and the first half of 2010 found that total exposure dropped from over $15 million in 2009 to a little under $10.5 million in the first half of 2010.

While there were more account takeover attempts in the first half of 2010 than in the full year of 2009, FS-ISAC found that 36 percent of the transactions were stopped before the money left the bank in the first half of 2010, compared to just 20 percent in 2009. Only 27 percent of the transactions managed to successfully transfer money out in the first half of 2010, compared to 63 percent in 2009. A later report will capture data for all of 2010, according to FS-ISAC.

The statistics indicated that “financial institutions are doing a better job of stopping transactions from being created and from leaving the financial institution”, said Bill Nelson, president and CEO of FS-ISAC.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
