acm-header
Sign In

Communications of the ACM

New architectures for financial services

Who Will Rob You on the Digital Highway?


In the not-so-distant past, bandits and highwaymen frequently roamed the major transportation routes robbing travelers and the pony express of gold, money, and other precious assets. In the current digital age, except for few retail transactions where paper money or coins are used, money and money flows are represented by information about financial assets owned, owed, or transferred to another party. When information is no longer isolated, surrounded by thick walls, or guarded by armed security personnel, and never locked in a safe, it seems an almost impossible task to provide security for money.

The financial services landscape is rapidly changing. Information and communication technologies in general and more specifically the Internet, mobile phones, and channel integration have had a major impact on how financial organizations provide their services. Internet banking, direct sales, and mobile banking activities are increasing in volume significantly. Financial organizations have become more dependent on the Internet as higher transaction volumes and transaction values are becoming ever more common. Broadband connections and wireless computing are enabling customers to be online nearly anytime, anywhere. Phones and PCs are also converging: soft phones on PCs, wireless telephony using 802.11a/b/g networks, and IP telephones with large, color displays. For mobile computing, 3G or UMTS will provide much higher bandwidth than GPRS, thus offering the capability to provide more functionality. Web services make it easier to integrate information systems, not only within an organization but also across organizations utilizing public networks, thereby also opening them to the threat of loss of data.

This article examines the security threats that result from these trends and the measures that should be considered. The sidebar, "Basic Security Concepts," provides a categorization of attacks against security and an overview typology of security measures. The key question readers should consider is: Who is likely to rob you on the digital highway? [3].

Back to Top

Emerging Trends in Security Threats

The financial services industry and the ICT trends have lead to information systems that are unavoidably more exposed to attacks. As the incidence of attacks increases, the following four trends in security threats are emerging:

  • A shift from generic attacks to more sophisticated and well targeted attacks;
  • Increasing propagation speed and volume of virus attacks—these viruses may contain Trojan horses;
  • Increasing speed of the release new of viruses and attacks after the detection of a vulnerability; and
  • Increase in identity fraud.

Financial organizations have traditionally paid more attention to security than other business sectors, mainly because the expected gains are quite high, which makes them an attractive target. It is only a matter of time before the attacks by Internet criminals will shift from generic attacks, such as attacks on browsers to cause disruptions, or damage inflicted mainly by script kiddies, to more sophisticated and well-targeted attacks, for example, on Internet banking, thereby increasing the possibilities of electronic fraud. These attacks will be aimed less at the availability of services, and more at the integrity of transactions, to obtain direct financial gain by having customers perform activities other than their intended transactions. Data theft, by breaching confidentiality, will be on the rise. Such thefts will be carried out, for example by viruses that contain keystroke loggers that capture passwords and identity information and transmit it to a data collection point [9, 10]. Before 2003, attacks on banks were often done by sending email to the customers of the bank, that in turn, lead them to a false bank Web site that was set up to obtain identity and authentication information [11]. By 2003, special viruses were created intended to steal this information directly from the customers of financial organizations. For example, the Bugbear virus was designed to monitor if a bank customer's infected computer was being used for conducting Internet-based electronic transactions at a financial institution's Web site, and if found to do so, steal the corresponding passwords.

Second, the volume and speed with which the viruses have spread has increased enormously. On January 25, 2003 the Slammer worm exploited a buffer overflow vulnerability in Microsoft's SQL Server or Microsoft SQL Server Desktop Engine. This weakness in an underlying indexing service was discovered in July 2002 and Microsoft released a patch for it. Within 10 minutes after the start of the attack, a majority of the estimated 75,000 machines that were hit had already been infected [7]. Another example is the SoBig virus, which propagated swiftly via email using its own SMTP engine, leading to a torrential flood of email messages that peaked at one infected email message in every 17 messages scanned [6]. In addition, SoBig could receive updates from remote locations. Virus attacks have also made it clear it is not sufficient to only protect the network resources from danger and threats from the outside. Mobile workers may have corrupted or infected their corporate laptops while working outside the corporate networks. When they connect back it becomes necessary to also secure the resources connected within corporate networks.

Third, not only has the propagation speed of the attacks increased. Recent research from Symantec also shows that attacks are released faster after the detection of a vulnerability to the attack [6]. It was also shown that attacks use combinations of Trojan horse-type malicious code to begin, transmit, and spread attacks, so-called blended threats, or metamorphic worms. The damage from these attacks in 2003 has been high, but it could have been much higher if the attacks were not only focused on the fast propagation and degradation of networks (availability), but also on the destruction of data (integrity) or compromising the confidentiality of data. In the future we will also see viruses jump between platforms and applications and viruses that are able to avoid detection by changing their appearance (polymorphic worms). This may lead to a new breed of massively distributed attacks where large numbers of computers are not only targeted to reduce the availability of systems but also on the confidentiality and integrity of information, for example, by distributed cracking of passwords.

Finally, by using identity theft, attackers can use fake names or documents to fraudulently gain access to financial services or credit. Electronic thieves, skimming bank account numbers and PINs, have victimized many people. Millions of credit card numbers have been stolen. Virtually all of the state of California's 265,000 employees, ranging from office workers to the governor, have had their personal information accessed (names, addresses, Social Security numbers and payroll information) [12]. Identity theft is identified as the fastest growing online crime [5]. In 2003, an identity fraud study in the U.S. reported the following key findings (see www.idanalytics.com/news_and_events/20030923.html):

  • Identity fraud happens at least eight times more often than documented occurrences of fraud.
  • Nearly 90% of identity fraud discovered through the research was not classified as such by study participants.
  • Most identity fraud is victimless (involving the creation of fictitious accounts not tied to any real person). However, 97% of fraudulent applications do contain valid Social Security numbers.
  • Fraud rates vary significantly by type of application (for example, whether face-to-face or faceless) and whether credit is granted instantly or not.
  • Faceless instant credit applications—common in the wireless industry—showed the highest rates of identity theft fraud: more than 8% of the number of applications.

In 2002 worldwide identity theft losses measured $73.8 billion; losses for 2003 have been estimated at approximately $221 billion [4].

Back to Top

Trends in Security Measures

The variety of types and tactics of security measures (see the sidebar on security concepts) that may be used counter the four trends in threats described previously are discussed in more detail here.

Threat 1: Shift from generic attacks to more sophisticated and well-targeted attacks. Because a Net-connected PC is inherently insecure, it is difficult to prevent attacks and customers can easily repudiate transactions. Many financial organizations use a combination of username/password as an authentication means to grant access to their Internet-based services and to validate transactions. Some organizations use challenge/response tokens instead.

A username/password combination provides weak authentication and does not provide transaction integrity; it does not prevent or counterfeit man-in the-middle and Trojan horse attacks.

A better solution is to use separate hardware tokens, since they provide a fundamentally higher level of security than software, leaving only the humans as the weakest link. A hardware token is generally a small handheld trusted device, with a secure display and keyboard, that contains secret keys, for instance inside the device itself or on a smart card inserted into the device. A hardware token can either be connected to the PC of the customer, or can be unconnected. Hardware tokens provide strong authentication, and can provide a high level of transaction integrity by signing transaction details: What You See Is What You Sign (WYSIWYS). With WYSIWYS the most important transaction details, like the beneficiary account number and transaction value, are shown, or can even be entered, on a secure device, and are signed inside the device after customer approval.


By having a good monitoring and detection system in place, responding quickly to new security threats, and adapting appropriate security measures as required, organizations are able to provide the right security measures without spending excessive amounts of money.


In Europe, an initiative called FINREAD, (see www.finread.com), has produced the specifications for a trusted device. The FINREAD specifications are aimed at highly secure and interoperable devices, with functionality provided by downloadable signed applets. A FINREAD device can be shared among different service providers. While FINREAD is a very flexible solution, it is also rather expensive. Similar, less expensive proprietary trusted devices have been developed, but without the broad FINREAD flexibility.

These security measures are aimed at securing the information flow between the customer and the financial organization. When looking at information flow between server systems, especially systems from different organizations and/or systems that are geographically dispersed, Web services are starting to play a more important role. The first generation of Web services had no security features built in. This security hole has later been fixed with the specification of digital signatures and encryption for Web services. The Security Assertion Markup Language (SAML), an XML framework for exchanging authentication and authorization information, enables interoperability between different systems that provide security services.

In addition to the improvement of transaction integrity, aimed at preventing or invalidating attacks, financial organizations must pay more attention to the detection of attacks. An important security measure they already should have in place is a fraudulent transaction detection system. Such systems detect abnormal transactions, based on the transaction profile of the customer, like transaction frequency, beneficiary account and value. These systems can be (simple) rule-based if-then criteria to filter suspected transactions, risk-scoring based on statistical models designed to recognize fraudulent transactions, or based on neural network technologies that are an extension of risk-scoring technologies. The neural networks are trained by historical transactions, particularly fraudulent ones, and are able to correlate and weigh various fraud indicators [2]. As the online transaction volumes and values increase the use of these systems is likely to increase.

Threats 2 and 3: Propagation speed and volume of virus attacks; Speed of release of attacks after detection of vulnerability. The increasing propagation speed and volume of attacks and viruses require drastic preventative measures. The large number of patches that most current platforms require to be installed, the unwillingness to take systems offline or to restart them, and the effort needed to test all the patches has often led to long delays installing the appropriate patches, resulting in vulnerable systems. When the support organization is required to intensively work together with the security organization, then a change is set in motion that will lead to the measures needed to mitigate vulnerabilities assisted by near-continuous vulnerability scanning. In addition to the efforts to prevent or invalidate such attacks, financial organizations should also have intrusion-detection systems in place and have computer emergency and response teams to repress attacks. In the case of the aforementioned identity theft of the California state employees, toll-free phones were arranged to contact the three major credit bureaus. Employees received special information packages detailing ways to battle identity theft and workshops were held, a video workshop was distributed, and a new Web page for employees was launched. Responding to an attack is much easier when you are prepared.

For the detection of viruses, scanning based on signatures is no longer sufficient. New viruses spread so rapidly that often the appropriate virus definitions are not available quickly enough to detect them. Heuristic scanners could possibly provide better protection, although they have not fulfilled their potential. In addition, a local firewall is needed to provide protection from attacks outside the system as well as the possibility to detect an infected system.

Threat 4: Identity fraud. To prevent identity fraud, organizations must improve the identity checks, especially if applications for services like credit cards or loans are handled, combined with improved methods of detection of identity fraud. Using electronic identification and authentication provided by the government may also help to prevent identity fraud, especially when these security services are hardware-based.

Third-party sources or financial service providers who can verify the identity of their customers for other parties can also provide identity checks. In The Netherlands, banks are providing an authentication service for non-financial service providers by reusing the hardware tokens provided by the banks, providing a high level of authentication. Another example is Visa 3-D Secure, which utilizes the authentication mechanism of the card issuer instead of that from the merchant, aimed at reducing the fraudulent usage of credit cards.

Back to Top

Conclusion

Financial organizations have traditionally been at the forefront of security, and they should maintain this position in the Internet era. Complete safety is impossible and ultimately most computers that are connected to a network will be probed and attacked. Therefore it is important to understand the inherent risk, but also not to hesitate to explore the opportunities the Internet offers for financial transactions.

Security incidents have demonstrated that the Internet is increasingly unsafe. Security threats change quickly and are difficult to anticipate. Although trends in security threats can be foreseen, it is impossible to predict which new security incidents will occur and when. The security measures discussed in this article are just a few examples of measures organizations can take. The complete set of measures will also be different for each organization, depending on its assets, the risks the organization considers acceptable, and the costs of the (considered) security measures.

In general, financial organizations pay too much attention to preventive measures, which will never be sufficient to keep attackers out. Although it is in line with the risk-avoiding strategy of financial organizations, and cannot be abandoned, once attackers penetrate the preventive barriers, they may remain undetected. By having a good monitoring and detection system in place, responding quickly to new security threats, and adapting appropriate security measures as required, organizations are able to provide the right security measures without spending excessive amounts of money. There is this golden rule in security that your reaction time to attacks should not exceed the time it takes an attacker to get in and do damage. Preventing damage is key and trying to prevent attackers getting in is just one of the measures.

Support from an organization's management is a fundamental factor for security—without top-level management support there will be never sufficient or effective security. The Gartner consultancy consistently lists security as a boardroom concern. This is something Microsoft has well understood, finally, by bringing security to the boardroom, and starting a security turnaround from the top. For security measures the focus is often on logical and technical measures, however, there are many security measures on the organizational or procedural level that have shown to be very effective. Still, many organizations look for tools and pay too little attention to behavior-oriented measures. Examples of effective procedural and organizational measures are: separation of duties, awareness programs, and tailor-made procedures for the termination of a contract or reacting on other special events. As Bruce Schneier has stated, "Amateurs attack systems. Professionals attack people" [1].

Back to Top

References

1. Bertin, M. The new security threats. ZDNet India (Jan. 10, 2001); www.zdnetindia.com/biztech/enterprise/features/stories/11639.html.

2. Bhatla, T., Prahbu, V., and Dua, A. Understanding Credit Card Frauds. Tata Consultancy Services, 2002.

3. Freeman, D.H. How to hack a bank. Forbes (Apr. 2000); www.forbes.com/asap/00/0403/056.htm.

4. Identity Theft: A $2 Trillion Criminal Industry in 2005. Abderdeen Group (May 2003).

5. Identity theft is fastest-growing online crime. eCommerce Times; www.epaynews.com/index.cgi?survey=&keywords=ID%20theft&optional=&subject=&location=&ref=keyword&f=view&id=1056453397622215212&block=1.

6. Internet Security Threat Report, 2003; Symantec; ses.symantec.com/ITR.

7. Moore, D. et al. The spread of the Sapphire/Slammer worm; www.caida.org/outreach/papers/2003/sapphire/sapphire.html.

8. Spam and Viruses Hit All Time Highs in 2003. Message Labs (Nov. 2003).

9. Symantec Internet Security Threat Report Malicious Code Trends, Trends for January 1, 2003–June 30, 2003. Symantec; ses.symantec.com/content.cfm?articleid=1539.

10. The CSO Perspective on Security Threats, Data Protection and Identity and Access Management Solutions. RSA Security, , CSOP WP 1003, 2003.

11. Pearce, J. and Withers, S. Australians hit by online bank fraud. ZDNet Australia (Mar. 18, 2003); news.zdnet.co.uk/hardware/ emergingtech/0,39020357,2132087,00.htm.

12. Wells, S.J. Stolen identity. HR magazine, (Dec. 2002); www.shrm.org/hrmagazine/articles/1202/1202covstory.asp.

Back to Top

Authors

Ton Slewe (ton.slewe@capgemini.nl) is a managing consultant, specializing in security and architecture, at Capgemini, The Netherlands.

Mark Hoogenboom (mark.hoogenboom@capgemini.nl) is a principal consultant, specializing in connecting architecture studies to software engineering projects, at Capgemini, The Netherlands.

Back to Top


©2004 ACM  0002-0782/04/0500  $5.00

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

The Digital Library is published by the Association for Computing Machinery. Copyright © 2004 ACM, Inc.


 

No entries found