David Jevans Founder and Chairman IronKey

Rumors are circulating that new guidelines on online bank account security are under consideration by the Federal Financial Institutions Examination Council (FFIEC).  IronKey supports such an initiative and as a technology leader in protecting online financial transactions, offers these insights on what problems regulators are likely to address.

“With up to $6 billion in annual financial losses from online fraud, regulators will be trying to confront the reality of this massive crime wave,” said IronKey Founder and Chairman David Jevans.  “They understand the enormous threat posed by bank phishing and financial malware stemming from loosely confederated gangs of cyber criminals using ZeuS Trojan, Spyeye and their botnets to mount these attacks on an unprecedented scale.”

In Jevans’ view, look for regulators to issue guidelines on how solve these types of threats:

• Man-in-the-browser attacks render strong authentication useless: In this scenario, malware on a client PC waits until a customer is logged into their bank site, and then spawns a separate hidden window within the session to make fraudulent transactions.  Even strong authentication cannot stop this type of attack, which takes place after the client is authenticated.
• Unique attack signatures make AV software ineffective:  Viruses are now designed to evolve their attack, or “signature,” after even as few as one infection.  This lets them slip past anti-virus software unnoticed, since AV software is based on known signatures.
• Client PC endpoints cannot be trusted: More than 50 percent of PCs are infected with some kind of malware, and hackers spend months targeting individual CEOs or businesses to loot their commercial checking accounts or steal intellectual property. 
• ZeuS Trojan and Spyeye:  These are not individual viruses but are complete toolkits for sale on the Web.  With a full suite of applications and developers around the world adding new capabilities all the time, these programs make it easy for thieves to mount very sophisticated attacks and keep them constantly changing. 

“The last major guidance from the FFIEC focused on two-factor authentication, but simply beefing up those requirements won’t cut it today.  An indication of how they might shape new guidelines can be gleaned from what was already issued by the FBI and NACHA for commercial bank accounts,” said Jevans.

The FBI and NACHA issued 25 recommendations to fight commercial online banking fraud, but the most telling is to use a dedicated computer for online banking.  This means having a PC that is not used for Internet browsing, email or any other functions other than online banking.  In addition, the PC must be protected with up-to-date AV software and use two-factor authentication to access online bank accounts securely.

While a dedicated PC for online banking might seem onerous, the idea of keeping an endpoint out of reach from malware has merit.  What regulators may have in mind is to require an isolated environment for online banking that is invulnerable to any malware problems on a PC.

Such an approach would in fact mirror IronKey’s own strategy, proven effective at stopping the more than 70,000 ZeuS Trojan variants produced annually.  To help protect online banking users from financial malware, IronKey developed Trusted Access for Banking, a solution that provides a secure and trusted endpoint independent of the client PC, following the FBI and NACHA guidelines.  It is a secure IronKey USB device, network and server that together provide a separate, dedicated computing environment for commercial banking with automatic software updates, built-in malware scanning and two-factor SecurID authentication.

IronKey recently produced a 20-minute online webcast, aimed at banking executives, commercial online banking customers and enterprises, that explains the latest bank phishing attacks, the ZeuS Trojan and Spyeye, the "mule" economy and dozens of other topics relevant to understanding and fighting this serious crime wave.  “Protecting Online Banking Customers from Evolving Cyber Crime Threats” reports real world scenarios and statistics, presented by security industry insider Jevans. 

Beyond his experiences with IronKey’s clients and security scientists, Jevans’ insights are further shaped by his active involvement with law enforcement agencies and financial services companies as the chairman of the Anti-Phishing Working Group (APWG), a consortium of more than 1,500 organizations dedicated to fighting email fraud and identity theft online.  The group's sponsors and research partners include the American Bankers Association, eBay, PayPal, VeriSign and Entrust.

IronKey provides essential security products for mobile and remote workers. IronKey solutions protect remote workers from the threats of data loss, compromise of passwords and computers infected by malicious software and crimeware. IronKey multi-function devices connect to a computer's USB port and are easy to manage with the IronKey management service. This allows users to securely carry sensitive corporate data, strongly authenticate to VPNs and corporate networks and isolate remote workers from malicious software and crimeware. IronKey customers include Fortune 500 companies, healthcare providers, financial institutions and government agencies around the world.