
Operational Risk Management and the Financial Services Sector

November 7, 2005

Summary

It's no surprise that financial institutions are assuming a leadership role when it comes to addressing cyber security issues and protecting customers. After all, increases in phishing incidents and other forms of online fraud are dramatically heightening consumer concerns about the safety of the Internet for conducting financial transactions. At the same time, lost and stolen data, including personally identifying consumer information, continues to add to consumer fears and concerns. This article examines some of today's leading threats and vulnerabilities, the potential crisis in consumer confidence, and the steps that the financial services sector is taking to safeguard information and manage cyber security risks.

Phishing's disturbing rise

An overview of the current threat landscape offers a vivid reminder of what financial institutions face today. Take phishing, an activity that particularly affects organizations in the financial services sector. Phishing is an attempt by a third party, typically posing as a bank or another institution the victim already trusts, to solicit confidential information such as account credentials from an individual, group, or organization, usually for financial gain. According to the latest edition of the Symantec Internet Security Threat Report, the number of blocked phishing attempts against targets in the financial services sector rose from a weekly average of 11.0 million attacks in January 2005 to a weekly average of 15.3 million in June 2005. The number of financial institutions targeted by phishing attacks per day grew from an average of five entities per day in the first two weeks of January to an average of 17.5 entities per day in the last two weeks of June.

And consider this: In the first week of January, sensors deployed in the financial services sector detected 580 unique phishing messages. In the final week of June, 2,350 unique phishing messages were detected. That's an increase of 305%.

The financial services sector is a natural target for phishers, of course, since they are usually interested in committing fraud for financial gain. The large increase in phishing messages targeting this sector reinforces this notion. The FTC's Consumer Sentinel report shows that, in 2004, fraud relating to bank accounts and credit cards was the most frequently reported type of fraud.

Of course, phishing continues to grow because it continues to succeed and to be lucrative. According to the Internet Crime Complaint Center, in 2004 the average loss to the consumer was $240.00 for credit card fraud and $907.30 for identity theft. According to the FBI, in one specific case an identity theft ring was able to net over $2 million. For phishers, the cost of sending out phishing email is negligible; the cost to end users, however, can be significant.

One final note about phishing: The growth in the number of financial institutions being phished can be attributed to the large number of small banks, credit unions, credit card companies, and other financial institutions that provide a large pool of potential targets for phishers who want to continue targeting new companies. Phishing is no longer confined to a handful of well-known institutions.

The top attacks

Now let's look at specific attacks against financial institutions. According to Symantec data, during the first six months of 2005, the most widespread attack detected by sensors deployed by the financial services industry was the Microsoft SQL Resolution Service Stack Buffer Overflow Attack, a stack overflow in the SQL Server 2000 Resolution Service, which listens on UDP port 1434 (Microsoft patched it in July 2002 as MS02-039). Also known as the Slammer Attack, it accounted for 31% of the IP addresses detected attacking targets in the financial services industry. This attack is commonly associated with three high-profile malicious code samples: Slammer, Gaobot, and Spybot.

This attack can affect both Microsoft SQL Server 2000 and the Microsoft Desktop Engine (MSDE), the redistributable form of the same engine. MSDE is bundled with some third-party software, which makes protecting against this attack difficult: each affected software package must be inventoried and patched separately, often without the database being visible in the organization's asset list. Also, the vulnerability that this attack exploits will be reintroduced whenever a vulnerable application is reinstalled, because the installer ships its own, usually older, build of the engine. If patches aren't applied shortly after reinstallation, a compromise is likely. Because the Resolution Service listens on UDP port 1434, filtering that port at the perimeter and between internal segments is the compensating control while patch levels are tracked down.
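The two practical problems the paragraph raises are finding every MSDE or SQL Server 2000 instance that answers on UDP 1434 (including the ones hidden inside third-party products) and recognising the overflow traffic on the wire. The script below is an added example written for this page; it is not code from the newsletter, from Symantec, or from Microsoft. It builds the one-byte "enumerate instances" request of the SQL Server Resolution Protocol, parses the reply (type byte 0x05, little-endian 16-bit length, then ';'-separated key/value text with each instance terminated by ';;'), flags 8.x builds older than an assumed "safe" build, and classifies UDP/1434 datagrams so that an overlong 0x04 lookup, which is what the Slammer packet is, stands out. The host names, the sample reply, the 32-byte lookup bound and the SP3 build threshold (8.00.760) are constructed or assumed for illustration; check the threshold against Microsoft's build list before relying on it.

```python
"""Inventory SQL Server 2000 / MSDE instances over SSRP (UDP 1434) and classify
UDP/1434 payloads. Added example for this page; sample data is constructed."""
import socket
import struct
from typing import Dict, List

SSRP_PORT = 1434
CLNT_UCAST_EX = 0x02    # client: enumerate all instances on the host
CLNT_UCAST_INST = 0x04  # client: resolve one named instance (the path Slammer hit)
SVR_RESP = 0x05         # server reply

# ASSUMPTION: SQL Server 2000 / MSDE 2000 builds older than SP3 (8.00.760) are
# treated as lacking the Resolution Service overflow fix. Verify before use.
MIN_SAFE_BUILD = (8, 0, 760)

# ASSUMPTION: a legitimate 0x04 lookup carries at most a 32-byte instance name
# (SQL Server caps names at 16 characters). Slammer's datagram is 376 bytes.
MAX_LOOKUP_LEN = 32


def parse_ssrp_response(payload: bytes) -> List[Dict[str, str]]:
    """Turn an SVR_RESP frame into one dict of key/value pairs per instance."""
    if len(payload) < 3 or payload[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", payload, 1)
    text = payload[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for record in text.split(";;"):
        fields = record.strip(";").split(";")
        if len(fields) < 2:
            continue  # empty trailer after the final ';;'
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def build_tuple(version: str) -> tuple:
    """'8.00.194' -> (8, 0, 194); non-numeric parts become 0."""
    parts = [int(p) if p.isdigit() else 0 for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def find_unpatched(instances: List[Dict[str, str]]) -> List[str]:
    """Names of 8.x (SQL 2000 family) instances whose build predates MIN_SAFE_BUILD."""
    flagged = []
    for inst in instances:
        build = build_tuple(inst.get("Version", "0"))
        if build[0] == 8 and build < MIN_SAFE_BUILD:
            flagged.append(inst.get("InstanceName", "?"))
    return flagged


def classify_request(payload: bytes) -> str:
    """Label a datagram sent to UDP 1434 by its SSRP type byte and size."""
    if not payload:
        return "empty"
    kind = payload[0]
    if kind == CLNT_UCAST_EX and len(payload) == 1:
        return "ssrp-list"
    if kind == CLNT_UCAST_INST:
        if len(payload) - 1 > MAX_LOOKUP_LEN:
            return "overlong-lookup"  # Slammer-style overflow of the name buffer
        return "ssrp-lookup"
    return "unknown"


def probe_host(host: str, timeout: float = 2.0) -> List[Dict[str, str]]:
    """Live use: send the enumerate request and parse whatever answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(bytes([CLNT_UCAST_EX]), (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_ssrp_response(data)


# Constructed sample reply: an RTM-era default instance and an SP3 named instance.
_BODY = (b"ServerName;FIN-APP01;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;8.00.194;tcp;1433;;"
         b"ServerName;FIN-APP01;InstanceName;LEDGER;IsClustered;No;"
         b"Version;8.00.760;tcp;1532;np;\\\\FIN-APP01\\pipe\\MSSQL$LEDGER\\sql\\query;;")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_BODY)) + _BODY

# Constructed stand-in for the worm datagram: same size and leading bytes
# (0x04 then 0x01 padding), filler instead of shellcode.
SAMPLE_OVERFLOW = b"\x04" + b"\x01" * 97 + b"\x90" * (376 - 98)

if __name__ == "__main__":
    found = parse_ssrp_response(SAMPLE_RESPONSE)
    print("instances:", [i["InstanceName"] for i in found])
    print("unpatched:", find_unpatched(found))
    for pkt in (b"\x02", b"\x04LEDGER\x00", SAMPLE_OVERFLOW):
        print(len(pkt), classify_request(pkt))
```

Run `probe_host("10.0.0.5")` (address assumed) against a segment to list the engines that answer; anything reported with an 8.x build below the threshold is an MSDE or SQL 2000 install that still needs the fix, and the `InstanceName` usually reveals which third-party product dropped it there. The classifier is deliberately size-based rather than signature-based so it also catches variants that change the shellcode but not the overflow.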

The second and third most widespread attacks against financial institutions during this period were both denial of service (DoS) attacks. DoS attacks are a particular threat to companies that rely on the Internet to generate revenue. As the most recent Symantec Internet Security Threat Report observed, this pattern may reflect financial motivation: DoS attacks have been threatened as leverage in reported extortion attempts.

Tackling the crisis in consumer confidence

Last year, BITS, the industry consortium, surveyed its members to estimate the costs to financial institutions of addressing software security and patch management problems. Based on the survey, BITS estimated it costs the financial services industry nearly $1 billion annually to deal with software security and patch management problems.

In a report released this year, BITS acknowledged that

"We are hearing more and more about security breaches and data losses. Data breach disclosures reflect the fact that organizations are required to report security breaches. ... Most of these breaches are physical breaches or lost data as it was being shipped from one facility to another. There also have been hacking-related breaches and insider abuse." ("BITS Consumer Confidence Toolkit: Data Security and Financial Services," September, 2005)

BITS went on to say that notifying customers is a complicated and complex process that can, if poorly done, undermine confidence in the financial services industry and the economy overall. It cautioned that care must be exercised in alerting consumers to steps they can take to protect themselves from ID theft and other forms of fraud while averting needless alarm.

The report also highlighted the following paradox: Consumer fear about online security is the number one reason that consumers give for not conducting financial transactions online. However, monitoring financial accounts online and using electronics rather than paper can actually reduce consumers' risk of identity theft.

Efforts to improve management of risk

As financial institutions know, protecting privacy and maintaining security is an ongoing process. It requires constant vigilance, and there are no simple solutions. Recent efforts undertaken to improve management of risk include the following:
  • Last year, BITS and The Financial Services Roundtable established the Identity Theft Assistance Center (ITAC). The ITAC provides a free victim assistance service for customers of member companies. It aims to help victims of ID theft by reducing the delays that consumers often experience as they restore their financial identity. As of August 2005, the ITAC had helped more than 2,000 consumers restore their financial identities. ITAC information is shared with law enforcement to help prosecute the perpetrators.
  • BITS has also issued software security business requirements to encourage software companies to reduce vulnerabilities in their products and to make the patching process more efficient and effective.
  • BITS created the Phishing Prevention and Investigation Network to help shut down online scams, aid in investigating perpetrators by providing data to law enforcement officials, and provide a "united front" for combating online schemes.
  • Testifying in September at a Congressional field hearing on the current status of financial market preparedness for wide-scale disasters and disruptions, BITS CEO Catherine A. Allen stated that, "over the past four years, the financial services sector has taken major strides to respond to the risks we face today while preparing to address future threats and vulnerabilities." In particular, Allen cited improved communications and coordination of information within the financial services sector during times of disaster. "While I believe our industry overall is better prepared than ever, there are significant risks that can only be addressed by working in partnership with others," she said.
  • The Treasury Department's Office of the Comptroller of the Currency issued a bulletin this past July that outlines the steps banks should take to mitigate the risks of phishing. Among other things, national banks were told they must file suspicious activity reports, or SARs, if they are the target of a spoofing incident.

Conclusion

Today's financial institutions must manage the risk posed by a wide range of potential attackers, including disgruntled workers, mischievous employees, industrial spies, and fraudsters. Risk management is an iterative process that ensures reasonable steps are taken to protect information resources. Symantec can provide the cornerstone of a financial institution's information security risk management program by combining world-class technologies, comprehensive services, and global emergency response teams. As a result, some of the largest financial institutions in the U.S. trust Symantec with the security of their vital information networks.


Disclaimer: The information contained in this web site is made available for informational purposes only and is not legal advice. The information is provided only as general information which may or may not reflect the most current legal developments. This information is not intended to constitute legal advice or to substitute for obtaining legal advice from an attorney licensed in your state.
