Identity Protection Services

Identity Protection Services White Paper
Presented by Perimeter eSecurity, March 2007

Identity Protection Services
Perimeter offers an industry-leading suite of identity protection services, including anti-Phishing and anti-Pharming services, to protect the most valuable asset of any financial institution: its customers. Because a Financial Institution's business success depends on its customers' confidence, providing safe and secure transactions is critical. Traditionally, customers' trust in their Financial Institution (FI) has been relatively high, as the survey data in Figure 1 indicate:

Figure 1. Customer Confidence in their Bank's Security Posture

Unfortunately, client confidence in their FI is eroding because of the nature of today's attacks and the growth of an underground Internet economy. The trust that customers place in their Financial Institutions is being hit hard by several concerns, including the risk of a security breach, the risk of intrusion on privacy and the risk of misuse of personal information.
Page 2 of 10

Figure 2. Issues Creating Trust Concerns Among Banking Customers

What is the real issue if an FI has a security breach? Would customers really leave and find a new place to hold their money? According to an EDS/Ipsos-Reid Online Banking Privacy Survey (see Figure 3), many banking clients would end or curtail their relationship with the institution immediately upon learning of a security breach.


Figure 3. What Customers Would Do If Their Financial Institution Had a Security Breach

This tells us that 40% of a Financial Institution's customers would likely take some or all of their business to a competitor. Added to this pain, 32% would stop doing business on-line and return to the branch, significantly increasing the FI's cost of doing business. Just how real is the threat of a security breach to FIs? We hear constantly about breaches at large organizations, but what about smaller ones? Figure 4 highlights a sampling of well-publicized breaches and shows that breaches are not aimed only at the largest institutions.


Figure 4. Summary of Security Breaches


“They Don’t Call ’em ‘Bank and Trust’ for No Reason”: The Importance of Maximizing Depositor Trust When Transacting Online

Whether it is “Trust your car to the man who wears the star” or “In God We Trust” on U.S. currency, trust is the watchword of good relationships between providers and consumers. In addition to causing billions in direct damages and billions more in reputational damage, computer criminals are eroding consumer trust in online enterprises. While half of America's consumers trust their online bankers, nearly half say they will move offline after experiencing a security breach. The loss of that trust, and the cost of acquiring or re-acquiring depositors, can run to millions of dollars even for a small Financial Institution. As hard as client trust is for an FI to earn (it is a fragile, fickle, yet vital commodity), it can be eroded or destroyed in a few minutes by one creative attacker.

These are among the many events that can damage depositor-banker trust:

A Security Breach: The Financial Institution itself has been compromised, and confidential customer data has been mishandled, or appears to have been. In this paper's terms, such a breach can be the result of a Pharming attack (defined below), in which the attacker alters the institution's own DNS records, certificates or web pages.

Loss of Data: The Financial Institution has misplaced customer data or had it stolen, whether on stored media or in files sent over the Internet. Secure data-handling procedures address the stored-media case; Secure Sockets Layer (SSL) encryption protects data while it is in transit over the Internet.

Client Fraud: An institution's customer is tricked into supplying a user name and password to a false site that looks like the real one. These are the attacks we refer to as Phishing and Pharming.

To maximize consumer trust, an FI must clearly demonstrate its ability to safeguard bank and customer information assets.
Diligent Financial Institutions spend considerable resources securing these assets, whether they are cash and checks in a foot-thick steel vault or bits and bytes on a server or in a database. The range of protection measures includes hardened physical facilities, vaults and secure back rooms, as well as powerful network and data security tools. Modern threats, unheard of in the days of Jesse James, have evolved: today's “techno bad guys” get past the well-guarded network to obtain confidential customer data through the oldest technique of all, fraud. Phishing and Pharming are its current forms.

Phishing and Pharming Defined

Phishing attacks try to lure an unsuspecting individual to a false web site and have them enter personal information (login credentials, account numbers, social security number, contact information, even their mother's maiden name) in the belief that they are visiting a legitimate site operated by their trusted financial institution. The “phisher” then uses the data for financial gain. In many cases the attacker sends what appears to be an official e-mail from the institution itself or from some other well-known organization (such as eBay, PayPal or the government) and asks the recipient to click on a link, where they are asked for an on-line banking user name and password. The e-mail may even claim that the site is experiencing technical difficulty or is being upgraded, and point to a link supposedly required to access one's online banking account. Attackers are “phishing” for the customer's information, using a simple announcement that seems important, official and issued by the institution as bait. Corporate logos, colors and graphics are copied with impunity. Once the attacker has the customer's personal information, they use it to take small or large sums from the customer's account, sell the identity, or worse.

The impact of Phishing is significant. Figures cited from the Federal Trade Commission put losses to phishing at $50 billion in the preceding year alone, and the trend is upward. In any given month as many as 30,000 active phishing web sites may be discovered, and this number continues to grow.

Pharming is the practice of redirecting users to a false web site without their knowledge, where they enter logon credentials that the attacker then uses for financial gain. Unlike Phishing, this type of attack does not use a “lure”; it relies on covert technical means to send users to the false site. The unsuspecting depositor navigates to the institution's web site as usual and enters a user name and password without ever knowing the information has just gone to an attacker.
Although the number of Pharming methods is growing, three types currently predominate.

DNS/Route Poisoning

Pharming attacks typically either compromise a DNS server (or poison a resolver's cache) so that the institution's host name resolves to an address the attacker controls, or hijack BGP routes so that traffic destined for the institution's legitimate addresses is delivered to the attacker's network instead. In either case the victim types the correct address and still lands on the attacker's system.

SSL Digital Certificate

An SSL certificate binds a web site's name to its public key under a certificate authority's signature; it is meant to validate that a site is what it claims to be and to protect the session between the site and its users. The corresponding attack is the “man in the middle”: having redirected traffic by DNS or route poisoning, the attacker terminates the SSL session on their own system and presents the customer with a substitute certificate. If the customer clicks through the browser's certificate warning, or the attacker has obtained a certificate the browser accepts for that name, the attacker can decrypt the customer's traffic, read it and forward it on to the legitimate site. The attacker now sees “secure” traffic in unencrypted form, including confidential information such as account numbers and passwords.


Web Site Defacement

While Pharming attacks often redirect users to a look-alike “spoofed” site, another type of Pharming attack makes a subtle change to the legitimate site itself, for example so that its login form submits to the attacker's server, in order to harvest confidential data or insert malicious code. Successful Pharming is a more daunting challenge for the attacker, but the reward is correspondingly larger, because every customer is redirected or otherwise compromised rather than only those who answer an e-mail. In February 2007, 50 top banks across the world were targeted in a single organized Pharming scam. While this number may seem small, over 400 Pharming attacks are discovered each month, and the number is growing.

Phishing and Pharming enable the theft of an institution's customer information without any breach of, or failure in, the institution's core network security defenses. In one stroke, such an event can damage customers' trust in their financial institution, no matter how thick the vault door or how tight the network security. Worse, an event like this often affects not only how a client does business with an institution, but whether they do business with it at all.

Addressing Phishing and Pharming

To address these new and rapidly evolving threats, institutions need to look beyond traditional hardened measures and traditional Internet security services such as firewalls, IPS, IDS and gateway anti-virus, which do not see an attack that takes place on a server the institution does not own or in the customer's own browser. One way to mitigate these threats is a dedicated, single-purpose anti-Phishing service. Such a service should be easy to use and install; it should include escalation to CERT and other authorities, and it must operate 24x7, since so many attackers are international, nocturnal or both. It should handle Phishing attacks in multiple languages and remove Phishing sites within an average of under 12 hours of validation.
The chore is so daunting and complex that few small and mid-sized institutions protect against Phishing and Pharming in-house. There are not enough resources to go around, and the complexity and international nature of the attacks, plus their constantly changing methods, make it an impossible task for a sole manager or small group.

Any Anti-Phishing Service Should Include:
• Monitoring of SPAM e-mail and DNS registrations.
• A take-down team to eliminate Phishing sites on a 24x7 international basis.
• Browser blocking databases that are updated continuously.
• A real-time reporting interface.
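The first item above, monitoring e-mail and domain registrations, is where the lure described in the Phishing definition is caught. The following is an added example written for this edition, not Perimeter's code and not part of the original paper: it flags anchors in an HTML e-mail whose visible text names the institution while the link goes elsewhere, and flags newly registered domains that imitate the institution's name. The institution domain examplebank.com, the e-mail body and the registration feed are all constructed for the example.

```python
"""Added example, not Perimeter's code: two checks an anti-Phishing monitor
can run over inbound e-mail and a feed of new domain registrations.
The institution name (examplebank.com), the e-mail and the registration
feed below are all constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PROTECTED_DOMAIN = "examplebank.com"   # hypothetical institution domain


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL; bare 'www.x.com/path' text is treated as a URL too."""
    p = urlparse(url if "://" in url else "http://" + url)
    return (p.hostname or "").lower()


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); adequate for the .com/.net names used here."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def suspicious_links(html_body, protected=PROTECTED_DOMAIN):
    """Flag anchors that leave the institution's domain, or whose visible text shows
    one host while the href points somewhere else (the classic lure: the customer
    reads www.examplebank.com but lands on the phisher's server)."""
    parser = _AnchorCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.anchors:
        dest, reasons = host_of(href), []
        if registrable_domain(dest) != protected:
            reasons.append("destination outside protected domain")
        if re.match(r"(https?://|www\.)", text, re.I):
            if registrable_domain(host_of(text)) != registrable_domain(dest):
                reasons.append("visible URL differs from href")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def _levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_registrations(new_domains, protected=PROTECTED_DOMAIN, max_distance=2):
    """Flag newly registered names that embed the protected label or sit within a
    small edit distance of it (typo-squats such as exarnplebank.com)."""
    label, hits = protected.split(".")[0], []
    for d in new_domains:
        d = d.lower()
        if d != protected and (label in d or _levenshtein(d.split(".")[0], label) <= max_distance):
            hits.append(d)
    return hits


# Constructed sample input: a lure e-mail and one day's registration feed.
SAMPLE_EMAIL = """<html><body><p>Dear customer, our online banking system is
being upgraded. Please confirm your details at
<a href="http://examplebank.com.secure-login.net/verify">www.examplebank.com/login</a>
or read our <a href="https://www.examplebank.com/security">security notice</a>.</p>
</body></html>"""
SAMPLE_REGISTRATIONS = ["exarnplebank.com", "examp1ebank.com",
                        "examplebank-online.com", "unrelated.org"]

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL):
        print("LURE:", finding)
    print("LOOK-ALIKES:", lookalike_registrations(SAMPLE_REGISTRATIONS))
```

The registrable-domain helper is deliberately simple; a production monitor would use the public suffix list so that names under country-code second-level domains (co.uk and the like) are compared correctly, and would feed the flagged hosts to the take-down team rather than just printing them.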


Benefits of the Service
• Fraudulent web sites are validated and taken down quickly, protecting account users' personal and confidential information.
• Early detection of Phishing attacks mitigates reputational damage.
• Incident details are tracked and recorded, reducing the costs of compliance and reporting.

A Pharming attack compromises a vulnerable network or system: the attacker takes control of the system and makes changes that give them access to customer information or redirect legitimate traffic to an alternate, malicious site. Sometimes the attacker can even hijack the customer's own computer. An anti-Pharming service should monitor critical Internet-accessible systems for unauthorized changes that may lead to the compromise of sensitive information. Monitoring of the specified systems should occur every two minutes, 24x7. The service should include:
• DNS name resolution verification (the institution's host names resolve to the expected addresses)
• SSL Digital Certificate monitoring (the certificate presented to customers is the one the institution deployed)
• Monitoring of the customer's web site for unauthorized changes
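The three checks just listed, and the DNS/route poisoning, certificate substitution and defacement attacks they are meant to catch (described under "Phishing and Pharming Defined"), can be expressed as one polling cycle of a monitor. The following is an added example written for this edition, not Perimeter's Pharming Shield code: each check is a pure function over an observation already collected (resolved addresses, the certificate presented, the page body), so it runs offline. The host name online.examplebank.com, the addresses, the pinned fingerprints and the page content are constructed for the example.

```python
"""Added example, not Perimeter's code: the three checks an anti-Pharming
monitor performs (DNS resolution, SSL certificate, page content), written as
pure functions over observations already collected so it runs offline. Host
name, addresses, fingerprints and pages below are constructed for this example."""
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    host: str
    expected_ips: frozenset      # addresses the institution really serves from
    cert_sha256: str             # pinned SHA-256 fingerprint of the deployed leaf cert
    page_sha256: str             # fingerprint of the login page when last approved


@dataclass(frozen=True)
class Observation:
    resolved_ips: frozenset      # what a resolver returned for baseline.host
    cert_sha256: str             # fingerprint of the certificate actually presented
    cert_issuer: str
    cert_subject_cn: str
    page_html: str               # body fetched over that connection


def normalise_page(html):
    """Drop volatile fields (anti-CSRF and session tokens) and collapse whitespace so
    a legitimately dynamic page does not alarm on every two-minute poll."""
    html = re.sub(r'name="(csrf|session)[^"]*"\s+value="[^"]*"', "", html)
    return re.sub(r"\s+", " ", html).strip()


def page_fingerprint(html):
    return hashlib.sha256(normalise_page(html).encode()).hexdigest()


def check_dns(baseline, obs):
    """DNS poisoning or route-level redirection shows up as an unexpected address."""
    rogue = obs.resolved_ips - baseline.expected_ips
    return f"DNS: {baseline.host} resolves to unexpected {sorted(rogue)}" if rogue else None


def check_certificate(baseline, obs):
    """A man in the middle must present a different certificate; compare fingerprints,
    not just the subject name, since the attacker controls what the CN says."""
    if obs.cert_sha256 != baseline.cert_sha256:
        return (f"CERT: fingerprint changed for {baseline.host} "
                f"(issuer={obs.cert_issuer!r}, CN={obs.cert_subject_cn!r})")
    return None


def check_page(baseline, obs):
    """Defacement: the legitimate page altered in place (e.g. a form posting elsewhere)."""
    if page_fingerprint(obs.page_html) != baseline.page_sha256:
        return f"PAGE: monitored page on {baseline.host} changed"
    return None


def run_checks(baseline, obs):
    """One polling cycle; returns the alarms to raise (empty list = all clear)."""
    checks = (check_dns, check_certificate, check_page)
    return [alarm for alarm in (c(baseline, obs) for c in checks) if alarm]


# Constructed sample data: the approved page, then three observations.
GOOD_PAGE = ('<html><body><form action="/login" method="post">'
             '<input name="csrf" value="abc123"><input name="user">'
             '<input name="pass" type="password"></form></body></html>')
BASELINE = Baseline(host="online.examplebank.com",
                    expected_ips=frozenset({"198.51.100.10", "198.51.100.11"}),
                    cert_sha256="a" * 64, page_sha256=page_fingerprint(GOOD_PAGE))
NORMAL = Observation(frozenset({"198.51.100.10"}), "a" * 64, "Example CA",
                     "online.examplebank.com", GOOD_PAGE.replace("abc123", "zzz999"))
POISONED = Observation(frozenset({"203.0.113.9"}), "b" * 64, "Rogue CA",
                       "online.examplebank.com", GOOD_PAGE)
DEFACED = Observation(frozenset({"198.51.100.11"}), "a" * 64, "Example CA",
                      "online.examplebank.com",
                      GOOD_PAGE.replace('action="/login"', 'action="http://203.0.113.9/login"'))

if __name__ == "__main__":
    for name, obs in [("normal", NORMAL), ("poisoned", POISONED), ("defaced", DEFACED)]:
        print(name, run_checks(BASELINE, obs) or ["all clear"])
```

Two operational caveats follow from the code. The certificate check pins a fingerprint, so the baseline must be re-pinned when the institution renews its certificate, or every poll after renewal will alarm; and the DNS allow-list must contain every address the site legitimately answers from (for example all hosts behind a load balancer), otherwise a benign rotation looks like poisoning. A deployed monitor also resolves the name from several vantage points, because a poisoned resolver in one region does not affect another.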

When an unauthorized change occurs, alarms are sent to the appropriate security personnel, who ensure the system is restored to its proper configuration.

Conclusion

Phishing and Pharming attacks must be addressed by all Financial Institutions. FIs need to deploy products, procedures and services that mitigate these attacks and help maintain and enhance trust with their customers. As with all security threats, it is not a matter of if but when these attacks will occur. A proactive stance that limits customer identity exposure during such attacks will pay off in customer trust and limit customer losses.


Perimeter's Solution to Phishing and Pharming Attacks

BENEFITS of CounterPhish℠ and Pharming Shield

CounterPhish℠
1. Monitors SPAM e-mail and DNS registrations for early detection of phishing attacks, to mitigate theft of confidential, regulated customer data and the resulting reputation damage.
2. Functions on a 24x7 international basis. Fraudulent web sites can be validated and taken down on a timely basis, protecting account users' personal information.
3. Provides a real-time portal interface. Incident details are tracked and recorded, reducing the cost of compliance and other reporting.

Pharming Shield
1. Monitoring of the specified systems occurs every two minutes, 24x7. Features of Perimeter's Pharming Shield include:
   a. Monitoring of the customer's web site for unauthorized changes
   b. SSL Digital Certificate monitoring
   c. DNS name resolution verification
2. The Pharming Shield logo provides real-time certification: clicking on the logo shows that the pages have been verified.
3. The verification page affirms the status of the web site and shows the last time the page was verified [see above].

FEATURES of CounterPhish℠ and Pharming Shield:
• Monitors your e-mail and web site for malicious attempts to gain access to or modify your systems
• Disables Phishing e-mails by ensuring the false link is no longer active
• Notification of any changes to your web site
• Take-down of rogue DNS servers
• 24x7x365 monitoring and notification
• Verification that your web site is safe for on-line transactions

