Financial Institutions, Merchants, and the  Race Against Cyberthreats
This Aite analyst report examines the common threats facing financial institutions and retailers, including mobile attacks, DDoS, and malware, and offers recommendations on common defenses deployed by players in both industries.

Financial Institutions, Merchants, and the Race Against Cyberthreats Document Transcript

Financial Institutions, Merchants, and the Race Against Cyberthreats

© 2013 RSA. All rights reserved. Reproduction of this report by any means is strictly prohibited.
Financial Institutions, Merchants, and the Race Against Cyberthreats
October 2013

TABLE OF CONTENTS

INTRODUCTION (page 3)
FINANCIAL INSTITUTIONS AND MERCHANTS: THE TARGETS (page 4)
CYBERTHREATS: THE TOP TROUBLEMAKERS (page 7)
  HACKING (page 7)
  PHISHING (page 8)
  MALWARE (page 8)
  MOBILE (page 10)
  DISTRIBUTED DENIAL OF SERVICE (page 11)
UPPING THE ANTE (page 13)
  RSA ADAPTIVE AUTHENTICATION AND RSA SILVER TAIL (page 14)
CONCLUSION (page 15)
ABOUT AITE GROUP (page 16)
  AUTHOR INFORMATION (page 16)
  CONTACT (page 16)
ABOUT RSA (page 17)

LIST OF FIGURES

FIGURE 1: TYPE OF ORGANIZATION RESPONSIBLE FOR CYBERTHREAT ACTIVITY (page 5)
FIGURE 2: CYBERTHREAT COUNTRY OF ORIGIN (page 6)
FIGURE 3: NUMBER OF UNIQUE NEW ONLINE MALWARE STRAINS (page 9)
FIGURE 4: NUMBER OF UNIQUE NEW MOBILE MALWARE STRAINS (page 10)
INTRODUCTION

The cyberthreats that menace the global economy are multiplying at an alarming rate. These threats come in the form of malicious software code, waves of distributed denial of service (DDoS) attacks, and insidious corporate espionage, all designed to provide financial or political benefit to criminals. While no aspect of the global economy is immune to attack—everyone from government entities to utilities to e-commerce merchants has hit the headlines with big breaches over the last year—this white paper will focus on two of the most lucrative targets for the organizations behind the attacks: financial institutions (FIs) and merchants.

One of the challenges in defending against the onslaught of attacks is the many different players and attack vectors. International organized crime rings seek financial gain; nation-states, individuals, and crime rings are engaged in espionage against governments and businesses; and hacktivists hope to make headlines. There are no clear dividing lines between players' causes, either; many times, the place where hacktivists leave off and fraudsters begin is none too clear. There are a few common elements in the threats and the defenses employed by FIs and merchants, however.

• The threats are escalating more quickly than banks or businesses can deploy defenses against them. The bad guys don't have to make a business case in order to innovate and deploy new technology, whereas the forces of good usually do. With new malware being deployed constantly (more than 150,000 unique new strains each day in Q1 2013), it's very difficult for the good guys to keep pace.

• The username/password combination as an authenticator is officially broken. With myriad database breaches over the last year compromising tens of millions of usernames and passwords, and consumers exercising very little care or caution, the sole relevant use of this combination is now that of a database look-up mechanism.

• Nobody is ever 100% secure. The threat environment is simply moving too fast. Rather than bulletproof security, organizations need to focus on ways to make the cost of breaching their security more trouble than the data that could be obtained is worth, using a layered, risk-based approach to maintain the balance between security and customer experience.

To understand the rapidly evolving global threat environment, Aite Group had more than 100 conversations between August 2012 and July 2013 with banks, merchants, vendors, and investigators in the cybersecurity space. This white paper details the myriad threats and presents current and planned solutions for FIs and merchants.
FINANCIAL INSTITUTIONS AND MERCHANTS: THE TARGETS

The financial services value chain—everyone from the consumer all the way up to the merchant—consists of lucrative and high-profile targets for the many entities intent on chaos and financial gain. Figure 1 shows a breakdown of the types of entities responsible for the bulk of 2012 data breaches, as measured in the Verizon Data Breach Investigations Report [1]:

• Organized crime rings are responsible for 55% of attacks. They are highly structured, operating as efficient businesses with similar profit and margin objectives as those in the legitimate economy.

• State-affiliated entities are responsible for 21% of attacks. These attacks often have very different methods and motives than those initiated by organized crime rings, for whom near-term financial gain is the primary impetus. Attacks sponsored by nation-states are often looking for intelligence rather than credentials or card data. This intelligence can be obtained via external attacks that plumb the depths of databases, seeking political or financial advantage (e.g., for insider trading), or via internal employees leaking information (Edward Snowden is the current poster child of this category).

• Lone hackers, who are in it for either individual financial gain or the thrill of the chase, still initiate a small percentage (8%) of cyberthreats. This group represents a decreasing minority as the penalties become more severe and the barriers, higher.

• Hacktivists such as Anonymous and Izz ad-Din al-Qassam Cyber Fighters (the group responsible for the high-profile and highly successful waves of DDoS attacks launched against U.S. FIs in September 2012) have certainly garnered plenty of headlines as a result of their attacks. This classification represents a fairly small portion of actual breach activity, however: only 2%. Hacktivist groups are typically more interested in headlines than in financial gain, and they have spent more time executing disruptive attacks such as DDoS than in actual breach activities.

• Former and current employees are an insidious threat. While only 1% of breaches appear to be linked to insider activity, the methodology for this measurement was binary, requiring that responsibility for breaches be assigned to only one category. Another section of the Verizon data breach report permitted multiple root causes to be assigned, and this measurement indicates that insiders are responsible for as much as 14% of the breaches, highlighting the extent to which the categories are intertwined (e.g., organized crime rings bribing or otherwise inducing the participation of insiders).

• Many of the attack vectors are simply unknown, even after an FI discovers a breach. This reality highlights the complexity associated with cyberthreats, which can linger

1. Verizon Data Breach Investigations Report, 2013, http://www.verizonenterprise.com/DBIR/2013/
undetected for months or years, thus exacerbating their impact. Once discovered, the data trail is often so complex that it is impossible to detect its origin.

Figure 1: Type of Organization Responsible for Cyberthreat Activity
Variety of External Actors
  Organized crime     55%
  State-affiliated    21%
  Unknown             13%
  Unaffiliated         8%
  Activist             2%
  Former employee      1%
Source: Verizon Data Breach Investigations Report, 2013

Figure 2 provides an overview of the countries behind the cyberthreats. Different types of threats tend to emanate from different regions. The vast majority of China's activity is espionage-related, while virtually all of Romanian and other Eastern European nations' activity results in direct attacks on payment cards and online banking activity.
Figure 2: Cyberthreat Country of Origin
Origin of Top 10 External Actors
  China           30%
  Romania         28%
  United States   18%
  Bulgaria         7%
  Russia           5%
  Netherlands      1%
  Armenia          1%
  Germany          1%
  Colombia         1%
  Brazil           1%
Source: Verizon Data Breach Investigations Report, 2013

Much of the data that cybercriminals glean from illicit attacks on the financial services value chain is monetized via underground Web forums. This is the digital underworld where crime rings transact, exchange data (for a price), and trade secrets and insights into how to best pilfer from legitimate enterprises. These forums are essentially the Facebook for bad guys, where trust and a social network are the means for gaining admission and staying in the club. Transactions can be consummated in a number of ways, either via exchanges of funds set up via the forum itself or via instant messaging facilities such as Jabber. Payment can take place via traditional banking mechanisms, although digital currencies, such as Bitcoin, the erstwhile Liberty Reserve, and WebMoney, are increasingly favored due to their untraceable nature and the relative ease with which they can be converted to hard currency.
CYBERTHREATS: THE TOP TROUBLEMAKERS

Bad guys create turmoil and steal money and data in a number of ways. Hacking, phishing, malware, and DDoS attacks are chief among the cyberthreats causing trouble for FIs and merchants. Unfortunately, these problems only promise to get worse. As the United States migrates to EMV and the highly lucrative counterfeit card business largely dries up for organized crime rings [2], attacks on digital channels will only intensify.

HACKING

Hacking consists of brute-force attacks in which the bad guys poke and prod to discover portions of systems and networks that are inadequately secured. At many large organizations, the data is spread across multiple databases in many different spots throughout the network. Sometimes, where the data architecture is highly sophisticated and mindful of the value the data represents, this is by design. All too often, however, this sprawling data architecture is the product of decades of iterative product development and operational efforts that have resulted in data stored in isolated pockets and systems across the enterprise. This ad hoc architectural approach proves incredibly difficult to secure on an ongoing basis. Many times, the back door that cybercriminals are looking for is opened by an oversight in a new product release. Cybercriminals also identify vulnerabilities in commonly used software, such as Java or Adobe products, and use those vulnerabilities as their way in.

While card numbers and personally identifiable information (PII) remain highly desirable, criminals also actively target login credentials, cognizant of the fact that an estimated 55% of all consumers use the same set of login credentials across all of their online relationships [3]. Many e-commerce companies do hash the passwords in their databases, but the hash is often a simple, fast function, designed more for transaction speed than for high-grade security. Many companies will also "salt" the passwords, combining each password with a random string of data before hashing it. This makes the passwords more difficult to crack en masse, but they are still by no means invincible. When those credentials are compromised and cracked, criminals typically load them into automated bots and direct them against as many online properties as possible. For this reason—due to the many database breaches in which credentials have been compromised—many of the e-commerce merchants that Aite Group interviewed saw a sharp uptick in account takeover fraud in 2012.

2. For more details on the U.S. migration to EMV, see Aite Group's report, EMV: A Roadmap and Guidebook for the U.S. Market, June 2013.
3. Ofcom Adult Media Use and Attitudes Report, 2013.
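The distinction the hacking section draws between a simple, fast hash and a salted hash is easiest to see in code. The following Python example is added here and is not code from the report, from Aite Group, or from any vendor the report names. It contrasts an unsalted SHA-256 digest (where every account sharing a password gets the same stored value) with a per-account salted, iterated PBKDF2 record verified in constant time; the iteration count and the record format are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters for the salted, iterated scheme. These are assumed values for this
# example; pick an iteration count from current guidance and your own hardware.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def fast_unsalted_hash(password: str) -> str:
    """The weak scheme the text describes: one fast hash, no salt.
    Every account that shares a password gets the same digest, so a single
    precomputed table of common passwords cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. Returns a self-describing record
    (the format is an assumption for this example):
    pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
    except ValueError:  # malformed salt or iteration count in the record
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """Two accounts choose the same password. Returns
    (unsalted digests identical, salted records identical)."""
    unsalted_same = fast_unsalted_hash(password) == fast_unsalted_hash(password)
    salted_same = hash_password(password) == hash_password(password)
    return unsalted_same, salted_same


if __name__ == "__main__":
    # Constructed sample password for the demonstration.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))
    print("(unsalted collide, salted collide):", same_password_collides("password123"))
```

The salted records for two accounts with the same password differ, so a leaked table cannot be cracked in one pass with a precomputed list, and the iteration count makes each guess cost far more than a single SHA-256; that is the "more trouble than the data is worth" trade-off the report keeps returning to.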
PHISHING

Phishing is a tried and true means of inducing end users to reveal their online credentials. Emails with Web links are sent to end users in an attempt to get them to click the link and input their credentials into the resulting Web page, which is hosted by the criminals for the express purpose of harvesting credentials. While various industry groups have made concerted efforts to educate consumers about the risk, and despite the success of cross-industry initiatives such as the Anti-Phishing Working Group in combating phishing, this attack vector is still quite successful for cybercriminals. This success has bred a number of equally, if not more successful, variants. Spear phishing, for example, is a more targeted and effective form of phishing in which attackers send highly targeted emails designed to compromise user credentials by either directing recipients to a bogus website or enticing users to download malware to their computers. Many of the data breaches that include email addresses are later leveraged in spear phishing campaigns. Spear phishing is more effective than traditional phishing because the criminal knows that the consumer has a relationship with a particular brand (e.g., Zappos), so he or she can tailor a very convincing email that will induce the consumer to click through.

Phishing is not limited to the online environment, either. Criminals have extended their phishing to include SMS to mobile devices, an attack form known as "smishing." Rogue apps in mobile app stores, purporting to be the mobile banking app for a particular bank or e-commerce brand, are also increasingly common. One FI executive interviewed for this white paper stated that her FI is detecting and taking down an average of 300 rogue apps per month that imitate the FI's brand.

MALWARE [4]

Malware is another favored tactic of cybercriminals, who do their homework and adjust their tools and techniques rapidly. The number of unique, new strains of malware released by criminals is growing rapidly. These new forms of malware have new and different signatures and are able to slip by antivirus and antispyware programs resident on end users' computers (Figure 3).

4. For more details on malware-based attacks, see Aite Group's reports Endpoint Protection: Secure Browsers, a Key Element of a Layered Strategy, November 2012, and Banks and Businesses in the Crosshairs: Cybercrime and Its Impact, September 2011.
Figure 3: Number of Unique New Online Malware Strains
Unique New Online Malware Strains Released Per Year, 2011 to e2017 (in millions)
  2011      24.7
  2012      35.6
  e2013     58.4
  e2014     81.8
  e2015    106.3
  e2016    138.2
  e2017    165.8
Source: McAfee Labs, Aite Group

Unfortunately, there is little in the way of disincentive for the crime groups behind the production of the malware, and much to gain. Here are just a few examples of the lucrative ways in which malware is used for illicit gain:

• Corporate account takeover: Man-in-the-Browser (MitB) attacks, deployed in the form of the ZeuS Trojan, Citadel, and others, have rapidly turned into the bane of FI fraud executives' existence. These keylogging Trojans are designed to capture online banking credentials, which are then used to drain the bank accounts of small and midsize businesses. ZeuS, one of the most successful strains, has spawned numerous variants, which add additional nuances such as HTML injection and the ability to take over users' Web sessions to help further elude detection. Trojans are prolific, thanks to their ability to be automated.

• Intelligence gathering: Numerous forms of malware are deployed for the express purpose of gleaning information from the target. This information can be used later, in more targeted attacks, for insider trading activities or for espionage.

• Harvesting card data: Point-of-sale (POS) systems are a favorite target of malware makers. Once downloaded onto a merchant's computer, the malware enables cybercriminals to easily access unencrypted card data. One bank investigator Aite Group interviewed stated that this malware is becoming so prevalent that post-breach forensic investigations are often discovering multiple forms of unrelated malware on merchants' systems, meaning that the data has been compromised and sold on the black market multiple times by different crime rings.
Cybercriminals are not limiting their attacks on merchants to credit card-based fraud. To the extent that rewards, sweepstakes, and coupons are available on a merchant's website, cybercriminals will program their bots to attack this functionality as well, and endeavor to use it in ways that are unintended. These business logic abuses impact merchants in a number of ways. First, there is the hard cost (e.g., paying out a sweepstakes prize to a crime ring that has submitted hundreds of thousands of entries for the prize). Business logic abuses can also adversely impact the genuine customer experience, can lead to revenue or data loss, and can have a negative impact on the merchant's brand.

There is an infrastructural cost to consider as well. The server load imposed by business logic abuses is often more difficult to measure, but ultimately more costly. The large volumes of traffic caused by bots often require merchants to implement extra server capacity to be able to maintain response time and uptime service levels, unless some sort of behavioral analytic technology can be leveraged to detect and block the devices responsible for the attacks.

MOBILE

While the mobile environment currently has far fewer strains of malware, the mobile malware population is growing at a much faster rate. In 2011 there were only 792 new strains of malware deployed; that number jumped nearly twentyfold in 2012, and at the current pace, nearly 90,000 unique strains of malware will be deployed in 2013 (Figure 4). Mobile will continue to be an area of continued focus and innovation by cybercriminals as the number and value of transactions originating in the mobile channel continue to increase. Trojans designed to steal data and compromise banking credentials represent the bulk of the new malware deployed. More than 95% of mobile malware is directed at the Android platform, a result of the openness of the Android app store, the popularity of the devices themselves, and the fragmentation of the supply chain, which makes it very difficult for Google to push the latest security patches and updates to the end user.

Figure 4: Number of Unique New Mobile Malware Strains
Unique New Mobile Malware Strains Released Per Year, 2011 to e2017
  2011            792
  2012         14,259
  e2013        89,556
  e2014       403,002
  e2015     1,612,008
  e2016     5,158,426
  e2017    11,864,379
Source: McAfee Labs, Aite Group
The pain in the mobile channel is manifesting in different ways for FIs and merchants. Merchants have not locked down the mobile channel to the extent that FIs have from a functionality perspective, and as mobile transaction volume rises, many merchants are seeing a spike in fraud related to the mobile channel as well. One merchant interviewed by Aite Group just launched its mobile app in May 2012 and is already seeing fraud rates that are many multiples higher than those in its online channel. Another merchant reports chargeback rates in its mobile channel that are twice that of its online channel. A third merchant is bracing for an influx of mobile fraud; it is preparing to deploy its native app, which will effectively expose the application programming interfaces (APIs) for all to see, thus presenting fraudsters with a whole new range of attack possibilities. There are a couple of significant challenges inherent in the exposed APIs:

• Man-in-the-Middle attacks will become a much bigger threat, as cybercriminals have a proven ability to use the exposed elements to recreate the app and insert themselves in the transaction stream.

• Visibility into the API will enable the fraudster to mass enroll large quantities of accounts or feed fraudulent orders en masse into the merchant's system. This is a problem of scale that most merchants aren't prepared to address—even when the problem is detected, it takes a fraud analyst five to 10 minutes on average per order to roll back the order. A large attack that feeds 10,000 bad orders into the system in this way would be akin to a denial-of-service attack on a merchant's fraud operation, essentially paralyzing the operation.

The merchant experience could be a harbinger of things to come for FIs. FIs are not yet seeing much fraud that can be solely attributed to the mobile channel—most of the losses are the result of cross-channel fraud, in which the credentials are harvested from the mobile channel (often via phishing or smishing), and then used online. Risk has been contained by limiting the risk level of transactions that can be performed from the mobile channel. For higher-risk transactions that are enabled, the risk is contained via velocity controls and rules. This containment strategy has a limited shelf life, however, as FI customers increasingly expect the mobile channel to have the same capabilities as online.

DISTRIBUTED DENIAL OF SERVICE

The DDoS stakes have officially been raised. The waves of DDoS attacks against major U.S. financial institutions that started in September 2012 have been unprecedented in size and scale. They successfully brought down the websites of some of the biggest financial brands, resulting in irritated customers and overwhelmed call centers. Using a combination of "zombie" devices (i.e., devices compromised by malware and controlled by the hacktivists) and application servers to form a botnet, perpetrators were able to flood bank websites with a high volume of traffic, at times exceeding 30 million packets per second. The attacks used legitimate IP addresses and combined a mix of attack vectors, simultaneously targeting both infrastructure and application layers. The initial DDoS attacks contained 10 times the volume of a typical denial of service attempt, and major brand-name banks all saw their sites go down. The Izz ad-Din al-Qassam Cyber Fighters claimed credit for the attacks, a claim that carries credibility since the attacks were publicly announced prior to the websites crashing. The
group has not only unleashed subsequent waves of attacks but has also effectively created a roadmap for other groups intent on disrupting commerce, garnering headlines, and creating new opportunities for fraud.

As banks build plans to defend against this new form of attack, their efforts need to focus both on shoring up the online channel and on understanding the collateral impact on other channels. When a critical channel goes down, other channels—particularly the call center—feel the impact. Fraud-mitigation capabilities should be a particular area of focus; fraud filters need to be able to handle the higher volume that will flow through the call center. The call center already represents a point of vulnerability for many FIs, with many fewer lines of defense than the online and mobile channels typically employ. When a flood of traffic hits the call center, there are many opportunities for fraudsters to take advantage of the chaos and slip fraudulent requests in with the genuine. If FIs are unprepared, it will be all too easy for these requests to slide through undetected [5].

While merchants have largely been exempt from these attacks thus far, they are by no means immune, especially as banks have strengthened their Web defenses and are harder to take down. To the extent that their brand is high profile and successful, merchants should consider themselves targets and ensure they have a solid DDoS contingency plan in place.

5. See Aite Group's report, Look Who's Talking: Financial Institutions' Contact Centers Under Attack, April 2013.
UPPING THE ANTE

The sad reality is that no business can ever truly achieve 100% security. The threat environment is moving too fast, and the insidious ability of external and internal criminals is too great for any type of silver-bullet assurance. The strategy that many FIs and merchants are undertaking is to continue to increment their security infrastructure, with complementary layers of technology that make it more trouble for the bad guys to penetrate the defenses than the data that the criminals are seeking is worth. As noted earlier, organized crime rings are behind many of the attacks, and these highly efficient businesses have the same requirements of profitability that legitimate businesses do. If it is too expensive to penetrate a target's security layers, the criminals will usually move on to easier prey. That said, a layered, risk-based combination of technology and policy can serve as a highly effective means of cybercrime deterrence and detection.

Behavioral analytics is a leading technology used by FIs and merchants alike to serve as the underpinning of a risk-based approach. Behavioral analytics can be deployed in a variety of ways to detect anomalous behavior indicative of not only the fraudulent activity itself but also the reconnaissance tactics that often lead up to the fraud. Through rules and/or analytics, behavioral analysis tools detect fraud by monitoring the user session to detect suspicious activities or patterns. Behavioral analysis technologies can also examine Web navigation techniques to highlight anomalies indicative of suspicious activity. Behavioral analytics represent a great way to detect pattern anomalies and are a key technology for FIs seeking to bring their fraud-mitigation technologies down to the transaction level. As with any tool, there is a certain level of false positives, which is where the importance of layering comes in (i.e., the ability to prompt the user to perform additional levels of authentication in a manner appropriate to the transaction). Here are a few examples of behavioral analytics in action:

• Bot-based attacks: Automated bots do not behave in the same way as do legitimate users. They move faster, and navigation patterns will differ from those of a legitimate Web user. Behavioral analytics can detect these anomalies and either prompt for stepped-up authentication or just invoke actions to block the offending IP addresses altogether.

• Trojan-based attacks: Cybercriminals will often not transact in patterns consistent with those of a legitimate end user. Behavioral analytics can detect many of the hallmarks of a Trojan-based attack (for example, a US$200,000 wire transaction is being initiated, when the typical wire amount for that user is US$20,000) and can either execute a series of stepped-up authentication prompts or block the transaction entirely and flag it for manual review.

• DDoS: Hacktivists and cybercriminals will often perform reconnaissance prior to many of their attacks to study their target and understand points of weakness. DDoS is no exception, and behavioral analytics can be used to detect these patterns of reconnaissance, which again have distinct navigational patterns (going to an unusual combination or sequence of Web pages) and unusual IP address frequencies. During an
attack, behavioral analytics are instrumental in detecting the offending IP addresses and shutting them down rapidly.

RSA ADAPTIVE AUTHENTICATION AND RSA SILVER TAIL

RSA Adaptive Authentication uses risk-based authentication to measure the risk associated with a user's login and post-login activities. Using risk modeling and a rules-based approach, a unique risk score is assigned to each activity. If the score exceeds the risk threshold as determined by each organization, a user may be asked to provide additional identity assurance such as out-of-band authentication. RSA Adaptive Authentication is currently used to protect more than 350 million users across a number of websites, portals, mobile applications, virtual private networks (VPNs) and Web access management applications.

RSA Silver Tail utilizes Web session intelligence to help distinguish legitimate user behavior from suspicious activity within online sessions. Used to identify a number of attacks, including account takeover, DDoS, password guessing, and business logic abuse threats, RSA Silver Tail captures and analyzes user clickstreams on a website to build behavioral profiles and compares activity within each Web session to profiles of legitimate user behavior to identify fraudulent or disruptive activity.

Together, RSA Adaptive Authentication and RSA Silver Tail provide risk-based security threat detection—from initiation of a Web session through site navigation to transaction monitoring to session end. Using proven authentication and fraud detection technology with behavior, velocity and threat analytics, the combined solutions offer threat and fraud mitigation throughout the entire Web session.
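The behavioral-analytics examples in the Upping the Ante section (bots that click faster and navigate differently than people, a wire far above a user's typical amount), the velocity controls mentioned for the mobile channel, and the per-activity risk score with an organization-set threshold described for RSA Adaptive Authentication all fit one small rule engine. The Python below is an added example, not code from the report, from Aite Group, or from RSA's products; the sessions, point values, thresholds, and page paths are constructed for this illustration.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, List, Optional

# Tunable rule parameters. All values are assumptions for this example.
BOT_MIN_MEDIAN_GAP_S = 0.5   # a person rarely averages faster clicks than this
AMOUNT_ANOMALY_RATIO = 5.0   # wire / user's typical wire at or above this is anomalous
VELOCITY_WINDOW_S = 600      # velocity control: look at the last 10 minutes
VELOCITY_LIMIT = 3           # more wires than this in the window is suspicious
STEP_UP_THRESHOLD = 40       # score at or above this prompts out-of-band authentication
BLOCK_THRESHOLD = 80         # score at or above this blocks and flags for manual review


@dataclass
class Click:
    t: float       # seconds since the session started
    page: str      # path visited


@dataclass
class Session:
    user: str
    clicks: List[Click]
    wire_amount: Optional[float] = None                           # wire being initiated, if any
    prior_wires: List[float] = field(default_factory=list)        # user's historical wire amounts
    recent_wire_times: List[float] = field(default_factory=list)  # epoch seconds of recent wires
    now: float = 0.0                                              # epoch seconds at decision time


def bot_points(clicks: List[Click]) -> int:
    """Automated bots move faster than people and skip the pages a person visits."""
    if len(clicks) < 2:
        return 0
    gaps = [later.t - earlier.t for earlier, later in zip(clicks, clicks[1:])]
    points = 50 if median(gaps) < BOT_MIN_MEDIAN_GAP_S else 0
    pages = {c.page for c in clicks}
    if "/transfer" in pages and "/accounts" not in pages:  # straight to the money page
        points += 30
    return points


def amount_points(amount: Optional[float], history: List[float]) -> int:
    """Trojan hallmark from the text: a wire far above the user's own typical amount."""
    if amount is None or not history:
        return 0
    return 40 if amount / median(history) >= AMOUNT_ANOMALY_RATIO else 0


def velocity_points(wire_times: List[float], now: float) -> int:
    """Velocity control: too many wires from one account in a short window."""
    recent = [t for t in wire_times if 0 <= now - t <= VELOCITY_WINDOW_S]
    return 30 if len(recent) > VELOCITY_LIMIT else 0


def risk_score(s: Session) -> int:
    """Combine the rule outputs into a single 0-100 score for the activity."""
    total = (bot_points(s.clicks)
             + amount_points(s.wire_amount, s.prior_wires)
             + velocity_points(s.recent_wire_times, s.now))
    return min(100, total)


def decide(score: int) -> str:
    """Map the score onto the layered response: allow, step up, or block and review."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def sample_sessions() -> Dict[str, Session]:
    """Three constructed sessions: a normal user, a Trojan-like wire, and a bot."""
    human_clicks = [Click(0.0, "/login"), Click(4.2, "/accounts"), Click(9.8, "/transfer")]
    history = [18_000.0, 20_000.0, 22_000.0, 19_500.0]   # typical wire about US$20,000
    base = 1_700_000_000.0                                 # constructed "now" timestamp
    bot_clicks = [Click(0.0, "/login"), Click(0.1, "/transfer"),
                  Click(0.2, "/transfer"), Click(0.3, "/transfer")]
    return {
        "normal": Session("alice", human_clicks, wire_amount=21_000.0, prior_wires=history),
        "trojan": Session("alice", human_clicks, wire_amount=200_000.0, prior_wires=history),
        "bot": Session("bob", bot_clicks, wire_amount=200_000.0, prior_wires=[20_000.0],
                       recent_wire_times=[base - 30, base - 60, base - 90, base - 120], now=base),
    }


def decisions() -> Dict[str, str]:
    """Score every sample session and return its decision."""
    return {name: decide(risk_score(s)) for name, s in sample_sessions().items()}


if __name__ == "__main__":
    for name, s in sample_sessions().items():
        print(f"{name:7s} score={risk_score(s):3d} decision={decide(risk_score(s))}")
```

The normal session scores 0 and is allowed; the same user initiating a US$200,000 wire against a roughly US$20,000 history trips only the amount rule and is sent to step-up authentication rather than blocked, which is how the layering absorbs false positives; the scripted session trips the timing, navigation, amount, and velocity rules together and is blocked for review. In a production system the thresholds would be set per organization and the history drawn from the user's real profile.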
CONCLUSION

With the knowledge that 100% security can never be assured in the face of cyberthreats, the strategies of leading FIs and businesses instead focus on making the effort to breach their security more trouble than the underlying data is worth (or more difficult to garner than it is to compromise the bank or business down the street). Here are a few suggestions for FIs and merchants:

• Look for tools that can be leveraged in different ways to solve multiple problems. While there is no such thing as a one-size-fits-all tool when it comes to security, tools such as behavioral analytics can be leveraged in various ways to solve different problems.

• Encrypt sensitive data both in storage and in transmission. This includes PII as well as credentials.

• Build a robust feedback loop so that, in the event that your security is compromised, you can quickly assess how and why, and adjust your defenses accordingly.

• Don't put all your eggs in one basket. Cybercriminals have proven adept at bypassing virtually every form of online fraud mitigation and authentication when it is deployed as a single point solution. To be effective in the war against cybercriminals, FIs need to adopt a layered approach that protects not only the session but also the transaction itself.

• Continue to perform ongoing risk assessments. It's important to stay abreast of the latest malware capabilities and understand how current defenses can (or cannot) be effective against them.

• Proactively interface with marketing and technology. Ensure you have input and buy-in from all stakeholders when new functionality is planned for online and mobile channels, so you have preparation time instead of being in a reactive mode after its introduction.
ABOUT AITE GROUP

Aite Group is an independent research and advisory firm focused on business, technology, and regulatory issues and their impact on the financial services industry. With expertise in banking, payments, securities & investments, and insurance, Aite Group's analysts deliver comprehensive, actionable advice to key market participants in financial services. Headquartered in Boston with a presence in Chicago, New York, San Francisco, London, and Milan, Aite Group works with its clients as a partner, advisor, and catalyst, challenging their basic assumptions and ensuring they remain at the forefront of industry trends.

AUTHOR INFORMATION

Julie Conroy
+1.617.398.5045
jconroy@aitegroup.com

CONTACT

For more information on research and consulting services, please contact:
Aite Group Sales
+1.617.338.6050
sales@aitegroup.com

For all press and conference inquiries, please contact:
Aite Group PR
+44.(0)207.092.8137
pr@aitegroup.com

For all other inquiries, please contact:
info@aitegroup.com
ABOUT RSA

RSA, The Security Division of EMC, is the premier provider of intelligence-driven security solutions. RSA helps the world's leading organizations solve their most complex and sensitive security challenges: managing organizational risk, safeguarding mobile access and collaboration, preventing online fraud, and defending against advanced threats. Combining agile controls for identity assurance, fraud detection, and data protection, robust Security Analytics and industry-leading GRC capabilities, and expert consulting and advisory services, RSA brings visibility and trust to millions of user identities, the data they create, the transactions they perform, and the IT infrastructure they rely on. For more information, please visit www.RSA.com and www.EMC.com.