Stolen Data Bring New Risk to Banking Authentication
Hackers have recently acquired the keys to a few million castles and it is up to the banks to keep the drawbridges up.
The “keys” in this case are millions of stolen e-mail addresses. Since these now-compromised addresses are used in authentication, the responsibility to protect against account hijacking has become an even heavier operational issue.
The IDC has posted a great overview of the Epsilon breach and how it impacts retail banks and financial institutions. The e-mail address, a valuable piece of personally identifiable information (PII), is now where the real value lies for hackers. This is a strong deviation from the traditional “account number / PIN code” theft, which was the sweet spot until recently. This attack is consistent with this year’s Javelin report, which highlighted account hijacking as the new golden ticket in fraud.
Phil Hochmuth, Research Manager of Security Products, did a great job of setting the stage for understanding how millions of e-mail addresses have been stolen. Clearly, as Michael Versace, Global Risk Analyst, points out, the biggest danger is that hackers now know the banking institution and its clients. Knowing which e-mail address is associated with which bank gives hackers all they need to launch aggressive e-mail “spear phishing” and “man-in-the-middle” attacks.
Additionally, e-mail addresses are an authentication factor for many banks. As discussed in our password policies article, passwords are often re-used from site to site. Hackers already have the banking institution and the e-mail address, and now only have to snoop around less secure lifestyle sites to get a password. Account hijacking has never been easier!
Versace also discusses how banks are trying to leverage “relationship”-based data to authenticate the banking relationship. Some caution is warranted against this strategy. Banks are trying to educate the public about security via “is this your key” and “confirm this information before logging in” type security. As discussed in our review of EMI vs. Comerica, neither the government nor public opinion is looking to take a caveat emptor approach to banking security. Tech-savvy customers will watch for SSL security and special keys; it can’t be assumed that all customers are that careful. Banks need to leverage device signatures or even basic IP address checking to trigger strong two-factor authentication when the source of an access attempt is irregular. They should check known fraudulent device databases to ensure they aren’t dealing with a known hacker. They need advanced behavioral modeling to ensure that the most obvious account hijacking techniques don’t succeed.
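The three controls recommended above (device signature and IP checks that trigger step-up authentication, a lookup against a known-fraudulent-device list, and a simple behavioral signal) can be combined into one risk decision per login attempt. The following is an added example written for this article, not code from any bank or vendor mentioned in it; the user names, device identifiers, IP ranges and the velocity threshold are all constructed for illustration, and a real deployment would back the lists with a database and feed the `STEP_UP` outcome into an actual second-factor challenge.

```python
"""Risk-based step-up authentication: decide ALLOW / STEP_UP / DENY per login.

Constructed example. Decision order:
  1. device on the known-fraud list            -> DENY
  2. unrecognised device for this user         -> STEP_UP (strong 2FA)
  3. source IP outside the user's known ranges -> STEP_UP
  4. too many attempts in a short window       -> STEP_UP (basic behavioral signal)
  otherwise                                    -> ALLOW
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, List, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    ip: str
    device_id: str  # device fingerprint / cookie id (constructed values below)
    ts: int         # seconds since epoch


@dataclass
class RiskEngine:
    fraud_devices: Set[str]                       # known-fraudulent device database
    known_devices: Dict[str, Set[str]]            # user -> enrolled device ids
    known_networks: Dict[str, List[IPv4Network]]  # user -> usual source ranges
    velocity_limit: int = 3                       # attempts allowed per window
    velocity_window: int = 300                    # seconds
    history: Dict[str, List[int]] = field(default_factory=lambda: defaultdict(list))

    def decide(self, a: LoginAttempt) -> Tuple[str, List[str]]:
        """Return (decision, reasons) for one attempt and record it in history."""
        # Keep only attempts inside the window, then add this one.
        recent = [t for t in self.history[a.user] if a.ts - t < self.velocity_window]
        recent.append(a.ts)
        self.history[a.user] = recent

        if a.device_id in self.fraud_devices:
            return "DENY", ["device on known-fraud list"]

        reasons: List[str] = []
        if a.device_id not in self.known_devices.get(a.user, set()):
            reasons.append("unrecognised device")

        addr = ip_address(a.ip)
        if not any(addr in net for net in self.known_networks.get(a.user, [])):
            reasons.append("ip outside known networks")

        if len(recent) > self.velocity_limit:
            reasons.append("login velocity exceeded")

        return ("STEP_UP", reasons) if reasons else ("ALLOW", [])

    def enroll(self, user: str, device_id: str, ip: str) -> None:
        """After a successful second factor, trust the device and its /24."""
        self.known_devices.setdefault(user, set()).add(device_id)
        self.known_networks.setdefault(user, []).append(
            ip_network(f"{ip}/24", strict=False)
        )


def build_demo_engine() -> RiskEngine:
    """Constructed sample data: one enrolled user and one blacklisted device."""
    return RiskEngine(
        fraud_devices={"dev-fraud-1"},
        known_devices={"alice": {"dev-alice-laptop"}},
        known_networks={"alice": [ip_network("203.0.113.0/24")]},
    )


if __name__ == "__main__":
    eng = build_demo_engine()
    attempts = [
        LoginAttempt("alice", "203.0.113.10", "dev-alice-laptop", 1000),  # normal
        LoginAttempt("alice", "203.0.113.10", "dev-new-phone", 1010),     # new device
        LoginAttempt("alice", "198.51.100.7", "dev-alice-laptop", 1020),  # new network
        LoginAttempt("alice", "203.0.113.10", "dev-fraud-1", 1030),       # fraud device
    ]
    for att in attempts:
        print(att.device_id, att.ip, "->", eng.decide(att))
```

The velocity check is deliberately the crudest possible behavioral model (a count per user per window); the point is that even this cheap signal, combined with device and network checks, stops the "known e-mail plus re-used password" login from sailing through without a second factor.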
This is the second breach in as many months that appears to be more about the value of creating cracks in other infrastructures than about the value of breaching the obvious target. The focus for the broader set of secondary targets must be to shore up their front-line defenses.