Kevin Dougherty has seen his share of spam and phishing scams, as has any IT leader in the financial services industry. But the sender’s name on this particular e-mail sent a shudder down his spine: It was from one of his board members at the Central Florida Educators’ Federal Credit Union (CFEFCU).
The e-mail claimed in convincing detail that there was a problem with the migration to a new Visa credit card that the board member was promoting to the credit union’s customers. The fraudulent message urged customers to click on a link—to a phony website set up by criminals—and enter their account information to fix the problem.
More On Cybercrime
But what happened later that Friday afternoon—after Dougherty, who is senior vice president of IT and marketing, had wiped the credit card migration information off the website and put up an alert warning customers of the scam—really scared him. Around 2 p.m., the site suddenly went dark, like someone had hit it with a baseball bat.
That’s when Dougherty realized that he was dealing with something he hadn’t seen before. And he couldn’t describe it with conventional terms like phishing or spamming. This was an organized criminal conspiracy targeting his bank. “This wasn’t random,” he says. “They saw what we were doing with the credit card and came at us hard.”
Dougherty’s website lay in a coma from a devastating distributed denial-of-service (DDoS) attack that, at its peak, shot more than 600,000 packets per second of bogus service requests at his servers from a coordinated firing squad of compromised computers around the globe. That the criminals had the skill and foresight to launch a two-pronged attack against Dougherty and his customers was a clear indication of how far online crime, which is now a $2.8 billion business according to research company Gartner, has come in the past few years.
Though this dark business largely targets financial services companies, there are signs that criminals are beginning to covet new victims. Since January, phishers have been documented going after “many types of websites not typically targeted,” such as social networking and gambling sites, according to the Anti-Phishing Working Group, a research group.
As cybercrime enters this second wave, criminals with no programming experience can buy illegal packaged software to carry out sophisticated attacks, and information security can no longer be addressed merely with a firewall. It has become not just an IT risk, but a business risk. The threat extends beyond systems, affecting everything from marketing and the customer relationship to government compliance, insurance costs and legal liability. Beyond IT and a trusted cadre of security vendors and consultants, information security requires understanding, involvement and consensus from all parts of the business at all levels, right up to the board, before problems occur. Security to combat cybercrime needs to be part of a company’s disaster and business continuity plans, with security spending based on the overall threat cybercrime poses.
If security is viewed simply as an IT cost and responsibility, companies will never be truly ready for the risks they face. “If you do have an attack, it’s never just the data that you lose or the customers who are victimized, it’s [also] the larger effects that the attack has on everything else,” says Ian Patterson, CIO at online brokerage Scottrade. “It’s the marketing effects, the customer service effects, the business effects.”
How Cybercrime Is Changing
The crooks are still after the money, but they are developing more sophisticated ways of getting at it. They’re willing to hang around longer and in places where the money isn’t immediately available. For example, the breach disclosed earlier this year at retailer TJX unfolded during more than a year, as criminals accessed the system multiple times to extract customer credit card numbers, using technology that has, “to date, made it impossible for us to determine the contents of most of the files we believe were stolen in 2006,” according to TJX’s annual report filed with the Securities and Exchange Commission. (For a possible way the TJX breach was accomplished, see How Organized Crime Uses Technology to Make Money.) “The new paradigm is to not make big, noisy attacks,” says Chris Painter, principal deputy chief of the Computer Crime and Intellectual Property Division at the U.S. Department of Justice.
Phishing attacks increasingly use subtle ways of gleaning information that are not apparent to even the most educated computer users. As the sophistication of the attacks continues to improve, the percentage of consumers who click where they shouldn’t has risen from 18.6 percent in 2004 to 24.9 percent last year, according to Gartner. Online crime “will spread from financial services as the use of indirect attacking grows,” says Markus Jakobsson, a security consultant and associate professor of informatics at Indiana University. “For example, perhaps you go to a funny cartoon website where it asks for information that mimics what’s needed to impersonate you on eBay.”
That threat is mounting every day. The number of people who believe or know they received phishing attacks doubled between 2004 and 2006, from 57 million to 109 million, according to Gartner. Although fewer victims are losing money, the losses per victim have more than quadrupled since 2005 and the percentage of that money recovered has dropped from 80 percent in 2005 to 54 percent in 2006. Even if victims don’t lose money, there is a cost. The Federal Trade Commission estimates that it takes consumers an average of 30 to 60 hours to clean up a credit history damaged by identity theft.
For businesses, the unseen costs are even higher. For 56 organizations studied by the Ponemon Institute that experienced the loss or theft of customers’ personal data, the loss of business resulting from the breach eclipsed by nearly $400,000 the combined cost of detecting an attack, notifying customers and helping them work through any resulting problems (on average, $128 per compromised record and $2.6 million in total).
Meanwhile, the administrative savings that make the online channel so attractive for businesses are being eaten up by consumer fear and avoidance. A recent Gartner survey found that 23 percent of online banking consumers have fled the channel because of security concerns. Nearly 24 million people won’t even consider online banking because of them. “That means you have people doing transactions at the bank that cost $15 each when they could be doing it online for pennies,” says Tim Renshaw, vice president of product solutions for TriCipher, a security software company. In addition, plummeting trust in e-mail has made it a dicey customer communications vehicle. More than 85 percent of respondents to the Gartner survey said they delete suspect e-mail without opening it. Dougherty says CFEFCU has abandoned e-mail altogether. “We have had to go back to snail mail,” he says, noting that it’s about 90 percent more expensive and much slower and less flexible than e-mail.
What Happens When You’re Unprepared
Dougherty faced these broad risks on that awful Friday afternoon last August, when a criminal website intent on stealing the identities of Dougherty’s members was his only operating face to the world on the Web.
Obviously, the first thing Dougherty had to do was stop the attack. He had to hurriedly assemble a coalition of vendors and consultants to help him, and then he had to convince his CEO that drastic steps were needed—steps that would temporarily cut off customers from any possibility of getting to their accounts online until the problems were completely eradicated. (To find out why companies rely more on vendors than on law enforcement for help, see CIOs Look Beyond Cops for Help Fighting Cybercrime.)
Dougherty wanted to have the site temporarily blacklisted with his telecom provider, BellSouth, to deflect the attack, thereby reducing pressure on the site and giving him the time and flexibility to make protective changes. But his CEO resisted—as might anyone who has not experienced an attack. “He wanted to keep it up so we could service the members,” says Dougherty.
At 11 p.m., after a long night of battling the attackers and plotting strategy, Dougherty finally convinced his CEO to have the site blacklisted and to take a break until morning. Continuing in a tired and emotional state would have played into the attackers’ hands. “It’s a mind game,” says Dougherty.
By Saturday morning, Dougherty had RSA, a security vendor he called in when the attacks began, working to set up a “take-down” service that seeks out and dispatches criminal websites (in this case, more than 30) with its own cyber baseball bat. Meanwhile, BellSouth began beefing up security around the credit union site to try to thwart attacks. Dougherty also began planning with RSA to build multifactor authentication into the website. As these solutions emerged, the CEO became comfortable with Dougherty’s blacklisting decision. “We built heightened awareness with the board and the executive management team,” says Dougherty. The site was back up by Saturday evening. In the end, 22 customers gave up their information to the thieves and the total losses were “less than five figures,” says Dougherty. (To learn why it’s hard to prevent customers from falling for phishing scams, see Stop End-Users Before They Click Again on Risky Websites.) Though the credit union had averted disaster, “it was a rude awakening,” he says.
Firewalls Aren’t Enough
Dougherty also woke up to the fact that he needed to communicate more with his executives and the board about IT security and its link with the bank’s risk and security strategies. Now he scans banking conference agendas for security content and encourages his executives and board members to attend. Sometimes he accompanies them. “I was with our chairman at a conference and there was a security presentation and so I said, Why don’t you come down and we’ll go to this together? Then, when he had questions, I was there to answer them. Sometimes the technology scares them and you have to get them comfortable with it.”
Every month, Dougherty also sends three or four security articles to executives and the board that he encourages them to read. He has subscribed to a fraud intelligence information service from RSA that gives updates on the latest threats and suggested responses, and he passes that information along too. “It’s vital to have data to relay to my management team,” he says.
Dougherty is also in charge of all training for employees and has broadened that educational effort to include security. He now demands that at least one security article go in each edition of the bank’s quarterly newsletter.
He doesn’t think he has a choice because the auditors have become tougher. In the wake of the attack, the bank strengthened its audits that tested for vulnerabilities, both online and off. One of those tests inside branches found that crooks didn’t need the Internet to gain access to data. “We had guys sling monitors over their backs and tell the tellers they needed to fix the computers. They got past our tellers in three branches,” Dougherty sighs. “But I would rather have the auditors find these things than someone else.”
With so much at stake, however, CIOs have to move beyond such traditional defensive strategies. They need a protection strategy for the data too. The threat of security breaches by rogue employees or contractors has always been higher than the threat from criminals outside. But now the outsider threat is increased due to the greater portability of data via mobile devices, says Joe Nackashi, CTO of Fidelity Information Services, which hosts data not just for Fidelity but for other financial services companies as well.
In 2004, Fidelity began encrypting all of its financial data, not just on its internal systems, but on any device that enters or exits the data center, including laptops, thumb drives and magnetic tapes for mainframes. This way, “even if you lose the data, it will be scrambled when someone tries to recover it,” says Nackashi.