- The Washington Times - Monday, September 11, 2000

It was an early July morning, about 3 a.m., and someone was attempting to break into a large financial institution. The renegade's timing may have been traditional but his tools were not. There was no black mask, no lock pick, no getaway car. He used a keyboard.

Despite the stealth, his actions were detected at RIPTech Inc., an Alexandria electronic-security firm that monitors activity on corporate Web sites.

RIPTech is one of a handful of local companies, including Para-Protect Inc. and Axent Technologies Inc., seeking to profit from helping financial institutions stay secure as they move more day-to-day consumer and corporate activity onto the Internet.

Security analysts warn that financial Web sites are under a constant barrage from people probing for cracks in order to access sensitive information. The trend is leaving many consumers skittish about conducting banking transactions on line, despite the possible convenience. Nearly a third of consumers say security concerns are keeping them from paying bills on line, according to Forrester Research, a Massachusetts technology consulting firm.

"Financial institutions probably represent the No. 1 industry that is interested in security, no big surprise," said Robert Clyde, vice president of security management at Axent's American Fork, Utah, office.

Symantec Corp., a California maker of virus protection software, is purchasing Axent, a Rockville publicly traded security provider with losses of nearly $7 million and revenues of $112 million last year, for $975 million.

Cyber break-ins

The early morning intrusion that RIPTech uncovered turned out to be from another security company working for the financial institution. RIPTech contacted that company, and found that one of its employees was testing the financial institution's security system.

"It turned out that the client had hired that company to test their security," said Tim Belcher, executive vice president and chief technology officer at RIPTech.

For security reasons, he would not reveal the name of the client.

Large financial institutions tend to have security staffs, but they take on-line security seriously enough to hire outside firms, frequently multiple outside firms, to test their systems or provide software or additional services.

But hackers do succeed in getting through. In late August, three men were arrested for breaking into the Egg Bank, Britain's first pure on-line bank.

The perpetrators had inundated the bank's Web site with phony account applications and had stolen a few thousand pounds, according to the British Broadcasting Corp.

In 1994, Russian Vladimir Levin transferred more than $10 million from Citibank accounts to accounts in various countries, all via computer.

Security analysts said there are many more breaches, though they may be less serious, that the public never hears about.

"You're not going to hear about it unless it's devastating, but the more devastating, the more the company will try to cover it up," Mr. Belcher said.

Executives at financial institutions said they cannot afford to allow such intrusions.

"We feel that that is our livelihood. . . The integrity of that information cannot be jeopardized," said Ron Brown, director of data security and continuity management for the McLean government-sponsored mortgage firm Freddie Mac.

Bruce Schneier, chief technology officer at Counterpane Internet Security Inc. in San Jose, Calif., said smart banks and consumers know how to manage their on-line risk.

"Yes, the Internet's insecure. No, it's not getting any better … There is no magic security dust," he said.

His company acts as an electronic alarm system, warning banks and other companies when their on-line security systems have been breached. His clients know there are risks on the Internet, and work to monitor and manage them, Mr. Schneier said.

One of financial institutions' motivating factors, aside from the threat of losing their own funds, is keeping customer trust.

"The average consumer is still very reluctant to put the keys to their money on line," said Jim Bruene, editor of Online Banking Report, a Seattle-based newsletter. He said about 10 percent of U.S. households, or about 10 million, do some kind of on-line banking, from paying bills to viewing credit card statements.

Managing risk

Local security providers alternately attempt to breach, monitor, or suggest improvements to financial institutions' systems. They may sell software or act as guard dogs. The goal is the same: protect against the variety of ways hackers can infiltrate systems.

Mr. Clyde of Axent said that hackers present a risk to banks' Web sites from the outside, but internal attacks are also possible from employees.

He cited the case of the British Barings Bank, which failed in 1995 after its chief of futures trading in Singapore chalked up losses of $1.5 billion in failed trades.

The crisis could have been prevented, Mr. Clyde said, had better security measures been in place, preventing the futures chief from hiding trades and getting access to more money.

He noted that it is not enough for banks to have security policies. They must also have monitoring systems to ensure employees are following those policies.

Financial institutions, like most other companies, now have external fire walls intended to prevent outsiders from getting in and internal protections on their Web sites and other computerized operations.

Para-Protect Inc., an Alexandria electronic-security firm, tests the effectiveness of both types of systems through "friendly hacking," said Pete Hammes, executive vice president and director of engineering.

"If they've got a real tight fire wall, the internal system is protected pretty well," Mr. Hammes said.

But there can be design flaws within the application itself that a fire wall does not catch. For example, one customer might log on to his own account, change a few characters in the Web address, or URL, and get access to another customer's account, because the site checks only that the user is logged in and not that the account he asked for belongs to him.
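The flaw Mr. Hammes describes is an authorization bug, not a fire-wall problem, so it is worth seeing both the broken and the corrected handler side by side. The following is an added illustration written for this page, not code from Para-Protect or any bank. The account records, user names and the `https://bank.example/statement?id=...` URL shape are all constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// Account is a constructed sample record; it is not data from any real institution.
type Account struct {
	ID      string
	OwnerID string
	Balance int // in cents
}

// Session represents the customer the site authenticated at login.
type Session struct {
	UserID string
}

// accounts is a constructed in-memory stand-in for the bank's database.
var accounts = map[string]Account{
	"1001": {ID: "1001", OwnerID: "alice", Balance: 250000},
	"1002": {ID: "1002", OwnerID: "bob", Balance: 1200},
}

var (
	ErrNotFound  = errors.New("account not found")
	ErrForbidden = errors.New("forbidden")
)

// accountIDFromURL pulls the account number out of the query string,
// e.g. https://bank.example/statement?id=1001 yields "1001".
func accountIDFromURL(rawURL string) (string, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	id := u.Query().Get("id")
	if id == "" {
		return "", ErrNotFound
	}
	return id, nil
}

// statementVulnerable is the flaw from the article: the only check is that the
// caller has a session. Whatever id appears in the URL is looked up and returned,
// so a customer who edits 1002 into 1001 reads someone else's account.
func statementVulnerable(sess Session, rawURL string) (Account, error) {
	id, err := accountIDFromURL(rawURL)
	if err != nil {
		return Account{}, err
	}
	acct, ok := accounts[id]
	if !ok {
		return Account{}, ErrNotFound
	}
	return acct, nil // no check that sess.UserID owns acct
}

// statementSecure adds the missing authorization step: the record must be owned
// by the user in the session. "Does not exist" and "not yours" return the same
// error so that probing the id space does not reveal which accounts are real.
func statementSecure(sess Session, rawURL string) (Account, error) {
	id, err := accountIDFromURL(rawURL)
	if err != nil {
		return Account{}, err
	}
	acct, ok := accounts[id]
	if !ok || acct.OwnerID != sess.UserID {
		return Account{}, ErrForbidden
	}
	return acct, nil
}

func main() {
	bob := Session{UserID: "bob"}
	// Bob changes the id in his own statement URL from 1002 to 1001 (Alice's).
	tampered := "https://bank.example/statement?id=1001"

	if a, err := statementVulnerable(bob, tampered); err == nil {
		fmt.Printf("vulnerable handler returned account %s owned by %s\n", a.ID, a.OwnerID)
	}
	if _, err := statementSecure(bob, tampered); err != nil {
		fmt.Println("secure handler:", err)
	}
}
```

The lesson is that authentication (who is logged in) and authorization (what that person may see) are separate checks, and the second one must be made on every request against the identifier the client supplied.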

Mr. Hammes said that if companies overlook a security measure, it is frequently internal fire walls.

"It's like one big cloud on the inside with no restrictions in a lot of cases," he said.

Para-Protect workers try to hack into and around a site, then consult their clients on how to get rid of those deficiencies.

A group of ex-Department of Defense employees started the firm two years ago and, unlike some other types of area information-technology firms, it is profitable.

Similarly, Mr. Belcher, a private-sector security worker, co-founded RIPTech with Amit Yoran, another ex-Defense employee. Mr. Belcher said, because of the expertise required, the number of competitors in the market has remained relatively small.

"It's still a very technical industry, very engineering-oriented," he said.

Though large consulting and information-technology firms such as Computer Sciences Corp. and Science Applications International Corp. do offer security services, there are fewer companies that specialize in the field, Mr. Belcher said.

He said financial firms pay particular attention to security because they have more to lose, whether it be money or reputation.

"All financial firms have developed security requirements and staff almost like no other industry," Mr. Belcher said.

"They have more direct liability," he added. Whereas hackers typically attack other types of companies looking for software, information, or generally to cause mischief, they target banks for money and consumer information.

Mr. Belcher said the financial institutions his company monitors typically see 10 to 20 electronic probes a day. He likened a probe to a robber casing a house before an attempted theft. The actual attempts, he said, happen less frequently.

The next wave security providers may focus on is digital signatures, in the wake of President Clinton's signing of the Electronic Signatures in Global and National Commerce Act in June, which gives electronic signatures the same legal standing as handwritten ones nationwide.

Digital signatures are often compared to a PIN, or personal identification number, but they work differently: a PIN is a shared secret that both the customer and the bank know, while a digital signature is produced with a private key that only the signer holds and is checked with a matching public key. The signature is computed over the transaction itself, so the bank can verify who authorized it and that nothing in it was altered in transit. That is what makes on-line transactions harder to forge; keeping the contents private is a separate job for encryption.

Now that the legislation has passed, banks await the technology's evolution to make digital signatures more viable.
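To make the difference from a PIN concrete, here is an added example, written for this page rather than taken from SunTrust or any vendor named in the article, of a customer signing a payment instruction and the bank verifying it. It uses Ed25519 from the Go standard library; the `Transaction` layout and the string encoding that gets signed are assumptions made for the demo, not a real bank format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Transaction is a constructed sample payment instruction (not a real bank format).
type Transaction struct {
	From  string
	To    string
	Cents int64
}

// encode produces the canonical bytes that are signed. The signature covers
// exactly these bytes, so changing any field changes what must be verified.
func (t Transaction) encode() []byte {
	return []byte(fmt.Sprintf("from=%s;to=%s;cents=%d", t.From, t.To, t.Cents))
}

// NewKeypair generates the customer's Ed25519 key pair. Unlike a PIN, the
// private half is never shared with the bank; the bank stores only the public half.
func NewKeypair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the customer's side: produce a signature over the transaction.
func Sign(priv ed25519.PrivateKey, t Transaction) []byte {
	return ed25519.Sign(priv, t.encode())
}

// Verify is the bank's side: accept only if the signature was made by the
// holder of the private key matching pub, over exactly this transaction.
func Verify(pub ed25519.PublicKey, t Transaction, sig []byte) bool {
	return ed25519.Verify(pub, t.encode(), sig)
}

func main() {
	pub, priv, err := NewKeypair()
	if err != nil {
		panic(err)
	}
	tx := Transaction{From: "alice", To: "bob", Cents: 1500}
	sig := Sign(priv, tx)

	fmt.Println("genuine transaction verifies:", Verify(pub, tx, sig))

	// An attacker who intercepts the instruction and raises the amount
	// cannot produce a valid signature without Alice's private key.
	tampered := tx
	tampered.Cents = 150000
	fmt.Println("tampered amount verifies:", Verify(pub, tampered, sig))

	// A signature made under someone else's key does not verify against Alice's.
	otherPub, _, _ := NewKeypair()
	fmt.Println("signature checked with wrong key verifies:", Verify(otherPub, tx, sig))
}
```

Two points the code makes that a PIN cannot: the bank never holds anything that would let it forge the customer's signature, and the signature is bound to the exact transaction contents, so a changed amount or payee fails verification.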

"We are now ready to move to the next level … It was the kickoff for legitimate use of digital signatures across state lines and for transactional activity," said Chuck Hawkins, director of information security services at SunTrust Banks Inc. in Atlanta.

On-line self defense

Security firms and financial institutions attempt to protect themselves and their customers, but security analysts said consumers must also take security steps.

Computer users' hard drives can be "scanned," or probed by an outside party, with relative ease while they are connected to the Internet. If the machine exposes its files to the network, such scans can turn up financial data, personal information, anything on the hard drive. That leaves the person wide open to monetary or identity theft.

"You will get scanned if you have a Windows system today and have nothing to secure it," Mr. Belcher said.

More computer users are leaving Internet browsers open all day with the rising popularity of digital subscriber lines, or DSL, and cable modem connections, because they don't tie up phone lines, said Mr. Hammes of Para-Protect.

That gives scanners a wider window of time to probe users' hard drives.

Consumers should use the security locks available on most computers and be wary of downloads of games or other software from Web sites, which could leave them open to intrusions.

Mr. Clyde of Axent warned against saving passwords on home computers. He said when people access bank accounts on computers in cybercafes or at work, they should completely exit the browser.

Mr. Schneier of Counterpane said that consumers' fear of losing all of their money by using credit cards on line is misplaced.

"The risks are great. It's important to understand who the risks belong to," he said.

If a customer uses a credit card in an on-line transaction and the number is stolen, the person is typically liable for only $50. If she uses a debit card, the risk is greater: all of the money in the account can be stolen.

Mr. Schneier said consumers should find out their banks' policies on stolen credit or debit cards, as well as stolen account information.

Protecting image

The reports of serious security breaches, as at Egg Bank or Citibank, are few and far between.

But security analysts said breaches do happen; the public just doesn't know about them. Banks are so concerned about public image and trust that they do not publicize breaches, especially if they can contain them, analysts said.

Financial institutions are required to report intrusions to regulatory agencies, said Dean DeBuck, a spokesman for the Office of the Comptroller of the Currency. The agencies do not always make that information public.

"It's considered to be law-enforcement material," Mr. DeBuck said.

On June 21, the OCC and a number of other banking regulatory agencies sent a reminder letter to financial institutions, reiterating the fact that they must report hacking incidents.

The General Accounting Office conducted a survey of banking regulatory agencies last summer, and concluded that the agencies had no reports of monetary losses.

Cynthia Bonnette, an examination specialist with the Federal Deposit Insurance Corp., said banks may not detect all breaches, or may not want to over-report.

"What is suspicious? That is going to be a judgment call in some cases … A bank wouldn't want to report unnecessarily if the activity is innocent," she said.

For example, if a customer tries to access his account and fails because of a forgotten password, that might show up as an attempted security breach which does not necessarily need to be reported, Ms. Bonnette said.

Her agency is aware of a few minor on-line infractions, she said.

But security analysts are skeptical that breaches are so rare. They said financial institutions are motivated to hush intrusions because they damage their reputations and spook customers.

Mr. Belcher said that many banks know how to manage fraud; the cost for credit card fraud, for example, has been built into customer fees for years.

"You can accept insecurities and figure out how to do business anyway," Mr. Schneier said.

"Of course in the end it passes through," he added: the customer pays for the bank's liability.

The problem of on-line theft, especially of identity-related information, only seems to be growing, Mr. Schneier said.

In a July 12 testimony before the Senate Judiciary subcommittee on technology, terrorism and government information, Federal Trade Commission officials said their identity theft hot line was receiving 800 to 850 calls a week.

In March, the FTC told the subcommittee that a Social Security Administration hot line received reports of almost 39,000 incidents of misused Social Security numbers, whether they were obtained on line or off line.

The officials told the panel that identity theft entails a perpetrator stealing a person's name, address, credit card or Social Security number to open new charge accounts, order merchandise, or borrow money.

The practice, both obtaining personal information and using it, has gotten easier with the advent of the Internet, the FTC said.

Ron Brown of Freddie Mac said there is certainly risk associated with electronic transactions.

"It's not possible to be 100 percent confident about everything being protected all the time" because of new viruses and other threats, he said.

"The key to those situations is having an incident response team in place … to limit damage."

But bank executives stressed that security is a high priority; after all, if customer confidence in security is low, banks can lose clients.

When it comes to security measures, "The question is always asked, 'Can we do that?' The question is never asked, 'Should we do that?'" said Jim Nelms, information security officer at the World Bank's treasury department.
