SRC Insights: First Quarter 2006

Spyware: A Hidden Danger for Financial Institutions

by Frederick W. Stakelbeck, Jr., Training and Development Coordinator

A growing number of American corporations and consumers use the Internet for online banking services. Destructive electronic threats to consumer and institutional privacy, combined with an unprepared or inadequate security infrastructure, have turned “e-commerce” into “e-caution.” One of the main reasons for the growing sense of angst among consumers and corporations is spyware.

Spyware monitors user activity on the Internet and transmits the information collected to an undisclosed and unauthorized third party. It is often bundled with free software that disguises its true intentions, most commonly in the form of adware, a series of pop-up advertisements.¹ Some spyware and adware track keystrokes to capture passwords and logins, social security numbers, credit card numbers, and bank account information. The intentional theft of one or more of these proprietary identifiers poses a profound security risk for any organization, especially a financial institution.

Spyware can be installed on a user’s computer in several ways, including:

Downloading a bundled shareware or other software program, such as a music CD containing a Trojan horse.² The Trojan horse surreptitiously smuggles a damaging spyware program into the user’s computer.
Falling victim to a phishing scam, which uses misleading e-mails to collect personal information.
Viewing a pop-up that later installs spyware programs without the user’s knowledge.
Downloading free preventive spyware software, when spyware is actually installed.

Signs of spyware on a user’s computer include sluggishness, pop-up inundation, hijacked home pages, or redirection to unintended sites. Spyware can resemble a computer virus, but they have some important differences. A virus is a self-replicating program that seeks to infect a computer and spreads by embedding itself into a program code or document, taking advantage of poor user security habits to infect as many computers as possible in a rapid manner.³ While viruses seek to spread unabated, spyware is more stationary. It does not replicate; instead, it takes partial control of a computer’s operation without the user’s knowledge by persuading the user to download and install the malicious program in order to collect personal data.

The inaugural State of Spyware Report released in May 2005 by Webroot Software, a manufacturer of anti-spyware software, shows a troubling trend of spyware infiltration.⁴ Webroot’s analysis showed that 92 percent of all computers were infected with spyware in the last quarter of 2004 and 88 percent in the first quarter of 2005. The report also claims that spyware products generate $2 billion in revenue annually.

The issue of spyware is no longer a case of cyber-scare—it’s cyber-warfare. According to Frederick Feiman, senior vice-president of marketing for Tenebril, a security and privacy solutions company, “Spyware creators are constantly searching for techniques to evade anti-spyware vendors. Spyware creators are applying the techniques used by security software vendors and authors of viruses and Trojans to make their spyware more resilient.”⁵

A Threat to Financial Institutions
Financial institutions are most concerned with the sophisticated array of spyware programs that can be used to track keystrokes, scan files, capture account names, confiscate passwords, and cause general confusion. For financial institutions that rely on the Internet to generate new business, this is a troubling development that has far-reaching effects on the banking industry. A recent Gartner Report noted that theft from personal bank accounts, where account numbers and passwords were stolen, was the fastest-growing type of financial fraud. Unfortunately, IT professionals say that many company executives do not understand spyware’s destructive potential.

Ways to Combat Spyware
The Federal Financial Institutions Examination Council (FFIEC) recommends that financial institutions take a layered security approach for effective risk mitigation. This includes:

Implementing acceptable policies for non-work related browsing and software installation
Performing a regular assessment to verify that controls are effective and performing as intended
Putting security monitoring in place for firewall and internal diagnostic systems to analyze traffic for perceived or actual attacks
Ensuring that licensing agreements are carefully read and peer-to-peer file sharing is avoided

In addition to the FFIEC recommendations, financial institutions can take several other steps to defend against persistent and damaging spyware and adware attacks:

Enforce a no-download policy that discourages users from opening suspicious e-mails and attachments.
Ignore pop-ups so that spyware/adware cannot be downloaded.
Use only well-recognized and approved spyware tools; however, since no single solution prevents adware and spyware, it is best to consider using multiple utilities.
Avoid fake anti-spyware tools offered on the Internet.
Allow IT professionals to fix suspected adware or spyware problems—users should not attempt to fix their own systems.
Lock down all browsers.
Use an alternative browser to Internet Explorer, which is the most widely exploited browser on the Internet. Many other browser alternatives are just as fast, mature, and robust.
Download system updates when available to keep your system safe and secure.

The Federal Deposit Insurance Corporation (FDIC) has advised banks to reduce online fraud by upgrading existing single-factor authentication systems (password) to two-factor authentication.⁶ Two-factor authentication involves a password (something the user knows) and a smart card or token (something the user possesses). It could also involve biometrics, which are automated methods used to identify a person based on physilogical or behavioral characteristics. In the U.S., eTrade, US Bancorp, and Bank of America have already announced plans to provide authentication tokens to corporate customers.

In October 2005, the FFIEC issued updated guidance entitled Authentication in an Electronic Banking Environment to support greater risk management controls for Internet-based financial services. The updated guidance stresses the need for financial institutions to conduct risk-based assessments, implement robust customer authentication measures, and evaluate customer awareness programs.⁷

In its study, Putting an End to Account-Hijacking Identity Theft, the FDIC made the following additional recommendations for protecting consumer information online:

Financial institutions must share the responsibility of educating their customers regarding the potential hazards of online scams.
New technologies must be encouraged to help protect financial institutions and consumers from such threats.
The technology and financial services industries, along with the government, must foster the sharing of information on defensive technologies.⁸

Financial institutions are also in ongoing discussions with consumer groups and government agencies concerning who should pay for losses associated with spyware attacks. No consensus has emerged on this issue; however, some banking industry analysts have called on banks to follow the model established by credit card companies—where the financial institution is liable for all but the first $50 of fraudulent transactions. However, if two-factor authentication standards are adopted industrywide, an increasing share of the burden may be placed upon the online customer.

Legislative Responses
In the Third Federal Reserve District, legislation was introduced on February 16, 2005, by Pennsylvania State Representative Victor John Lescovitz ( D-Allegheny County) to combat the pervasive threat of spyware. The proposed bill (H.B. 574) would amend Title 18 (Crimes and Offenses) of the Consolidated Pennsylvania Statutes, making it illegal “to use a computer or computer network without authority and with the intent to falsify or forge electronic mail transmission information or other routine information in any manner in connection with the transmission of unsolicited electronic mail through or into the computer network of an electronic mail service provider, Internet service provider or its subscribers.” Fines for violations of the proposed law would range between $2,500 and $15,000, depending upon the damage inflicted from the assault. The bill has been referred to the House Committee on the Judiciary for consideration.

A summary of current efforts to control the proliferation of spyware and adware for all 50 states can be found at www.benedelman.org/spyware/legislation/. External Link

An End to Spying
Positive signs in the fight against Internet fraud have emerged. The 2005 e-Readiness Rankings, a white paper released in April 2005 by the Economist Intelligence Unit and written in cooperation with the IBM Institute for Business Value, ranked the United States second in its survey of 65 countries for its e-readiness.⁹ Indeed, this is a positive sign that corporate America is taking steps to combat emerging cyber threats, such as spyware, which pose serious obstacles to a vibrant e-commerce environment. The U.N. Conference on Trade and Development estimated that nearly $600 billion will be spent on IT-related outsourcing in 2005. With this type of investment, organizations must continue to fight fraudulent activity like spyware.

¹ Adware is a type of advertising display software whose primary purpose is to deliver advertising content in a manner or context that may be unexplained to and unwanted by users (Anti-Spyware Coalition, Definitions and Supporting Documents, July 2005).
² A Trojan horse is a nonreplicating malicious program designed to appear harmless or even useful to the user, but, when executed, harms the user’s system (Anti-Spyware Coalition, Definitions and Supporting Documents, July 2005).
³ A virus is a self-replicating code that propagates by reproducing and inserting itself into other programs, documents, or e-mail attachments (Anti-Spyware Coalition, Definitions and Supporting Documents, July 2005).
⁴ FinFacts Team, Spyware Generating Billions of Dollars: Report , May 3, 2005.
⁵ Jack Germain, “First State of Spyware Report Shows Bad Guys Winning,” TechNewsWorld , May 11, 2005.
⁶ Federal Deposit Insurance Corporation, Putting an End to Account-Hijacking Identity Theft , December 14, 2004.
⁷ Federal Financial Institutions Examination Council, Authentication in an Internet Banking Environment , October 12, 2005.
⁸ Federal Deposit Insurance Corporation, Putting an End to Account-Hijacking Identity Theft , December 14, 2004.
⁹ Economist Intelligence Unit, The 2005 e-Readiness Rankings, 30 April 2005.

The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.

SRC Insights: First Quarter 2006

Spyware: A Hidden Danger for Financial Institutions

In This Issue

Contact Us