A growing number of American corporations and consumers use the Internet for online banking services. Destructive electronic threats to consumer and institutional privacy, combined with an unprepared or inadequate security infrastructure, have turned “e-commerce” into “e-caution.” One of the main reasons for the growing sense of angst among consumers and corporations is spyware.
Spyware monitors user activity on the Internet and transmits the information collected to an undisclosed and unauthorized third party. It is often bundled with free software that disguises its true intentions, most commonly in the form of adware, a series of pop-up advertisements.1 Some spyware and adware track keystrokes to capture passwords and logins, social security numbers, credit card numbers, and bank account information. The intentional theft of one or more of these proprietary identifiers poses a profound security risk for any organization, especially a financial institution.
Spyware can be installed on a user’s computer in several ways, including:
Signs of spyware on a user’s computer include sluggishness, pop-up inundation, hijacked home pages, or redirection to unintended sites. Spyware can resemble a computer virus, but the two have some important differences. A virus is a self-replicating program that seeks to infect a computer and spreads by embedding itself into program code or a document, taking advantage of poor user security habits to infect as many computers as possible as rapidly as it can.3 While viruses seek to spread unabated, spyware is more stationary. It does not replicate; instead, it takes partial control of a computer’s operation without the user’s knowledge by persuading the user to download and install the malicious program, and then uses that foothold to collect personal data.
The inaugural State of Spyware Report released in May 2005 by Webroot Software, a manufacturer of anti-spyware software, shows a troubling trend of spyware infiltration.4 Webroot’s analysis showed that 92 percent of all computers were infected with spyware in the last quarter of 2004 and 88 percent in the first quarter of 2005. The report also claims that spyware products generate $2 billion in revenue annually.
The issue of spyware is no longer a case of cyber-scare—it’s cyber-warfare. According to Frederick Feiman, senior vice-president of marketing for Tenebril, a security and privacy solutions company, “Spyware creators are constantly searching for techniques to evade anti-spyware vendors. Spyware creators are applying the techniques used by security software vendors and authors of viruses and Trojans to make their spyware more resilient.”5
A Threat to Financial Institutions
Financial institutions are most concerned with the sophisticated array of spyware programs that can be used to track keystrokes, scan files, capture account names, confiscate passwords, and cause general confusion. For financial institutions that rely on the Internet to generate new business, this is a troubling development that has far-reaching effects on the banking industry. A recent Gartner Report noted that theft from personal bank accounts, where account numbers and passwords were stolen, was the fastest-growing type of financial fraud. Unfortunately, IT professionals say that many company executives do not understand spyware’s destructive potential.
Ways to Combat Spyware
The Federal Financial Institutions Examination Council (FFIEC) recommends that financial institutions take a layered security approach for effective risk mitigation. This includes:
In addition to the FFIEC recommendations, financial institutions can take several other steps to defend against persistent and damaging spyware and adware attacks:
The Federal Deposit Insurance Corporation (FDIC) has advised banks to reduce online fraud by upgrading existing single-factor authentication systems (password) to two-factor authentication.6 Two-factor authentication involves a password (something the user knows) and a smart card or token (something the user possesses). It could also involve biometrics, which are automated methods used to identify a person based on physiological or behavioral characteristics. In the U.S., eTrade, US Bancorp, and Bank of America have already announced plans to provide authentication tokens to corporate customers.
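As an added illustration (not from this article or from any of the institutions it names), the following server-side check has the two-factor shape the FDIC describes: a password plus a possession factor. It assumes the token is a counter-based one-time-password device (HOTP, RFC 4226) and uses the RFC's published test secret; the account record and the keylogger scenario are constructed for the demo.

```python
import hashlib, hmac, secrets, struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class Account:
    """Constructed demo record: salted password hash plus the token's shared secret."""
    def __init__(self, password: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.token_secret = token_secret
        self.counter = 0  # highest token counter accepted so far (blocks replay)


def verify_password(acct: Account, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, 100_000)
    return hmac.compare_digest(candidate, acct.pw_hash)


def verify_token(acct: Account, code: str, window: int = 5) -> bool:
    """Accept the next `window` counter values; a used counter is never accepted again."""
    for c in range(acct.counter + 1, acct.counter + 1 + window):
        if hmac.compare_digest(hotp(acct.token_secret, c), code):
            acct.counter = c
            return True
    return False


def login(acct: Account, password: str, code: str) -> bool:
    # Both factors must pass; the token is only consumed after the password checks out.
    return verify_password(acct, password) and verify_token(acct, code)


def keylogger_scenario() -> dict:
    """Constructed scenario: spyware captured the password and one token code during
    a genuine login. Replaying that pair must fail; a fresh code from the device works."""
    acct = Account("correct horse battery", b"12345678901234567890")  # RFC 4226 test secret
    captured_code = hotp(acct.token_secret, 1)
    return {
        "genuine_login": login(acct, "correct horse battery", captured_code),
        "password_only": login(acct, "correct horse battery", "000000"),
        "replayed_pair": login(acct, "correct horse battery", captured_code),
        "fresh_token": login(acct, "correct horse battery", hotp(acct.token_secret, 2)),
    }
```

The scenario shows why the upgrade matters against keystroke-capturing spyware: a logged password, even together with a logged one-time code, is not enough once that counter has been consumed.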
In October 2005, the FFIEC issued updated guidance entitled Authentication in an Electronic Banking Environment to support greater risk management controls for Internet-based financial services. The updated guidance stresses the need for financial institutions to conduct risk-based assessments, implement robust customer authentication measures, and evaluate customer awareness programs.7
In its study, Putting an End to Account-Hijacking Identity Theft, the FDIC made the following additional recommendations for protecting consumer information online:
Financial institutions are also in ongoing discussions with consumer groups and government agencies concerning who should pay for losses associated with spyware attacks. No consensus has emerged on this issue; however, some banking industry analysts have called on banks to follow the model established by credit card companies—where the financial institution is liable for all but the first $50 of fraudulent transactions. However, if two-factor authentication standards are adopted industrywide, an increasing share of the burden may be placed upon the online customer.
In the Third Federal Reserve District, legislation was introduced on February 16, 2005, by Pennsylvania State Representative Victor John Lescovitz (D-Allegheny County) to combat the pervasive threat of spyware. The proposed bill (H.B. 574) would amend Title 18 (Crimes and Offenses) of the Consolidated Pennsylvania Statutes, making it illegal “to use a computer or computer network without authority and with the intent to falsify or forge electronic mail transmission information or other routine information in any manner in connection with the transmission of unsolicited electronic mail through or into the computer network of an electronic mail service provider, Internet service provider or its subscribers.” Fines for violations of the proposed law would range between $2,500 and $15,000, depending upon the damage inflicted from the assault. The bill has been referred to the House Committee on the Judiciary for consideration.
A summary of current efforts to control the proliferation of spyware and adware for all 50 states can be found at www.benedelman.org/spyware/legislation/.
An End to Spying
Positive signs in the fight against Internet fraud have emerged. The 2005 e-Readiness Rankings, a white paper released in April 2005 by the Economist Intelligence Unit and written in cooperation with the IBM Institute for Business Value, ranked the United States second in its survey of 65 countries for its e-readiness.9 Indeed, this is a positive sign that corporate America is taking steps to combat emerging cyber threats, such as spyware, which pose serious obstacles to a vibrant e-commerce environment. The U.N. Conference on Trade and Development estimated that nearly $600 billion will be spent on IT-related outsourcing in 2005. With this type of investment, organizations must continue to fight fraudulent activity like spyware.
The views expressed in this article are those of the author and are not necessarily those of this Reserve Bank or the Federal Reserve System.