Twenty-first century bank robbers don't hide behind masks and wield guns. Rather, they attempt to evade detection by using their computer prowess to steal funds and misappropriate sensitive data, eroding consumer and corporate confidence in financial institutions in the process. And, as perpetrators and their methods grow ever-more sophisticated, banks increasingly are vulnerable to attacks.
And banks quickly are learning that security breaches are no longer solely an unidentified hacker's game. As employees and external business partners access sensitive corporate data regularly, banks are much more susceptible to internal security breaches. Eager to fend off both internal and external threats, banks are changing their information security operations. By adding automated information security monitoring and auditing tools, banks are in a stronger position to fight the bad guys - regardless of where they may be hiding.
One of the most feared cyber-thieves is a phisher. According to Needham, Mass.-based research and consulting firm TowerGroup, more than 31,300 phishing attacks were launched in 2004, and that number is expected to more than double this year to as many as 86,000 as assaults spread to smaller institutions. But phishers don't directly target banks; their victims are unwary consumers.
"Scam artists are after the path of least resistance. An uneducated online consumer is that path," says William Hummel, director of security and storage for Verizon Enterprise Solutions Group (New York). Phishers' booty is sensitive, customer-specific information, such as credit card and account numbers. "Once a hacker has a victim's personal information, the criminal can gain access to the victim's bank, move through firewalls and tap into the e-banking system," Hummel explains.
Buffalo, N.Y.-based M&T Bank Corp. ($52.9 billion in total assets) is one of the latest institutions to be targeted by phishers. In April, a phishing attack originating from Japan duplicated M&T's e-banking site structure and coding and prompted online users to input their personal information. The cyber attack caused little damage, however, thanks to the bank's newly implemented fraud detection service from Symantec, an information security software provider based in Cupertino, Calif., according to Matthew Speare, the bank's corporate information security officer.
Symantec's Online Fraud Management service - an Internet service provider-level antispam solution - detects fraudulent e-mails and helps to reduce corporate subscribers' exposure to spam, spyware, phishing and identity theft attempts. The service analyzes millions of known e-mails each day and alerts corporate subscribers about fraudulent e-mails that could threaten their companies' brands and reputations. The application also provides filtering services to prevent fraudulent e-mails from reaching the recipients.
"The application is a proactive measure that will protect the security and integrity of our customers' online transactions," says Speare. "This service provides M&T Bank insight into fraudulent online activity and it allows us to pursue shutting down fraudulent Web sites."