More than four out of every five (85 percent) U.S. businesses have experienced a data breach, according to a recent study by Colchester, Conn.-based law firm Scott + Scott, putting millions of consumers' Social Security numbers and other sensitive information in the hands of criminals. Last summer, TD Ameritrade became the latest financial firm in a long list -- that also includes JPMorgan, Fidelity Investments and Ameriprise Financial -- to report an incident. Not surprisingly, the growing problem is taking a toll on consumer confidence.
Experts suggest that while financial firms may be securing the front doors of their companies with encryption and authentication technologies, hackers are constantly looking for new ways to compromise systems through unguarded, and sometimes not so obvious, side doors. But how can financial institutions plug hidden security gaps and protect their customers' data and assets?
While most security breaches on Wall Street stem from lost laptops or a careless employee (who, in the case of JPMorgan, allegedly dumped customers' intact personal information in the garbage on the street), industry insiders were stunned by the TD Ameritrade incident, in which the personal data of some 6.3 million customers was stolen. In this instance, a hacker or rogue employee actually planted malware on the company's server, where it lay undetected for weeks. As a result, a stream of personal information was quietly leaked to criminals, who were potentially able to act on the data unnoticed -- although no incidents of identity fraud resulting from the breach have been reported yet by the online brokerage, which has hired San Diego-based identity risk management solutions provider ID Analytics to monitor for identity theft.
According to experts, sophisticated attacks such as the one perpetrated against TD Ameritrade are becoming more common. In particular, criminals are intensifying their efforts to gain legitimate access to financial platforms by using multistage attacks, says Scott Kisser, manager, financial services - information security, at BearingPoint. "Attackers gain access to third-party financial sites in order to hop to a legitimate banking or financial site," he explains. "For example, attackers use services like PayPal, Western Union, Coinstar and GreenDot to gain a legitimate account then go onto larger sites like a Citi or Wells Fargo."
Unfortunately, traditional security measures, such as encryption, cannot prevent such back-door attacks. "Encryption is not a fix-all," stresses one operational risk director at a buy-side firm, who, like many others on the Street, would speak only on the condition of anonymity given the sensitive nature of the topic. "Plus, if you start encrypting everything, you're going to be losing milliseconds when you send out information, and you're going to lose money."
Tom Kellermann, a former senior data risk management specialist at the World Bank, agrees that encryption alone doesn't solve the problem. "With encryption, you're basically taking a secret message from a man on a park bench to another man sitting in a car," he suggests. "If you can't protect the park bench on either side, you can't protect the system."
Stronger user authentication is not a panacea, either. "It does nothing to stop the crimes," says Avivah Litan, vice president and distinguished analyst at Gartner. "It is possible for a bank to reauthenticate users before executing any money transfers. But that would not stop the first inside-job crime committed by a disgruntled employee. It might not even stop the second crime."
One technology that can plug loopholes and is starting to make inroads on Wall Street is pattern analysis, or anomaly detection. While it has been used in the credit card industry for some time, the technique is new to the capital markets. With hackers increasingly going online to buy and sell stocks fraudulently using the accounts of innocent customers to carry out so-called pump-and-dump schemes, security experts are finding that pattern analysis can be a big help in detecting anomalies, particularly when high-volatility data is moved.
The method involves running server-based processes in the background that authenticate users based on what types of transactions they are executing and/or from where. The information is then compared with a profile of what is expected of each user. If an individual's behavior is out of range with what is expected, the transaction can be immediately flagged.
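The comparison described above can be sketched as follows. This is an added example, not code from the article or from any firm it names; it uses plain frequency and standard-deviation checks in place of the neural networks mentioned for card fraud systems, and the history, origin codes, field names and thresholds are all constructed assumptions.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed history for one hypothetical brokerage customer:
# (transaction type, origin of the session, amount in USD)
HISTORY = [
    ("buy_equity", "US-NY", 2100.0),
    ("buy_equity", "US-NY", 1850.0),
    ("sell_equity", "US-NY", 2400.0),
    ("buy_equity", "US-NY", 1990.0),
    ("sell_equity", "US-NJ", 2250.0),
    ("buy_equity", "US-NY", 2050.0),
]

def build_profile(history):
    """Summarise what is expected of the user: types, origins, amount range."""
    amounts = [amt for _, _, amt in history]
    return {
        "types": Counter(t for t, _, _ in history),
        "origins": Counter(o for _, o, _ in history),
        "mean": mean(amounts),
        "std": pstdev(amounts),
    }

def check(profile, txn, z_limit=3.0):
    """Return the reasons a transaction falls outside the user's profile."""
    ttype, origin, amount = txn
    reasons = []
    if ttype not in profile["types"]:
        reasons.append("unseen_type")
    if origin not in profile["origins"]:
        reasons.append("unseen_origin")
    # Guard against zero spread (a single entry or identical amounts).
    std = profile["std"] or 1.0
    if abs(amount - profile["mean"]) / std > z_limit:
        reasons.append("amount_out_of_range")
    return reasons

def is_flagged(profile, txn, min_reasons=1):
    """Flag when at least min_reasons signals fire (assumed policy knob)."""
    return len(check(profile, txn)) >= min_reasons

PROFILE = build_profile(HISTORY)
```

Raising `min_reasons` trades sensitivity for fewer alerts on benign changes such as a customer trading a usual amount while travelling.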
These background services operate much like credit card fraud-detection applications, which have helped cut U.S. credit card fraud to all-time lows of 0.05 percent, according to Litan. "Often using neural networks, the card fraud-detection systems analyze the behavior of card transactions and compare them with what is expected of the cardholder and with what constitutes normal behavior," she says. If a customer regularly uses a credit card to buy groceries in New York and rarely travels, for example, the fraud-detection system will notify the credit card company if the same card is suddenly used to buy a digital surround sound system in London.

Melanie Rodier has worked as a print and broadcast journalist for over 10 years, covering business and finance, general news, and film trade news. Prior to joining Wall Street & Technology in April 2007, Melanie lived in Paris, where she worked for the International Herald ...