How Secure are Stored Check Images?
Fraud Case Exposes Vulnerabilities of Unencrypted Databases
Recent news about the breach of an online check-image archive highlights vulnerabilities related to the way the industry stores check images. A group of hackers out of Russia is believed to be behind the breach, which was discovered last month and is being reviewed by the Federal Bureau of Investigation.
The hackers allegedly gained access to an online check-image database after breaking into the front-end of websites that housed the images. As a result of the breach, investigators estimate that about $9 million in more than 3,000 counterfeit checks were cashed against more than 1,200 legitimate U.S. bank accounts. The crime ring sent fake checks to money mules recruited from online job sites, and then had those mules deposit funds and wire money to members of the ring in Russia.
The key to the hackers' success: They targeted online databases that housed thousands of check images in one place. Andy Schmidt, research director of global payments at Needham, Mass.-based TowerGroup, says the breach emphasizes the need for financial-services companies to encrypt databases - which is not a common practice.
"It brings to mind the disparity between how financial data is handled," Schmidt says.
Encryption Optional?
Check and ACH backups and databases currently are not required by regulators to be encrypted - only credit card data backups require encryption. The unidentified sites breached in this check-image case were infected with botnets. Schmidt says the industry is fighting an uphill battle if it continues to merely focus on plugging online security holes, rather than taking more direct action to secure data.
"You fix one hole; another hole is going to crop up," he says. "If you encrypt the data, then there's no weakness to exploit. It makes a lot more sense than trying to patch up the holes."
The National Credit Union Administration, which oversees the nation's federal credit unions, favors encryption of everything. But it only requires that credit unions encrypt member information that is transmitted or stored on networks or systems to which unauthorized individuals may have access. Because of the insecure nature of the Internet and web applications, as well as the ease with which hackers can gain access to stored data "at rest," the NCUA recommends encrypting all databases.
The Federal Deposit Insurance Corp., the largest banking regulator, mandates that banks implement programs to manage and control risk, but encryption is not required. According to the FDIC: "Encryption is useful as a protection when unauthorized individuals have routine access to the data (such as in transit across the Internet) or when there is a likelihood that access controls on a closed system could be compromised, granting unauthorized access. In all cases, the financial institution should conduct a risk assessment and identify those controls that will best protect customer information."
An 'Added Layer'
Mike Braatz is the general manager of Memento, a solutions provider that specializes in analytical software for transaction monitoring at banks and credit unions. The company's Memento Security-Check Fraud platform combines analytics and integrated forensic research tools to detect various types of fraud.
"At the end of the day, this is an example of old-fashioned check fraud," Braatz says. "They've essentially automated the process of dumpster-diving."
Braatz says that thwarting online hacks is a waste of time. Banks and credit unions need to assume hackers are going to get in. From a check fraud perspective, institutions must rely on stronger behavioral and transactional analytics, he says. Analytics make identifying a counterfeit check much easier.
"The routing and account numbers may be good, but if the time of day it was deposited or the amount seems off, a flag should go up," he says. "The problem is that check fraud has been around so long, many banks have gotten complacent." Besides, most U.S. institutions still rely on outdated check-fraud detection methods.
San Francisco-based Patelco Credit Union ($3.75 billion in assets) is using behavioral profiles to spot suspicious activity across a number of channels, including the online banking channel.
"It's a step beyond your typical security methods - it's an added layer," says Anthony Vitale, assistant vice president of information technology development. "I definitely see more institutions moving toward this kind of monitoring."