FDIC Warns Finance Firms on Spyware

Some IT managers say they're already taking precautions

Spyware is being recognized as a major security threat across the financial services industry, prompting warnings from the Federal Deposit Insurance Corp. and analysts about the risks posed by the information-seeking software.

IT managers such as Matthew Speare, chief information security officer at M&T Bank Corp. in Buffalo, N.Y., said last week that they had already begun taking steps to better protect their systems before the FDIC issued a set of guidelines on July 22 for avoiding spyware downloads.

Speare said he noticed a performance drop among the 15,000 desktop computers at M&T as spyware and adware infiltrated systems in recent years. But without measurement tools or enterprise-class spyware blockers, he was unable to quantify the full extent of the problem and prevent further infiltrations.

For the past six months, Speare has been beta-testing Symantec Corp.'s AntiVirus Corporate Edition v10, which includes protection against adware and spyware. The antivirus software quarantines about 90% of the spyware coming through M&T's firewalls, Speare said. But often, the spyware that Symantec's tools don't catch forces the bank's IT staff to reinstall software images on end-user PCs.

"These programs are very sophisticated and well written," Speare said. "Unlike viruses that are more of an ego-driven piece of software, there's a financial model around spyware. [The authors] make money off of it. And anything a criminal can make money at, he's going to do."

A Growing Problem

Jered Green, a senior systems engineer and lead security assessor at Miami Lakes, Fla.-based InfoSight Inc., which does network penetration testing for corporate clients, said the spyware problem is becoming worse.

"The people with bad intent are realizing how powerful spyware can be," Green said. "I'd say better than 80% of the PCs I've scanned have significant spyware on them." In many cases, laptops and handhelds get left out of corporate protection plans, he noted.

The FDIC warned banks that spyware can be a conduit for hackers to get into their systems and collect sensitive data. "It is critical that banks stay vigilant about the risks involved with this malicious software and take appropriate action so that they and their customers do not fall victim to it," Michael Zamorski, director of the FDIC's Division of Supervision and Consumer Protection, said in a statement.

The guidance from the FDIC spells out the risks associated with spyware and recommends actions that financial institutions can take to mitigate the problem both internally and on the computers that online customers use.

For example, the FDIC suggested the use of multifactor end-user authentication technologies and said that banks should warn customers about the risks of using public-access computers.

Jim Hochstatter, vice president of technology at Ulster Savings Bank in Kingston, N.Y., said that until a year ago, the bank kept separate networks for core processing and external communications, offering computer kiosks to employees who wanted to surf the Web. But with the increase in Web-enabled applications for customer use, it was inevitable that spyware would become a concern, he said.

Hochstatter said Ulster Savings last year outsourced its data protection activities to Perimeter Internetworking Corp. in Milford, Conn. The bank uses Perimeter's e-mail protection services and is now considering two-factor authentication for end users.

Speare added, though, that he and many of his industry peers are "cringing" at the thought of using multiple authentication factors. "We're all struggling with that," he said. "We don't want to be in the business of supporting tokens or digital certificates, because we'd have to have a whole support infrastructure around them."

Recommended Actions

The FDIC said that financial services firms should take the following steps:

Consider spyware threats as part of their risk-assessment processes.

Enhance their data security and Internet-use policies to address the risks associated with spyware and specify acceptable end-user behavior.

Expand employee training to include information about spyware.

Educate customers about spyware risks and encourage them to take protective measures on their own computers.

Evaluate multifactor authentication methods, which could limit identity thieves’ ability to compromise customer accounts.

Copyright © 2005 IDG Communications, Inc.

Bing’s AI chatbot came to work for me. I had to fire it.
Shop Tech Products at Amazon