Tuesday, April 23, 2024

Eye on Security: Account Takeovers And PayPal’s New ‘Bug Bounty’

A recent survey of financial institutions and service providers shows that while attempted takeovers of financial accounts by computer hackers and thieves increased last year, the percentage of successful takeovers dropped. Meanwhile, PayPal Inc. announced a program to pay security researchers for finding flaws in its system.

In its second survey of account takeovers, the Financial Services Information Sharing and Analysis Center (FS-ISAC), a nonprofit association that shares information about physical and online threats in the financial-services industry, reported that the number of takeover attempts at responding companies increased to 314 on an annualized basis in 2011 from 239 in 2010 and 87 in 2009.

But the percentage of cases where monetary transactions were initiated and funds moved out of the targeted institution fell to 32% in 2011 and 2010 from 70% in 2009. Similarly, transactions were initiated but halted before funds left the institution in 41% of cases in 2011, down from 44% in 2010 but well above the 24% rate in 2009.

The American Bankers Association conducted the survey for the FS-ISAC’s Account Takeover Task Force by querying 95 banks and five service providers. The survey period covered all of 2009 and 2010 and the first half of 2011. While methods can vary, account takeovers often happen when a fraudster sends a “phishing” e-mail to a consumer asking for the person’s online-banking log-in credentials, and the unsuspecting victim supplies them.

The aggregate losses of institutions hit by account takeovers were $777,064 on an annualized basis in 2011, well below the $3.13 million they lost in 2010 but slightly above 2009’s losses of $732,101. The institutions’ customers sustained losses of $489,672 (annualized) in 2011, down from $1.16 million in 2010 and $943,551 in 2009.

When asked about which anti-account-takeover solutions they implemented had proven effective, the top four answers from the surveyed companies were: customer education, cited by 91.7% of respondents; installation of a different multifactor authentication system, 66.7%; shutting down the customer’s online access once anomalous activity is detected, 58.3%; and modification of the existing multifactor authentication system, 50%.

Meanwhile, leading alternative-payments network PayPal announced Thursday that it would now pay outside security researchers to report flaws on sites or products on PayPal’s network through what it calls its ‘bug bounty’ program. PayPal already had a process by which researchers could report security flaws.

“The experience from other companies such as Facebook, Google, Mozilla, Samsung, and others who have implemented similar programs has been very positive,” Michael Barrett, chief information security officer, wrote on The PayPal Blog. “I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong–it’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues.”

PayPal did not say how much it would pay those who find security holes. “The amount paid for each bounty is determined by the security team on a case-by-case basis,” a spokesperson tells Digital Transactions News by e-mail.

The purpose of the original reporting program was for PayPal to use information from what Barrett calls “responsible security researchers” to find and correct flaws “before anyone else is even aware.”

Under the updated, paid program, researchers will report bugs through an existing encryption system. PayPal will sort the reports into four major categories based on the type of flaw: XSS, for cross-site scripting; CSRF, for cross-site request forgery; SQL injection; and authentication bypass. PayPal staff will assess the severity of the reported problem and make the appropriate fixes.

Payments will be made to the first person who finds a previously unknown bug in an honest manner. PayPal says regarding those who meet the program’s guidelines that “we will not bring a private action or refer a matter for public inquiry.”

And, naturally, payments will be made only into a PayPal account.

Digital Transactions