A good example for red team testing is MFA (multi-factor authentication) and even basic OTP authentication. Everyone wants good multi-factor authentication, but not everyone has it or knows how to deploy it. There can be a large number of ways to bypass MFA (e.g., theft of session authentication token) or OTP (weak code, social engineering).
- Most retail online banking MFA today is simply User ID/password and SMS OTP. SMS OTP authentication is riddled with holes. And that is before you start to look at how the SMS OTP can be bypassed. The red team can test and tell you how good the code deployment is.
- Several financial institutions (FIs) have moved to push notification. There have been difficulties with ‘push bombing’, where the fraudster quickly repeats the request for verification and the user finally approves the transaction.
- Some FIs are planning to add full MFA, including even phishing resistance. This will require completely new coding of the interface to support the new MFA.
Unfortunately, improper coding can make any form of MFA less secure than the FI thinks it is. Good red team testing, sometimes including even conducting a code review, can help to identify weaknesses.
Another example would be consumer scam transactions. Yes, for the most part, customers are not reimbursed by the FI for these losses, but that does not mean FIs should not have good controls. A red team could be very effective here in finding weaknesses. And starting in June 2023, U.S. receiving banks will be liable for certain types of Zelle impersonation scam losses. Plus, we could start to see lawsuits by scam victims against receiving banks, as we saw starting in the previously discussed BEC case in blog 2. Are you ready for this shifting liability environment? Or should you bring in the red team to test receiving bank inbound controls, along with money mule testing and account opening? Receiving bank Zelle scam reimbursements could exceed $100 million per year in the U.S.
Here are some additional areas that are obvious candidates for red team testing:
- The new FedNow faster payments solution- this is a high-risk service with high dollar real time payments. Expect a reasonable amount of fraud and scams with FedNow. As an example, 97% of the UK’s authorized push payment scams (approximately £485 million per year- US equivalent of $625 million per year) occur over the UK’s Faster Payment rails, like FedNow.
- Use of bogus identity documents for branch account opening and check cashing.
As you can see, there are a number of areas around the activities in the online and branch channels that can be riskier than the FI thinks. Based on the FFIEC online security guidance, every FI should be annually reviewing new threats, looking for gaps in the online security controls and addressing these weaknesses. In addition to selecting new fraud and scam controls, FIs should build in conducting independent red team testing as part of the ‘security gap’ assessment.
Part 1 and Part 2 of this series linked here.
Click here to learn more about Greenway Solutions and their Fraud Red Team services. If you are interested in how our team can help your organization, contact us today!
About the Author
Since 2005, Ken has been in Online Security. He was a Director at MUFG Union Bank, retiring in early 2019. He helped shape the initial responses to the U.S. 2005 and 2011 FFIEC Regulatory Guidance to improve online security for US Banks. He is an early adopter and has selected and implemented a number of online security products. Ken was an advisor to the RSA eFraud Global Forum and a Program Committee member for the annual San Francisco RSA Conference. He is currently on The Knoble Scam Committee. He has recently published three white papers—one on the need to focus on online customer safety, one on online authentication and one on how to select a multi-factor authentication solution. He has been blogging on consumer financial scams and focusing on when financial institutions offer reimbursement. He also was the editor for the complete list of definitions of financial scams, published by The Knoble in 2022. In 2019, he received the Legends of Fraud Award at the 3rd annual FraudCON conference in Israel. He is currently consulting to banks and to online security vendors.