A good example for red team testing is MFA (multi-factor authentication) and even basic OTP authentication. Everyone wants good multi-factor authentication, but not everyone has it or knows how to deploy it. There can be a large number of ways to bypass MFA (e.g., theft of session authentication token) or OTP (weak code, social engineering).
- Most retail online banking MFA today is simply User ID/password and SMS OTP. SMS OTP authentication is riddled with holes. And that is before you start to look at how the SMS OTP can be bypassed. The red team can test and tell you how good the code deployment is.
- Several financial institutions (FIs) have moved to push notification. There have been difficulties with ‘push bombing’, where the fraudster quickly repeats the request for verification and the user finally approves the transaction.
- Some FIs are planning to add full MFA, including even phishing resistance. This will require completely new coding of the interface to support the new MFA.
Unfortunately, improper coding can make any form of MFA less secure than the FI thinks it is. Good red team testing, sometimes including even conducting a code review, can help to identify weaknesses.
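As an added illustration of the coding weaknesses mentioned above (not code from the original post or from any FI), the following server-side sketch shows the checks an SMS OTP verifier and a push-notification sender should enforce: a randomly generated code that is time-limited, single-use and attempt-limited, compared in constant time, plus a throttle that refuses repeated push prompts to the same user within a window (the push-bombing case). The thresholds and the `OtpChallenge` / `PushThrottle` names are assumptions for the example; real values are policy decisions.

```python
import hmac
import secrets
import time

# Constructed thresholds for the example; tune to your own risk policy.
OTP_TTL_SECONDS = 300        # SMS code lifetime
MAX_VERIFY_ATTEMPTS = 5      # wrong guesses before the code is dead
PUSH_WINDOW_SECONDS = 600    # window in which push prompts are counted
MAX_PUSH_PER_WINDOW = 3      # further prompts in the window are refused


class OtpChallenge:
    """One server-side OTP challenge: random, time-limited, single-use, attempt-limited."""

    def __init__(self, digits=6, now=None):
        now = time.time() if now is None else now
        # CSPRNG, zero-padded: a short or predictable code is the "weak code" problem.
        self.code = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        self.expires_at = now + OTP_TTL_SECONDS
        self.attempts = 0
        self.consumed = False

    def verify(self, submitted, now=None):
        now = time.time() if now is None else now
        # Reject a code that was already used, has expired, or has been guessed at too often.
        if self.consumed or now > self.expires_at or self.attempts >= MAX_VERIFY_ATTEMPTS:
            return False
        self.attempts += 1
        # Constant-time comparison so timing does not leak which digits matched.
        if hmac.compare_digest(self.code, submitted):
            self.consumed = True
            return True
        return False


class PushThrottle:
    """Refuses repeated push prompts to one user inside a window (push-bombing mitigation)."""

    def __init__(self):
        self.sent = {}  # user id -> timestamps of prompts sent

    def allow(self, user, now=None):
        now = time.time() if now is None else now
        recent = [t for t in self.sent.get(user, []) if now - t < PUSH_WINDOW_SECONDS]
        if len(recent) >= MAX_PUSH_PER_WINDOW:
            self.sent[user] = recent
            return False          # caller should log this and alert, not silently retry
        recent.append(now)
        self.sent[user] = recent
        return True
```

A red team exercising the OTP flow would look for exactly the absence of these checks: codes that never expire, unlimited guesses, or a prompt that can be re-sent until the customer taps "approve".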
Another example would be consumer scam transactions. Yes, for the most part, customers are not reimbursed by the FI for these losses, but that does not mean FIs should not have good controls. A red team could be very effective here in finding weaknesses. And starting in June 2023, U.S. receiving banks will be liable for certain types of Zelle impersonation scam losses. Plus, we could start to see lawsuits by scam victims against receiving banks, as we saw in the BEC case discussed in blog 2. Are you ready for this shifting liability environment? Or should you bring in the red team to test receiving bank inbound controls, along with money mule testing and account opening? Receiving bank Zelle scam reimbursements could exceed $100 million per year in the U.S.
Here are some additional areas that are obvious candidates for red team testing:
- The new FedNow faster payments solution: this is a high-risk service with high dollar real time payments. Expect a reasonable amount of fraud and scams with FedNow. As an example, 97% of the UK’s authorized push payment scams (approximately £485 million per year, the US equivalent of $625 million per year) occur over the UK’s Faster Payment rails, which are like FedNow.
- Use of bogus identity documents for branch account opening and check cashing.
As you can see, there are a number of areas around the activities in the online and branch channels that can be riskier than the FI thinks. Based on the FFIEC online security guidance, every FI should be annually reviewing new threats, looking for gaps in the online security controls and addressing these weaknesses. In addition to selecting new fraud and scam controls, FIs should build in conducting independent red team testing as part of the ‘security gap’ assessment.