WhiteCanyon.com
Spyware Risks
Guidance on Mitigating Risks From Spyware
FDIC Financial Institution Letters
FIL-66-2005
July 22, 2005
The Federal Deposit Insurance Corporation (FDIC) is issuing the following guidance to financial institutions to inform them about the risks posed by spyware within an institution's network and on customers' computers. The guidance also recommends actions to mitigate those risks.
The attached informational supplement recommends best practices that financial institutions can use to prevent spyware from being downloaded to their computers and for mitigating the risk of thieves obtaining online banking IDs and passwords from spyware installed on customers' computers.
Introduction
The term spyware refers to technologies that collect information about a user without his or her knowledge and report that information to a third party. Certain forms of spyware can intercept sensitive and confidential information about an organization or user, including passwords, credit card numbers and other identifying data. As a result, spyware has significant confidentiality, integrity and availability implications for both a bank and its customers. Financial institutions should consider anti-spyware strategies for their enterprise information security programs and customer awareness programs.
Risks Associated With Spyware
Financial institutions should be aware of the risks of spyware on their own computers and on computers used by customers connecting to online banking Web sites. Spyware increases the risk to financial institutions by:
- Compromising confidentiality by allowing attackers to eavesdrop and intercept sensitive communications, such as customer IDs and passwords.
- Damaging an institution's reputation by potentially allowing unauthorized access to user accounts.
- Misappropriating bank resources and permitting unauthorized access to bank systems.
- Increasing vulnerability to other Internet-based attacks, such as phishing and pharming.
Recommended Actions to Mitigate the Risks Associated With Spyware
Financial institutions should evaluate the risks associated with spyware and strengthen enterprise information security programs by:
- Considering threats from spyware as part of the risk assessment process. This ensures that the financial institution considers all risks to private customer information and takes appropriate steps to mitigate those risks, such as implementing anti-spyware technologies.
- Enhancing security and Internet-use policies to address risks associated with spyware and acceptable user behavior (e.g., prohibiting Internet downloads and visits to inappropriate Web sites). In addition, management should take steps to enforce these policies and reprimand staff who fail to comply with them.
- Expanding employee training to include the risks associated with spyware so that users will become cognizant of the behavior they should adopt to prevent spyware on bank computers and on personal computers that are used to connect to the bank's network.
- Educating customers about the risks associated with spyware and encouraging them to implement steps to prevent and detect spyware on their own computers. In addition, advise customers of the risks in using public computers – such as those in hotels, libraries or Internet cafés – to connect to online banking Web sites because of the uncertainty of what spyware may have been installed on the public equipment.
- Investigating the implementation of multi-factor authentication methods, which would limit the ability of identity thieves to compromise customer accounts, even when a thief has a customer's ID, password and account numbers.
Conclusion
Spyware poses a significant risk to financial institutions and their customers. Practices to prevent and detect spyware should be regularly reviewed to ensure that an institution is aware of all risks to its systems and to sensitive customer information.







