Although the threat from cyber-criminals has existed for decades, the sheer volume of successful attacks during the last few years highlights an urgent need to better protect against such attacks.
There is growing evidence that criminals can make huge sums from this type of fraud. A recent case – the biggest phishing operation ever to be prosecuted in the UK – saw heavy sentences handed out to three men for a sophisticated £4m cyber attack on a number of UK banks.
And Britain is home to one of the most infamous online bank cyber-crime gangs – a single gang is accused of attempting to steal over £100m from online bank accounts here in the UK and worldwide.
Banks across Europe have strived to improve their security controls in an attempt to protect against attacks. Unfortunately, a recent Gartner blog I read stated many of the security improvements in online banking over the past five years are quickly becoming obsolete in the face of more sophisticated attacks. For example, new authentication solutions to protect against cyber attack can now be compromised by back-connect and keep-alive Trojans.
Bank employees are also a growing target. For instance, fraudsters might simply target a bank’s IT manager via Facebook, or send them a link in an email from an account purporting to be from a friend. Using this ‘in’, the cyber-criminals could access a goldmine of data and IT systems extremely quickly.
Now some of you may think this is unlikely, but sadly this type of attack was successfully carried out on one of the largest and most respected IT security firms only a matter of months ago. In reality, the cyber-criminals are always looking to innovate to beat the current IT security measures. And by using social media channels to collaborate and drive new threats, they’re closing in on their aim of beating every IT security solution that a bank can deploy.
Customer PCs are the weakest link
Unfortunately, nowadays if they can’t get into a bank’s IT systems – the criminals simply target their customers instead. For the case I mentioned earlier, the criminals simply took over the customers’ PCs and replicated the online banking webpage to steal the customers’ banking credentials. It’s estimated the cyber-crime gang carried out this attack on thousands of customers to steal millions before the attack was identified.
One of the key reasons that this type of attack reached such levels is the majority of banks will have relied on authentication and fraud analytic solutions to protect and alert them. Unfortunately these types of solutions don’t take into account the latest crimeware infecting bank customers’ PCs.
Already we’re seeing increasingly sophisticated malicious software that mimics user behaviour to specifically defeat behaviour fraud analytics. And, for well over a year, criminals have been successfully circumventing customer authentication by taking control of bank customers’ browsers.
Without any doubt the issue of protecting the customer’s PC is crucial in tackling these cyber-crime threats. Recently Gartner recognised this by recommending the layer of fraud prevention start at the customer’s computer.
One of these new controls is the secure browser run from a read-only USB device, which prevents criminals from circumventing authentication controls by hijacking already authenticated banking sessions. These types of solutions are aimed directly at providing a safe environment that’s separate from the likely infected computer. So instead of trying to detect different variants of criminal attacks, banks can instead take online banking out of the reach of criminals.
Collaboration is crucial
A key advantage the current cyber-criminal community has over the banking industry, governments and regulators is the level of collaboration they can rely on. Criminals are actively involved in creating new attacks, promoting them on the black market, and continuously updating their wares based on criminal feedback. And with organised crime involved, this is very serious business. At present our ecosystem cannot rely on this level of collaboration to try and mount a successful defence.
The whole ecosystem – ranging from government to banks – needs to bring this idea of a marketplace of ideas to address the threat.
An example of cross industry and government collaboration is the recent initiative by the United States Federal Financial Institutions Examination Council (FFIEC). The FFIEC and other US banking regulators recognised the immense threat currently posed to the American banking sector, and have issued Internet banking guidance which calls for multiple layers of security controls to prevent fraud. While European banks continue to place emphasis on authenticating customers, the FFIEC is putting banks on notice that this is not enough.
One of the recommended security controls is the use of secure browser sessions. This safe browsing environment increases session security because it enables a secure link between the customer’s PC and the financial institution, independent of the PC’s operating system and application software. The idea for this approach originated from a 2009 collaboration between the FBI and NACHA, the US electronic payments organisation.
While this guidance is by no means a silver bullet to rid the US of cyber-crime, at least collaborating in this way demonstrates a positive approach to tackling the threat.
However, the strongest message banks should take from the FFIEC guidance is that authentication – from one-time passcodes to smart cards – is now just another bump in the road for criminals on their way to steal money.
Banks must provide a secure computing environment to address today’s threatscape or criminals will continue to have their way.
No matter what internal steps banks take to protect their infrastructure or analyse transactions – all communications can and will be compromised because customers’ PCs are the point of criminal attack and control.
I have no illusions that the battle is one that could be won overnight. But, I believe we all need to collaborate more closely, and look to new processes and technologies, in an effort to set a benchmark for protecting the online banking system. In the US, the FFIEC and banking industry are now embarking on this.
After all, it’s not just the money in customers’ accounts that the banks need to protect. It’s their reputation for providing customers with a secure environment to conduct their online banking. And in today’s world, reputation is everything.
By Dave Jevans, chairman of IronKey and the Anti Phishing Working Group. CBR spoke to Jevans last year, you can read the full Q&A here.