Online financial security threats: What can we expect in 2010?
Ori Eisen, Chief Innovation Officer at 41st Parameter, highlights the top five financial security threats which emerged as the biggest money makers for fraudsters and where he believes they will make their next move.
2009’s top 5 threats:
1) Proliferation of phishing and emergence of SMShing – fraudsters now use more realistic emails and other points of ‘e-contact’ to try and entice credentials from unsuspecting victims. Previously, SMS was considered to be a solution to the problem of unauthorised account access, since it was assumed sending a one-time use password to a mobile phone would create a barrier to scammers trying to gain access to accounts. Instead, however, it provides a new way for them to get their hands on credentials. Since many customers don’t expect to be targeted in this way, they simply assume and accept the practice as safe when they see a message that appears to be from their bank.
2) Fraud staging – the bad guys now do much more background homework before trying to access a bank account and are more in tune with many of the triggers. They understand maximum wait periods before a bank accepts profile changes, such as new email, phone number and home address. The length of time accounts are groomed for future use has increased and many breached accounts may not show any traditional signs they are a part of a future scam.
3) Mule recruitment – online job hunters are being used as unwitting “money mules” to launder the proceeds of criminal activities. Those looking for work during the recession needed to be on their guard against “too-good-to-be-true” earning opportunities which could actually be scams. Criminals make use of legitimate channels, including mainstream recruitment websites, to offer jobs such as financial manager, money transfer agent, shipping manager or even mystery shopper. Some criminals issue official-looking “employment contracts” to be signed by those offered jobs. The criminals then transfer money into the recruit’s account and pay them a percentage or a set fee for making payments to other organizations.
4) Bot attacks – like viruses, bots spread by installing themselves on Net-connected computers. The difference is that, while viruses act individually according to an inflexible program, bots respond to external commands and then execute coordinated attacks. The operational software, known as command and control, or C&C, resides on a remote server. A botnet is like a terrorist sleeper cell: its members lurk silently within ordinary desktop computers, inert and undetected, until C&C issues orders to strike. Bots can monitor keystrokes to collect passwords and other sensitive data for identity theft and credit card fraud. This is a very cheap and easy way to access multiple accounts on a regular basis.
5) Online account opening – the availability of Demand Deposit Accounts (DDA) online provides fraudsters with a number of advantages, including ease of account opening – making the creation of cash repositories easy and convenient – and multiple accounts – used to keep balances from becoming suspicious.
What should we be aware of in 2010?
1) Remote deposits – next year more banks will allow customers to deposit funds into their accounts using a homemade image/scan of a cheque or note. As with other new channels, this too will quickly be exploited by criminals, forcing those offering the service to implement ways of securing the capability.
2) Mobile banking – the first confirmed fraud via the mobile channel will be reported soon – if it hasn’t been already. This will force banks to reconsider how they secure this access point into their enterprise. For example, the lack of Flash shared objects on smartphones requires a new way to authenticate via device characteristics.
3) Cross channel fraud – using online channels to gain valuable account information and then executing crimes at the ATM or branch will be exploited even more. The lack of visibility and speed with which funds are transferred and made available will make this type of fraud even more attractive.
4) Sensitive data masking – as remote deposits increase, banking institutions are going to have to adopt more stringent practices of concealing cheque images and other vital records online for identity protection and fraud prevention – as it is inevitable that unless institutions keep evolving their security methods fraudsters will find ways to get round them.
5) More trojans like ‘URLZone’ will emerge – the 2009 ‘URLZone’ trojan not only retrieved banking credentials but also stole money from compromised accounts. Such trojans are, in many cases, nearly impossible to detect. The increased emergence of such threats makes bot detection critical for online banking.