OPINION: Where online fraud is going
The basic workings of online fraud can be directly correlated to “real-world” crime. Geoff Noble looks at the emerging threats and changing fraud patterns in the online environment.
What happens when a would-be robber attempts to enter a home through the front door, only to discover it is locked?
Does he just walk away?
Or does he attempt to use another method to enter the home, such as through a window or the pet flap?
The same scenario rings true for online fraud; just because there is a lock on the front door to prevent a fraudster from entering does not mean that alternative ways of gaining access are unavailable.
Beyond the existing regulatory climate, there are many other factors that directly contribute to the evolution of online fraud today.
First, consumer awareness has increased and financial institutions have taken a proactive stance in educating their customers about the threat of online fraud.
Second, the scope of targeted attacks has broadened beyond financial institutions and now regularly includes industries such as healthcare, education, and social networking sites.
Finally, fraudsters continue to evolve their methods of attack to overcome the mitigation efforts being implemented.
So where is online fraud going? Let’s start by exploring the first of three emerging trends in the world of fraud.
The Evolving Threat Landscape
Phishing still remains a popular method used by fraudsters to attack unsuspecting online users; it is a simple and cost-effective means of reaching tens of thousands of individuals and has the potential to yield lucrative results.
According to the latest Microsoft Security Intelligence Report, 31.6 million phishing scams were identified in the first half of 2007—an increase of more than 150 per cent over the previous six months.
Recent fraud-intelligence discoveries of new plug-and-play phishing kits, universal Man-in-the-middle phishing kits, fast-flux attack hosting networks, IRC command bots, and other advanced tools strongly support the notion that fraudsters are continuing to invest in making phishing more effective and easier to implement.
These are not merely primitive spamming tools sending out quantities of emails hoping to acquire online banking credentials; they are designed to readily target any institution, in any industry, with the sole objective of stealing personal information.
The demand for crimeware on the black market has also increased dramatically in the last year.
It is such a hot commodity that crimeware developers are even offering upgrade packages to buyers in the fraudster underground so that when crimeware becomes detectable by anti-virus providers, they will deliver a new “undetectable” variant at minimal cost.
Coupled with the fact that most crimeware today is rootkit-based—and nearly impossible to remove from an infected computer—there is all the more reason for organisations around the globe to take proactive measures to mitigate the threat of crimeware “in the wild.”
Solutions
There are several solutions available on the market today to help financial institutions combat the threat of new innovative attack methods and the spread of crimeware.
Some of these include anti-trojan services, software toolbars, out-of-band phone authentication, and risk-based transaction protection for the web.
Anti-Trojan Services
Regardless of the extent of education provided to online users, many are still going to click on links in emails, download suspicious files, and curiously visit unscrupulous websites.
By employing an anti-Trojan service, financial institutions fight back against the threat of crimeware and Trojans by detecting and stopping them at the source.
An anti-Trojan service allows financial institutions to stay ahead of fraudsters and provides insight into the crimeware that is targeting their customers and how it operates.
Software Toolbars
A software toolbar is a one-time password authentication solution embedded within a standard Internet browser such as Internet Explorer or Mozilla Firefox.
Some software toolbar tokens protect against the threat of phishing and Man-in-the-middle attacks by operating a “trusted sites” list.
With such a list, a customer who accesses or is redirected to a malicious site is prevented by the browser toolbar from entering their one-time password because a code will only be generated or visible when the browser is at a trusted site.
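The trusted-site gating described above, as an added example that is not code from the article or from any toolbar vendor. It generates a standard time-based one-time password (HOTP/TOTP as in RFC 4226 and RFC 6238, HMAC-SHA1, six digits) but only releases it when the browser's current origin matches an entry in the trusted list exactly, so a redirect to a look-alike host or to the plain-HTTP version of the site yields no code at all. The trusted origin, the shared secret and the sample URLs are constructed for illustration.

```python
"""Trusted-site gating of a one-time password (added example, constructed data)."""
import hashlib
import hmac
import struct
import time
from typing import Optional, Set
from urllib.parse import urlsplit

# Constructed trusted-site list: scheme and host must match exactly.
TRUSTED_ORIGINS: Set[str] = {"https://online.examplebank.test"}

# RFC 4226 test secret, used here only so the output is checkable.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: Optional[float] = None, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step))


def origin_of(url: str) -> str:
    """Reduce a URL to its origin (scheme://host[:port]), lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def toolbar_code(secret: bytes, current_url: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the OTP only when the browser is at a trusted origin, else None.

    This is the toolbar's whole defence: the code is never generated or shown
    on a page the institution has not listed, so a phishing or MITM site has
    nothing to capture. Exact origin comparison is deliberate; a substring or
    prefix match would be satisfied by a look-alike host name.
    """
    if origin_of(current_url) not in TRUSTED_ORIGINS:
        return None
    return totp(secret, now)


if __name__ == "__main__":
    for url in ("https://online.examplebank.test/login",
                "https://online.examplebank.test.evil.example/login",
                "http://online.examplebank.test/login"):
        print(f"{url:55} -> {toolbar_code(DEMO_SECRET, url)}")
```

The `now` parameter exists so that the value can be checked against the published RFC 4226 vectors; a real toolbar would use the current time and a per-customer secret provisioned by the institution.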
Out-of-band Phone Authentication
Out-of-band (OOB) communication methods are a powerful weapon against fraud because they circumvent the communication channel fraudsters typically use.
OOB methods might include the telephone or text messages.
Out-of-band phone authentication is easy for customers to use and understand.
It does not require the purchase or download of new hardware or software; all that is required is an ordinary analog, VoIP, or mobile telephone.
Out-of-band phone authentication is most often used in the event of a high-risk transaction or when an institutional policy triggers it (e.g. “Challenge all transactions originating in Country X or Country Y”).
In both scenarios, customers are challenged to confirm their identity thereby maintaining the security inherent in an OOB solution.
Risk-based Transaction Protection (for the Web)
Transaction protection refers to a financial institution’s ability to monitor and identify suspicious post-login activities—a capability most often provided by a risk-based authentication solution.
Transactions typically require more scrutiny and pose more risk to financial institutions and their customers than just the act of logging in to an account.
By either actively authenticating or passively monitoring post-login activities or events, financial institutions can provide comprehensive protection for their customers’ identities and assets.
While the nuances of actively verifying versus passively investigating suspicious transactions and activities are relevant, the overall concept remains much the same. By implementing a risk-based transaction monitoring solution, financial institutions directly benefit from identifying and challenging high-risk activities, and so protect the most vulnerable areas of their online channel.
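The policy-triggered out-of-band challenge (“Challenge all transactions originating in Country X or Country Y”) and the risk-based post-login monitoring described in the two sections above, combined into one added example that is not code from the article or from RSA. A small rule engine scores each login or post-login event against the customer's known behaviour and an institutional policy, then allows it, steps up to an out-of-band confirmation, or blocks it outright. The rule names, weights, thresholds, the placeholder country codes `XX`/`YY`, the customer profile and the sample events are all constructed; the out-of-band channel is simulated by a callback that stands in for the phone call or text message.

```python
"""Risk-based transaction protection with out-of-band step-up (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Set, Tuple


@dataclass
class Event:
    """One login or post-login event as seen by the monitor (constructed)."""
    user: str
    kind: str                  # "login", "transfer", "change_contact"
    country: str               # country of the originating connection
    amount: float = 0.0        # only meaningful for transfers
    device_known: bool = True  # device fingerprint seen before for this user
    new_payee: bool = False    # transfer to a payee added in this session


@dataclass
class Profile:
    """What the institution already knows about the customer's normal behaviour."""
    usual_countries: Set[str]
    avg_transfer: float


@dataclass(frozen=True)
class Rule:
    name: str
    applies: Callable[[Event, Profile], bool]
    score: int


# Placeholders standing in for the article's "Country X or Country Y".
POLICY_CHALLENGE_COUNTRIES = {"XX", "YY"}

RULES: List[Rule] = [
    # Institutional policy: on its own this reaches the challenge threshold.
    Rule("policy_country", lambda e, p: e.country in POLICY_CHALLENGE_COUNTRIES, 50),
    # Behavioural signals: weak individually, they add up.
    Rule("unusual_country", lambda e, p: e.country not in p.usual_countries, 25),
    Rule("unknown_device", lambda e, p: not e.device_known, 25),
    Rule("large_transfer", lambda e, p: e.kind == "transfer" and e.amount > 5 * p.avg_transfer, 30),
    Rule("new_payee_transfer", lambda e, p: e.kind == "transfer" and e.new_payee, 20),
    Rule("contact_change", lambda e, p: e.kind == "change_contact", 30),
]

CHALLENGE_THRESHOLD = 50   # step up to the out-of-band channel
BLOCK_THRESHOLD = 100      # too risky even to offer a challenge


def score_event(event: Event, profile: Profile) -> Tuple[int, List[str]]:
    """Passive monitoring: total score plus the names of the rules that fired."""
    fired = [r.name for r in RULES if r.applies(event, profile)]
    total = sum(r.score for r in RULES if r.name in fired)
    return total, fired


def decide(event: Event, profile: Profile) -> str:
    """Map the risk score onto allow / challenge / block."""
    total, _ = score_event(event, profile)
    if total >= BLOCK_THRESHOLD:
        return "block"
    if total >= CHALLENGE_THRESHOLD:
        return "challenge"
    return "allow"


def process(event: Event, profile: Profile,
            oob_confirm: Callable[[Event], bool]) -> Tuple[str, int, List[str]]:
    """Active authentication: on "challenge", ask the customer to confirm the
    activity over the out-of-band channel (oob_confirm simulates the phone
    call or text). A rejected or unanswered challenge is a block, never a
    silent allow.
    """
    total, fired = score_event(event, profile)
    outcome = decide(event, profile)
    if outcome == "challenge":
        outcome = "allow" if oob_confirm(event) else "block"
    return outcome, total, fired


# Constructed customer profile and event stream.
ALICE = Profile(usual_countries={"GB"}, avg_transfer=200.0)

SAMPLE_EVENTS = [
    Event("alice", "login", "GB"),                                  # routine
    Event("alice", "transfer", "GB", amount=150.0),                 # routine
    Event("alice", "login", "DE", device_known=False),              # 50: challenge
    Event("alice", "transfer", "XX", amount=400.0),                 # 75: policy challenge
    Event("alice", "transfer", "XX", amount=4000.0,
          device_known=False, new_payee=True),                      # 150: block
]


def run_samples(confirm: bool = True) -> List[Tuple[str, int, List[str]]]:
    """Feed the sample events through the monitor with a simulated OOB answer."""
    return [process(e, ALICE, lambda _e: confirm) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for event, (outcome, total, fired) in zip(SAMPLE_EVENTS, run_samples()):
        print(f"{event.kind:14} {event.country} score={total:3} -> {outcome:9} {fired}")
```

The weights make the distinction the article draws visible: a login alone only reaches the challenge threshold when two behavioural signals coincide, a transaction from a policy-listed country is always challenged, and the transfer that combines a new device, a new payee and an unusually large amount is blocked without a challenge being offered, since an out-of-band confirmation is only useful where the customer, not the fraudster, is the one likely to answer it.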
In short, phishing is not going away; it is still an effective and low-cost means to steal online banking credentials and other personal information.
In addition, crimeware is being used more regularly and has become easier for fraudsters to implement.
As long as there are threats that can circumvent existing authentication methods, financial institutions need to utilise alternate technologies that go a step further in curtailing crimeware and other emerging attacks or simply prevent them altogether.
About the author: Geoff Noble is a banking and finance specialist with security vendor RSA, the Security Division of EMC.