April 5, 2016

Online Security – The Weakest Link

For all the technological defences, people persist as a principal vulnerability in the cyber environment. Mandy Kovacs tests for gaps along the perimeter.

As cyber-attacks on online banking become advance in sophistication, anti-fraud experts are advising firms to defend themselves not only with the latest technology, but through more careful due diligence.

Inimitable traces

Biometric authentication is one approach. “We’ve been using physical biometrics, which includes fingerprint scanning, and voice or facial recognition, for quite a while, but I think the industry is headed toward passive biometrics, or behavioural biometrics – a system where a user is not necessarily asked to participate directly,” said Ross Hogan, global head of fraud prevention at Kaspersky Lab, the Russia-headquartered cyber-security group. “Essentially, this method involves the bank monitoring a myriad of ways the user inherently interacts with the online or mobile banking application. It’s a continuous silent authentication mechanism.”

Every user action, from the orientation of a tablet to the velocity or angles of mouse movement, to how someone would refresh their computer if it goes to sleep, is tracked. The system ‘remembers’ the account-holder’s typical behaviour – built from statistical analysis of every logon session; the bank is then able to risk-assess whether the party trying to access the account is human, robot, authorised or a potential fraudster.

“For a financial institution, the priority is user experience, but many authentication methods, and physical biometrics like fingerprints, are contributing to its degradation,” explained Hogan. “Behavioural biometric systems can generally avoid this. For a user, it’s wonderful; they’re not asked to speak into the phone or provide a fingerprint – it’s business as usual, and that’s exactly what they want from their online banking system. They want simplicity, convenience and for it to work. And if they’re happy, the bank also benefits.”

Yet in its infancy, behavioural biometrics is gaining momentum, especially when paired with some of the existing authentication methods.

Two, three, four factors

Experts recommend using two or even three-factor authentication – when available – to enhance security. Factors include: something you know – usually a password, passcode, passphrase or personal identification number (PIN); something you have, such as a chip-enabled bank card; and something you are – fingerprints, iris patterns, voice prints, or similar mechanisms that require physical confirmation.

A fourth factor

Four factor authentication would also expect approval in response to a notification of request for access, said Ron Hulshizer, MD of information technology risk services at BKD, the US accounting and advisory firm.

The best technology notwithstanding, Hogan and Hulshizer agree that the most common security lapses involve human error.

The human factor

“People are the weakest link,” said Hulshizer, “The technologies that banking institutions use are fairly secure. That’s not where we’re seeing the fraud and large issues, it’s usually people falling for a fake email that leads to malware or phishing attacks, or using bad passwords.”

Atif Ghauri, chief technology officer at Herjavec Group, a security services provider, based in Toronto, Canada, says that email is currently the most common delivery vehicle. Skimming attacks, which involve stealing a consumer’s banking details and making low-value across thousands of cards can net a significant return for the fraudster.

Spear phishing campaigns are the hardest to protect against, said Ghauri: the user is sent a lengthy message with a call to action that will compromise their device, such as click on a link infected with malware, or provide sensitive information on a fake website that simulates a trusted service provider. The most common targets are high-profile individuals whose details are  publicly available, as this makes it easy to curate a specific, believable message.

Penetration attempts are certainly becoming more numerous. According to Kaspersky Lab’s 2014 Security Bulletin, 6.2 billion malicious attacks on user computers and mobile devices were blocked by its antivirus products that year, one billion more than in 2013. In the first quarter of 2015, Kaspersky Lab says its products blocked attempts to launch malware capable of stealing money via online banking on the computers of 929,082 users, a 64.3% increase on the previous quarter (565,515).

Hidden depths

Malicious attacks are hard to track: they generally originate on the dark web – the area of the Internet not indexed by popular search engines – or sites protected by encryption.

“The origins of many attacks can be traced there,” said Ghauri. “The criminal networks seed their attacks by using proxy servers, which, by acting on behalf of another computer, can support anonymity. If you proxy 20 times, trying to figure out who gave the original request is very hard. They’re used to mask identities.”

Unfortunately for consumers and businesses, the dark web has become a community, if not a full industry, for banking and financial fraud. Ross Anderson, professor of security engineering at the University of Cambridge’s Computer Laboratory, says the picture changed about 10 years ago as cybercriminals started to become more organised and efficient.

Criminal outsourcing

“Before then, online criminals did everything themselves, like running a one-man business that does all the manufacturing, distribution, selling, and so on, which isn’t efficient,” he explained. “Now, some will steal credit card numbers, some will write malware, some will build ATM skimmers, and they all trade with each other.”

American retail giant Target was the victim of one such breach in 2013, in which hackers stole 40 million debit and credit card numbers from its point-of-sale system. Before the issuers were able to cancel the cards, the criminals probably generated US$53.7million in income, according to Brian Krebs, a former Washington Post staffer who writes extensively on cyber security.

“These companies don’t have industrial-strength security – it’s much less than you would expect. They get compromised easily and quickly. The criminals will observe the company’s activity for a period of time, and then take over just one computer – usually with a Trojan malware that’s come from an email,” Hulshizer explained. “By doing this, they have full access to whatever information is stored on the device.”

Caught in the middle

Despite the illicit profitability of large company data breaches, Professor Anderson warns that medium-sized businesses, with 200-400 employees, are most at risk.

“The modus operandi of typical organised criminals attacking firms is to take over the computers of a medium-sized business’ accounting department – a firm that’s not big enough to employ anyone with a particular knowledge in cyber security, but is beyond being small enough to check every transaction,” he said. “I would suggest having someone in the accounts department whose sole purpose is to examine the accounts and reconcile them every morning. It’s just good financial practice.”

Divide and conquer

He also suggests having separate devices for financial transactions and for general purposes, like emails and browsing the web. Having different brands of devices also helps, Anderson says. Criminals are rational actors, and write malware for machines used by majority of the population, making PCs, not Apple products, more susceptible to malicious attacks.

Originally posted on Counter Fraud.