Dave Jevans, chairman of IronKey and the Anti-Phishing
Working Group, outlines why European banks, governments and
regulators should follow the example being set by the FFIEC in the
US if they are really committed to helping protect online banking
customers from the continued onslaught of cybercrime.

 

[Figure: Pie chart showing crimeware infections, Q1 2010]

While the European media has only recently become aware of
the threat of cybercrime attacks by hackers such as LulzSec and
Anonymous, banks across Europe have long been the target of
increasingly sophisticated cyber attacks.

Although the threat from
cybercriminals has existed for decades, the sheer volume of
successful attacks during the last few years highlights an urgent
need to better protect against such attacks.

Banks across Europe have strived to
improve their security controls in an attempt to protect against
attacks. Unfortunately, many of the security improvements in
online banking over the past five years are quickly becoming
obsolete in the face of more sophisticated attacks.

For instance, new authentication
solutions to protect against cyber attack can now be compromised
by back-connect and keep-alive Trojans.

Bank employees are also a growing
target. Fraudsters might simply target a bank’s IT manager via
Facebook, or send them a link in an email from an account
purporting to be from a friend. Using this ‘in’, the cybercriminals
could access a goldmine of data and IT systems extremely
quickly.

While there will be those who may
think this is unlikely, sadly this type of attack was successfully
carried out on one of the largest and most respected IT security
firms only a matter of months ago.

In reality, the cybercriminals are
always looking to innovate to beat the current IT security
measures. By using social media channels to collaborate and drive
new threats, they are closing in on their aim of beating every IT
security solution that a bank can deploy.

 

Customer PCs are the weakest link

Unfortunately, nowadays if they
cannot get into a bank’s IT systems, the criminals simply target
their customers instead.

One of the key reasons that this
type of attack reached such levels is that the majority of banks will
have relied on authentication and fraud analytic solutions to
protect and alert them. Unfortunately, these types of solutions do
not take into account the latest crimeware infecting bank
customers’ PCs.

Already, we are seeing increasingly
sophisticated malicious software that mimics user behaviour to
specifically defeat behaviour fraud analytics.

For well over a year, criminals
have been successfully circumventing customer authentication by
taking control of bank customers’ browsers.

Without any doubt – the issue of
protecting the customer’s PC is crucial in tackling these
cybercrime threats. One option is to ensure that the layer of fraud
prevention starts at the customer’s computer, such as secure browsers
run from read-only USB devices, to prevent criminals from
circumventing authentication controls by hijacking already
authenticated banking sessions.

These types of solutions are aimed
directly at providing a safe environment that is separate from the
likely infected computer. So instead of trying to detect different
variants of criminal attacks, banks can take online banking out of
the reach of criminals.

 

Collaboration is crucial

A key advantage the current
cybercriminal community has over the banking industry, governments
and regulators is the level of collaboration they can rely on.

Criminals are actively involved in
creating new attacks, promoting them on the black market and
continuously updating their wares based on criminal feedback. And
with organised crime involved, this is very serious business. At
present our ecosystem cannot rely on this level of collaboration to
try and mount a successful defence.

The whole ecosystem – ranging from
government to banks – needs to bring this idea of a marketplace of
ideas to address the threat.

An example of cross industry and
government collaboration is the recent initiative by the United
States Federal Financial Institutions Examination Council (FFIEC).
The FFIEC and other US banking regulators recognised the immense
threat currently posed to the American banking sector, and have
issued internet banking guidance which calls for multiple layers of
security controls to prevent fraud.

While European banks continue to
place emphasis on authenticating customers, the FFIEC is putting
banks on notice that this is not enough.

One of the recommended security
controls is the use of secure browser sessions. This safe browsing
environment increases session security because it enables a secure
link between the customer’s PC and the financial institution,
independent of the PC’s operating system and application
software.

While this guidance is by no means
a silver bullet to rid the US of cybercrime, at least collaborating
in this way demonstrates a positive approach to tackling the
threat.

However, the strongest message
banks should take from the FFIEC guidance is that authentication –
from one-time passcodes to smart cards – is now just another bump
in the road for criminals on their way to steal money.

Banks must provide a secure
computing environment to address today’s ‘threatscape’ or criminals
will continue to have their way.

After all, it is not just the money in customers’ accounts that
the banks need to protect. It is their reputation for providing
customers with a secure environment to conduct their online
banking. And in today’s world, reputation is everything.