Phishing, malware to strain banks in 2009

Interview

Phishing, malware to strain banks in 2009

Marcia Savage, Features Editor, Information Security magazine

    Requires Free Membership to View

    Login

    SearchFinancialSecurity.com members gain immediate and unlimited access to in-depth technical advice, strategies, and expert guides for securing data in high-risk financial environments. Join me on SearchFinancialSecurity.com today!

    Michael S. Mimoso, Editorial Director

    By submitting your registration information to SearchFinancialSecurity.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchFinancialSecurity.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

Cybersecurity outlook:
Financial firms fight cyberthreats, brace for difficult year: Increased regulations, growing cyberthreats and tight budgets will challenge financial firms in 2009.

Cisco: Cybercriminals more savvy than ever in 2008: The annual Cisco security report shows increases in hacker tactics, Web threats, Internet cybercrime, email spam and virtualization vulnerabilities.
What were some of the major fraud trends that financial institutions dealt with in 2008?
Fraudsters proved in 2008 that they are increasingly tenacious and sophisticated in their fraud schemes. Phishing and malware continued to be popular methods for acquiring online account and personal information. … While it is clear that accounts are being compromised in great numbers, financial institutions must also deal with the myriad resulting schemes to steal victims' money. The schemes vary, but share a common theme of using the online channel for an initial, critical component of an overall scheme. We have seen numerous ways that account information has been used, including:

  • Counterfeit check fraud: Criminals look at account balances and check images and then commit counterfeit check fraud. We have seen a particular spike in this problem, and one bank we spoke to recently was amazed at how good the fraudsters are at getting the right sequence number for fraudulent checks.
  • Wire transfer fraud via fax: Fraudsters look at account balances and check images online, then fax in a wire transfer request.
  • Call center transactions: Fraudsters look at account balances, personal contact information, and recent transaction history and then call the call center to request a wire transfer or change the address and request a new debit card.
  • Debit card theft: Criminals change the account address and request a new debit card via online banking application. They then use the new debit card to steal money.
  • Multiple institution schemes via Automated Clearing House (ACH) transactions: Fraudsters use contact info, account numbers and signature blocks to open an account in the victim's name in another financial institution. Then, they establish an ACH connection between the two accounts, transfer money out of the victim's account, and withdraw the money from the account they control either through the ATM or branch. Because the accounts share the same name, and because the fraudster can verify "ownership" of the victim's account (because they can confirm the micro-deposit the ACH account registration process entails), the transfer is easy to pull off.

    Indeed, check ACH and other types of "offline" fraud seem to be on the increase in the last several months, but these cross-channel schemes frequently have undetected online account takeover at their root. Institutions rarely have the resources to piece together the overall fraud scheme. We're hearing a lot of reports about cybercriminals taking advantage of the economic crisis and upheaval in the financial industry. What are you seeing so far?
    Cybercriminals are certainly finding new ways to steal sensitive data and exploit consumer confusion around the banking meltdown. The Federal Trade Commission recently published examples of phishing scams that attempt to capitalize on the turmoil in the financial services industry by asking consumers to "update, validate, or confirm" account information. Consumers are more likely to provide information to these scammers because they look like they're coming from financial institutions that are part of the recent bank consolidation, so it appears credible. Fraudsters are also exploiting consumers' increased interest in new job opportunities as unemployment rates skyrocket, leading consumers to bogus sites that promise new job offers or "work from home" opportunities where the victim becomes an unwitting mule in a fraud scheme, typically using their legitimate online banking account to transfer money around. Is the recession affecting financial institutions' security budgets and/or antifraud efforts?
    While overall budgets have declined, we have not seen a decrease in security and antifraud investments. Fraud will continue to remain a problem that financial institutions need to address, especially as criminals get more desperate and savvy in the current economic climate.

    SearchSecurity radio:
    What fraud issues do you expect financial institutions to be dealing with in 2009?
    Phishing scams, malware and identity theft are all trending upwards in volume and sophistication that will only get worse in 2009, forcing all financial institutions to be more diligent in the ongoing fight against fraud. Moreover, as more large-scale bank mergers are announced and the ones already in motion begin to finalize, fraudsters will be lurking in the shadows, eager to capitalize on the confusion and uncertainty that comes with industry consolidation. Consumers will be distracted by the economy, and their misguided attempts at frugality will lead to poor decisions. For example, many consumers will let their antivirus protection expire to save $50, jeopardizing the safety of the broader online ecosystem in the process. With the economy in flux for the foreseeable future, banks and consumers must be made more aware of the dangers of online fraud and take action to protect themselves accordingly. What compliance issues do you think will be priorities for your customers next year?
    Just as SOX emerged from the previous major economic downturn, I predict that Washington will begin issuing more regulations for financial institutions in particular. Increased regulation in the financial sector is inevitable, given the economic crisis was in a large part, borne of deregulated activities. In addition, Obama's administration will likely make some regulatory changes that will impact the financial institutions and their vendors and service providers.

    One particular compliance issue that our customers will be prioritizing is the Red Flag regulations, which calls for the "establishment of an Identity Theft Prevention Program that is appropriate to the size and complexity of each organization," and is required of any financial institution. The Nov. 1, 2008 deadline has passed, but compliance will be an ongoing and evolving concern.