The convenience of conducting financial transactions with a single click means
that online banking is coming of age in India and many other parts of Asia. As a
result, these geographies represent a ripe new market
for cyber criminals who look to launch online attacks and commit fraud. Recent
reports indicate that roughly 10% of all global phishing activities specifically
target India. As evidence of this disturbing trend, several Indian banks came
under attack in 2008, targets of over 400 phishing scams in just a few months.
Even more alarming is the fact that more than 80 Indian banks lack adequate
security measures for protecting their online users, as reported by NASSCOM.
Phishing first gained traction in 1996. Today, it has evolved into a far more
menacing criminal enterprise, with bands of fraudsters working together to
create schemes that dupe unsuspecting online users into divulging personal
details, most often their online banking credentials. The popularity of phishing
scams within fraudster circles is mainly driven by a low execution cost and the
fact that little technical knowledge is required to set them up.
Online fraud continues to grow
Online fraud has become a vast global network, bringing together bands of
cyber criminals to do what they do best — steal money and identities from
unwitting online users. When we think about the evolution of the Internet and the
new types of, and methodologies for, crime, we can quickly conclude that the
Internet has not only enabled businesses to develop new routes to market and
explore new business models, it has also done exactly the same for fraudsters.
The criminal underworld has the added bonus of working in a completely
unregulated global economy — a true free market! These fraudsters are
full-time professionals, ably supported by an economy of goods and services that
has evolved to support their needs.
This unique characteristic of the fraudster economy lowers the barriers to
entry for those seeking an induction into this criminal underworld as they only
have to offer expertise in one specific area and can buy or partner for the rest
of what they need.
We expect to see more 'spear phishing' — highly targeted attacks against
specific individuals for key pieces of information. It usually begins with a
message that looks like an official email from a bank. The text within the email
tells the user that he/she needs to access the bank's website and update his/her
personal information, or risk having his/her account suspended or closed. The
email usually contains a link that the user can click on to go to the bank's
website. Once clicked, instead of directing the user to the bank's website, they
are actually brought to a spoofed website that looks nearly identical to the
bank's official website and is intended to steal the user's information.
Layered security is the best protection
Staying a step ahead of online criminals and being prepared to address new
threats is critical to fending off fraud. Financial institutions must establish
a layered approach to security which is key to lowering the overall risk posed
by phishing and other online threats. A layered security approach has three core
elements:
- Understand the threat landscape
- Use multi-factor authentication to protect login
- Monitor user activities and transactions
Understand the threat landscape
Financial institutions must understand the threats that are targeting their
businesses and the relative risks they pose. By doing so, they can mitigate the
risk of online fraud or even prevent it from occurring at all. By gathering and
sharing intelligence and developing a broad knowledge of potential threats, they
can better evaluate their own vulnerabilities and implement security solutions
to protect their customers.
Use multi-factor authentication to protect login
Multi-factor authentication, coupled with username and password
authentication, is essential to prevent unauthorized access to a user's personal
data and account information. Some of the more popular technologies in this area
include risk-based authentication, one-time passwords, and site-to-user
authentication.
Monitor transactions and activities that occur post-login
Financial institutions should also consider implementing a transaction
monitoring solution that analyzes and challenges high-risk transactions after a
user has logged in to his/her account. Transactions typically require more
scrutiny and pose more risk to financial institutions than just the act of
logging in to an account. Transaction monitoring solutions analyze a combination
of factors such as the IP address, characteristics of the user's computer and
the actual behavior of the user (i.e., is the amount of this money transfer
typical of the user?) to help identify and mark suspicious activities that may
require further review by the financial institution.
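The kind of scoring such a monitoring solution performs can be sketched in a few dozen lines. The following is an added example, not code from the article or from any RSA product: it combines the three factor families the text names (session IP, device characteristics, behaviour relative to the user's own history) into a score that decides between allowing a transfer, challenging it with step-up authentication, or holding it for analyst review. The weights, thresholds, profile fields and sample customer are all constructed for the illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Set

# Constructed weights and thresholds. A real deployment tunes these against
# its own observed fraud and false-positive rates.
WEIGHTS = {
    "unknown_device": 30,           # device fingerprint never seen for this user
    "unfamiliar_country": 30,       # session IP geolocates to a new country
    "new_payee": 20,                # first transfer to this beneficiary
    "amount_far_above_typical": 30, # more than 5x the user's median transfer
    "amount_above_typical": 10,     # more than 2x the user's median transfer
}
CHALLENGE_AT = 30   # step-up authentication, e.g. a one-time password
REVIEW_AT = 60      # hold the transaction for human review


@dataclass
class UserProfile:
    user_id: str
    known_devices: Set[str]
    known_countries: Set[str]
    known_payees: Set[str]
    past_amounts: List[float]   # history of completed transfer amounts


@dataclass
class Transaction:
    user_id: str
    amount: float
    payee: str
    device_id: str   # fingerprint of the browser/computer in this session
    ip_country: str  # country the session IP address geolocates to


def score_transaction(profile: UserProfile, tx: Transaction) -> dict:
    """Score one post-login transaction against the user's established profile.

    Returns the total score, the decision derived from it, and the list of
    factors that fired so an analyst can see why a transfer was flagged.
    """
    reasons = []
    if tx.device_id not in profile.known_devices:
        reasons.append("unknown_device")
    if tx.ip_country not in profile.known_countries:
        reasons.append("unfamiliar_country")
    if tx.payee not in profile.known_payees:
        reasons.append("new_payee")

    # Behavioural factor: is this amount typical for this user? The median
    # resists distortion by a single earlier large transfer.
    typical = median(profile.past_amounts) if profile.past_amounts else None
    if typical:
        if tx.amount > 5 * typical:
            reasons.append("amount_far_above_typical")
        elif tx.amount > 2 * typical:
            reasons.append("amount_above_typical")

    score = sum(WEIGHTS[r] for r in reasons)
    if score >= REVIEW_AT:
        decision = "review"
    elif score >= CHALLENGE_AT:
        decision = "challenge"
    else:
        decision = "allow"
    return {"score": score, "decision": decision, "reasons": reasons}


# Constructed sample customer: pays rent from one laptop, always from India.
ALICE = UserProfile(
    user_id="alice",
    known_devices={"dev-laptop-1"},
    known_countries={"IN"},
    known_payees={"landlord"},
    past_amounts=[1000, 1200, 900, 1100, 1000],   # median 1000
)

if __name__ == "__main__":
    samples = [
        Transaction("alice", 1050, "landlord", "dev-laptop-1", "IN"),
        Transaction("alice", 1050, "landlord", "dev-phone-7", "IN"),
        Transaction("alice", 9500, "unknown-payee", "dev-phone-7", "RO"),
    ]
    for tx in samples:
        print(tx.amount, tx.payee, "->", score_transaction(ALICE, tx))
```

The usual rent payment from the usual laptop scores zero and is allowed; the same payment from an unseen device is challenged rather than blocked, which keeps friction low for a customer who simply bought a new phone; a large transfer to a new payee from a new device in a new country accumulates every factor and is held for review. Keeping the per-factor reasons alongside the score is what makes the later analyst review the text mentions practical.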
Information risk management
Financial institutions can also use a strategy based on information risk
management to protect against online fraud. Managing information risk in the IT
setup is distinguished by three key characteristics:
- Risk is information-centric. Information has been recognized as one of the
most important assets in our economy and is increasingly becoming a key factor
in perpetrating many types of fraud. Focusing on information clarifies
business context, and following its path across the IT infrastructure reveals
where it is potentially vulnerable.
- Using risk as a lens for security investment decisions ensures that the
most significant challenges in mitigating fraud are addressed first.
- It is repeatable. The emphasis should be on implementation of processes
and solutions based on standards, frameworks and best practices that can be
leveraged across multiple security and compliance initiatives — saving time,
money, and effort.
When a financial institution adopts a framework, that is, a holistic analysis,
methodology and plan for dealing with security requirements, it is essentially
putting a security program in place to solve these problems: it can take
advantage of the commonalities between security and compliance programs, while
at the same time reducing opportunities for a fraudster.
Educate your customers
There is an ongoing debate about the impact of customer education and how
much it really does to mitigate the threat of online fraud. There are a number
of public sources available that can be used to make people more aware. For
example, Carnegie Mellon University developed a new tool called Anti-Phishing
Phil. The game teaches users how to identify phishing URLs, where to look
for the black holes in web browsers, and how to use search engines to find
legitimate sites. Interactive tools such as this are great ways to engage
consumers and raise online safety and security awareness amongst all
stakeholders.
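The cues that Anti-Phishing Phil teaches users to spot by eye, and the link-to-spoofed-site trick described in the spear phishing section above, can also be checked mechanically before a message reaches an inbox or when a user hovers over a link. The following is an added example, not code from the article, from Carnegie Mellon or from RSA: given a link's href and the text it displays, it reports the heuristics that fire. The bank domain, the naive registrable-domain cut (a production filter would consult the Public Suffix List) and all sample links are constructed for the illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed: the registrable domains the bank actually owns.
LEGIT_DOMAINS = {"examplebank.in"}

# Something that looks like a hostname inside the visible link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (assumption: no Public Suffix List offline).

    'login.examplebank.in' -> 'examplebank.in'
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def url_warnings(href: str, display_text: str = "",
                 legit_domains=LEGIT_DOMAINS) -> list:
    """Return the reasons a link in a 'bank' email deserves suspicion.

    An empty list means no heuristic fired; it is not proof of legitimacy.
    """
    warnings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        warnings.append("link is not https")

    # 'https://examplebank.in@203.0.113.5/' reads like the bank to a person,
    # but everything before '@' is user-info and the browser goes to the IP.
    if parsed.username is not None:
        warnings.append("user-info before '@' hides the real host")

    try:
        ipaddress.ip_address(host)
        warnings.append("ip-address host")
    except ValueError:
        pass  # a normal hostname, not a bare IP address

    # Internationalised labels can render as look-alikes of Latin letters.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label (possible homograph)")

    # The bank's name appearing on a host the bank does not own, e.g.
    # 'examplebank.in.secure-update.example', is the classic spoof.
    reg = registrable_domain(host)
    if reg not in legit_domains:
        for legit in legit_domains:
            brand = legit.split(".")[0]
            if brand in host:
                warnings.append(f"brand '{brand}' appears on non-bank host {host}")
                break

    # Visible text names one site while the href points at another.
    match = _HOST_IN_TEXT.search(display_text.lower())
    if match and registrable_domain(match.group(1)) != reg:
        warnings.append(f"link text shows {match.group(1)} but href goes to {host}")

    return warnings


def is_suspicious(href: str, display_text: str = "") -> bool:
    return bool(url_warnings(href, display_text))


if __name__ == "__main__":
    # Constructed sample links as they might appear in a mail body.
    samples = [
        ("https://www.examplebank.in/login", "www.examplebank.in/login"),
        ("http://examplebank.in.secure-update.example/login", "https://www.examplebank.in"),
        ("https://examplebank.in@203.0.113.5/login", "examplebank.in"),
    ]
    for href, text in samples:
        print(href, "->", url_warnings(href, text) or "no warnings")
```

Each warning corresponds to a cue a trained user could verify in the browser's address bar; emitting the specific reason, rather than a single suspicious/not-suspicious verdict, is what makes the output useful both as a mail-filter signal and as an awareness-training aid.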
Arthur W Coviello, Jr, President RSA, The Security Division of EMC