Wednesday, February 25, 2009

The Greatest Risks to Banks in 2009

10 Faces of Fraud

Last year was full of stories of criminal activity on the Internet, with hackers and phishers wreaking havoc on computer systems and consumers, causing credit and debit fraud numbers to soar.

What does this year hold for fraud against financial institutions? Here are 10 of the new and old ways criminals will be looking to commit fraud in 2009.

1. ATM Network Fraud

The number one area that institutions will see fraud growing over the next year is in ATM networks. When the criminal gets access to magnetic stripe data and associated PIN values, they are then able to create cards, and basically then it's a license to print money. Another problem for institutions is that their ability to perform risk management is significantly less on an ATM network than online transactions. This is because the ATM delivers the goods to the consumer immediately to them, which is exactly what the fraudsters want -- the cash, rather than a large ticket item they have to then fence or resell.

2. Check Fraud

The area of check fraud is also becoming continuously more sophisticated, and the underlying technological systems haven't kept pace with the sophistication of the adversaries. There won't be a solution for paper-based check fraud, until we have a technological development where the check itself can be authenticated via a chip or code. There are actions that could be taken, such as printing a code on the back of the check that the bank can verify, like a credit card.

3. 'Laser-Guided' Precision Strikes

The organization and sophistication of criminals is increasing, and so is the sophistication of their attacks. Mike Rothman, Senior Vice President of Security Strategy at eIQnetworks, sees a "laser-guided" approach to targeting precision attacks on institution's customers as the next step that these criminals will take.The criminal groups like Russian Business Network - RBN are compiling huge amounts of data in order for consumers to share account information with them. This allows them to entice those customers to "give up the goods" by divulging enough information so they feel comfortable with the scam. The victims include small businesses, which Rothman sees as the next crime front.

4. Phishing Attacks To Continue

In 2008, the financial services industry has seen an increase in the numbers of phishing attacks that are expected to continue into 2009, including sophisticated spear phishing and Rock Phish attacks. The Anti-Phishing Working Group reports that the financial services sector remains the most targeted sector being attacked, with an average of more than 90 percent of attacks being directed at financial services.

Phishers are now sending their phishing messages over cell phones via text messages. This will cause confusion among online banking users, especially those using mobile banking services. The typical banking customer will think, 'My bank won't email me, but they're sending me a text message asking me to click on this link or call a number to verify.

5. Check Image Fraud

Traditionally, after a successful phishing attack, the criminal would extract the needed information and go onto the online account and remove the victim's bank funds. This has changed for some of the more sophisticated criminals in the last year. Instead of looting the victim's account, they don't set up fake bill pay or take money directly from the account. Instead they go to the check image page, where they take a copy of the victim's check.

Many financial institutions are now offering check images as part of their online banking services to their customers. They can either take the copy and make paper counterfeit checks to distribute, or take that information and create PayPal accounts or other online payment accounts that will leave the victim on the hook for any purchases.

6. Zero Day Attacks

Another area that financial institutions will need to keep an eagle eye on is the shift in the way financial fraud is happening. The attacks will change from criminals trying one thing and increasing their attacks against a particular vulnerability or fraud strategy, to where it becomes similar to hackers attacking computer vulnerabilities, where the smartest adversaries will identify a problem, but try to keep what they learn really secret and then attack the target in a very sudden and catastrophic way.

7. Low 'N Slow Attacks

Imagine having the best firewalls, intrusion detection systems and an unbeatable monitoring system installed. But your computer systems are still compromised. What happened? It may have been a "low and slow attack" that happens not over a period of a few minutes or hours, but over a period of days, weeks, or even months. Now the criminals will compromise a machine and sit back and wait, maybe a day, week or even a month before going back to it and see what else they can compromise through it. What is their end goal? To compromise the entire network and perpetrate fraud over a long period of time.

8. Drive-By Attacks Deliver

Institutions need to educated and warn customers and employees to beware the online look-alikes and infected websites. Drive-by attacks that surreptitiously deliver keylogging Trojans to customer's computers are becoming identity thieves' weapon of choice. Machines are infected when users visit bogus bank sites that they've been directed to via phishing emails or, increasingly, legitimate sites that have been hacked.

9. Phones Will Be Ringing

All institutions need to keep a close ear and eye on their phone channel. As online banking security improves through better authentication and back-end anomaly detection, fraudsters are following the path of least resistance and turning to the phone (call centers and interactive voice response technology), where authentication procedures tend to be less stringent.

10. Insider Threat

This is one of the most important issues that financial institutions are going to face in the coming year. In this economy, people are going to be more tempted to steal inside data, to sell it or use it for their own purposes. The insider threat will be more prevalent than in the past there will be more desperate players out there. Proper monitoring of all employees, vendors and contractors with a separation of duties plan will help stop this from happening.

No comments: