Published in Bank Info Security
Monday, January 03, 2011
Beware of Trojans, Malware and Attacks Via Mobile - Linda McGlasson, Managing Editor
As 2010 came to a close, Information Security Media Group caught up with a handful of leading industry experts to get their takes on the top security threats of 2011. Among the experts: Avivah Litan of Gartner Research, Julie McNelley of Aite Group, Uri Rivner of RSA Security, Rod Rasmussen of Internet Identity, Jasbir Anand of ACI Worldwide and Ori Eisen of 41st Parameter.
The top 9 threats of 2011 include:
1. Mobile Banking Risks
Mobile phones used for banking are on the rise, but mobile security is proving increasingly challenging for banks and credit unions, as controls put in place to protect traditional online banking do not translate well when applied to mobile.
Mobile banking applications from Bank of America, Chase, Wells Fargo and TD Ameritrade have all suffered from security flaws, and CitiGroup in 2009 noted vulnerabilities when it learned some banking apps stored sensitive user details in hidden files on smart phones.
Until recently, functionality for mobile banking was fairly limited. But as mobile application robustness has increased, so, too, have security risks. McNelley, an analyst at Aite Group, says, "Many banks seem to be reliving all the hard lessons of the early days of online banking." Mobile malware is an emerging threat, and Zeus attacks, such as Mitmo, aimed at mobile, have already been identified.
But RSA security researcher Rivner slightly disagrees. "Mobile banking apps will not be a primary target for fraudsters," he says. Instead, he believes mobile browsing will be more targeted in the coming year, since most mobile users continue to use their online banking sites to conduct banking functions.
2. Social Networks and Web 2.0
The connection between mobile phones and social media is growing, with Twitter and Facebook apps offered for mobile users. Institutions embracing mobile also are embracing social networking, says Rasmussen, Internet Identity's chief technology officer. "With more banks on social networks, expect to see more fake sites using social networks, like Twitter and Facebook, to try and trick people into giving up vital personal information," including banking login credentials and Social Security numbers, he says.
But external threats aren't the only risks. Social networking sites are also a venue for an institution's own employees to intentionally or inadvertently expose sensitive information. To mitigate internal risks of data leakage, it's important for organizations to spell out social networking policies to employees. They must know when and how to use social networks in the course of their jobs, as well as what information is/is not appropriate to share.
3. Malware, Botnets and DDoS Attacks
Distributed denial-of-service, or DDoS, attacks, as seen in the wake of the recent WikiLeaks incidents, are likely to increase. In fact, the WikiLeaks-inspired attacks against leading e-commerce sites have fueled interest among fraudsters, says RSA's Rivner. Botnet operators now see opportunity for additional income.
Even with the takedown of the Mariposa botnet earlier this year, banking institutions are expected to face growing challenges in the fight against DDoS attacks.
Attacks are also getting more sophisticated. The No. 1 banking-credential-stealing Trojan, Zeus, is used by hundreds of criminal organizations around the world, so "add-ons" are prevalent. This year alone, Zeus has been linked to some $100 million in financial losses worldwide, according to the Federal Bureau of Investigation. Rasmussen says Zeus' anonymous programmer, who launched the Trojan in 2007, is likely to come out with a new and improved Zeus variety in 2011. "There is a good chance that he will soon emerge with even more powerful ways to steal," he says.
Concerted attacks launched against online banking sites will likely make stronger authentication a necessity, says Eisen, founder of 41st Parameter. "The amount and velocity of fraud could force new and stronger authentication methods and more stringent procedures, such as dual-signatures and dual authentications," he says.
4. Phishing
Sophistication in phishing, smishing and vishing attacks also is increasing, McNelley says. "Fraudsters now create very polished messaging that targets everything from bank accounts to Amazon accounts," she says.
In fact, respondents to the recent Faces of Fraud survey say phishing/vishing attacks rank No. 3 among fraud threats.
To fight these incidents, inroads in consumer education have been made, but the social engineering techniques that have made phishing a success are now trickling down to land-line and mobile phones. "Phishing will be used as a general purpose tool that leverages a recognized brand, but doesn't try to attack them directly," Rivner says. Nonetheless, the damage to the brand's reputation (in the eyes of the victimized consumers) could be costly.
5. ACH Fraud: Corporate Account Takeover
In 2010, ACH fraud resulting in corporate account takeovers saw a dramatic increase and made for some of the year's most compelling reading. We witnessed banks suing customers and customers suing banks over the responsibility for fraud incidents and losses.
In 2011, commercial banking attacks are expected to rise, experts say, especially as man-in-the-middle or man-in-the-browser, also known as MitB, schemes increase.
MitB attacks targeting two-factor authentication intensified in 2010, requiring commercial banks to deploy additional lines of defense, such as out-of-band authentication, desktop hardening and anti-Trojan services. "With some gangs stealing millions from just a few victims, expect more and more criminals to pile on the 'easy money' bandwagon," Rasmussen says. As the MitB attacks get easier, less sophisticated criminals are expected to target consumer accounts, too, despite smaller returns.
6. Cloud Computing
Cloud computing is touted for its ability to curb fraud, but fraudsters are working overtime to create new threats in what Rivner calls "the Dark Cloud." He predicts fraudsters will hone their ability to exploit new and yet-unknown cloud vulnerabilities. Rivner says institutions can expect in 2011 to see cloud-targeted Trojans, like Qakbot, that focus on a geographic region and/or specific banking sectors.
But movement to the cloud is definitely on the horizon, as more financial institutions gradually warm to non-localized content management. Jeff Reich, director of the Institute of Cyber Security at the University of Texas in San Antonio, says the biggest barrier to cloud computing has been the fear of data security. Now that fear is diminishing, the use of cloud computing by banks and credit unions is expected to take off. But, like any new or emerging technology, the cloud will face challenges, Reich says.
"Cloud computing, in particular, is thought to be failsafe," he says. "People sometimes think there is no hardware involved ... and, as a result, it will never fail. So it's one thing to keep in mind: Cloud computing is not limitless. Every cloud has its own boundaries."
7. Inside Attacks
Malicious attacks or hacks are often launched inside an organization by a disgruntled employee. But the inside threat also may be posed by an outside person who uses false credentials to pose as an insider to illegally gain access to internal servers and systems.
Kirk Nahra, a privacy expert and attorney, says most compromises of internal data can be traced back to an employee. That's especially true when the information that's been compromised involves the theft of an identity. But Nahra is quick to point out that not all compromises are intentional and malicious. The problem: companies and financial institutions have not properly limited access to databases and files that contain sensitive information.
"Go into your company and do a real thorough audit or a review," he says. "Doing that kind of a survey or audit, I think, can really do a very significant job of reducing -- not eliminating, but reducing -- these problems, because it cuts down so many of the places where information just simply doesn't need to be."
WikiLeaks serves as a prime example of how insider threats can pose significant security risks. The controversy brewed when an Army private allegedly accessed and downloaded classified information that he later sent to WikiLeaks. Though the private had some security clearance, he did not necessarily have authorization to access and download the classified files he leaked.
Aite's McNelley says it's often all too easy for employees to illegally grab sensitive information. "It's the little things that lead to most internal compromises, like walking away from your desk and not locking your screen," she says. "A lot of that kind of thing slips through the cracks." Internal fraud is still one of the biggest issues in financial services, she says, especially since the embezzlement of funds and the compromise of consumer financial information is so tempting.
As RSA's Rivner points out, the challenges posed by outsiders are just as alarming, since many take aim at government and bank employees. Noting Operation Aurora as an example, Rivner says insiders can unknowingly pose threats, especially when they are targeted by sophisticated hackers. "Some of those affected were from the financial sector, which shows bank employees are a valid target for cybercriminals," he says. "At times, I see these hijacked resources communicating with the Trojan mother ship, while within the corporate firewall."
8. First-Party Fraud
First-party fraud continues to pose security challenges. Also known as "advances fraud," "bust out fraud," "application fraud," "friendly fraud" and "sleeper fraud," first-party crime typically involves a customer applying for and accepting credit with no intention of repayment. First-party fraud applicants can use synthetic identification or misrepresent their real identities.
Jasbir Anand, a senior solutions consultant and security expert at ACI Worldwide, says the British Bankers Association estimates between 10 percent and 15 percent of bad debt losses may result from first-party fraud. "Specialized criminal gangs now target financial institutions with counterfeit identification and advanced knowledge of lending practices," he says. Once an identity is established, the fraudster builds credit and applies for multiple financial products.
9. Skimming
In 2010, card skimming of all types took off, including traditional ATM skimming and new incidents at merchant point-of-sale systems and self-service gasoline pumps. Even though skimming incidents are localized, they represent a growing problem. The advent of ATM "blitz" or "flash" attacks reveals growing sophistication and coordination among counterfeit-card operations. Blitz or flash attacks involve the simultaneous withdrawal of funds from multiple ATMs in different locations, sometimes scattered throughout the world.
Avivah Litan, vice president and distinguished analyst at Gartner, says flash attacks will pose increasing challenges, since they "fly under the radar" of most fraud-detection systems. "Banks can stop it if they can figure out the point of compromise, but many have a hard time doing that with current fraud-detection solutions," she says.
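As an added example (not from the article), the flash-attack pattern Litan describes can be picked out of withdrawal records alone: the same card cashed out in two cities minutes apart proves a counterfeit copy exists, a burst of such cards is the blitz that per-card rules miss, and the merchant those cards share in their earlier history is the point of compromise she says banks struggle to find. The sample records, merchant names and thresholds are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data, not from the article: ATM withdrawals as
# (card, city, "YYYY-MM-DD HH:MM") and earlier purchases as (card, merchant).
WITHDRAWALS = [
    ("card-1", "Chicago", "2010-12-20 02:01"), ("card-1", "Madrid", "2010-12-20 02:04"),
    ("card-2", "Chicago", "2010-12-20 02:02"), ("card-2", "Kiev", "2010-12-20 02:05"),
    ("card-3", "Chicago", "2010-12-20 02:03"), ("card-3", "Lima", "2010-12-20 02:06"),
    ("card-4", "Boston", "2010-12-20 09:00"), ("card-4", "Boston", "2010-12-20 17:30"),
]
HISTORY = [
    ("card-1", "gas-pump-17"), ("card-1", "grocer-a"), ("card-2", "gas-pump-17"),
    ("card-2", "cafe-b"), ("card-3", "gas-pump-17"), ("card-3", "grocer-a"),
    ("card-4", "grocer-a"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def cards_with_impossible_travel(withdrawals, max_minutes=30):
    """One physical card cannot be in two cities within max_minutes, so such a
    pair proves a counterfeit copy is in use. Returns {card: (city1, city2)}."""
    by_card = defaultdict(list)
    for card, city, ts in withdrawals:
        by_card[card].append((_ts(ts), city))
    flagged = {}
    for card, events in by_card.items():
        events.sort()
        for (t1, c1), (t2, c2) in zip(events, events[1:]):
            if c1 != c2 and (t2 - t1).total_seconds() <= max_minutes * 60:
                flagged[card] = (c1, c2); break
    return flagged

def flash_attack_window(withdrawals, flagged, window_minutes=15, min_cards=3):
    """Blitz: many counterfeit cards cashed out at once. Looks across cards (a
    per-card rule sees each card alone); returns (window start, cards) or None."""
    times = sorted((_ts(ts), card) for card, _, ts in withdrawals if card in flagged)
    for i, (start, _) in enumerate(times):
        cards = {c for t, c in times[i:] if (t - start).total_seconds() <= window_minutes * 60}
        if len(cards) >= min_cards:
            return start, sorted(cards)
    return None

def common_point_of_compromise(history, cards):
    """The merchant shared by the most flagged cards is the likeliest skimming
    site. Returns (merchant, fraction of flagged cards that used it)."""
    seen = Counter(m for c, m in set(history) if c in cards)
    merchant, hits = seen.most_common(1)[0]
    return merchant, hits / len(cards)
```

Card-4's two Boston withdrawals hours apart are ordinary use and never enter the window or the point-of-compromise count.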
The technology behind skimming is reaching new levels of sophistication, says Jeremy King, European regional director for the Payment Card Industry Security Standards Council. Fraudsters throughout the world rely more on wireless communications to transmit skimmed card data. "Improving awareness is important," King says, "and the PCI PED standard is addressing some of the global card skimming trends we are seeing."
Stronger cardholder authentication through contactless radio-frequency identification payments or contact chip technology such as EMV could address some of these emerging fraud concerns, says Chuck Somers, vice president of ATM security and systems for Diebold Inc. "Anything beyond better authentication would involve changing the whole infrastructure," Somers says.
For more on the topic, see: ATM Fraud: Skimming is #1 Threat.
Managing Editor Tracy Kitten contributed to this report.