Authentication & Fraud Detection

Malvertising — or malicious advertising — is getting a bit more attention as of late. In essence, it’s just another method by which criminals attempt to infect user PCs with some form of malware — albeit a very scary form as it can reach so many users so easily.

The important point is that criminals will continue to exploit new methods to infect users with malware. Regardless of the method (e.g., malvertising, spear-phishing, infected websites, drive-by downloads, etc.), the objective remains the same: criminals want to obtain control over online identities.

So, what do you do to help protect against malvertising? As an end-user? As an organization seeking to protect employee information and identities? As a service protecting online customers?

Unfortunately, regardless of how careful we are as end-users, enterprises, customers or governments, the malware will get through. Again, even if we:

• Avoid certain websites
• Adhere to strict online practices
• Protect corporate networks with firewalls and intrusion detection
• Secure access to online customer accounts

The malware will infiltrate the perimeter — and it’s best to assume this has already taken place. And, the more sensitive the transaction or information at risk, the more sophisticated the attack.

Here are some best practices to help protect against malvertising and any other online threat.

End-Users & Online Customers

• Be safe. Practice safe browsing and always keep all your software up to date. Be educated and share good practices with others.
• Use suspicion. Don’t assume SMS, email and social networking messages are necessarily from legitimate acquaintances or businesses. Be suspicious and never reveal account or personally identifiable information.
• Switch it up. Where passwords are your only choice, use a passphrase technique such as taking the first letter of an easy-to-remember phrase AND use different ones for different sites.
• Take advantage. Always take advantage of advanced security controls offered by online providers. So many online thefts can avoided.
• Go mobile. To access online services, consider downloading and using mobile applications from legitimate app stores (i.e., no jailbreaking) versus traditional PC browsers.

Employers & Service Providers

• Secure in layers. Implement layered security controls for networks, employees and online customers. Perimeter security is just step No. 1.
• Protect identities. Ensure identities are well protected with controls beyond username and passwords with some form of two-factor authentication that is dynamic in nature.
• Go OOB. For higher-risk transactions, make sure they are confirmed on an out-of-band (OOB) channel to defeat malware that has initiated or modified transactions.
• Be smart. Consider both security and usability when introducing controls — the technology exists.

I just read an interesting court ruling on an online-banking fraud case where a federal court ruled in favor of the bank.

Long story short, Choice Escrow Land Title had $440,000 stolen from their accounts about three years ago via fraudulent wire transfers. Choice was quick to accuse BancorpSouth, but Choice had twice refused to take advantage of BancorpSouth’s dual-control service, which is specifically designed to help prevent fraudulent wire transfers.

So, the courts (and any reasonable human being as well) came to the conclusion that Choice was at fault and the bank should not be held liable. While the logic is sound, I can’t help but raise the question: why didn’t Choice take advantage of the dual-controls service? Did they not care if money was stolen from their account? Were they overly naïve thinking that they would never be a fraud target? Did they not want to be burdened with cumbersome processes?

In the varied discussions I have had with clients, market analysts and peers in the industry, I often hear that security controls are burdensome. They delay or slow business and demand actions from end-users that their jobs more difficult. In the end, security is at best a necessary evil. But, it doesn’t have to be.

Banking security solutions have come a long way over the past years and no longer do end-customers need to be burdened with hardware tokens, being forced to log in to complex computer systems to release wire transfers, or visiting a bank to sign documents and contracts.

Mobile, when implemented correctly, has the power to deliver unmatched security and user convenience, while also enabling new business processes that actually lead to delighting customers and engaging them in the fight against fraud.

While Choice should have perhaps known better, I think the banks also need to step up and start rolling out mobile-based security solutions that enable, rather than hinder, business. My bet is that they’d be pleasantly surprised; not only in the decrease in fraud, but also in the new opportunities to improve customer interactions and implement new revenue-generating services.

From where I blog, €36 million ($46.8 million) is a pretty successful bank heist.

Last week, news was released that cyber-criminals executed a multi-stage attack that compromised user PCs and the SMS channel on their mobile phones to execute fraudulent transactions, affecting more than 30 different banks across Europe.

As online fraud attacks grew in sophistication, and desktop malware became capable of modifying and initiating transactions unbeknownst to the end-user, the process of confirming transaction on an out-of-band channel (something other than the PC) started to emerge.

While some security vendors and banks worked diligently to engineer an out-of-band solution that was secure and leveraged advanced capabilities in the mobile phone, other approaches took the “quick and dirty” route and made use of the SMS channel to confirm the transaction out-of-band.

While SMS vulnerabilities and fraud attacks first emerged more than two years ago with the Zeus MITMO (man in the mobile), banks continued to rely on the SMS channel believing the threats were too complex to execute and, therefore, treated them as “edge cases.”

With more than 30,000 customers across consumer and wholesale/commercial banking, I think it’s safe to say the criminals refined the attack vector.

So, does this mean out-of-band transaction verification is useless? Does this mean we ditch the mobile device as a secure mechanism to protect against advanced cyber threat?

No. The problems are not with the concept of out-of-band authentication or the mobile device. It’s about developing a security feature on an insecure channel (e.g., SMS) that provides a less than optimal user experience for reviewing transaction integrity.

A far better approach would be to develop native smartphone applications that leverage the security features built into the mobile OS (e.g., code-signed applications and application sandboxing) and can establish a secure, mutually authenticated encryption channel between the device, the  transaction confirmation application and the bank server before transaction details are provisioned to the phone.

Couple that with a simple, easy-to-navigate user interface and you have effective protection against MITB and malware-based session-riding attacks. It’s a security approach that is both robust and simple to use.

Today, it’s Twitter. And it’s not surprising as we have seen username and password breaches at many online service providers over the years: Sony PlayStation Network,  Gawker,  Zappos,  DropBox, Epsilon, LinkedIn, Yahoo and the list goes on and on.

The problem stems from two main facts:

1) Internet-based services/applications continue to grow and expand every single day and consumers take advantage of them

2) These services are all independent of one another and each maintain their own set of user credentials and put forth “best efforts” in protecting those credentials

Each online service issues their own set of credentials and need a simple method to onboard users so typically defer to usernames and passwords. End users have so many usernames and passwords, they tend to re-use them.

Unsurprisingly, usernames and passwords are commonly re-used across services, allowing criminals to execute database attacks to harvest accounts credentials that can then be used (or sold to other criminals) to obtain data or money from other online services. While online service providers do their best to protect user credentials, they just don’t have the breadth of resources to effectively provision a solution that is both secure and simple for end-users.

Let’s face it, the Internet, and all of its applications, services and information, is mature, mainstream, and has achieved mass adoption. It’s clearly proven its ongoing value to the world, but the security underpinning it has not received due attention and is slowly becoming the true Achilles heel.

Online service providers need to come together and start moving toward a stronger, easier approach to identity-based security. HTTPS will not cut it; database firewalling will not cut it; encrypted usernames and passwords won’t cut it.

The giants of the Internet need to move toward strong user credentials that:

• Cannot be stolen or replicated
• Can be easily leveraged across multiple service providers
• Are simple to use on an ongoing basis (preferably by leveraging something the user already has, like a smartphone)

The good news is that the underlying technology exists, is proven and it’s standards-based. The bad news? An event more significant than a Twitter breach will have to occur before we wake up and smell the coffee.

Another easily preventable cyber heist on small business was reported this week by Brian Krebs. Primary Systems Inc. had $180,000 stolen from their coffers after thieves compromised their online banking by adding 26 “new” employees to the payroll and transferring funds ranging from $5,000-$9,000 per individual.

In reading the article, I find it simply fascinating that so many processes and controls that should have been in place were simply were overlooked, avoided or not understood at all. It made me immediately thing of the sinking of the Titanic and how it wasn’t just one issue (an iceberg in the ocean), but rather a series of unfortunate and avoidable events.

For Primary Systems and their bank, St. Louis-based Enterprise Bank & Trust, there are some simple, clear lessons that all small business owners AND banks need to understand. Read the rest of this entry »