Tuesday, February 19, 2008

Online Fraud Threats Show Constant Evolution

MBA (2/19/2008) Palaparty, Vijay
As financial institutions implement increasingly complex security measures to prevent online fraud, fraudsters work equally hard to gain access by using more scalable and effective ways to work around new protections, according to RSA Security Inc., Bedford, Mass.
“With the issuance of government mandates and regulation, such as the U.S. FFIEC [Federal Financial Institutions Examination Council] guidance demanding the implementation of stronger measures to protect electronic transactions, financial institutions have moved to secure the online banking channel in order to protect customer identities and keep the fraudsters out,” said Mark Gaffan, director of product marketing in the identity and access assurance group at RSA. “As a result, fraudsters predictably are making their own moves.”

RSA observes that emerging threats, multi-channel fraud and exploitation of unprotected applications are among the latest patterns and trends this year.

Phishing remains the most popular method used by fraudsters to attack online users—a simple and cost-effective means to reach numerous individuals to yield what fraudsters are seeking, according to the RSA report, Where Online Fraud is Going; An Insight into Emerging Threats and Changing Fraud Patterns. Microsoft Security Intelligence reported 31.6 million phishing scams in the first half of 2007—an increase of 150 percent over the prior six months.

“Evidence that fraudsters are continuing to invest in making phishing more effective is clear in the abundance of new plug-and-play phishing kits, universal man-in-the-middle phishing kits, fast-flux attack hosting networks, IRC command bots and other advanced tools that have come on the market to make phishing attacks easier to implement,” Gaffan said. “These ‘next generation’ phishing technologies are being used by fraudsters for the sole objective of stealing personal information and credentials from the customers of financial institutions, regardless of type, size or geography.”

Crimeware is also on the rise—apparently so much so that crimeware developers are even offering upgrade packages to buyers in the fraudster underground. When crimeware becomes detectable by anti-virus providers, developers will deliver a new ‘undetectable’ variant at a minimal cost, the report said.

RSA recommends an integrated security approach that incorporates external threat protection with stronger authentication at login and transaction levels. Additionally, it called for stronger relationships with partners such as anti-virus firms, ISPs and browser developers, and for enhancing identification, blocking and shutdown capabilities.

While online banking fraud has been reported to have grown exponentially, telephone banking is also a channel for fraud—one that many believed was a thing of the past.

“Leveraging the knowledge they gain through phishing attacks and other credential-gathering mechanisms, fraudsters are increasingly attacking IVR systems and call centers, both of which typically have weaker processes established to authenticate customers and are more prone to social engineering,” the report said. “Financial institutions continue to face challenges including the growing threat of phone fraud, increased regulatory requirements, the rising costs associated with manually authenticating callers and ongoing pressure to attract and retain customers. As long as the phone channel continues to be a key vehicle for financial institutions to interact with their customers, it must be assigned the same level of importance in terms of security as the online channel.”

According to Javelin Strategy and Research, Pleasanton, Calif., 67 percent of banking customers used the telephone to conduct business in the last year.

“Multi-channel fraud is often overlooked because the online and telephone banking channels are typically separate operational units within the structure of most financial institutions,” Gaffan said. “Therefore, identifying fraud attempts across channels remains a challenge. Properly securing this channel can help reduce fraud. Most importantly, securing the phone channel can improve customer confidence in telephone banking.”

Financial institutions also face increased risk when dealing with new customers, RSA said.

“Despite the implementation of strong authentication and stringent FFIEC examinations, many U.S. financial institutions remain vulnerable with regard to the enrollment and account origination processes offered through their online banking platforms,” the report said. “While some institutions have implemented protection and FFIEC examiners have called for additional measures to be put in place to secure the processes, many financial institutions still lack comprehensive protection in these areas. The combination of risk-based transaction protection and identity proofing is the ideal combination to mitigate the risks in the enrollment and origination processes.”
