
January/February issue

Crooks gang up to beat banks


Paul Gosling

Citibank, Royal Bank of Scotland, Lloyds TSB and Halifax Bank of Scotland. Plus Visa, PayPal, SwiftPay, eBay and Amazon. Quite a roll-call of famous victims of the “phishing” email scam (see note) that has set back by years the carefully constructed public confidence in online banking and ecommerce.

Nor are phishing emails by any means the only online attacks banks and financial services companies face. There are also the counterfeit websites which the phish emails link to. These can easily fool the unwary with their apparently authentic web addresses and corporate logos. And there are virus attacks and hacks into computer systems which can either distort data or create denial of service (DoS) failures for anyone trying to access banks’ websites. By the end of last year, nearly 50 banks and financial services providers had been “passed off” by spammed phishes. The total damage from the various forms of online attacks was probably around $3 billion, says security analyst mi2g.

But while the targets, both corporate and consumer, are obvious, there is a raging debate about the profile of the culprits. Is it the 14- or 17-year-old sitting alone at a computer in Bucharest or Bogotá, or is it masterminded by a mafia hardman in Sicily or Serbia?

Feeding the wolf

Neil Barrett, technical director at Information Risk Management (IRM) and a professor at Cranfield University, believes that organised crime is probably now heavily involved in attempting to extort money from banks, either through DoS attacks or through phishing emails. The rise in the number of attacks makes Barrett suspect that some corporations are paying up. This is despite the longer term impact on the corporate sector that payment encourages.

“Nobody has sat down with me and said that they have definitely paid out on an extortion demand,” concedes Barrett. “But I have seen attacks disappear, which I can see no reason for unless the attackers were paid off. So I have to believe that this is what happened.”

Barrett, like other analysts, believes that organised crime is a much bigger threat than political activists with anti-capitalist or even pro-Al Qaeda sympathies. This is suggested, says Barrett, by the number of attacks that originate in Russia, Bulgaria and other former Soviet countries, where former KGB technical specialists operate on a freelance basis. Some may be demanding a pay-off; others are obtaining information to order, or delving into banks’ databases to find evidence with which to blackmail business leaders or politicians, such as evidence of mistresses.

DK Matai, executive chairman of intelligence advisor mi2g, suggests that banks face threats on three main fronts: the so-called phishing emails, denial of service attacks, and distributed viruses. “The most worrying development is the financial fraud scams setting up look-alike web sites,” he believes. “The objective here is simple fraud at the expense of bank and customer. The success of this fraud is evident by the way in which banks and customers have been targeted in much of the world, including the UK, US and the Baltic states.”

But, argues Matai, the biggest threat in the future may be from denial of service (DoS) attacks on banks’ websites, as organised crime attempts to extort money. Up to now the main targets have been online gambling and other e-commerce websites, says Matai, but banks can expect to suffer more of this type of attack in coming months.

mi2g's predictions for 2004

  1. Forms of attack — denial of service, hackers, viruses, worms and spam
    — will integrate. Most targeted countries will be US, UK, Germany and
    other NATO members. Most attacks will come from developing
    countries.
  2. Spam will become a propaganda tool for rogue states and militant and
    religious groups.
  3. Spam will increase and may constitute two-thirds of emails. Productivity
    loss from spam will grow to $60bn in year. Executives will revert from
    email to fax.
  4. Motivation for viruses, hacking and spam will be financial gain. Identity
    fraud will proliferate, aimed at online bank accounts and electronic
    payment facilities.
  5. Command and control attacks will target financial services and other key
    sectors, combining “malware”, hacker attacks and insiders, taking out
    ATMs and other services.
  6. Offshore outsourcing centres will be at risk from local organised crime,
    with staff involvement.
  7. There will be more attacks by fundamentalist Islamists based in Morocco,
    Egypt, Saudi Arabia, Kuwait, Pakistan, central Asian republics, Indonesia
    and Malaysia.
  8. There will be three major forms of “malware” — virus or worm —
    attacks in 2004, each costing $30bn.
  9. Governments and large businesses will set up early warning centres and
    begin to migrate from proprietary to open source solutions. Transnational
    criminal syndicates involved in drug trafficking, contraband,
    counterfeit goods, illegal immigrants, credit card and other financial
    fraud and computer crime will be busted.
  10. Fixed connection computing will give way to wireless connectivity.

“There is no published evidence that any bank has been hit by DoS attacks, but we believe that the biggest threat in 2004 is the combination of extortion demands with DoS attacks,” says Matai. “We believe that the most advanced hackers are Russian or from part of the Russian Federation, including the Ukraine. The most prolific are from Latin America.”

The international character of those attacking major corporations’ websites can perhaps be gauged by one incident. The US Attorney’s office in California has been pursuing a Ukrainian national for the last three years. It alleged he caused losses of $100 million through various offences, including credit card fraud, counterfeit software production and money laundering. The man was eventually arrested in Thailand, where he was travelling on a false identity.

Many of the more sophisticated operations are part of organised crime syndicates, where the gangs may also traffic in humans and drugs and run other extortion schemes, says Matai. Typically, the online operations are part of a wider attempt at mass identity fraud which may be used for a variety of purposes, he says.

Peter Yapp, director of IT services at the Control Risks Group, another security consultancy, agrees that banks need to view attacks on them as part of concerted campaigns of identity theft. The first symptom may be the use of someone’s credit card for a fraudulent transaction, but the second incident may be an application for a duplicate passport that will enable an illegal immigrant to enter the European Union.

“Fraud based on identity theft is the number one issue,” says Yapp. “There is a lack of education of the public and they are falling for this (through phish emails) all over the world. Banks have got to raise the awareness level so that all customers understand that they would never be contacted in this way, asking password information and PIN numbers by email.

“This type of crime has been around for a long time. Crooks do go through people’s bins. Customers have to be taught never to throw credit card slips away. But if you couple this with online account information you can do everything a lot quicker. People are very lax with what they do with their personal details.”

Yapp warns that if a scammer can obtain the personal information banks typically hold on customers, such as name, address, date and place of birth and mother’s maiden name, then they are well placed to obtain a false passport too.

But, he argues, it is easy to overstate connections between the phishing fraud and major organised crime. “Some of the counterfeit websites have been fairly sophisticated,” he concedes. “There is a chance that organised crime sees this as a quick win. But I suspect most of this is at the low level, younger end of the market, or carried out by part time hackers. It’s fairly easy to do.”

While Yapp’s analysis is at odds with other observers, most agree that there is a link between online attacks against the banks and Islamic fundamentalist and/or anti-capitalist terrorism. “We have looked at whether there is linkage between IT attacks and bombers, and so on,” explains Yapp, “but the feeling is that it is not organised. People might be inspired by teachings to do something, but they are not the same as the bombers, and there are no organised links.”

mi2g takes the same view, even though its statistics show an upsurge in attacks on Western targets after military actions against targets in Islamic countries.

So what should banks do now? As well as educating the public, as Yapp suggests, mi2g’s Matai argues that banks will have to challenge the assumption that consumers have the right technology for conducting online transactions. He argues that banks must accept that their existing online security systems are inadequate, and that only a step-up in technology will resolve this. He believes that banks must take a lead in improving online authentication. Ultimately this will have to involve either smart card readers attached to PCs and laptops, or a mouse which allows biometric authentication of identity.

“These developments have not taken off as yet because banks say they have five million customers online and the cost of moving them onto a higher level of authentication is too great. And there is a learning curve,” says Matai. But he believes that at some point banks will be forced to make the investment as more customers are put off online transactions because of the perception of high fraud risk.

Banks may also be forced to re-examine their use of operating systems. mi2g’s analysis found that companies that use Microsoft operating systems were the most susceptible to denial of service attacks, but those which adopted Linux systems had the highest number of hacker intrusions.

IRM’s Barrett believes that the level of sophistication of the attackers is such that banks cannot afford to operate in isolation. He argues they must co-operate more. “Banks must work together to solve this in the same way they work together to counter credit card fraud or scams relating to money laundering,” he says. “No individual bank can hope to fix this themselves. And it is not something banks should seek to compete on. They need to show a united front.”

Barrett also believes that the vulnerability of banks indicates that most fail to give IT security specialists the enterprise-wide access they need to implement fraud prevention policies more effectively.

If you listen carefully you might hear a chorus of IT professionals around the world agree.

Paul Gosling is a freelance journalist who specialises in finance and information technology, and who is author of several books. He writes for The Independent, Public Finance, Accounting & Business (news editor), and First Voice.

NOTE

Antiphishing.org, a web-based group set up to stop phishing attacks, says
“Phishing attacks involve the mass distribution of 'spoofed' e-mail messages
with return addresses, links, and branding which appear to come from
banks, insurance agencies, retailers or credit card companies. These
fraudulent messages are designed to fool the recipients into divulging
personal authentication data such as account usernames and passwords,
credit card numbers, social security numbers, etc. Because these emails look
“official”, up to 20% of recipients may respond to them, resulting in
financial losses, identity theft, and other fraudulent activity.”
For more details see the website at www.antiphishing.org.

 
