From Hannaford Brothers to Countrywide, this year has been full of stories of criminal activity on the Internet, with hackers and phishers wreaking havoc on computer systems and consumers, causing credit and debit fraud numbers to soar.
What does next year hold for fraud against financial institutions? Here are 10 of the new and old ways criminals will be looking to commit fraud in 2009.
1. ATM Network Fraud
According to Paul Kocher, president and chief scientist of Cryptography Research Institute, the number one area where institutions will see fraud growing over the next year is ATM networks. "When the criminal gets access to magnetic stripe data and associated PIN values, they are then able to create cards, and basically then it's a license to print money," Kocher explains. Another problem for institutions is that their ability to perform risk management is significantly less on an ATM network than for online transactions. "This is because the ATM delivers the goods to the consumer immediately to them, which is exactly what the fraudsters want -- the cash, rather than a large ticket item they have to then fence or resell," he concludes.
Kocher predicts that until U.S. financial institutions and credit card companies roll out either a contact or contactless-based smart card infrastructure, there won't be a great reduction in the amount of fraud being perpetrated against U.S. consumers. "Once they decide to do this, it will cause a great reduction in the amount of fraud, because we've seen it happen in Europe," says Kocher.
2. Check Fraud
The area of check fraud is also becoming continuously more sophisticated, and the underlying technological systems haven't kept pace with the sophistication of the adversaries, says CRI's Kocher.
"Initially there will be more pain and losses on the part of institutions, and then more technological changes on their part to try and catch up to the criminals' ability to perpetrate check fraud," he observes. There won't be a solution for paper-based check fraud, Kocher says, until we have a technological development where the check itself can be authenticated via a chip or code. There are actions that could be taken, such as printing a code on the back of the check that the bank can verify, like a credit card.
"Eventually we'll end up with something similar to that, but the question is how long will it continue to grow until it becomes financially painful enough for banks to implement this?" Kocher asks.
3. 'Laser-Guided' Precision Strikes
The organization and sophistication of criminals is increasing, and so is the sophistication of their attacks. Mike Rothman, Senior Vice President of Security Strategy at eIQnetworks, sees a "laser-guided" approach to targeting precision attacks on institutions' customers as the next step that these criminals will take. "They will use data already collected from previous attacks on companies, including ChoicePoint and others to build their attacks." One information security researcher told Rothman that organizations like the Russian Business Network (RBN) have built demographic databases "that rival some of the biggest and most significant demographic databases in the financial services industry that are used here in the States legally."
Criminal groups like RBN are compiling huge amounts of data in order to get consumers to share account information with them. This allows them to entice those customers to "give up the goods" by divulging enough information that the customers feel comfortable with the scam. The victims include small businesses, which Rothman sees as the next crime front.
"Most small business owners are not sophisticated enough or wary of emails that would offer services," Rothman notes. Especially in the tough economic times facing all businesses, he sees a marked increase in fraud targeting small businesses. "We're always going to see criminals targeting consumers. The small businesses that are already being pushed to the wall in these hard economic times won't realize they've fallen prey to a slick targeted attack until it's too late, and there is a lot of fertile ground out there that could be attacked." One example, Rothman says, could be an offer of online applications for small business loans or credit lines. In many cases, these attacks could be launched as part of a generic social engineering attack. Proactively, financial institutions can continue to train employees and offer information to customers, making them aware of these types of attacks.
4. Phishing Attacks To Continue
In 2008, the financial services industry saw an increase in the number of phishing attacks, which are expected to continue into 2009, including sophisticated spear phishing and Rock Phish attacks. The Anti-Phishing Working Group reports that the financial services sector remains the most targeted sector, with an average of more than 90 percent of attacks being directed at financial services.
According to Terry Gudaitis, PhD, Cyber Intelligence Director at Cyveillance, a cyber intelligence firm specializing in phishing takedown and monitoring services, one area she and others see as a growing threat for phishing attacks is "Smishing," or SMS phishing. "Phishers are now sending their phishing messages over cell phones via text messages. This will cause confusion among online banking users, especially those using mobile banking services," she says. "The typical banking customer will think, 'My bank won't email me, but they're sending me a text message asking me to click on this link or call a number to verify,'" Gudaitis says. "While the SMS attack vector is different, the object of the phisher is the same. This type of attack will pose a credibility issue and will impact banks with mobile banking services, especially as customers become more reliant on and more trusting of their mobile phones."
5. Check Image Fraud
Traditionally, after a successful phishing attack, the criminal would extract the needed information, go into the online account and remove the victim's bank funds. This has changed for some of the more sophisticated criminals in the last year, says Ori Eisen, Founder and CIO of 41st Parameter. "Instead of looting the victim's account, they don't set up fake bill pay or take money directly from the account. Instead they go to the check image page, where they take a copy of the victim's check."
Many financial institutions are now offering check images as part of their online banking services to their customers. The customer can go online to see what checks have cleared, Eisen notes. "So what is on those checks? The victim's bank account number, signature, address, phone," says Eisen. It's a treasure for most criminals. They can either take the copy and make paper counterfeit checks to distribute, or take that information and create PayPal accounts or other online payment accounts that will leave the victim on the hook for any purchases.
Eisen says check image fraud is hitting the top financial institutions around the world to the "tune of millions of dollars per month. The amount they're being hit with is significant," he says. Banks are on the hook for these losses. Especially with the proliferation of Trojans, keyloggers and other malware that find their way onto customers' computers, banks can't hide behind the statement that the customer didn't protect their account information. As more institutions begin losing money to check image fraud, they'll need to find ways to mask the check images online, especially with the increased phishing that is occurring, Eisen warns.
6. Zero Day Attacks
Another area that financial institutions will need to keep an eagle eye on is the shift in the way financial fraud is happening. CRI's Kocher sees attacks changing from criminals trying one thing and increasing their attacks against a particular vulnerability or fraud strategy to something similar to hackers attacking computer vulnerabilities, where the smartest adversaries identify a problem, keep what they learn secret, and then attack the target in a very sudden and catastrophic way.
He sees criminals going for these "zero day type exploits," rather than gradually building up over a period of time. The reasons for this type of attack are easy to figure out: "If an attack gradually comes out, a patch will invariably be developed and deployed to stop it."
As attacks gradually increase, so does the response to stop them. However, Kocher points out that this response approach works well only up to a point. "Once the criminals realize that the fast and furious type of attack strategy will work and doesn't give the financial institution time to respond, it may end up that we will end up with a more toxic attack that we've never seen before," he predicts. The types of attacks could include a single attack against a bank's network or on its ATM network.
Before, when there was a breach of an ATM switch, the stolen data was used gradually over a period of time, rather than rapidly in a coordinated fashion, he says. "At some point it will become more profitable for the criminals to use the data immediately so that the risk management programs won't have time to respond." Should that become the preferred strategy of attack, it won't become more profitable for the criminal because they will have to deploy the stolen information to large numbers of drug addicts on the street, he says. This group is the majority of the people who commit ATM fraud. But the bad news for financial institutions: "If it happens once or twice to your competitor, then you better take it seriously. These sorts of attacks that come out of the blue are much scarier than those that you see coming, building gradually over time that you can do something about, or have a week's debate about how to solve it before anything too serious has happened."
7. Low 'N Slow Attacks
Imagine having the best firewalls, intrusion detection systems and an unbeatable monitoring system installed, says eIQnetworks' Rothman. But your computer systems are still compromised. What happened? Rothman says it may have been a "low and slow attack" that happens not over a period of a few minutes or hours, but over a period of days, weeks, or even months.
Financial institutions have bolstered their defenses against the quick "smash and grab" attacks, similar to robbers running into a jewelry store and stealing jewels out of cases. "Now the criminals will compromise a machine and sit back and wait, maybe a day, week or even a month before going back to it and see what else they can compromise through it," Rothman says. What is their end goal? "To compromise the entire network and perpetrate fraud over a long period of time," he says.
In the time dimension, these criminals realize that it is far less likely for them to get caught if they're doing it over a long period of time. "Obviously, most companies evaluate data coming over their networks in a two to three day period, not over a period of weeks or months. So there is no correlation if they wait," Rothman explains. The institution won't "connect the dots" that they've got a criminal with spyware on a computer, sitting there picking up passwords and user names, and then three weeks later those user names and passwords are used to get into the database server. "If the company is only evaluating data over a two or three day period, those guys are flying WAY under the radar," he notes. Rothman recommends that institutions look for anomalies and begin to evaluate them and search out the cause. "Unless you're gathering data to look for these types of actions, say over a 21- or 30-day period or even extending it out to 60 or 90 days, you'd never make the connection in order to raise the red flag within the organization," he says.
In the financial services industry there are no currently known examples of "low and slow" attacks, Rothman says. But the most famous "low and slow" attack this year was the Hannaford Brothers grocery chain breach, where the attackers waited and pulled down information about customers over a three-month period.
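The correlation gap Rothman describes can be shown with a short detection sketch. This is an added example, not code from the article or from any vendor's product; the log format, account names and host names are constructed for illustration. It links a spyware alert on a workstation to a later database login by the same account and compares a 3-day lookback with a 30-day one.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident):
# timestamp | source | event | account | host
SAMPLE_LOG = """\
2008-09-02T10:14:00|endpoint-av|spyware_detected|jsmith|ws-114
2008-09-03T08:01:00|db-audit|login_success|mlee|db-core-01
2008-09-04T16:40:00|endpoint-av|spyware_detected|akhan|ws-207
2008-09-05T09:12:00|db-audit|login_success|akhan|db-core-01
2008-09-24T02:37:00|db-audit|login_success|jsmith|db-core-01
"""

def parse(log_text):
    """Turn pipe-delimited lines into event dicts sorted by time."""
    events = []
    for line in log_text.strip().splitlines():
        ts, source, event, account, host = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "event": event, "account": account, "host": host})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, lookback_days):
    """Flag database logins by accounts whose workstation had spyware
    detected within the lookback window before the login."""
    window = timedelta(days=lookback_days)
    exposures = {}   # account -> list of (alert time, workstation)
    findings = []
    for e in events:
        if e["event"] == "spyware_detected":
            exposures.setdefault(e["account"], []).append((e["ts"], e["host"]))
        elif e["event"] == "login_success":
            for alert_ts, ws in exposures.get(e["account"], []):
                gap = e["ts"] - alert_ts
                if timedelta(0) <= gap <= window:
                    findings.append((e["account"], ws, e["host"], gap.days))
    return findings

def flagged_accounts(lookback_days):
    """Accounts flagged in the constructed sample for a given lookback."""
    return sorted({f[0] for f in correlate(parse(SAMPLE_LOG), lookback_days)})

if __name__ == "__main__":
    for days in (3, 30):
        print(days, "day window ->", correlate(parse(SAMPLE_LOG), days))
```

With the 3-day window only the login that follows its alert within a day is flagged; the login that arrives three weeks after the alert appears only when the lookback is extended to 30 days.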
8. Drive-By Attacks Deliver
Institutions need to educate and warn customers and employees to beware of online look-alikes and infected websites, says Tom Wills, Javelin Strategy Research's Senior Analyst for Security & Fraud. "Drive-by attacks that surreptitiously deliver keylogging Trojans to customers' computers are becoming identity thieves' weapon of choice." Machines are infected when users visit bogus bank sites that they've been directed to via phishing emails or, increasingly, legitimate sites that have been hacked, he notes.
Javelin's Wills also predicts there will be an increase in the number of "amateur" hackers and criminals, looking to purloin cash or personal information from institutions' customers, mainly due to the bad economy. "Institutions should expect an uptick in amateur fraud. These 'crimes of opportunity' will occur among customers and employees as more people are financially stressed as a result of the economic downturn," Wills notes.
9. Phones Will Be Ringing
All institutions need to keep a close ear and eye on their phone channel, says Wills. "As online banking security improves through better authentication and back-end anomaly detection, fraudsters are following the path of least resistance and turning to the phone (call centers and interactive voice response technology), where authentication procedures tend to be less stringent," he notes. Wills stresses that all customer access channels need industrial strength security, not just some of them.
10. Insider Threat
This is one of the most important issues that financial institutions are going to face in the coming year, says Jody Westby, Adjunct Distinguished Fellow at Carnegie Mellon University's CyLab and CEO of Global Cyber Risk, a Washington, DC-based cyber intelligence firm. "In this economy, people are going to be more tempted to steal inside data, to sell it or use it for their own purposes. The insider threat will be more prevalent than in the past; there will be more desperate players out there," Westby notes. Proper monitoring of all employees, vendors and contractors, along with a separation of duties plan, will help stop this from happening, but as was seen in such cases as the Countrywide insider case, a determined insider is one of the hardest types to stop.
By Linda McGlasson