BankInfoSecurity.com - Information Security News, Regulations, & Education

Gartner's Avivah Litan on Fraud Trends in Banking

ACH, Authentication and Security Challenges
February 12, 2010 - Linda McGlasson, Managing Editor
What are the top fraud trends facing financial institutions in 2010?

Gartner's Avivah Litan shares her insights in an exclusive interview with Information Security Media Group's Linda McGlasson, discussing:

Increased number of attacks on strong authentication;
How to handle ACH fraud;
The biggest security challenges for banking institutions.

Litan has more than 30 years of experience in the IT industry and is a Gartner Research vice president and distinguished analyst. Her areas of expertise include financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications, as well as other areas of information security and risk. She also covers security related to payment systems and PCI compliance.

LINDA MCGLASSON: Hi, this is Linda McGlasson, Managing Editor at Information Security Media Group. We are talking today with Avivah Litan, Gartner Analyst, about fraud trends. Avivah, what are the key trends that you are focused on in 2010?

AVIVAH LITAN: From a fraud perspective, I see a lot more attacks using social networks as the vectors. So for example, not just Facebook account takeover, but also different kinds of social networks where users come together, like dating websites, classifieds or games. We are getting calls from several companies in those sectors, and there are a lot of takeovers happening in those accounts. Also, those accounts are vectors for planting malware on customers' PCs. So the use of social networking is a great attack vector for the criminals, because it brings together millions of unsuspecting users.

Some of the other trends I see are that once they get the credentials or account data, the criminals are now focused on cross-channel fraud. That started last year and a little bit in 2008, but they are getting better at figuring out how to call call-center operators and get their way through accounts using information that they gather on the internet to commit different kinds of fraud, whether it's through phone banking or debit card fraud. So the criminals are figuring out how to go about cross-channel fraud.

The other thing we're seeing is these crooks are getting really good at what they're doing. So, they've been studying these bank websites, and they probably know more about how particular bank security works than many people at the bank themselves. They basically are mimicking their systems. They know how many seconds it takes for them to prompt users for authentication credentials. So they've just gotten really good, some of them, at knowing how to penetrate bank security by studying them, copying them and figuring out how to socially engineer their customers to get through any of the security controls that are there. So those are the main trends. There are others, but using social networking as an attack vector, using the stolen credentials for cross-channel fraud, and figuring out how these bank websites work just by studying them; you know, the criminals are studying them and figuring out exactly how they work and how to penetrate through security.

MCGLASSON: What are your thoughts on strong authentication?

LITAN: I've talked to lots of banks over the past year, and I was surprised to find out just how pervasive attacks on strong authentication are. So in countries, for example, such as Scandinavia, where they've been using strong two-factor authentication, the criminals have had to circumvent those controls to get into the bank accounts, and they've really done that and they're starting to do that in the United States, too, when there is two-factor authentication involved.

So, what do I mean by two-factor authentication? It is basically when the user has a token or something in their hand. Most probably it's a one-time password token that generates a new number every 60 seconds. The crooks have figured out how to get through that, and so some banks will react by saying, 'Well, oh, maybe we should use a smart card instead, or a USB token instead?' The bottom line is all these factors are going through the user's browser, and nothing is safe going through the user's browser because the new malware is now sitting inside that browser and is acting on behalf of the user. So you can put a biometric on your PC, you can put in a smart card, it doesn't matter. As long as it is going through the browser, the crooks have figured out how to beat it.

MCGLASSON: What can we learn from the recent Google hack? Would fraud prevention technology help an organization catch or stop this kind of intrusion?