The same vulnerabilities that have made the online banking channel an easy target for fraudsters also will soon plague mobile banking, says Julie Conroy of the consultancy Aite.
Fraudsters are using cross-channel methods to compromise accounts, says Conroy in an interview with Information Security Media Group [transcript below]. And weak usernames and passwords have allowed attackers to easily perpetrate cross-channel and cross-vector schemes, because consumers too often use the same credentials across multiple sites and online relationships.
"We're seeing the institutions taking account takeover-based losses in the mobile channel," says Conroy, who recently spoke at Information Security Media Group's Fraud Summit. "The e-commerce merchants are taking the brunt of it right now because the banks tend to have their mobile channel a little bit more tied down with rules and controls."
The criminals are taking the time to study their targets, she says. Once they see technologies and policies deployed to the online channel to mitigate fraud risks, the fraudsters will move over to the mobile channel, Conroy predicts.
"As they see that basic lifecycle flow, they will time their attacks and, as the opportunity dries up online, they will move to mobile and maximize their opportunity there until those opportunities dry up as well," she says.
Fraudsters are also taking advantage of mobile's unique properties, developing malware that's specifically designed to capitalize on mobile.
"In many cases, unfortunately, they're finding some of the loopholes before we do and seal them up," Conroy says.
During this interview, Conroy discusses:
- How fraudsters are combining technology with in-person social engineering to compromise accounts;
- Why the same vulnerabilities that have made the online channel an easy target also will soon plague mobile; and
- How fraudsters are monitoring e-mail traffic for communications between banks and their customers.
Conroy has more than a decade of product management experience, working with financial institutions, payments processors and risk management companies. Before joining Aite, she was the senior vice president of product management with Golden Gateway Financial, where she developed and managed new financial services lines of business. Previously, she was vice president of product solutions with Early Warning Services, where she managed a suite of fraud prevention services. Conroy also formerly led operational process improvements for NextCard, where she identified points of compromise and implemented solutions to reduce fraud and operational expenses. She began her career as a research analyst at E*Offering.
Outdated Authentication Methods
TRACY KITTEN: How have outdated authentication methods impacted account takeover fraud trends in the last 12 months for banking institutions and e-commerce merchants?
JULIE CONROY: To the extent that anyone was considering username and password an authenticator, right there is a key point of vulnerability. The use of username and password as an authentication tool is dead. It's a great database lookup mechanism, but that's about it. Part of that is just the weakness of the passwords themselves, but most of that is the fact that 55 percent of consumers use the same set of credentials across all of their online relationships. They get compromised in one place and that basically gives the keys to the kingdom to the bad guys to make use of them across the Web. In the myriad database breaches that we've seen over the last 18 months or so, credentials were compromised and in many cases they were just stored in a very basic hashed format, making it very easy for the bad guys to decrypt them. As soon as they do that, they load them into their bots and dress them against as many properties as they can, trying to see where they're going to work. That's a key reason why, as I talk to e-commerce merchants, many of them have seen account takeover-related fraud eclipse stolen card fraud as their greatest source of pain over the last year.
Changing Account Takeover Attacks
KITTEN: How have account takeover attacks adapted in the last 12 months to circumvent some of the new security controls that institutions have put into place?
CONROY: I've had repeated conversations with a number of these banks over the last few years now. There were some banks that I spoke with a year or two years ago that hadn't really been hit that hard by corporate account takeover, and their controls were strong enough and sufficient enough that the bad guys were going to other less-protected banks. But there were a few of them that I spoke with for this latest round of research where they had dual control deployed, they had dual control in conjunction with one-time password tokens, all of the stuff that you think are pretty strong controls, in association with the other layered defenses, and the bad guys are combining their traditional attack vectors using malware, Trojans, keylogging and then also working in some social engineering.
There's one case where the bank was requiring dual authentication for wire transfers. The bad guys would basically get the malware on one computer, would get the one-time password key log and would use that to do the first step of the wire release. Then they would place a phone call to another authorized user at this small business, convince them that there was something amiss with the account and that the person needed to go and log in from her colleague's computer to fix it, whatever it happens to be. In so many cases, the fact that somebody was placing the phone call, they just automatically believed it was the bank. At the end of the day, the bad guy only had to get his malware onto one computer and then, using social engineering tactics, was able to get the second approver to initiate a transaction using their one-time password token from that same malware-infected computer. That gave him the second password he needed to effect the dual controls. It just shows that they study their targets and there's so much money in it for them that they will be patient, they'll do their homework and they will do what it takes. If it takes making a phone call to the business and pretending to be a bank, they will do that.
Committing Fraud via E-mail
KITTEN: Ultimately, fraudsters compromise e-mail log-ins and passwords, they monitor the e-mail traffic and they're watching for communications between the e-mail account holder and that account holder's banking institution. But how is fraud committed?
CONROY: This goes back to the value of all of these credentials we've seen compromised. Those credentials aren't only valuable for logging into online banking or e-commerce accounts and draining the funds that way. Also, many times the same credentials work to get the bad guy into the Gmail accounts or whatever's being used by that small business. They will use those credentials. They will find a business that's communicating regularly with their banker via e-mail and they will just monitor the traffic. Then, at the opportune time, they will insert themselves in the conversation while logged in as that small business. The banker sees the e-mails coming, thinks that he's still communicating with the controller at the small business and, when that controller makes a request to send a wire to a new account, even though in many cases it's clearly against bank policy, the banker has his service cap on and so they're doing it. It shows the flexibility and the capability of adjustment of these guys. We're seeing that as banks deploy things like mandatory secure browsing software, effectively making it very difficult to perpetrate the malware-based account takeover attacks, the bad guys are resorting to different tactics, and unfortunately they're succeeding.
Authenticating Online Users
KITTEN: Multilayered and out-of-band authentication methods have been noted by regulators as offering more security than usernames and passwords alone, but these methods also have been compromised. What would you say is the best approach to authenticating online users?
CONROY: You can't rely on any one-point solution. The bad guys have found ways to burst through any single-point solution. It goes back to the need to deploy multiple complementary technologies in a risk-based manner. If you think of it as a funnel, you have your transparent and unobtrusive technologies at the top that can basically help to validate or verify a chunk of the users, and then keep deploying those technologies at the session level, at the transaction level, at the endpoint level, all the way down, and have the capability to do some risk-based, stepped-up authentication with that end user. Deploy ... a web of technology that makes it more and more difficult for the bad guy to get through.
If it becomes more time-consuming and more expensive to compromise your institution than the guy down the street, they're going to leave you and your customers alone. It's also a matter of there's never an end point to this journey. There's no destination. You have to continually iterate forward what you're doing. Just as the bad guys are innovating, there are also some really interesting and innovative technologies that continue to be developed and deployed to the market and FIs need to keep abreast of these.
They also need to make sure it's not just about the technology, but it's also about the rules and the policies. As I said earlier, the bad guys do their homework; they study their targets. But if you're making tweaks here and there to how your policies work and how your stepped-up practices work, it's going to be harder for them to get the lay of the land. If it becomes too difficult and too time-consuming, they're going to move on to easier targets.
Mobile Banking Trends
KITTEN: How do mobile fraud trends connect to the account takeover trends that we've discussed here?
CONROY: Mobile is just another channel and it requires username and password in most cases. We're seeing the institutions - the banks and e-commerce merchants alike - taking account takeover-based losses in the mobile channel. Certainly the e-commerce merchants are taking the brunt of it right now because the banks tend to have their mobile channel a little bit more tied down with rules and velocity controls. But, as the bad guys study their targets, they also recognize that often preventative technologies ... or preventive policies, in many cases, are first deployed online and then moved over to the mobile channel. As they see that basic software development lifecycle flow, they will time their attacks and, as the opportunity dries up online, they will move to mobile and maximize their opportunity there until those opportunities dry up as well.
The other thing that we're seeing is that the bad guys are taking advantage of some of the unique properties of that mobile environment. Some of the malware that's popping up there is very specifically designed to capitalize on some of the unique properties of mobile. In many cases, unfortunately, they're finding some of the loopholes before we do and seal them up.
Compromising Consumer Apps
KITTEN: Are there any specific social-engineering schemes that are being used to compromise mobile users?
CONROY: The socially engineered schemes tend to arise more in the business banking environment, and right now that's fairly tied down with rules and with velocities. We're not necessarily seeing the social engineering pop up quite so much yet in the mobile environment; it's just a matter of time, especially as higher-risk functionality is being deployed in that environment.
Where the e-commerce merchants are feeling extreme pain in mobile is more the mass consumer applications, which is the bulk account takeover, the use of stolen card data, some of the capabilities to deconstruct the mobile app and write transactions directly into the database in that way. It's not so much social engineering; it's just that the pain is coming because you have these masses of consumer accounts that have been compromised and are being leveraged in the mobile channel.
One of the most interesting things that came out of this latest round of research was that as much as the threat environment is moving so fast, there are some very interesting technologies that are available to the banks and the merchants, and there are also opportunities to collaborate among these groups. These groups aren't traditionally two groups that collaborate together. Banks, issuers, merchants - sometimes it is oil and water. But as I'm talking to these groups, I'm finding examples of where they're collaborating, sharing threat intelligence and at times bringing joint cases to law enforcement to get the prosecution. To the extent that we really are up against the same foes, I think it's incumbent on the industry to find ways to better collaborate with one another. It's going to take every tactic and every strategy that we can come up with to potentially just keep pace with the bad guys, let alone get ahead of them.