Banks Targeted for Malicious Attacks
New Report Says Organized Crime Targeting Mobile Devices, Social Networking Sites
Financial institutions should brace themselves for more malicious attacks, as the recent Threat Horizon 2010 report from the Information Security Forum (ISF) warns of an increase in such threats -- including attacks from organized crime and industrial espionage.
"In general, financial services probably represent the most attractive target," says Andy Jones, CISSP and ISF's Principal Research Consultant, who was the report's primary author. The report draws on the knowledge and hands-on experiences of ISF members, representing more than 300 of the world's largest business and public sector organizations. (The global financial services industry makes up 35% of ISF members.)
The ISF is already seeing a shift from indiscriminate events to highly targeted and planned attacks by organized crime groups, says Jones. These organized groups are developing more sophisticated 'business' models to extort online businesses, and are using these models for money laundering. A combination of social engineering and technical attacks is increasingly being used to steal identities and information in order to commit fraud.
The ISF report also warns of the spread of malware targeting mobile devices, which often don't have the same anti-virus or security controls as traditional networks and PCs. The growing trend of mobile and remote working will inevitably attract new forms of mobile malware designed, for example, to create fraudulent payments or denial of service attacks.
Financial institutions that are already offering mobile banking or are considering offering it to their customers need to put security first. "The mobile internet is still in its relative infancy, and it is important that consumers do not lose confidence in mobile transactions," says Jones. "Given the current high level of public concern over identity theft, any weaknesses in mobile phone security will be very damaging to the customer acceptance of mobile-based channels. It is possible to exploit weaknesses in early versions of Bluetooth to take over control of mobile phones."
While the vulnerabilities of early versions of Bluetooth have been addressed, some early Trojans (such as Flexispy) have been reported and demonstrate that the mobile platform could be vulnerable, he warns. "There are also several hundred reported types of mobile malware. Most are fairly immature and rely on user action to install (usually achieved by social engineering techniques)," Jones says.
The third area of increasing risk is the rise of social networking sites such as Facebook and MySpace that are popular with employees. These sites are another avenue for accidental leaks of an institution's data, and Jones believes that cyber criminals will adapt new methods of attack to target the vulnerabilities of social networking sites. Virtual worlds such as Second Life may also present new risks if brand damage in the virtual world translates back into the real world.
Jones says institutions should also consider other threats such as:
For more information on the report, visit https://www.securityforum.org