The Expert's View with Tom Wills

Fraud Fighting: What We're Doing Wrong

Why Online Security Is Not Just a Technical Issue

There's a saying that's heard often in the security trade: "You build a wall - the fraudsters build a higher ladder." It describes those situations where the good guys and the bad are continually battling to outdo each other.

Take, for example, the warfare going on today in the world of Internet banking. I can't think of any place where this so-called "higher ladder" syndrome is more entrenched. This has a great deal to do with the fact that there's a lot of money to be made, and that robbing a bank from the comfort of your living room in some distant ex-Soviet Bloc state is much more convenient, not to mention safer, than robbing a branch office with accomplices, guns, masks and a getaway car.

Electronic fraud is as rampant as ever, after bouncing back from Microsoft's big push last year to purge Zeus-type banking Trojans from the Internet by zapping their command and control botnets.

For a while, those takedowns looked as if they had made a real difference. But in the end, Microsoft's efforts only disrupted these malware attacks; they did not dismantle them. The security team at Trend Micro, which tracks botnet takedowns, blogged about this on May 25, saying Zeus-class malware had re-emerged with a vengeance.

One-Time Passwords Compromised

Not only is Zeus back, but it's now been released with some new features - features that have just surfaced in the last year.

One new feature that particularly stands out is the ability to defeat currently deployed bank authentication systems that rely on out-of-band one-time passwords sent via SMS/text to mobile phones.

One-time passwords are among the higher security walls many U.S. banking institutions have built to keep fraudsters out - and conform with the Federal Financial Institutions Examination Council's updated 2011 authentication guidance for Internet banking.

The update to the guidance was banking regulators' response to fraudsters' use of man-in-the-browser attacks that bypassed previously deployed multifactor authentication systems. And those early multifactor recommendations, issued by the FFIEC in 2005, were made in direct response to the keylogging Trojan epidemic that first flared up early in the last decade. That document, ultimately, prohibited the sole use of usernames and passwords for authenticating Internet banking sessions.

But the fraudsters keep getting better. They keep building higher ladders. These attacks are not going away.

Building Higher Walls

For all the higher ladders out there, as we would expect, there are also some higher walls going up in the form of advances in security technology. A new crop of startup companies has come forward with products to thwart some of the latest exploits. These products will be potent weapons in the industry's anti-fraud arsenal. But what they won't do is shut down fraud completely.

No technology in the world will do that - at least not until someone comes up with a solution that stops end-users from being gullible. That's because technology is only part of the problem. The other part is psychological, which is why most phishing and Trojan attacks have a social engineering component. The technology - the Trojans and their botnets - wouldn't work unless consumers were easily being fooled into giving out their usernames, passwords and other personally identifiable information.

Today's cybercrooks are extremely smart. They take a creative and holistic approach to the challenge of robbing online banks. They don't sit there saying: "The money we want is protected by computers, so we can only use computers to get at it." They understand that Internet banking is made up of both computer systems and people, so they build higher ladders that exploit both - computer systems and people.

Our reaction, however, at least on the banking side, has been only to build walls that emphasize technology, rather than building walls that address both technology and human factors.

Today, our adversaries have the upper hand. In order for us to turn the tables in our favor, we will have to think more like they think.

We must stay vigilant and keep up the good work on the technology side, which I'm sure will happen anyway. But we need to start giving the psychology side the attention it's due. Ask the question: "How can we get customers to adopt better security habits?" Writing PINs on sticky notes and clicking on links in e-mails are bad security habits, yet too many consumers continue to do both.

A lot of people think that more customer education isn't worth the effort. As a group, we in the banking industry are still pretty uncomfortable talking about security with anyone, let alone the general public. But we need to change our way of thinking.

In a future post, I'll outline some proposed strategies for doing just that. It won't be easy, quick or cheap. But it will offer a way to build a wall that's a lot higher than it is now, and, I'm guessing, one that will be well worth the cost.

Tom Wills is director of Ontrack Advisory Group, a technology firm that focuses on innovative online security solutions. For more than three decades, he has helped companies navigate and balance the often opposing forces of security and compliance.

About the Author

Tom Wills

Director, Ontrack Advisory Group

Wills is a Fintech architect and strategist specializing in payments, security and digital identity. For more than two decades, he has guided organizations such as Visa, Bank of America, Wells Fargo Bank, UnionBank of the Philippines, VeriFone, Intuit, Richemont, Ping Identity and multiple startups to build and secure their digital platforms. Career highlights of Wills include leading the development, launch and operation of Visa's core transaction fraud management services and VeriFone's digital wallets, merchant e-commerce platforms and payment gateways, as well as secure platform/product design for Visa's prepaid card management system, national mobile payment networks in the Dominican Republic (tPago), Bangladesh (bKash), a Philippines' major credit card issuer and the Manila public transit network. He has also served as a CISO for CrossCheck and Intuit subsidiary, and as a mentor for StartupBootcamp FinTech and four Asian payment startups. In addition, he is a tenured speaker and media commentator on security in digital transactions. He holds both CISSP and CFE certifications. A resident of Singapore, Tom has also lived and worked in the US, UK, UAE, Philippines and Dominican Republic.
