Trojan Horse schemes and session hijacking systems have surged markedly over the past months, supporting the Anti-Phishing Working Group's (APWG's) view that automated phishing systems are the way of the future for this criminal enterprise.
This is a dangerous trend for the financial industry, which is currently the target of nearly 91% of all attacks, because educational programs cannot help consumers detect or stop this new breed of attacks in most instances. As people slowly learn to look for the SSL lock on a site or to type the site address manually instead of following a link in an e-mail, the sophistication of attacks are evolving at an astounding rate.
Between April and June of this year, the number of phishing-related Trojans that planted a keylogger to silently monitor and record access to online financial accounts doubled. And the number of websites hosting malicious code meant to steal identities doubled in the period as well. Also on the upswing have been redirectors, which exploit browser vulnerabilities to send users to spoofed sites rather than the real ones.
Financial institutions can expect that the return on investment from continued education campaigns will diminish as the shear complexity of attacks expands at a greater rate than the average consumer is capable of technically comprehending much less defending against. In the meantime, consumer online fraud fears continue unabated despite the industry's move to curb the growing pandemonium and down play the severity of the situation. A recent study by Lightspeed Research revealed that 82.7% of all respondents felt threatened or extremely threatened by identity theft and 83.2% felt threatened or extremely threatened by online fraud.
A Cure for Phishing?
Most industry experts agree that there is no silver bullet solution that will annihilate all forms of phishing. Instead a layered approach to security is required to curb the proliferation of online identity theft and mitigate the associated risks. While consumer education will remain important, fraud monitoring and blocking technologies along with the usage of two-factor authentication is required to further protect consumers from these latest attacks and guard against future threats.
Monitoring technologies can work in one of two ways: 1) by continuously scanning millions of Internet websites looking for indications that the financial institution may be the target of a phishing attack, or 2) by scanning and analyzing the financial institution's own servers for suspicious activity that may indicate that the institution is the victim of a phishing attack. Blocking technologies can be used to selectively block access to suspicious websites based on defined filter rules or block the download of potentially malicious software such as Trojans or spyware.
While both of these technologies can play a vital role in the fight against phishing, financial institutions should keep in mind that the implementation of these preventative technologies alone cannot compete with the growing sophistication of attacks. These technologies still enable a window of opportunity for fraudsters to capture a user's information and to perpetrate fraud.
The great weakness of the authentication systems currently in place is that they rely on a piece of information that is unchanging, and which, once discovered, can be used again and again: the user's password. The password may be long, it may be short, the credit union may try to reduce the re-use of parts of it by requesting only certain digits-but if it is compromised, then the attackers have unrestricted access to what they want.
Finding a Better Authentication System
The Federal Deposit Insurance Corp. (FDIC) is now recommending that financial institutions upgrade their existing password-based, single-factor customer authentication system to a two-factor system. The implementation of stronger authentication systems has the potential to render a fatal blow to the current proliferation of online phishing attacks, but the debate continues on what type of technology is best suited for the security, cost and usability requirements of the consumer market.
One approach under consideration is to enhance existing weak login processes with additional layers of images, audio recordings, or other user-supplied information. Unfortunately, adding an additional piece of static data may make the login process more complex but it does not improve the security of the system -once the static piece of information is compromised, the attackers will still be able to hijack user accounts.
To strengthen the system, credit unions may choose to use a dynamically produced one-time password (OTP). This is used only once and changes based either on time or an event such as the customer pressing a button. This means that passwords, once used, are useless to attackers-harvesting them is pointless. However, a determined and resourceful attacker might, via a man-in-the-middle attack, harvest and use OTPs in real-time to hijack a user's account. Once logged in, the attacker can access the account information or change the details of a payment, for instance, to credit a different account, in a different currency, for a different amount.
To protect against keyloggers, man-in-the-middle attacks and emerging forms of malware, financial institutions should consider implementing a system that not only authenticates the user but also protects the integrity of transactions. There are online fraud solutions available today that utilize software or hardware tokens to create tamper-proof transactions by digitally encoding transaction details.
"Even if a hacker managed to gain access to information through the use of malware or a man-in-the-middle attack, employing a unique code for each user could serve as an electronic business card, to verify and protect the user's identity and transactions across the Internet," said Charlie O'Rourke, senior vice president, First Data. "Our customers are confident that the use of this type of authentication token ensures any attempts by the fraudster to use hacked data will fail."
Strong Authentication Made Simple
Technological advances and innovation in authentication solutions and tokens now make strong security affordable and easy to use. Instead of requiring phone calls, or other means of manual intervention to provide strong protection against fraud, these products provide an enhanced layer of security throughout the communication chain to ensure the integrity of every transaction. Credit unions can minimize their IT costs by investing once in an online fraud solution that offers their consumers long-term protection rather than deploying multiple short-term patches or weaker security offerings in an attempt to play a continuous game of catch up with fraudsters.
There has been some concern by financial institutions that their customers/members will not sacrifice convenience for security, but security does not have to be inconvenient. The user interface can be similar to today's password systems-but the presence of the token will ensure the integrity of the system and the security of transactions throughout the user session.
By offering a range of tokens, these online fraud solutions address the security and cost considerations of the consumer market while providing CUs and their members seamless protection against fraud schemes today and those coming in the future.
Consumers are anxious for financial institutions to put an end to the growth of online fraud. Utilizing a combination of anti-phishing tools, including a two-factor solution that addresses emerging attacks, financial institutions can be successful in staying ahead of the fraudsters no matter how advanced their methods become.
Curtis Beeson is Chief Technology Officer with The First Data Secure Signing Group.
