New Year, New Hacks?

The new year is likely to bring more of the same when it comes to criminals siphoning funds from consumers and banks. "I'm not seeing too much innovation," says SecureWorks senior security researcher Don Jackson. "Sophistication's evolving but there's been nothing revolutionary."

If only "same stuff, different day" meant that the industry had quashed the threat of loss from criminal enterprise. Alas, no. In a recent survey of customers, authentication vendor PhoneFactor found that Zeus-style malware that results in man-in-the-middle attacks is viewed as the greatest threat to online banking today, and such attacks are getting more common. Nearly 70 percent of survey respondents say these attacks increased in frequency in 2010. But within the "same old" vectors, there are some new variants worth talking about:

Zeus-like Attacks. Gartner security analyst Avivah Litan predicts criminals will improve their ability to mimic PC and device identification credentials, thwarting this method of security.

Operation PayBack. Distributed denial of service attacks aren't new, but seeing Mastercard, Visa, PayPal and others fall victim to DDOS as a result of their stance against WikiLeaks was an interesting twist. Will the Anonymous hackers latch on to a bigger agenda, or disband after their 15 minutes of anonymous fame? Either way, DDOS attacks will be increasingly used to distract bank security teams while attackers simultaneously conduct financially rewarding attacks, says Jackson.

Mobile Intercepts. A small botnet group is using SMS to install malware on smartphones, which then steals the transaction authorization numbers sent via SMS. The intercepted TANs are used to log in to online banking accounts, according to SecureWorks research.

Skimmers That Text. Brian Krebs of KrebsOnSecurity.com has been writing about the newest variant of ATM skimmers, devices that communicate with the fraudster's phone or PC, sending track data and PINs via SMS so that the criminal never need risk retrieving the device from the compromised ATM. Gartner's Litan predicts that skimming at POS systems and unattended self-service terminals will increase next year, "sending the card companies and PCI Council into a tizzy over what to do about it."

Remote Deposit Capture. Jackson hasn't seen any mobile RDC hacks yet, but he fully expects them in 2011.

The good news? Security pros need not worry about job security.

The bottom line? Device identification tools, some out-of-band techniques, and new channels like RDC are ripe for attack, adding to the 'same old' arsenal being targeted against banks and their customers.
