- Category: July - August 2009
Lured by the convenience and ease of conducting financial transactions with a single click, online banking is coming of age in India and many other parts of Asia. As a result, these geographies represent a ripe new market for cybercriminals who look to launch online attacks and commit fraud.
In fact, recent reports indicate that roughly 10% of all global phishing activities target India specifically. As evidence of this disturbing trend, several Indian banks came under attack in 2008, the targets of over 400 phishing scams in just a few months. Even more alarming is the fact that more than 80 Indian banks lack adequate security measures for protecting their online users, as reported by NASSCOM, an IT trade organization in India.
Online Fraud Continues to Grow
Online fraud has become a vast global network, bringing together bands of cybercriminals to do what they do best – steal money and identities from unwitting online users. Cybercrime does not discriminate; criminals will do whatever it takes to get what they want. They are more manipulative, sophisticated and adaptive than ever.
While new online attacks are becoming more popular, phishing continues to prevail as the most common tactic used by online criminals to target financial institutions and their customers. This is supported by recent statistics released by RSA’s Anti-Fraud Command Center showing that globally, phishing attacks grew by 66% from 2007 to 2008. One of the many scams criminals use to dupe online victims into divulging their personal information, account numbers, and credentials, a phishing scam usually begins with a message that looks like an official email from a bank. The text within the email tells the user that he/she needs to access the bank’s website and update his/her personal information, or risk having his/her account suspended or closed. The email usually contains a link that the user can click on to go to the bank’s website. Once the link is clicked, instead of being directed to the bank’s website, the user is brought to a spoofed website that looks nearly identical to the bank’s official website and is intended to steal the user’s information.
Phishing scams are popular within the fraud community because the cost of executing them is low and setting them up requires little technical knowledge. For very little money, a criminal can buy an entire phishing kit on the black market and launch an attack against tens of thousands of potential victims with minimal effort.
Layered Security is the Best Protection
Staying a step ahead of online criminals and being prepared to address new threats is critical to fending off fraud. Financial institutions must establish a layered approach to security, which is key to lowering the overall risk posed by phishing and other online threats. A layered security approach has three core elements:
- Understand the threat landscape
- Use multi-factor authentication to protect login
- Monitor user activities and transactions
Understand the threat landscape
Financial institutions must understand the threats that are targeting their businesses and the relative risks they pose. By doing so, financial institutions can mitigate the risk of online fraud or even prevent it from occurring at all. By gathering and sharing intelligence and developing a broad knowledge of potential threats, financial institutions can better evaluate their own vulnerabilities and implement security solutions to protect their customers.
Use multi-factor authentication to protect login
Username and password authentication is not enough to stop criminals from accessing online bank accounts. Multi-factor authentication is essential to prevent unauthorized access to a user’s personal data and account information. There are a number of strong authentication technologies available on the market today that have been widely deployed across large online banking user populations and have been highly successful in reducing and preventing fraud. Some of the more popular technologies include risk-based authentication, one-time passwords, and site-to-user authentication.
Monitor transactions and activities that occur post-login
Financial institutions should also consider implementing a transaction monitoring solution that analyzes and challenges high-risk transactions after a user has logged in to his/her account. Transactions typically require more scrutiny and pose more risk to financial institutions than just the act of logging in to an account. Transaction monitoring solutions analyze a combination of factors such as the IP address, characteristics of the user’s computer and the actual behavior of the user (for example, whether the amount of this money transfer is typical for the user) to help identify and flag suspicious activities that may require further review by the financial institution.
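The following is an added illustration, not code from RSA or from this article, of how a post-login transaction monitor can combine the factors just described (source IP, device characteristics, and whether the amount is typical for the user) into a single risk score that decides whether to allow, challenge, or hold a transaction for review. The weights, thresholds, and the transaction history are all constructed for the example.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    """One online banking transfer as seen by the monitor (constructed fields)."""
    amount: float
    ip: str          # source IP of the session
    device_id: str   # fingerprint of the user's computer/browser
    payee: str       # destination account the money is sent to


def score_transaction(history: list[Txn], txn: Txn) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for txn, judged against the user's own history.

    Each unfamiliar factor adds to the score; the weights are illustrative.
    """
    score, reasons = 0, []
    if txn.ip not in {t.ip for t in history}:
        score += 20
        reasons.append("new IP address")
    if txn.device_id not in {t.device_id for t in history}:
        score += 30
        reasons.append("new device")
    if txn.payee not in {t.payee for t in history}:
        score += 15
        reasons.append("new payee")
    amounts = [t.amount for t in history]
    if amounts:
        mu, sd = mean(amounts), pstdev(amounts)
        # "Typical" = within 3 standard deviations of the user's mean transfer;
        # if the history is perfectly flat, fall back to 3x the mean.
        limit = mu + 3 * sd if sd > 0 else 3 * mu
        if txn.amount > limit:
            score += 35
            reasons.append("atypical amount")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to the action the bank takes (thresholds are illustrative)."""
    if score >= 60:
        return "review"      # hold for manual review by the fraud team
    if score >= 30:
        return "challenge"   # step-up authentication (e.g. one-time password)
    return "allow"


# Constructed history: small routine bill payments from one home PC (RFC 5737 test IPs).
HISTORY = [Txn(a, "203.0.113.5", "dev-A", "electricity") for a in (100, 120, 90, 110, 105)]
```

A routine payment from the known device scores 0 and is allowed; a large transfer to an unknown payee from a new IP and device collects every flag and is held for review.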
Educate your Customers
There is an ongoing debate about the impact of customer education and how much it really does to mitigate the threat of online fraud. RSA offers a number of resources to help financial institutions communicate the importance of online security to their customers including guides on phishing and crimeware.
There are a number of public sources available, as well. For example, Carnegie Mellon University developed a new tool called Anti-Phishing Phil. The game teaches users how to identify phishing URLs, where to look for cues in web browsers, and how to use search engines to find legitimate sites. Interactive tools such as this are great ways to engage consumers and raise online safety and security awareness.
By Art Coviello, executive vice president of EMC and president, RSA