Where guest writers discuss what they think about the current FSTEU Issues.

By Julian Rogers
Experts agree that cyber crime against banks is no longer the sole work of pasty-faced teenagers hunched over their bedroom PCs looking for street cred amongst the hacking fraternity. Instead, organised criminal networks are increasingly behind these attacks, due in no small part to the money that can be made. In fact, cyber crime is a multi-billion dollar industry thought to be more profitable than drug smuggling. A teenager in New Zealand hit the headlines recently when he was arrested on suspicion of being the mastermind behind an international cyber gang. ‘AKILL’, as he is known in cyberspace, is alleged to be responsible for infecting more than one million computers, stealing bank and credit card information, and embezzling more than US$20 million. His arrest – part of a joint operation between the FBI and police forces in New Zealand and the Netherlands – is far from an isolated case, however. Criminals and hackers are more devious and ruthless than ever before in their efforts to steal information or wreak havoc on an organisation’s systems and individuals’ home PCs.
“Most of the time, today's cyber-crime is no longer spotty teenagers simply intent on demonstrating their computing prowess; rather, it is gangs run by sophisticated criminals for financial gain,” says Carole Theriault, Senior Security Consultant at Sophos. For some hackers, breaching an organisation’s defences is still seen as a badge of honour; many of these are young whiz kids out to wreak havoc without any financial motive. ‘AKILL’, however, is said to have used botnets (networks of compromised ‘zombie’ computers under a single remote controller) to launch distributed denial-of-service (DDoS) attacks, spread spam and steal confidential information. Bank customers need to stay on their toes. Annick Loks, ISO at ING, says that the techniques employed by the con artists are evolving. “It used to be that you would get emails saying that the bank had to update its database and you had to click on a link. I think this is in the past. What we are seeing now is criminal organisations spreading malicious code by using very attractive channels for the customers.”
She points out how popular sites like YouTube are now being used as a vehicle to spread malicious code. “They [the criminals] analyse the behaviour of the user and based on that they will insert malicious code in a movie that you can download from YouTube. So you or your family will not know that this malicious code is inside your computer; not only will the criminal capture what you are doing, but he will modify what you are doing.” What makes these sorts of attack so attractive to the criminals is that the cost of developing and spreading the code is virtually nil: the victims’ own machines supply the computing power and bandwidth, so each additional infection costs the attacker nothing.
An analogy to consider would be the sniper attacks in the US five years ago that left 10 people dead. All that was required was a cheap car and a rifle, and John Allen Muhammad and his accomplice Lee Boyd Malvo were free to pick off their victims from the vehicle’s boot. So for a modest outlay the pair were able to strike fear into communities: people stayed at home, children didn’t go to school, and businesses closed. The same ratio of small investment to maximum effect is what the cyber criminals are trying to achieve.
Take the bait
Perhaps the biggest problem facing the institutions is phishing. It’s a huge money-spinner for the crooks behind the bogus emails that clog inboxes all over the world 24/7. Educating customers to be suspicious of unsolicited emails will go some way to reducing fraud. “We tell people to have anti-virus software installed and kept up to date,” Loks explains. “Also, they [our customers] need to make sure they have a firewall and spyware. So we are trying to raise the awareness amongst our customers, but we also use internal initiatives to raise awareness with our employees. We have developed web application guidelines to make the developers aware of the vulnerability of malicious code being inserted without anyone knowing.” ING also created an anti-phishing strategy two years ago to inform customers about the risks and what the bank is doing to combat the problem. “We invest a lot in how we communicate with our customers,” Loks reveals. “Our brand is so misused and abused that we have to tell them how we will communicate with them so that they can check that we are indeed ING when they are contacted by us.” The practical check a customer can make is simple: a genuine bank never asks for a password, PIN or full card number by email, and a link in an email is never the right route to the login page.
Brian Barbour, CISO at Standard Life, stresses that making customers aware of the threats is key. “There are things that we have to do as an industry to promote the appropriate behaviours for customers because these customers can inadvertently, through a lack of knowledge, do things that could open them up to fraud.” He continues: “Phishing is a threat to us but probably not as much as others in the industry because we are not a retail bank. There is an interaction with our customers but customer awareness is still an issue.”
Of course, it’s not just the public that needs some helpful advice: staff training is vital too, to prevent a data leak or security breach. “We are in the middle of revamping our training for staff in order to make it easier for them to handle information,” says Barbour. “I also believe that educating our staff does not only help to protect our customers and the company, but also helps them protect themselves and their families.”
Barbour says that at Standard Life there is a push to get staff to be aware of protecting their own personal information when away from the office. “I know some companies that have given anti-virus software and firewalls away free to staff, while we gave away cross-cut shredders recently. If you make things interesting for staff you will get a reasonable response.” He continues: “I am a firm believer that if you make clear what you expect from your staff and you make it easier for them to do the right thing you actually get a lot of buy-in and you can then focus your attention on the controls that identify when people might be doing the wrong thing.”
For the banks the technology behind security is relatively easy to control; it is the people that are not so easy to predict. Mistakes can be made and highly sensitive data misplaced. With the personal details of millions of customers sometimes being stored on mobile devices, there is an increased risk of this information going ‘missing’ and falling into the hands of criminals. The infamous case of a laptop containing account details of 11 million customers, stolen from a Nationwide employee’s home, is a case in point. This theft (and the subsequent UK£980,000 fine) demonstrates an inherent problem the banks face: how to protect confidential details once they are taken off site. Two controls decide how damaging such a theft is: whether the disk was encrypted, and whether the data needed to leave the office at all. Quite why an employee needed 11 million people’s account information on a laptop is another question.
Nevertheless, staff are more mobile today than ever before, with the ubiquitous Blackberry the favourite mobile device amongst executives. And of course emails pinging back and forth between a bank chief and HQ could easily contain sensitive information. As Barbour puts it, “there are limited technical solutions for keeping emails secure”. Then there is the danger that a laptop, PDA or phone could be stolen or lost. “You have to assume that devices will go missing from time to time, either through theft or loss,” says Paris-based Ashley Bear, Head of Information Security at insurance giant AXA Group. “People can leave a Blackberry in a taxi or have their laptop stolen in a robbery. I think it is important to have standard industry processes in place to build and manage such devices – and make sure these standards are enforced. So this is a universal challenge facing us all.”
USB memory sticks are a headache too. These light and compact devices could easily be slipped out of a building holding a mountain of information without anyone knowing. On top of this, aspects of a bank’s operations are outsourced, making it increasingly difficult for the security professionals to keep the boundaries secure. “We have to be careful that technology does not make data leakage easier,” Barbour notes. “If you are the customer affected it does not matter whether it was done by telephone or by the loss of a printout or something electronically. So technology has made it easier for large amounts of data to be stolen, and there is clearly a market for such data.” Another clear threat comes from planting criminals inside a firm, or bribing an employee with access to sensitive information to pass data on to the fraudsters. For a few thousand euros the criminals could get their hands on enough data to commit fraud worth millions. Industry experts agree that this scenario is an ongoing concern and one that is extremely hard to prevent, which is why it has to be detected: logging who accesses customer records, and alerting on unusually large queries or exports, is the control of last resort against the bribed insider.
Damage done
But with the newspapers full of stories of fraudsters stealing customer bank details, raiding accounts and racking up huge credit card bills, it is little wonder that confidence in the institutions is being eroded somewhat. A serious security breach can have enormous financial implications, but the reputational damage to the organisation can be immeasurable. “People trust these companies with their money and their information,” says Barbour. “If companies break that trust you see how quickly that trust can be lost and how long it can take for it to be regained – and it may never be regained.” Indeed, a survey carried out in the UK by the Post Office found that fear of fraud was the biggest barrier preventing people over the age of 50 from going online: around 41 percent were scared of Internet fraud, and around half preferred having direct contact with someone.
To counteract this, the banks have to keep investing in expensive security measures and implementing strong authentication on their websites and mobile channels, both to deter the fraudsters and to reassure the public. And that reassurance is key for some customers. Indeed, banks are reporting customers asking for stricter security. “The customer really wants to see security made visible,” Loks acknowledges. “I think you have to hide the difficulty of the technology, but at the same time, show that security is extremely important for the bank. It is very similar to the security of your house – when you have something to protect you install a safe. It’s the same with electronic funds.” Not every firm has managed this. UK insurer Norwich Union failed to protect its clients’ account information: in December the company was fined UK£1.26 million by the Financial Services Authority (FSA) after customers lost a whopping UK£3.3 million through identity fraud. Poor security checks allowed crooks to impersonate customers over the phone and cash in their policies.
This case highlights the importance of strict security checks: a telephone identity check that relies only on details a fraudster can look up or buy (name, date of birth, address) verifies nothing. The problem is the trade-off between tighter security and maintaining telephone and online banking platforms that are quick and simple to use. It’s the same when someone chooses to bank with a mobile device: lengthy and laborious security procedures will have people logging off in droves. Bear’s primary users at AXA are the company’s advisors who service the customers. He elaborates on the trade-off: “The user already thinks that it [security] is too difficult and often they are right because all of the institutions have a certain amount of complexity,” he comments. “As part of simplification we need to factor in the user experience because security good practice is their perceived burden.” He adds: “If you can reduce the perception you can proportionately improve compliance. So anything that we can do that makes it easier for people to do their jobs, makes it easier for us to do business with our advisors, whilst maintaining or improving security will dramatically improve user behaviour. Indeed, user behaviour is the frontline of security.”
In the meantime the myriad threats to the industry continue to escalate with no sign of slowing down. The institutions are juggling the provision of intuitive banking channels for customers with adherence to the raft of legislation being dished out by the regulators. “Today the regulators are there, they are ever-present, and they clearly want to maintain the confidence in the sector,” stresses Loks. So what’s the focus for ING in 2008? “I think we have to be pragmatic about phishing and Trojans, especially with the development of wireless technologies and VoIP,” she explains. “We will have to ensure that the solution that we create now will be able to mitigate these sorts of threats, whilst everything relating to ID theft will clearly be the focus.”
Barbour says good planning continues to be paramount: “The criminals are getting more cunning,” he remarks, “however, if security becomes an enabler it helps you to do things efficiently. One of the worst things that can happen is if you always develop controls after the event, so it is a case of getting the balance right between preventative measures and detecting and working with business managers to make sure that we can do what we want to do securely.” He goes on to say: “The standards expected of us by our board and stakeholders are just as rigorous as any other financial company. Part of the culture here is getting people to recognise that customer service includes helping to protect the customer.”