"The latest financial news covering the european financial markets..."
New Account

The Magazine

Issue 11

The BP oil spill is a timely reminder to financial industry putting its own crisis behind it.

E-magazine
  • Previous Issues

Blog

Spencer Green
Chairman, GDS International

Sales and the 'Talent Magnet'

A lot is written about being a ‘Talent Magnet’, either as a company, or as President. It’s all good practice – listen, mentor, reward, provide clear goals and career maps. Good practice for the employer, but what about the employee?
24 May 2011

Cyberspace invaders


Malicious attacks against banks and their data are growing increasingly intense and sophisticated. What can be done to defend the digital border?


There can't be many people out there who would disagree that our hi-tech, networked 21st century world has brought some pretty big benefits. The ability to remain in constant touch with people all over the world via mobile phone and do all your shopping without even getting dressed have improved our lives immeasurably, but there are downsides. It used to be that if someone wanted to rob you, they'd have to approach you in person or find their way into your home. Now, it is possible for a thief to put his hand in your pocket at a distance of thousands of miles, the first you'll know about it being when your bank account suddenly empties.

Of course, it isn't technology's fault. From highwaymen to snake oil salesmen, unscrupulous individuals have been using every tool at their disposal to part people from their money for centuries. However, the changes wrought by the unstoppable rise of the internet have made it far more easy for the modern day cutpurse to waylay untold numbers of potential victims.

In its 4th Quarter Phishing Activity Trends Report, the Anti-Phishing Working Group revealed that it had received 92,641 unique phishing reports in the final three months of last year. Similarly, MarkMonitor's 2010 Brandjacking Index tallied up 565,502 attacks over the course of 2009. As significant as these figures are, both only really offer snapshots of the problem's size. It is extremely difficult to pin down exact figures, but as far back as 2005 analysts Gartner estimated that US consumers alone received 109 million malicious phishing emails, and that American businesses lost US$2.8 billion in 2006 as a result of such attacks. Allowing for the increased ubiquity of the networked economy over the past few years, it is reasonable to assume that today's official figures represent just the tip of the iceberg.

What is without doubt is that financial institutions remain the most popular target for online scammers, with around 40 percent of all attacks being aimed in their direction. As banks move more and more services online, so cyber criminals are working to find new ways to penetrate their defences. One of the most worrying of these unwelcome innovations is the man in the browser attack, which has become an increasingly common problem for FIs and their customers over the past few years.

This method sees a user's computer infected with a trojan installed through a vulnerability in the operating system or software, quite often the browser. The attacker is then able to manipulate information through that trojan as the user conducts business with their financial institution. Individual man in the browser attacks are built to specifically target the way different financial institutions run their log in processes and form fields on their own sites.

Becky Pinkard is former Global Head of Attack and Data Leakage Monitoring at Barclays. During her time with the bank and her long experience in the industry, she has witnessed the changing nature of the digital assaults IT professionals have to face down. "The man in the browser attack is definitely evolved from the phishing threats that were the biggest way for attackers to try to take advantage of people by sending them an email link of some type or giving them a malicious link that then the user would have to click on," she says. "The link would either re-direct them to a fake site or it would try to download some software to their computer at that point. With the man in the browser attack, they could have had the trojan installed in a various number of ways."

Users can open the door to man in the browser attacks by visiting another site, or they could be infected by a botnet which then allows the master controller to send a trojan directly to their system. What makes this type of attack such a threat is its key difference from more familiar phishing scams.

"Users don't have to do anything special," Pinkard continues. "They're not going to a site that looks like that of their bank, they're actually going to their bank's site. The trojan is in the background and it's manipulating what they think and what they know to be a legitimate conversation with that bank. That's why it's been such a dangerous evolution."

It is precisely this seamless integration into the everyday banking experience that renders the man in the browser that much more difficult to tackle. As more traditional dangers like phishing have entered the mainstream, web users have become increasingly savvy when it comes to detecting them. "The media has just had a field day with the phishing attacks, for example," Pinkard confirms. "You could have asked my mom what a phishing attack was and while she couldn't give you the technical breakdown, she could tell you that it's bad and it means she's visiting a site that's not legitimate."

In the case of emerging threats like man in the browser, it therefore falls to technology to fill in the gaps the average web user may not be able to see. Pinkard explains that, at Barclays, steps were taken to implement specific authentication processes and form actions in order to block the progress of malicious intruders. "With the man in the browser attack, what we saw was that they would have to understand exactly how the login process works," she says. "They would have to understand exactly what the forms would do when you fill them in and submit them. They have to set up their process so that it goes, literally, step by step with that as the user goes through the process. If they get a form field wrong, or they get a link wrong, the whole thing breaks down and it fails. There's definitely an aspect to trying to stay ahead in terms of the technology."
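Pinkard's point above is that a man in the browser trojan is scripted against a fixed picture of the bank's form: if a field name or link differs from what it expects, "the whole thing breaks down". One server-side way to turn that into a control is to issue each session a single-use form whose wire field names are random, and to reject any submission that does not match the issued field set exactly. The code below is an example added to this article, not Barclays' or any vendor's implementation; the logical field names, the in-memory session store and the sample submissions are constructed for illustration.

```python
"""Per-session form field randomisation with strict schema checking: a
server-side counter to man-in-the-browser trojans scripted against a
fixed login form. Example added to the article; field names, session
store and sample submissions are constructed, not taken from any bank."""
import secrets
import time

# Logical fields the login form needs (constructed); the browser never
# sees these names, only the random wire names issued per session.
LOGIN_FIELDS = ("username", "passcode", "memorable_word")

# Constructed stand-in for a server-side session cache, keyed by session id.
SESSIONS = {}


def issue_login_form(session_id, ttl_seconds=300, now=None):
    """Issue a fresh, single-use form descriptor for this session.

    Each logical field gets a random wire name, so a trojan configured to
    read or rewrite a field called 'username' or 'passcode' finds no such
    field, and a form captured from one session is useless in another.
    """
    now = time.time() if now is None else now
    wire_names = {logical: "f_" + secrets.token_hex(8) for logical in LOGIN_FIELDS}
    SESSIONS[session_id] = {
        "wire_names": wire_names,
        "expires": now + ttl_seconds,
        "used": False,
    }
    return wire_names


def check_login_submission(session_id, posted, now=None):
    """Validate a posted form against what was issued to this session.

    Returns (ok, reason, logical_values). Any deviation from the issued
    field set is rejected; the reason string is meant for a fraud-monitoring
    log, so a trojan that injects extra prompts (e.g. a card PIN field) or
    posts under its own hard-coded names is recorded rather than served.
    """
    now = time.time() if now is None else now
    descriptor = SESSIONS.get(session_id)
    if descriptor is None:
        return False, "no form issued for session", None
    if descriptor["used"]:
        return False, "form descriptor replayed", None
    if now > descriptor["expires"]:
        return False, "form descriptor expired", None
    descriptor["used"] = True  # single use, whether or not the rest passes

    issued = set(descriptor["wire_names"].values())
    posted_names = set(posted)
    extra = sorted(posted_names - issued)
    missing = issued - posted_names
    if extra:
        return False, "unexpected fields: " + ", ".join(extra), None
    if missing:
        return False, "missing fields: %d of %d" % (len(missing), len(issued)), None

    # Map wire names back to logical names for the authentication layer.
    logical = {name: posted[wire] for name, wire in descriptor["wire_names"].items()}
    return True, "ok", logical


if __name__ == "__main__":
    sid = "sess-" + secrets.token_hex(4)

    # An honest browser posts exactly the fields it was given.
    names = issue_login_form(sid)
    honest = {names["username"]: "alice",
              names["passcode"]: "12345",
              names["memorable_word"]: "tulip"}
    print("honest:", check_login_submission(sid, honest))

    # A trojan adding its own prompt posts one field the server never issued.
    names = issue_login_form(sid)
    injected = {names[k]: "x" for k in LOGIN_FIELDS}
    injected["card_pin"] = "0000"
    print("injected field:", check_login_submission(sid, injected))

    # A trojan scripted to a fixed layout posts under names that do not exist.
    issue_login_form(sid)
    static = {"username": "alice", "passcode": "12345", "memorable_word": "tulip"}
    print("static layout:", check_login_submission(sid, static))
```

This raises the cost of the attack rather than ending it: a trojan that parses the served form at run time can still follow along, which is why banks pair this kind of schema check with out-of-band confirmation of the transaction details the server actually received.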

A function of our ongoing technological revolution is a major shift in what companies consider to be their most important resources. Data is king now, and nowhere is that more true than in financial institutions. "One of the things that we've noticed over the last 30 years is that the ratio of intangible assets to tangible assets has changed dramatically," says Dan Turner, COO and CTO of Vistorm, an HP company. "This has major impacts on the amount of stakeholder damage that can result from these types of online attacks. If you look at some of the banks - certainly before the financial crash of the last couple of years - they were heavily IP orientated. Their shareholder value, their capitalization was mostly made up of intangible assets."

Protecting these assets takes on an increased significance in a world still shaking from the effects of the financial crisis. In the wake of collapsing markets and once indomitable banks revealing hitherto unimagined weaknesses, the battle to regain the trust and confidence of consumers is critical.

"It's a problem for the banks simply because it's an attack against information that the customers trust the banks to hold and to take care of," confirms Pinkard. But it isn't only down to financial institutions to protect their systems. "Simultaneously we have to look to our customers to maintain their systems. I know that several institutions do that. Barclays for example gave out free anti-virus software to try and help customers maintain a clean system whenever they're working with the bank."

Following the turmoil of the financial crisis, many consumers are looking to alternatives to the traditional banking solutions. Retailers such as Tesco have been quick to exploit the dissatisfaction many average consumers feel, setting up their own 'no-frills' banks and siphoning customers from their more venerable peers. "I think the financial institutions that were there previously have to work exceptionally hard to do the security piece right," says Turner. "They don't want to have any kind of additional risk of losing any more trust and hence, customers."

Reputational damage is one thing, but it's when money enters the picture that organisations really start to sit up and take notice. Costs incurred as a result of cyber attacks aren't limited to what thieves successfully steal. An increasingly stringent regulatory system means that organisations which fail to take sufficient care of customer data can find themselves saddled with hefty fines. For example, a recent amendment to the UK Data Protection Act raises the possibility of penalties as big as UK£500,000 for any company judged to have been careless with other people's information. Even before the crisis, the compliance burden facing FIs was taking up ever larger chunks of the IT budget. With the recent G20 meeting promising tougher regulations throughout the world, banks have every reason to be wary of the increasingly ingenious attempts to pierce their digital defences.

"What I see in my work dealing with data breach and information leakage, is that I think we're going to continue to see regulations," says Pinkard. "We're going to continue to see fines associated with regulations. In my experience, any time a company starts to see the costs add up, they really start to sit up and pay attention to what they need to do to mitigate the situation so that they can limit the potential damage or the potential risk of having to pay out these fines."

Network security professionals are not only facing increasingly sophisticated attacks. The growing complexity of the networks they are charged with protecting creates problems of its own. Says Pinkard: "One of the issues that especially larger and global companies are dealing with is the fact that, as more and more companies continue to expand and go through mergers and acquisitions, it gets increasingly complex to bring together not only the networking infrastructure required to get the technology where it needs to be, but to do it within the time frame that's given by the business. And then you have to add the security that's required on top of that."

The challenges involved in meeting the needs of the business while simultaneously keeping adequate security in place are only amplified when mergers and acquisitions - more common in the uncertain past few years - challenge technology professionals with creating reliable and secure links between disparate legacy systems. Building and securing new systems - or even just retrofitting old ones - is an expensive business. Understandably, given the shocks the market has endured over the last few years, budget-holders have become extremely picky about where they spend their money. If an old security system seems to be doing its job, it can be difficult to build support for replacing or overhauling it. "There's a reluctance there by the business, a lot of times, to take that step," Pinkard confirms. "There's the potential that they could lose business, or they could cause outages or tick off customers in the process." However, the aforementioned tightening of the compliance net and the growing sophistication of security threats are definitely tipping the balance. Surely it is better to put up with a little pain now if it will prevent real agony in the future?

It is often said that change is the only constant. If that is true, then the last few decades have been some of the most constant in human history. In around 30 years, the world - and the financial industry - has moved from largely analogue to almost completely digital. The rate of development has accelerated so much that keeping up with it has become more and more difficult. "It's a constant challenge not only from a security perspective, but just from a CIO's office in general to sort of stay ahead of that and stay abreast of what's the latest and greatest technology?" Pinkard explains. "It's about what's going be here and work for us not only now, but as we go forward? When I first got started in this business about 15 years ago, people were looking at making five year plans and seven year plans. Nowadays you're lucky if you can make a plan that's 18 months to two years down the road."

Take mobile banking. Widely thought to be one of the big growth areas for financial institutions in the next decade, it raises a raft of new problems for information security professionals, from how they authenticate mobile devices to how data is protected if a device is lost or stolen. There needs to be a clear understanding of the vulnerabilities of the medium, followed by a huge amount of work to mitigate them. According to Pinkard, this is not a simple process.

"The problem is that a lot of times, we get out there in front of the technology and we think we've found all the holes, or that we have all the fixes, or we have all of the fences that we need in place," she says. "Then you know, you put your something out there. Once it's up and running attackers are starting to pound on it day in and day out. They're the ones that are doing the real work for you, but they're doing it to their benefit, not yours. Because they're the ones who will eventually find the holes, or somehow create the hole, and then take advantage of them. It's a constant battle."

Essentially letting cyber attackers illustrate the weaknesses of a security system might sound like the digital equivalent of testing a bullet proof vest by putting it on and inviting someone to shoot you. However, it is one of the surest ways of identifying potential vulnerabilities, provided the response to them is quick and decisive. "Speed is definitely essential," Pinkard agrees. "It's an age-old joke that the only secure computer is one that's completely disconnected and buried in a concrete bunker. If any company wants to do business in today's environment and in the networked world of today, it has to assume a certain measure of risk."

That is one of the hardest realities to grasp. No matter how much is spent, how many man hours are devoted and how much technology is developed, a 100 percent secure networked environment is little more than a pipe dream. There will always be chinks in the armour, and it is up to individual organisations to ensure they have the best possible protection to respond swiftly to weak spots when they appear.

"It's a relentless and dynamic threat environment out there," says Dan Turner. "Malware just gets more and more sophisticated, almost changing shape nearly every few hours. As new operating systems come out, people will continue to aggressively exploit them. While the general economy is kind of in a downturn, I would say the cyber criminal world is in fairly healthy spirits."

As information becomes a global currency, a source of business success and a sought-after prize for thieves, IT security needs to step up its game. The attacks aren't going to stop. In fact it's much more likely that they will become increasingly intense. Those at the sharp end will have to redouble their efforts to repel the invaders. "The data is truly the thing that is most valuable," says Becky Pinkard. "It's all about maintaining the sanctity of that data and taking care of it so you can continue to build the reputation of your company, and maintain the trust of your end user or your customer."

Know your enemy:

Man in the browser

Differs from phishing in that, rather than directing users to a fake website, it secretly captures data as it is entered into a legitimate portal without interfering with the transaction.

Know your enemy:

Phishing

Creates fake emails and websites purporting to be from trusted organisations, tricking users into entering personal data such as bank details.

Know your enemy:

Packet sniffer

Intercepts routed data and examines each packet in search of specified information, such as passwords transmitted in clear text.

Know your enemy:

Trojan

A program that conceals harmful code, tricking users into installing malicious software on their computer.

Know the score - 2009 in phishing

1. 36%: Growth of attacks targeting financial brands

2. 598%: Average number of attacks per organisation

3. 154%: Growth of attacks targeting payment services

4. 44.7%: Proportion of phishing sites hosted in US

5. 62%: Total growth in attacks since 2008

Source: MarkMonitor Brandjacking Index
