The Fraud Blog with Tracy Kitten

2011's Answers to Fraud?

Expect Stronger Authentication and Cloud Computing
2011's Answers to Fraud?

One thing 2010 was not short on -- fraud. ACH breaches, card skimming and a host of malware attacks topped the year's news. And industry experts say we can expect more of the same in 2011. The outlook sounds grim.

The financial industry is taking steps to fight back, but it seems the fraudsters are always a pace ahead. And the security steps the industry has taken so far might be misguided, I'm told. What we need more of in 2011 are stronger cardholder authentication and more computing in the cloud.

Let's take a quick look at the year. In 2010, ACH fraud led to marked increases in corporate account takeovers. The Federal Bureau of Investigation estimates 205 separate businesses have reported incidents of corporate account takeover since 2004, most of which occurred in the past 12 to 18 months, with estimated losses totaling $40 million. Those estimates are probably low, since many cases of ACH fraud, until recently, have flown under the radar.

And then there is card skimming. According to the Identity Theft Research Center, 45 skimming and payment-fraud incidents were reported in the U.S. in 2010. Increases in attacks were reported at points of sale, and most experts agree those reports, too, are probably low. "POS fraud is rising, and it's likely because of skimming," says distinguished Gartner analyst Avivah Litan.

Finally, let's not forget malware and Trojans like Zeus. Zeus has unquestionably gotten more sophisticated in its attacks against online banking, and now it's broadening its range, aiming at the emerging mobile channel. Mobile malware is a new threat, and Zeus attacks, such as Mitmo, aimed at mobile devices have already been identified.

Industry experts say banks and credit unions can access the right technology to thwart those attacks, but many are not making the right investments. Banks can put an end to many card attacks, Litan says, if they can identify points of compromise, "but many have a hard time doing that with current fraud-detection solutions."

Stronger cardholder authentication, through contactless or contact chip technology such as EMV, could significantly cut card fraud, but banks have not made significant moves in that direction. Fraudsters have already figured out how to get around two-factor authentication, which often incorporates online banking logins with one-time pass codes or tokens. In 2011, banks will have to move beyond mere two-factor authentication if they expect to curb fraud.

Josh Corman, research director at security consultancy The 451 Group, says banking institutions spend way too much money on relatively useless security solutions. The recent breach of payment card data at City Sights NY, an online tourism company, highlights security gaps in data protection, he says. Hackers accessed information for 110,000 credit cards with an SQL injection -- one of the most common known modes of attack.

Why is payment card data still vulnerable to SQL injection? Good question, Corman says. "We should know better by now, but we don't," he says.

A web application firewall would have prevented the City Sights breach, but most banks and retailers like City Sights don't invest in that level of security. "We don't spend enough money on app security and we spend way too much on antivirus software, which is basically worthless," he says.

Stronger application security is the only solution. "Everyone focuses on protecting the services and the infrastructure, but no one focuses on the software," Corman says. "Rugged software that protects the application is what we need more of."

I'm not hearing a great deal about rugged software, but I am hearing more about the cloud. And industry insiders tell me banks are warming to the cloud computing phenomenon.

Andy Greenawalt, the CEO and founder of Continuity Control, a New Haven, Conn.-based provider of web-based software, says many banks are now using Google Documents for shared access, rather than relying on traditional sent-and-received correspondence that can easily be traced, intercepted and/or intentionally or unintentionally compromised by an employee. "By putting traffic in the cloud, you make the security and access equation fundamentally more solvable," Greenewalt says. "It helps to keep you from missing a gap."

The cloud eliminates the need to store information on a hard drive or to a thumb drive, which also limits chances for breaches, he says.

I find it hard to believe that banking institutions would rely on something like Google Docs, since cloud security is something they've questioned for years. But perhaps that reliance is a good sign that the industry is moving in a modern, more secure direction.

If nothing else, 2011 will prove to be a year of interesting investments and directions.



About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ffiec.bankinfosecurity.com, you agree to our use of cookies.