Hold on, don’t open that email.
Hackers have known for years that bank employees are the easiest way into a bank’s systems. All a bad guy has to do is send an inviting email and trick the employee into opening it.
A nefarious new approach has come to the attention of security analysts employing “typosquatting,” the practice of picking versions of bank names with typographical errors — for example, bankofamerca.com, which is actually owned by Bank of America — and setting up fake bank sites there. The new wrinkle, according to Carl Leonard, principal analyst for Websense Security Labs, employs phony internal emails. Employees used to receiving dozens of internal emails a day might not look carefully at the sender’s address, and in some cases the From address can be “spoofed,” or made to appear different from what it actually is.
A routine email appearing to include a meeting invite attachment, for example, may actually contain an exploit kit that installs itself on a bank’s system, and wreaks havoc from within the bank’s walls.
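The two tricks described above (a lookalike domain and a spoofed From address) can both be checked mechanically at the mail gateway. The following is an added example, not code from the article, Websense, or any bank: it parses a raw message, compares the From domain against a list of the institution's legitimate domains using edit distance to catch typosquats, and flags a From domain that disagrees with the Return-Path domain. The domain `examplebank.com`, its lookalike `examplbank.com`, and the three sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumption: the institution's own mail domains (constructed for this example).
LEGIT_DOMAINS = {"examplebank.com"}

# Constructed sample messages, as a gateway would see them (headers + body).
SAMPLE_INTERNAL = """From: IT Calendar <it-calendar@examplebank.com>
Return-Path: <it-calendar@examplebank.com>
Subject: Q3 planning meeting

Calendar invite attached.
"""

SAMPLE_LOOKALIKE = """From: "IT Calendar" <it-calendar@examplbank.com>
Return-Path: <it-calendar@examplbank.com>
Subject: Q3 planning meeting

Calendar invite attached.
"""

SAMPLE_SPOOFED = """From: HR Department <hr@examplebank.com>
Return-Path: <bounce@mail-relay-xyz.example>
Subject: Updated holiday schedule

Please see the attached document.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def _domain(header_value) -> str:
    """Extract the lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def classify_sender(raw_message: str, legit_domains=LEGIT_DOMAINS, max_distance: int = 2) -> dict:
    """Return the From/Return-Path domains plus a list of warning flags.

    'lookalike_domain'          : From domain is not ours but is within max_distance
                                  edits of one of our domains (typosquat pattern).
    'from_return_path_mismatch' : the visible From domain differs from the
                                  Return-Path domain (a common spoofing tell).
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = _domain(msg["From"])
    rp_dom = _domain(msg["Return-Path"])
    flags = []

    if from_dom and from_dom not in legit_domains:
        near = [d for d in legit_domains if 0 < levenshtein(from_dom, d) <= max_distance]
        if near:
            flags.append("lookalike_domain")

    if from_dom and rp_dom and from_dom != rp_dom:
        flags.append("from_return_path_mismatch")

    return {"from_domain": from_dom, "return_path_domain": rp_dom, "flags": flags}


if __name__ == "__main__":
    for name, sample in [("internal", SAMPLE_INTERNAL),
                         ("lookalike", SAMPLE_LOOKALIKE),
                         ("spoofed", SAMPLE_SPOOFED)]:
        print(name, classify_sender(sample))
```

A gateway rule would quarantine or tag anything returning a non-empty `flags` list; the Return-Path comparison is a coarse stand-in for proper SPF/DKIM/DMARC alignment checks, which should be enforced in addition to this kind of heuristic.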
“FIs are attacked 300% more than other industries,” Leonard said. “The reason is simple — financial data is more valuable than other kinds of data.”
Websense released a report on security for financial services earlier this week.
A common attack method, Leonard said, is to perform reconnaissance, then send a lure, usually an email. If that lure gets a bite — meaning it’s opened — another is sent, containing an exploit kit. This kit lets the attacker install malware on the machine to harvest data, and potentially to attack other machines. In some cases, an email server can be taken over and fraudulent emails sent from there, either internally to employees or externally to customers.
Whether this ominous scenario has actually happened to any FIs, Leonard didn’t say.
The next frontier beyond email is text messages. Websense is currently tracking efforts to infect mobile devices of bank employees. FIs need robust “Bring Your Own Device” policies, Leonard said, “to close as many security loopholes as possible.”
Authentication methods employing biometrics are gaining popularity in part because people are over the “creepiness factor,” said Micah Willbrand, director of global AML product marketing at NICE Actimize. Banks are also moving increasingly toward automated processes that lessen the risk of social engineering and human error.
“Sales guys cut corners to make sales,” Willbrand said. “Humans cut corners.” Software doesn’t.
Still, effective software or not, some fraud will always happen. “You set initial controls to scare off the lazy,” Willbrand said. “You push the fraud down the street. You’re trying to create a barrier online, but this can result in customers going to other places where the barriers are lower.” Willbrand was referring to nonbank players who don’t (yet) face the regulatory pressure that banks do.
For FIs, then, it’s a delicate balancing act between security and convenience, but few compromises can be made where security is involved.
“Security has to be all-pervasive,” Leonard said. “Malware authors are always adapting.”