
Emerging Trends in Online Fraud

As the Internet and online activities evolve, so does the threat from scamsters, who closely watch your every move and wait to pounce on the first available vulnerability. We discuss the latest threats and some options to protect your data.

Thursday, September 03, 2009


The convenience and ease of conducting financial transactions with a single click has helped online banking come of age in India and many other parts of Asia. As a result, these geographies represent a ripe new market for cyber criminals who look to launch online attacks and commit fraud. Recent reports indicate that roughly 10% of all global phishing activities specifically target India. As evidence of this disturbing trend, several Indian banks came under attack in 2008, targets of over 400 phishing scams in just a few months. Even more alarming is the fact that more than 80 Indian banks lack adequate security measures for protecting their online users, as reported by NASSCOM.

Phishing first gained traction in 1996. Today, it has evolved into a far more menacing criminal enterprise, with bands of fraudsters working together to create schemes that dupe unsuspecting online users into divulging personal details, most often their online banking credentials. The popularity of phishing scams within fraudster circles is mainly driven by a low execution cost and the fact that little technical knowledge is required to set them up.

Online fraud continues to grow
Online fraud has become a vast global network, bringing together bands of cyber criminals to do what they do best – steal money and identities from unwitting online users. When we think about the evolution of the Internet and the new types of, and methodologies for, crime, we can quickly conclude that the Internet has not only enabled businesses to develop new routes to market and explore new business models, it has also done exactly the same for fraudsters. The criminal underworld has the added bonus of working in a completely unregulated global economy – a true free market! These fraudsters are full-time professionals, ably supported by an economy of goods and services that has evolved to support their needs.

This unique characteristic of the fraudster economy lowers the barriers to entry for those seeking an induction into this criminal underworld as they only have to offer expertise in one specific area and can buy or partner for the rest of what they need.

We expect to see more 'spear phishing' – highly targeted attacks against specific individuals for key pieces of information. It usually begins with a message that looks like an official email from a bank. The text within the email tells the user that he/she needs to access the bank's website and update his/her personal information, or risk having his/her account suspended or closed. The email usually contains a link that the user can click on to go to the bank's website. Once clicked, instead of directing the user to the bank's website, the link actually takes the user to a spoofed website that looks nearly identical to the bank's official website and is intended to steal the user's information.
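A mail filter can check where the links in such a message really lead before the user sees them. The sketch below is an added example, not part of the original article; the bank domain, the sample email and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the one domain the bank really sends customers to (constructed).
BANK_DOMAIN = "bank.example"

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def is_bank_host(host):
    # Exact match or a true subdomain; "evilbank.example" does not qualify.
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)

def suspicious_links(html_body):
    """Return (href, reason) for links that pose as the bank but lead elsewhere."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = (urlsplit(href).hostname or "").lower()
        if is_bank_host(host):
            continue
        if BANK_DOMAIN in host:
            findings.append((href, "bank name embedded in another domain"))
        elif BANK_DOMAIN in text.lower():
            findings.append((href, "link text names the bank, destination differs"))
    return findings

# Constructed sample message body: two spoofed links and one genuine link.
SAMPLE_EMAIL = """
<p>Update your details now or your account will be suspended.</p>
<a href="http://bank.example.account-verify.example/login">Update now</a>
<a href="http://192.0.2.10/secure">www.bank.example</a>
<a href="https://www.bank.example/help">Help</a>
"""
```

Calling `suspicious_links(SAMPLE_EMAIL)` returns the first two links with their reasons and leaves the genuine help link alone.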

Layered security is the best protection
Staying a step ahead of online criminals and being prepared to address new threats is critical to fending off fraud. Financial institutions must establish a layered approach to security which is key to lowering the overall risk posed by phishing and other online threats. A layered security approach has three core elements:

  • Understand the threat landscape
  • Use multi-factor authentication to protect login
  • Monitor user activities and transactions

Understand the threat landscape
Financial institutions must understand the threats that are targeting their businesses and the relative risks they pose. By doing so, they can mitigate the risk of online fraud or even prevent it from occurring at all. By gathering and sharing intelligence and developing a broad knowledge of potential threats, they can better evaluate their own vulnerabilities and implement security solutions to protect their customers.

Use multi-factor authentication to protect login
Multi-factor authentication, coupled with username and password authentication, is essential to prevent unauthorized access to a user's personal data and account information. Some of the more popular technologies in this area include risk-based authentication, one-time passwords, and site-to-user authentication.

Monitor transactions and activities that occur post-login
Financial institutions should also consider implementing a transaction monitoring solution that analyzes and challenges high-risk transactions after a user has logged in to his/her account. Transactions typically require more scrutiny and pose more risk to financial institutions than just the act of logging in to an account. Transaction monitoring solutions analyze a combination of factors such as the IP address, characteristics of the user's computer and the actual behavior of the user (i.e., is the amount of this money transfer typical of the user?) to help identify and mark suspicious activities that may require further review by the financial institution.
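The sketch below shows how those three factors can be combined into a single post-login decision. It is an added example, not part of the original article and not any vendor's product logic; the point weights, thresholds, profile data and names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from statistics import median

@dataclass
class Profile:
    """What the monitor has observed for one customer so far."""
    known_ips: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    past_amounts: list = field(default_factory=list)

def amount_deviation(amount, history):
    """Robust z-score: distance from the median in units of scaled MAD."""
    if len(history) < 5:
        return None  # too little history to call an amount typical or not
    med = median(history)
    mad = median(abs(a - med) for a in history) or 1.0
    return abs(amount - med) / (1.4826 * mad)

def score(profile, txn):
    """Return (risk points, reasons) for one post-login transaction."""
    hits = []
    if txn["ip"] not in profile.known_ips:
        hits.append((30, "unfamiliar IP address"))
    if txn["device"] not in profile.known_devices:
        hits.append((30, "unfamiliar device"))
    dev = amount_deviation(txn["amount"], profile.past_amounts)
    if dev is None:
        hits.append((10, "no amount history"))
    elif dev > 3.5:
        hits.append((40, "amount atypical for this user"))
    return sum(p for p, _ in hits), [r for _, r in hits]

def decide(points):
    # Thresholds are illustrative assumptions, to be tuned per institution.
    if points >= 70:
        return "hold for review"
    if points >= 30:
        return "challenge user"
    return "allow"

# Constructed sample profile: one usual IP, one usual device, six transfers.
PROFILE = Profile(
    known_ips={"203.0.113.7"},
    known_devices={"dev-a1"},
    past_amounts=[1200, 900, 1500, 1100, 1300, 1000],
)
```

A transfer of 95000 from the usual IP and device scores 40 and triggers a challenge; the same transfer from an unfamiliar IP and device scores 100 and is held for review.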

Information risk management
Financial institutions can also use a strategy based on information risk management to protect against online fraud. Managing information risk in the IT setup is distinguished by three key characteristics:

  1. Risk is information-centric. Information has been recognized as one of the most important assets in our economy and is increasingly becoming a key factor in perpetrating many types of fraud. Focusing on information clarifies business context, and following its path across the IT infrastructure reveals where it is potentially vulnerable.
  2. Using risk as a lens for security investment decisions ensures that the most significant challenges in mitigating fraud are addressed first.
  3. It is repeatable. The emphasis should be on implementation of processes and solutions based on standards, frameworks and best practices that can be leveraged across multiple security and compliance initiatives – saving time, money, and effort.

When a financial institution adopts a framework, holistic analysis, methodology and plan for dealing with security requirements, it is essentially putting a security program in place to solve these problems: it can take advantage of the commonalities between security and compliance programs, while at the same time reducing opportunities for a fraudster.

Educate your customers
There is an ongoing debate about the impact of customer education and how much it really does to mitigate the threat of online fraud. There are a number of public sources available that can be used to make people more aware. For example, Carnegie Mellon University developed a new tool called Anti-Phishing Phil. The game teaches users how to identify phishing URLs, where to look for the black holes in web browsers, and how to use search engines to find legitimate sites. Interactive tools such as this are great ways to engage consumers and raise online safety and security awareness amongst all stakeholders.

Arthur W Coviello, Jr, President RSA, The Security Division of EMC
