If you thought we’d ever catch a break from the onslaught of cyber crime, think again: Cyber criminals never sleep, and Senior Fraud Prevention Strategist Etay Maor of Trusteer, an IBM company, illuminated this reality during his webinar “Cybercrime Threat Landscape: Cyber Criminals Never Sleep.” Maor began his discussion with a bit of humor, demonstrating how a security team operating in isolation is doomed to work-arounds from both the constituency and the adversary with a visual: a security gate on a road with open field on either side. The visual shows tire ruts to the left and right of the gate, illustrating the fact that driving around the gate was just as effective as waiting for it to open. The cyber criminals are hoping that your company’s fraud prevention strategy is exactly like this gate. Why go through it when they can just drive around it?
The growth of cyber crime and the ease with which cyber criminal syndicates are creating and proliferating their tools is demonstrative of the maturation of online crime. Criminals have evolved their mechanics to achieve a more holistic view with two end goals: monetization and expansion of capability. Maor shared two specific areas in which this is possible: the online/mobile banking landscape and intellectual property/business data.
In the event of a hack of a consumer’s bank account, current U.S. banking procedures protect the consumer, but should a consumer fall victim to personally providing a wire transfer or similar to the criminal, that money is nonrecoverable. The banking procedures for businesses, however, are not so generous. A loss caused by a compromised infrastructure or an employee hack can be lethal for a small business. One small, rural hospital lost $1.3 million to organized criminals who accessed the 96 separate bank accounts controlled by the hospital. When the criminal was apprehended some time later, he noted that he would have taken more, but he did not have the means to launder or process the funds.
Phishing is the art of getting someone to do something they may otherwise not have been inclined to do — setting the hook in the phish (the individual user), so to speak. Throughout the webinar, the recurring theme was Defense in Depth with multiple layers and steps. Criminals are working hard to defeat these various levels of defense, but as good as they may be, a robust fraud prevention infrastructure coupled with user education goes a long way toward fraud prevention. Some of the areas worthy of approbation are:
- External and perimeter defense
- Virtual machines (VMs)
- Credential protection and encryption
- OTP SMS (One-Time-Password via Short Message System, aka text message)
- Device ID
- Behavior-anomaly detection
- Clickstream analysis
Maor visits cyber neighborhoods that the average user would not be able to begin to navigate. These neighborhoods operate on the unindexed “darknet” of the Internet. There, one can find the bazaars of the cyber criminals that provide stolen data or properties (personal identifying information or credit cards), tools and scripts for use (for a fee) and training sessions on how to use these tools, all created to be engaged when the bait hooks the target phish.
The criminals’ arsenal of tools continues to mature and evolve. They are well aware that more fraud prevention entities are coming online and that more individuals are taking steps to protect their assets. The malicious tools presented during the webinar would induce heart palpitations for even the most seasoned business executives. The tools included: scripts to determine whether malware is detectable by specific anti-virus software, virtual hosting environments from which to launch the criminal activities, spoofing specific device nomenclature to give the “right responses” on what device is trying to access an environment and lessons on behavior.
There is a common misconception that the cyber criminal is simply a “script kiddie” running scripts they bought online. While those who are caught can oftentimes be just that, advanced cyber criminals are well educated, have substantial resources and build tools and capabilities to guarantee their monetary flow for the long term; their investment in behavior-profiling countermeasures is indicative of this. One bank reported 1.5 million accounts were reviewed after 10 million login attempts. The cyber criminals did not attempt to conduct fraudulent behavior on the first login; indeed, they worked to season the account so that it would fall into the middle of the bell curve and not be considered an anomalous account worthy of attention from a fraud prevention specialist.
As we move our banking from our laptops and desktops to our mobile devices, we should be asking, “Did I also migrate all the security protection I had in place on my laptop or desktop to my mobile device?” And for the organizations who are being touched by those mobile devices: Does your fraud prevention solution provide real-time intelligence to the analytic team? Are false positives minimized and the customer experience uninterrupted? When security becomes inconvenient, security becomes nonexistent, since users will quickly seek work-arounds. Thus, a decision must be made: Do you build your own solution or find a partner with experience and capability? The recent “2014 IBM Cyber Security Intelligence Index” indicates that in 2013, there were 91 million events that resulted in 17,000 potentially critical attacks, which IBM’s analysts determined averages out to about 109 security incidents for the average company. How many security incidents did your company have? Would you even know?
The webinar provides food for thought and a great deal of education on the arsenal of options available to those who wish to separate their funds or information from their persons and companies. The Cyber Security Intelligence report makes it very clear that the criminals are not going away. Knowing what you are up against is the first step; doing something about it needs to follow.