Fraud: Social Media Heightens New Threats

As fraudsters increasingly seek to exploit weaknesses in consumers' defenses through social engineering schemes rather than hack vulnerabilities in banks' security systems, the need for enterprisewide solutions to detect fraud across channels is greater than ever.

Those online services extend all the way to enabling a customer to open an account online with an electronic signature. "We may open an account with a member and never see their face," Guerrero relates. "The risk is high, but we have measures in place [to ensure] that the person who is applying for a loan or a new account is who they say they are."

In 2006 the company started working with VeriSign to implement the vendor's fraud detection system. The VeriSign solution monitors traffic that comes through the online banking site and develops behavioral patterns for members based on factors such as transaction types and where and when they access their account, explains Sri Balaji, a solutions design and development manager at Addison Avenue. "Everybody has a unique behavioral map. Whenever the system detects a deviation from that existing map, it challenges the member to authenticate themselves," says Balaji, who managed the team that implemented the VeriSign solution.

On top of the behavior engine, the VeriSign solution allows Addison to provide rules to, for example, target specific high-risk transactions for additional authentication. "Everything is happening in this online system, so we really want to put a lot of rigor in place in terms of validating and authenticating the user who is submitting those requests," Balaji comments.
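To make the two layers concrete, here is an added illustration (not VeriSign's or Addison Avenue's code) of a per-member behavioral baseline with a rule layer on top: the score measures how far a login and transaction deviate from what the member has done before, and the rules force step-up authentication for named high-risk transaction types regardless of score. The weights, the `HIGH_RISK_TX` set, the amount limit and the sample history are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Profile:
    """Per-member behavioral baseline learned from prior sessions (hypothetical)."""
    countries: Counter = field(default_factory=Counter)
    hour_buckets: Counter = field(default_factory=Counter)
    tx_types: Counter = field(default_factory=Counter)
    seen: int = 0

    def learn(self, country: str, hour: int, tx_type: str) -> None:
        self.countries[country] += 1
        self.hour_buckets[hour // 6] += 1      # four six-hour windows per day
        self.tx_types[tx_type] += 1
        self.seen += 1


def _rarity(counter: Counter, key, seen: int) -> float:
    """0.0 when the value is routine for this member, 1.0 when never seen."""
    return 1.0 - counter[key] / seen if seen else 1.0


# Rule layer (assumed values): these always trigger an additional credential.
HIGH_RISK_TX = {"add_payee", "external_transfer"}
LARGE_AMOUNT = 5000.0
MIN_HISTORY = 5          # too few sessions to trust the baseline


def decide(profile: Profile, country: str, hour: int, tx_type: str,
           amount: float, threshold: float = 0.5):
    """Return (decision, score); 'challenge' means send a one-time code."""
    score = (0.5 * _rarity(profile.countries, country, profile.seen)
             + 0.2 * _rarity(profile.hour_buckets, hour // 6, profile.seen)
             + 0.3 * _rarity(profile.tx_types, tx_type, profile.seen))
    if tx_type in HIGH_RISK_TX or amount >= LARGE_AMOUNT:
        return "challenge", round(score, 2)   # rule hit overrides the score
    if profile.seen < MIN_HISTORY:
        return "challenge", round(score, 2)   # no usable behavioral map yet
    return ("challenge" if score >= threshold else "allow"), round(score, 2)


# Constructed history: 20 prior sessions, all from "US" during working hours.
SAMPLE_HISTORY = [("US", 9, "balance")] * 10 + [("US", 14, "bill_pay")] * 10


def build_profile(events) -> Profile:
    profile = Profile()
    for country, hour, tx_type in events:
        profile.learn(country, hour, tx_type)
    return profile
```

A routine balance check from the usual country is allowed, the same request from an unseen country at 3 a.m. scores 0.85 and is challenged, and adding a payee is challenged by rule even at a low score.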

Addison Avenue's enterprisewide fraud mitigation practices are augmented by specific security layers that aim to ensure users are who they are purporting to be. Like Bank of Hawaii, the credit union introduced one-time pass codes to the authentication process. According to Balaji, when additional credentials are required the company sends users the one-time pass code via phone, e-mail or SMS text message.

Addison also rolled out hardware tokens that generate random one-time pass codes, Balaji adds. The tokens are available to members in various form factors, including key fobs and a credit card-size device. BlackBerry and iPhone users can download software to their mobile devices that serves the same function as the hardware token.

Addison first went live with the VeriSign solution in late 2006 and since the initial deployment has continually updated the system's functionality, adding features such as rules, phone OTP (one-time password) and SMS OTP, Balaji reports. The most recent addition, she notes, was the hardware token rollout, which went live in June 2009.

That progression perhaps best sums up the constantly evolving battle financial institutions face when it comes to fighting fraud. Yesterday's secure practice can become tomorrow's security liability, especially with the advent of cross-channel threats.

"It's a constantly evolving landscape, and our own evolution with the [VeriSign] system speaks to that. When we started off, sending a one-time code to an e-mail was acceptable. Now you have Trojan [horse viruses] and key-loggers, and people's e-mail accounts are getting compromised," Balaji says. "There isn't any one answer that is going to lead to complete security. We have to constantly tweak rules and work toward the next generation [of security solutions] to try and keep up with the hackers."
