
Three Ways to Deter Cyber Crime


By Joe Spatarella, Online Banking Solutions

Ironically, as businesses move from risky paper check payments to a safer means of electronic B2B payments, the online banking systems through which payments are originated have become an attractive fraud target. Although businesses are using payment fraud control devices such as ACH Positive Pay and ACH Debit Filter, they only mitigate fraud after it occurs. There are at least five fresh reasons to step up the security investment.

1. The browser is the weak point. Trojans and other malware, such as man-in-the-browser attacks that are difficult to detect, hijack the transaction inside a browser session and subsequently attack the application and database on the server. According to FinServ Strategies, most of the top 100 banks have experienced similar incidents. Man-in-the-browser attacks are becoming mainstream, RSA reports in its whitepaper, "Business Success in a Dark Market: An Inside Look at How the Fraud Underground Operates," especially in the U.S. and Europe where two-factor authentication is already densely deployed.

2. The customer is the endpoint. Banks deliver services to business customers through the browser; however, they aren't in control of the business's computing environment. Businesses are legally responsible for their transaction banking environment, but 20 million U.S. small businesses are particularly vulnerable to cyber fraud: they don't have the experience or resources to combat fraud, yet they initiate high-risk payment transactions (e.g., ACH, wires). Many banks provision online services to small businesses on consumer systems with inadequate security for business activity.

3. Tweet this - multichannel banking is here. The cyber threat environment is growing more complex, especially as Web banking expands from Web and file transfer to mobile/smart phone and social channels and as the workforce grows younger. An integrated multichannel approach to information, transactions and fraud is necessary to lower costs and increase effectiveness.

4. Single sign on lags business banking. Banks are seeking new corporate/business portal solutions or independent SSO applications to solve the security usability problem. If the bank looks for an SSO solution in an existing packaged online banking offering, it may not get the integrated authentication and entitlements it needs. "Most solutions secure the session," says Nick Owen of WiKID Systems. As malware is now attacking at the application level, transaction authentication needs to be cryptographically distinct from the session.

5. Fuhgettaboudit - cyber crime is organized crime. According to RSA, Internet fraudsters have created an end-to-end supply chain to advance malware attacks and the online vector used to efficiently deploy them. While the security technology market is creating security-as-a-service solutions, criminals are creating fraud-as-a-service and fraud has moved from the consumer to businesses that initiate payments and bank online.
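The point in reason 4, that transaction authentication should be cryptographically distinct from the session, illustrated as an added example (not from the article or any vendor it names). The `Bank` class, the field names, the account values and the out-of-band device key are assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets

FIELDS = ("from_acct", "to_acct", "amount_cents", "nonce")

def transaction_code(device_key: bytes, txn: dict) -> str:
    """8-digit code over the payment details, keyed by the out-of-band device key."""
    msg = "|".join(f"{f}={txn[f]}" for f in FIELDS).encode()
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class Bank:  # hypothetical server-side model, for illustration only
    def __init__(self):
        self.device_keys, self.sessions, self.used_nonces = {}, {}, set()

    def enroll(self, user: str) -> bytes:
        self.device_keys[user] = secrets.token_bytes(32)
        return self.device_keys[user]          # provisioned to the device, never to the browser

    def login(self, user: str) -> str:
        token = secrets.token_hex(16)
        self.sessions[token] = user
        return token

    def submit_session_only(self, session: str, txn: dict) -> bool:
        return session in self.sessions        # anything sent inside the session is trusted

    def submit_with_txn_auth(self, session: str, txn: dict, code: str) -> bool:
        user = self.sessions.get(session)
        if user is None or txn["nonce"] in self.used_nonces:
            return False
        if not hmac.compare_digest(transaction_code(self.device_keys[user], txn), code):
            return False
        self.used_nonces.add(txn["nonce"])     # one-time: the same approval cannot be replayed
        return True

def demo() -> dict:
    bank = Bank()
    key, session = bank.enroll("acme-treasury"), bank.login("acme-treasury")
    intended = {"from_acct": "1001", "to_acct": "2002", "amount_cents": 500000,
                "nonce": secrets.token_hex(8)}  # constructed sample payment
    altered = dict(intended, to_acct="9999")   # payee changed in the browser after approval
    code = transaction_code(key, intended)     # customer approves what the device displays
    return {
        "session_only_accepts_altered": bank.submit_session_only(session, altered),
        "txn_auth_accepts_altered": bank.submit_with_txn_auth(session, altered, code),
        "txn_auth_accepts_intended": bank.submit_with_txn_auth(session, intended, code),
        "txn_auth_accepts_replay": bank.submit_with_txn_auth(session, intended, code),
    }
```

A valid session alone lets the altered payment through; binding the approval code to the payee, amount and a one-time nonce rejects both the altered payment and a replay of the approved one.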

But new approaches are emerging to tackle 21st century online banking problems. Among them are the secure browser and integrated single sign on. Banks are taking three positive steps in the right direction:

Organizing to combat fraud. Business fraud incidents are significant (albeit underreported), as related by major security companies and members of industry entities such as the Financial Services-Information Sharing and Analysis Center. Formed by presidential directive in 1999, FS-ISAC now has 4,100 members from institution, brokerage and insurance sectors. "Members successfully share threat vulnerabilities through a network of trust that guarantees anonymity, while reporting important threat information to financial industry, government and other industry sectors," says FS-ISAC president William B. Nelson.

Implementing secure browsers. The secure browser solves the openness problem of the Internet without plunging the world back into private networks. Much like a dedicated business-to-bank connection, the secure browser uses only the rendering portion of the browser, restricts URL destinations to a bank- and company-controlled list through entitlements, and self-tests for changes that indicate malware such as Trojans. This creates a secure connection akin to a virtual private network, but without the technical requirements and cost overhead. Like a regular browser, the secure browser performs site authentication, but it shuts the user down if a site is not authenticated, rather than asking the normal user to decide whether it is okay to continue during an abnormal event.

Using integrated, single sign on. Independent integrated SSO solutions are appearing to fill the security gaps of online business banking and cash management solutions, which were never intended as portal or SSO solutions. The new integrated SSO combines user credential management for entity Websites and browser validation with a multi-layered security approach that includes strong authentication, software-based keyboards to thwart keyloggers, one-time perishable passcode generation and utilization, and strong authentication of destination Websites to prevent DNS poisoning and pharming.

The global economic costs of cyber crime are estimated at more than one trillion dollars and costs to the U.S. at about $8 billion. The banking industry is moving to shared fraud analytics to detect cyber crime in flight, but it should also be prevented at the outset. Financial products with built-in security are absolutely essential. Industry groups, banks and technology companies are emerging to fill the gaps and build the online experience with the proper foundation to mitigate threats that have moved beyond network perimeters to applications and data.

Joe Spatarella is vice president of sales and marketing for Online Banking Solutions.
