Emerging Mobile Banking Risks
BAE's Jim Anderson on Latest Threats, Solutions
Mobile banking brings new opportunities to institutions and customers alike - but also a host of new security risks. Jim Anderson of BAE Systems Applied Intelligence discusses the emerging landscape.
In addition to the risks brought by mobility, Anderson is struck by the commoditization of cybercrime, where fraudsters can easily leverage proven Cyber Kits to commit crimes. They just need access to the fraud underground, where exploits are readily available.
"What that's done is lower the barrier to entry with regards to bad actors out there," says Anderson, president for the Americas region. "So, it's leading to a much riskier environment out there where people just have to be aware of what's happening and on the lookout for something that might go wrong."
In an interview about the threat and solutions landscapes, Anderson discusses:
- Fraudsters' latest techniques;
- Advanced security solutions to protect banking consumers;
- Emerging threats and how to prepare to defend against them.
Anderson, President of the Americas region, BAE Systems Applied Intelligence, brings over 25 years of experience of sales and consulting with organizations in the high tech industry. Most recently, he served as Global Sales Director, Unified Computing at Cisco, Inc. Prior to that, he was with Dell, Inc. where he served as VP, Server and Storage Sales for the Public Sector. Before his tenure at Dell, he served in various leadership roles at Hewlett-Packard for 14 years.
Threats to Banking Consumers
TOM FIELD: How have the threats to banking consumers changed over say the past 18 months?
JIM ANDERSON: There are really three main trends that are affecting the threats that banking consumers are facing over the past 18 months. First, we all know that consumers have many ways to interact with their bank, right? There's cloud, mobile apps, and what that has led to is a convenience for the customers. But it's also added a little risk with regards to the information being shared via those many channels. And so the first thing I've observed is that the number of mobile Trojans has really increased over the past year. So in essence, it's just become a more risky environment for people using their mobile devices out there, and bad actors are trying to take advantage of that.
The second thing that's an interesting trend out there is the criminals have developed a lot more sophisticated techniques, and they are involving these to do things like steal money from you. So there is an increasing financial risk that we face as consumers when we try to do transactions that way, and once again something you just need to be aware of.
The third thing that is interesting is just the commoditization in general of the cybercrime market. You can go out in the cybercrime market today and get kits. What that's done is lowered the barrier to entry with regards to bad actors out there. Again it's leading to a much riskier environment where people just have to be aware of what's happening and on the lookout for something that might go wrong.
Less Effective Techniques?
FIELD: Do you find that these changes mean that techniques banks have used historically are now less effective?
ANDERSON: No, I wouldn't say that they are less effective. I would say that these techniques really just need to evolve, like the techniques criminals use to take advantage of the environments of freight. A lot of companies today have signature-based authentication techniques, and are trying actual monitoring techniques. Those are how I look at the categories out there. But I think what has to happen here is, they have to evolve to take advantage and deal with an increasing threat. For example, signature-based techniques need to be more involved with threat intelligence so they are more effective. Likewise, authentication techniques have to look not just externally, but internally, and make sure we're validating on both sides of the house. And with transaction monitoring, we have to take advantage of more analytics and big data. So we can look at the anomalies associated with our environment, and then make sure that we act on them. So I wouldn't just say they are less effective. I would say they need to evolve just like the techniques criminals are using evolve, and there are ways that companies can do that so they can be more effective.
FIELD: What are some specific incidents you see where digital criminals are using weaknesses to exploit existing security defenses?
ANDERSON: I just think it's evolving over time. So an example might be social engineering that they're using for phishing techniques. In the past, emails were pretty basic. Now using social engineering, they make them look a lot more legitimate, so they are able to get information from the customers by making the email seem like it is coming from a legitimate source and act on it. Social engineering is one of the things that has evolved over time.
I also look at the fact that malware is not simply delivered by email anymore. So in the past, it was delivered by email. You knew where it was coming from. Now you have web-based exploits, you have watering hole attacks, and so there are many different ways that bad actors can deliver malware to the environment, and this is something that we need to be on the lookout for.
The other interesting thing I have found is that there are reports that bad actors are using multiple attack vectors to address or infiltrate a particular target. So people combining DDoS attacks with cyber kits to get information, [or commit] identity theft. We have to look at a broader perspective with regards to the mini-vectors that we're now being attacked [from]. And last but not least, people can go out and purchase malware, build on top of that malware and go out there. So whatever works in the environment, someone can go in today's commercial market, buy it, add to it, and try to create new techniques to really infiltrate an environment. So it's all about evolution of our defensive techniques and proactive techniques to monitor what is going on in the environment.
Shoring Up Security Gaps
FIELD: In terms of defense, what are some of the things that banking institutions can be doing to shore up their security gaps?
ANDERSON: I think it begins with a couple of things. First of all, we talked about signature-based types of defenses. I think the key to moving forward is threat intelligence. The more you know about your adversary, the better. One of the things that all banks should take a look at, whether you are big or small, is how you are going to integrate threat intelligence into your defense system right now so that you can act on it and be more effective.
The other that shows a lot of promise is analytics. How can you take the analytics associated with data? People should look at network forensics at both the network and end points, and then try to look for some behavior aspect or anomalies associated with that. I think that's a promising technology.
The third area that even we've looked at is the concept of web virtualization. You try to separate out some of the aspects and threats associated with the bad actor, and in essence remove their ability to command and control. We talk about if you assume that the actor or bad actor is going to get into their environment, what we really want to do is limit what they take out. And things like web virtualization can help prevent establishing command and control in environments and actually taking data out of the environment without the customer knowing.
Using Security Techniques
FIELD: How have security techniques been used in other applications, and how well have they worked there?
ANDERSON: They have been using another application in good areas like fraud. What you see is a combination of fraud and cybercrimes coming together and with regards to fraud, we do things like social network analytics. We take a look at the behavior analytics or social networks analytics associated with the environment and try to look for anomalies. You see a lot of web virtualization happening across many technologies today, but a good example is VDI environments; they've created a virtual environment to try to make their environment more efficient. We see the same things from several companies that create this web virtualized environment; you're interacting with a virtual browser and you're limiting the ability for someone to do damage in your environment even if they do get in. So I do see that the techniques are being used, and it's good that with the combination of fraud and cyber that we're bringing the best of both worlds together to try to manage the risk associated with data in our environment.
Digital Criminals' Reaction
FIELD: How should we expect digital criminals to react to the latest security techniques we have in place?
ANDERSON: There is no silver bullet. The criminals will evolve as well as the technologies that we use to protect our assets. This is a journey that will go on where we must continually assess the environment, look for the latest techniques out there. That's why intelligence is very important; what are the bad actors doing? Let's make sure we're educated on that side of the house. What are the anomalies we should be looking for in our environments? How can we collect data, network forensics, end point forensics, and try to stay ahead of the criminals and what they are trying to do on a proactive basis? This is something that's going to be going on for a while. We can all agree on that, but we just have to balance the risk associated with the environment, and encourage all the banks to partner on the business side with the IT side. We need to [investigate] what the trade-offs are and what the priorities are of the assets we want to protect and make sure that we put our energies into that. We don't want to create an overall experience that is bad for our customers either. So we've got to balance all these challenges out there.