Wednesday, 22 October 2008

Phishing attacks rise as banks are distracted

With banks focused on shoring up liquidity and preventing runs on their shares, it seems online fraudsters are taking advantage of this opportunity to launch an ever increasing number of phishing attacks.

Brand monitoring specialists,
Envisional identified almost half a million (460,000) separate phishing emails sent to bank customers in the six month period from April to September, with more than 170,000 in June alone (up 117% on June 2007).

According to Envisional, overall volumes of phishing emails sent to bank and insurance company customers were up 40% compared to 2007. It reports that one bank was hit by 350 separate attacks in one day.

Phishing emails which try to trick customers into giving away passwords and PINs, also demonstrated different targeting strategies, with 135,000 phishing emails targeting one specific bank in June. Phishers then changed tactics in July targeting two banks.

Who should be liable for online fraud?

Posted by Anita Hawser

Who should be liable/responsible for personal internet security? It is a subject that has stimulated much debate in the UK Houses of Parliament with the House of Lords Science and Technology Committee publishing its damning Personal Internet Security report last year.

Highlighting the increasing incidence of online fraud, ID theft and phishing, the report recommended establishing a framework for collecting and classifying data on e-crime, and “more rigorous and co-ordinated analysis” of the incidence and costs of such crime. The latest APACS figures show that online banking fraud losses increased 185% to £21.4 million in the six months to June.

It also talked about deployment of security software at ISP level, the need for a dedicated regulator for the online world, and for Government to increase banks' fraud liability. In essence the report said that instead of the weight of responsibility for online security falling on individuals, responsibility should be "distributed".

More than a year since the committee published its report, there is talk of
a specialised e-crime police unit being established. Other recommendations such as the passing of legislation to ensure banks take responsibility for losses incurred by electronic fraud and rules forcing software companies to accept culpability for damage caused by security flaws, which would allow individuals to report online fraud to the police rather than to their bank, have not been implemented.

With banks already having to receive a lifeline from the government just to finance their normal operations, it seems unlikely that the government (who is now a shareholder in UK banks) will pressure them into incurring liability for losses resulting from online fraud.

It comes back to that all important question I asked at the beginning - who should be culpable? And as responsibility for online fraud is distributed - amongst banks, ISP providers and hardware and software vendors - who is the most liable or culpable at any given point in time?

Phil Hickman, chairman of ValidSoft – internet security and transaction verification experts – argues that service providers should take responsibility for the security of users:

“Traditional security provisions employed online have been shown time and time again to be ineffective at protecting users from the threats presented by advanced fraudulent techniques. Authentication techniques used by financial institutions, for example, have so far proved unsuccessful at preventing identity theft and electronic fraud. Defence techniques currently used are simply not sophisticated enough to counter Man-in-the-Middle/Man-in-the-Browser attacks or information stealing techniques like phishing.”
The Parliamentary Committee has debated the idea of a "code of conduct" or "kite mark" for ISPs, this may be difficult to enforce and could increase costs for internet access. And given the "layered" nature of the internet, attribution of liability is problematic.

With the banks already focused on anti-money laundering and issuing customers with one time only password generators for online banking,it seems that UK politicians favour raising "the bar of expectation" on software vendors, either voluntarily or at the EU level.

Surely more needs to be done around giving the Data Protection Act more teeth, and in the case of government leakages or breaches of personal customer data imposing hefty fines equivalent to those imposed on private companies?

This is likely to become more of an issue given that the UK government wants to compile a huge centralised database containing personal details of people's communications in order to supposedly combat terrorism.

Securing laptops remotely

Posted by Anita Hawser

Mobile security is one of the biggest problems companies face. Employees taking laptops out of the company firewall and securing remote workers can be challenging to say the least.

And one does not need to point out that increasingly regulators are taking a dim view of customer data that is loss through company or employee negligence. Last year, the Financial Services Authority in the UK fined Nationwide Building Society £980,000 for the loss of a laptop which contained "confidential customer data" on 11 million customers.

Telecoms/network provider Alcatel-Lucent Bell believes it has the answer to securing remote workers and lap tops with its
OmniAccess 3500 Nonstop Laptop Guardian. Invented in Bell Labs, the solution is an "always-on mobile security solution card that remotely secures, monitors, manages and locates a mobile computer and protects laptops and the data that resides on them".

"The mobile blind spot is defined as a condition where enterprises have no visibility or control over the location, use or configuration of employee laptops, increasing the risk of government fines, company reputation and hampering day-to-day operations of organisations. With this technology, enterprises have 24/7 access to employee laptops – enabling them to automatically enforce policies for compliance and deliver software patches and upgrades to their increasingly mobile workforce even if the laptop is turned off."
Forty-five percent of respondents in a recent study of 255 executive level IT, security and compliance decision makers from the US and Germany, admitted they have to deal with mobile blind spots. “The study shows nearly three out of four IT security managers have had to help their company deal with the consequences of a lost or stolen company laptop,” explained Tom Burns, head of Alcatel-Lucent enterprise activities.

An additional 76% said a lost or stolen laptop needed to be protected with more than encryption – for example, having the ability to locate the device using GPS and remotely revoking access to data. This is particularly useful if the laptop has been stolen, although looking at the picture of the mobile security card, a question that springs to mind is what happens if someone removes the device from the lap top?

According to the survey, 50% of companies state they would switch their wireless service to a provider with a security solution that protects lost or stolen laptops used remotely. No surprises then that
SingTel of Singapore, Magyar Telekom of Hungary, and broadband carrier IIJ (Internet Initiative Japan Inc.) of Japan have announced they plan to offer the Laptop Guardian as a value-added service over their high-speed HSPA mobile data communications network.

The Laptop Guardian has its own processor, power supply and operating system, and it leverages wireless broadband networks, including next-generation, high-speed 3G GSM/HSPA networks. It has also been integrated with McAfee's Endpoint Encryption software.

Monday, 20 October 2008

Getting serious about money laundering

Posted by Anita Hawser

With banks' IT budgets stretched to breaking point and likely to come under increasing strain in the wake of the credit crunch, where does this leave current efforts around combating financial crime and money laundering?

In a webinar on AML trends 2008-2010, Neil Katkov, managing director, Asia research, Celent, says increasingly, banks are looking too "kill two birds with one stone" by seeking solutions that help solve multiple financial crime and compliance issues. Global spend on anti-money laundering was estimated to be $3.6 billion in 2006, with the bulk of the cost tied up in personnel training and reporting.

According to Katkov, some firms, particularly in Europe, are consolidating their financial crime efforts under one umbrella - a “Group Integrity” department that combines anti-money laundering (AML), fraud and, in some cases, security. US banks tend to lead their European and Asian counterparts in terms of AML technology spend - this may have something to do with strict enforcement and interpretation of the US Patriot Act, which places considerable focus on uncovering sources of terrorist financing.

Katkov says Asian banks have "only recently got serious about AML" (although their spending on AML is likely to grow at a faster pace) and that small banks in all regions are grappling with "manual approaches" to AML. At the lower end of the scale firms may prefer to implement an outsourced or ASP AML solution, which is slowly starting to gain traction. According to Katkov, at least one major bank in the US has outsourced its AML compliance operations

While various channels such as the diamond and arms trades are sometimes used to launder money, Katkov maintains that 82% of all money laundering activity goes through banks and brokerages. Insurance companies account for an estimated 10% of activity.

One of the biggest challenges Katkov identifies is applying existing anti-money laundering strategies and techniques to brokerage money laundering, which he says is typically part of the "layering" process - banks are the front line for money laundering. "You can’t just transfer bank AML techniques to brokerage," says Katkov, adding that trading behaviours are different.

For example, transaction peaks may not have the same significance on the brokerage side as they do on the banking side. It is also more difficult to profile customers as "execution only brokerages" may be executing trades on behalf of other firms.

Friday, 17 October 2008

A rogue trader's view on the credit crunch

Posted by Anita Hawser

Ex-rogue traders have a habit of crawling out of the woodwork in the midst of one of the worst collapses of the global financial system. Former rogue trader, Nick Leeson whose "unsupervised speculative trading" resulted in the collapse of the UK's Barings Bank in 1995, was speaking at a conference of European corporate treasurers in Barcelona recently.

Reminiscing about the good old days as an unsupervised derivatives trader in Singapore, Leeson leveled significant blame for the global credit crisis at central banks and the regulators, who he says don't understand the markets or risks they are supposed to be regulating.

"There is plenty of risk, but no one managing it," said Leeson. "After Barings there were new regulations by the Bank of England and they spoke about responsible lending, but it clearly hasn't happened."

As the financial system now has to grapple with the concept of heightened global regulation, Leeson suggests that central banks may not be the best candidates for enforcing these regulations. "Central bank understanding is very poor," he said. In his days as a derivative trader for Barings in Singapore, Leeson said the Singapore Monetary Exchange did not have people that understood the business.

"The monetary exchange knew my position. They had a process of non-disclosure but all they had to do is look up the rates on Bloomberg and see what my [total] position was. If they had done that they would have seen that I risked the capital of the bank." In 1994 Barings was capitalised at $250 million and Leeson had $500 million in Singapore.

Although the subprime crisis, which triggered the credit crunch has been attributed to the lack of transparency and complexity of mortgage-backed collateralised debt obligations, Leeson says it is not the instruments that are the problem. "It is the people operating them. Some of the biggest banks employ the best mathematicians, but their risk calculations haven't worked."

Leeson said he got away with so much during his time at Barings because management of the bank did not deem themselves to be in a position to challenge him - in other words they did not understand the markets he was investing in so he was pretty much given free reign as long as he was bringing in profits for the bank.

While rogue traders have not been directly linked to the credit crunch, the exposure of the $7 billion in losses Jerome Kerviel racked up at Societe Generale came at a time when the crunch was starting to bite and highlighted the precarious risk-taking counterculture within investment banks - some traders were literally betting the bank and getting away with it if those bets paid off. " Jerome Kerviel was a shock to me," said Leeson. "He was given far too much autonomy for a junior trader."

Tuesday, 14 October 2008

Chip and PIN is failing banking customers

Posted by Anita Hawser

With banks around the world distracted by the global credit crunch, plunging share prices and government bail-outs, this can be a time when fraudsters up the ante hoping that banks will be too distracted to notice the rising incidence of fraud.

According to risk management software provider, Actimize,
the number of mass data breaches, particularly those involving ATM and debit fraud, has accelerated, and a at time when banks' balance sheets look compromised, the reputational and direct costs of replacing lost or compromised cards, is an unwelcome additional cost for any bank to have to deal with.

Just as banks need to restore confidence in one another so interbank lending can resume, so too do they need to restore customer's confidence in debit and credit cards. But in a heightened threat landscape where the threat level is becoming increasingly sophisticated and insidious, banks appear to be on the back foot.

Fighting card fraud is not just about compromised ATMs or phishing emails anymore, as recent incidents have borne out. For example, according to Actimize, in Ireland recently fraudsters posing as bank workers, replaced credit card readers in a number of retail stores with fake readers that captured the data on 10,000 credit and debit cards.

In Calgary, Canada, local businesses were
defrauded of approximately CAN $2 million by fraudsters that broke into company databases and inflated the value of pre-paid debit cards. They then withdrew money at ATMs with "cloned" cards.

Authentication specialists,
GrIDsure, highlight a recent incident where MasterCard users were the victims of sophisticated Chip and PIN fraud involving up to 40 stores across Britain including Asda, Tesco and Sainsbury’s. It has called for affirmative action to avoid "further embarrassment" for the UK banking industry.

"While Chip and PIN scams are becoming more and more frequent, it seems that nobody is willing to address the issue head on," says Jonathan Craymer, chairman of GrIDsure. "It is blatantly obvious that Chip and PIN’s reliance on a fixed PIN number is leaving the system vulnerable to attack through sophisticated scams such as this recent one involving MasterCard customers. I wonder how many more people will fall victim to scams like this before the industry stands up and takes action."
Recent incidents highlight the vulnerabilities of Chip and PIN, which were introduced to try and prevent fraud, but Craymer seems to be saying that the industry needs to improve the security of the Chip and PIN system with the introduction of one-time PINs.

UK banks have sent smart card readers that generate one-time PINs to online banking customers, however, Craymer says it is time to find a solution that effectively addresses transaction authentication, not just on the UK high street, but also online and abroad. “Chip and PIN was introduced to put a stop to high street fraud, but as fraudsters begin to find their way around the system we have seen total card fraud losses increase by 14% in the first half of this year alone.”