“At the end of the day, we are talking about an emerging crime type and you have to do your utmost to try and keep ahead of the game. Criminals are developing new and different technologies to perpetrate basically the same old crime types,” says Mike Phelan, acting director of the Australian High Tech Crime Centre (AHTCC).
“That means we have to continually develop our repertoire of preventative measures to attack them back.”
Are banks coping
It remains unclear exactly how well the banks are coping. Some, like Meta Group’s Michael Warrilow say the answer is unknowable in the absence of any metrics about the scale of loss.
Bankers MIS spoke to acknowledged the theft of funds but said the amounts were small, and still significantly less than those from other forms of fraud. But what scares them all is the potential.
Already, take-up rates for online banking are declining and security concerns are being blamed.
The most common view from within the banking security fraternity – none of whom will speak on the record – is that, at best, the banks are treading water.
This view holds they are only just keeping pace with a threat that is both gathering speed and evolving towards disturbing virulence.
The most pessimistic assessment, and it’s a minority view, is the franchise is failing. Those with this opinion suggest the current overriding focus by banks on access control ignores the emerging threat from identity theft and the damage these twin assaults will deliver to banking’s most fundamental asset – trust.
Peter Bottomley is the National Australia Bank’s manager of internet banking. The NAB’s internet business is currently adding about 4000 new online registrations a week and processing about 12 million transactions a month.
“The complexity of the threat has certainly changed over the past 12 months, as has the sophistication. If you look at the early phishing sites, the grammar was appalling, and some of the screens that they built were not very clever,” he says.
“But that is now changing. Their screens are a lot more convincing. They have started cutting and pasting from our own websites and if you don’t look into it closely, it all looks terribly genuine.”
A recent scam targetting the NAB even included a hotline number to call for information about internet security threats. When Bottomley rang the number and listened in, he eventually realised the syndicate behind the phish had simply copied the interactive voice system recordings from rival Westpac to add to the authenticity of the sting.
It is not just presentation skills that have improved. Early phishing scams sought to entice their victims to willingly enter their login details at a spoof site. Now, according to Bottomley, the banks increasingly see the blending of spam and spyware with email being used to deliver malicious payloads of Trojans and key loggers.
Robert Lowe, computer security analyst at the Australian Computer Emergency Response Team (AusCERT) based at the University of Queensland, confirms this. He describes the current threat posed by Trojans as insidious, rather than aggressive.
“This usually involves the victim being enticed to a malicious website, generally by a spam email, and then exploiting weaknesses in the operating system and/or web browser to download and install a program without the user’s knowledge. The programs then log this information to a remote website or send it to attackers via email,” says Lowe.
The past few months have seen the threat ratchet up another level with hackers now able to deliver the payloads directly without recourse to email.
The early examples of this technique did not target online banking, but it’s just a matter of time.
It’s getting worse
The social engineering underpinning phishing attacks is even evolving quicker than the technology, warns Bottomley.
Ross Murray, Bendigo Bank’s senior manager of online solutions agrees. “There is no doubt the criminals have become more sophisticated – six months ago,
the hoax email were even written in ‘pidgin’ English; today, they are pretty well spot-on with the ‘bank lingo’. These email have also become more believable in content. We have even seen hoax security warnings.”
NAB’s Bottomley says another area of steadily improving sophistication centres on the recruitment of the mules and the couriers.
“The Trojan fraud comes in two parts. First, the attacker has to get the money out of your account. And once it’s out, they have to do something with it.”
The latest trick in Australia involves online recruitment sites. Bottomley says phishers advertise for a local partner on the basis they are a legitimate company setting up in Australia requiring an agent to manage their transactions during the transition. Thus have some of Australia’s best-known media companies become unwitting accomplices to fraud.
The key players in the war against internet fraud are not technologists or security specialists; they are marketers.
Education is the critical first line of defence. According to David Bell, CEO of the Australian Bankers’ Association (ABA): “All banks are working on educating customers and businesses regarding security and becoming cyber savvy.”
He points out many banks offer security guides on their websites and provide customers with advice that can mitigate the risk of attack.
Westpac’s strategy included a national advertising campaign earlier this year. Bank spokesperson Julia Quinn told MIS Westpac “had been very active in educating customers about threats. That activity is now feeding back into the bank with customers now much more likely to report activity they consider suspicious”.
Other banks say they have noticed a similar trend. ANZ Banking Group’s Kate Gore says, “We have a key role in terms of education about internet banking security – through our website, and through making sure call centre and branch staff are informed so they can adequately deal with customer concerns and queries.”
It is important to keep a sense of perspective. Criminal activity by its nature is clandestine, isolated and insecure. Even the best-resourced syndicates have but a quantum of the technology and skill sets at the disposal of even a single bank. On top of that, the banking sector in Australia has moved quickly to pool its resources.
Indeed, one of the most impressive aspects in the cyber crime space is how quickly and easily companies who would like nothing more than to devastate their competitors in the marketplace, have collaborated to counter the common threat.
MIS understands one of the Big Four banks has for several months been deploying a search bot to identify phishing sites targeting Australian institutions. When it finds them, it shares the information with its competitors.
At the formal level, the most obvious manifestation of collaboration can be found within the AHTCC, which operates out of the Australian Federal Police facilities in Canberra.
Westpac and ANZ confirm they have staff at the AHTCC and NAB’s representative will be joining shortly. All major Australian banks are expected to have staff attached to the centre by the end of the year.
Each of the state police forces have people seconded to the centre, while organisations like AusCERT are regarded as strategic partners.
There is also some very heavy artillery on call in the form of the Defence Signals Directorate (DSD). AHTCC’s Phelan confirms DSD’s relationship with the AHTCC, saying, “While I would rather not talk about the role of individual agencies, certainly they are part of the High Tech Crime Centre and, certainly, if we need to utilise their specific skills, then we do so from time to time.”
One of the DSD’s specific skills is email interception via the classified Echelon network, which is believed to monitor the vast majority of the world’s email flow each day in partnership with other spy outfits overseas.
The AHTCC also works closely with overseas partners including the London High Tech Crime Centre, the FBI and the US Secret Service, according to Phelan.
Education and collaboration are essential, but their benefits are to be found mostly in the long term. Banks also have to deal with the barbarians already at the gates.
The answer they are all looking at today is two-factor authentication, which is an additional step independent of login and password that effectively can’t be hacked. The move to implement two-factor authentication has taken on renewed urgency as the phishers’ sophistication increases.
For instance, in the 18 months prior to July this year, Westpac issued only 15,000 RSA tokens, mostly to business customers. In the next four months, it will issue an additional 60,000.
Bendigo Bank, with more than 100,000 registered internet banking customers is going even further, becoming the first bank in Australia to make two-factor authentication mandatory.
“The tokens will be gradually rolled out to all e-banking customers, a process that will take some months,” says Moss.