Traditional network security measures were once very successful. Due to tight control, data breaches were not too common and the attack vectors were well understood. With enterprise data moving to cloud-based applications outside the enterprise firewall, the “tight” control is increasingly hard to maintain and the security of internal systems is greatly limited by the “security” of any external systems used (the weakest link).
As a direct consequence, cybercriminals increasingly exploit weak links such as customer logins and insecure personal devices outside of the IT department’s control. It’s much easier to hijack a trusted login or plant a keylogger on a personal device, for example, than to attack a firewall. However, companies are still accountable for protecting customer data and transactions, no matter where the data is accessed. How can this be dealt with effectively?
While no individuals or businesses can lower their defenses against direct penetration attacks, security professionals have to expand their mandates to prevent stolen identities, account hijacking and fraudulent transactions that can be used to advance more complex attacks. Fraud is part of the new perimeter-less threat environment.
Fraud is the New Objective
Cybercriminals are creative. According to The Aite Group, unique strains of malware topped 100 million in 2012, and the growth continues at an accelerated pace. Among those new malware variants, fraud is replacing online notoriety or political objectives as a primary motivation for cybercrime.
Fraud can be perpetrated in a number of ways, but one of the most efficient variants is to fully automate the attack using malware: attackers steal identities to use in other, larger attacks. For many malware variants, fraudulent transactions are the key objective. For example, man-in-the-browser (MitB) attacks compromise a legitimate, authenticated login session to redirect funds or gain control of accounts. Some malware exists purely to scale up and automate fraud, for instance by automating fraudulent wire transfers.
This is all bad news for security professionals because threats come from seemingly trusted sources (authenticated users) and from devices outside their control (personal computers, tablets and smartphones). Most consumers are less rigorous than IT staff about protecting their personal devices and keeping them updated with the latest security software. Many Macintosh users, for example, feel that their devices are exempt from malware, while iOS and Android smartphones are more likely targets for cybercriminals.
This new reality has three significant implications for security professionals to be aware of.
1. Everyone is in the Online Fraud Prevention Business
Fraud prevention used to be the domain of e-commerce and financial services organizations, where fraud prevention started in the days before online banking and gradually adapted to new online realities.
Financial sites and e-commerce have done a great job at extending fraud prevention to the online world. Many employ automated, real-time risk scoring using device identification technologies to look for account takeover and fraudulent transactions. Teams of fraud analysts review suspicious or high-value transactions before completing them. These practices are spreading to other sites that make their revenues online, including social networks and online gaming.
In today’s world, every business needs to concern itself with fraud prevention, because compromised login credentials can put even the best security defenses at risk. A compromised corporate email account, for instance, gives attackers a foothold from which to compromise other company systems. With insecure password change mechanisms, something as ubiquitous and ordinary as enterprise email can hold the ‘keys to the kingdom’ when it comes to online identities for other sensitive systems.
Financial institutions have had to deal with very targeted attacks for years and have the experience to do so. How can other industries that are now targeted by cybercriminals provide similar levels of protection?
2. There is No Single Fix to Security and Fraud
It’s tempting to believe that you can ‘fix’ the problem with some new technology – better password policies, stronger authentication, encrypted devices, etc. Yet with the layered attack strategies employed by today’s cybercriminals, no single technology is enough.
For example, you might deploy strong authentication to protect corporate login applications. But malware on the user’s device can erode the protection offered by strong authentication. A MitB Trojan hijacks an authenticated session, altering its data on the fly. For some applications (such as consumer-facing websites), imposing strong authentication requirements may be impossible – it does not prevent fraudulent account creation using stolen identity information.
Device identification technologies can go a long way to finding suspect logins and transactions – but cannot find a legitimate user on a legitimate device that’s infected with a Trojan intercepting the transaction.
Companies of all types need to take a blended approach to security and fraud that integrates not only traditional, perimeter focused security measures, but also device identification and malware detection for web-based sessions and devices not owned by the business.
In the financial services industry, this type of layered defense is now the standard, as FFIEC guidelines require financial institutions to adopt a layered approach to fraud prevention. It’s a practice that many other industries will have to adopt as well.
Technology alone is not the cure for fraud, but it is certainly a necessity. You need a strong technical solution that provides the foundation for dealing with the problem.
3. Communication and Collaboration is the Secret Ingredient
A layered approach and deploying multiple defenses can shut down many avenues of attack. Yet many businesses worry about the additional costs of fraud detection and prevention measures. Businesses that already have fraud prevention practices may not want to expand them to other applications, while other businesses consider fraud prevention a new practice.
The key to efficiency turns out to be communication and collaboration – both within your own organization and with the broader global community.
Within your organization, sharing information between malware detection and fraud prevention technologies makes each more effective and limits the number of manual reviews required. For example, device identification technologies can find anomalous devices for trusted users that might indicate identity theft. Malware detection can find legitimate devices used by legitimate users that are compromised by malware. The more information used to filter incoming logins or transactions for problems, the more accurate the results and the less manual work companies have to do. Weeding out false positives and reducing the number of manual reviews required can return significant cost savings.
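An added toy illustration of that signal sharing, not code from the article or from ThreatMetrix: a scorer that combines a user's device history, a shared bad-device list and a malware/session-integrity flag, and routes only the middle risk band to a human fraud analyst. The weights, thresholds, device ids and login events are constructed assumptions.

```python
from dataclasses import dataclass
from collections import Counter

REVIEW_AT, BLOCK_AT = 40, 70            # assumed score thresholds
KNOWN_BAD_DEVICES = {"dev-botnet-01"}   # constructed shared blocklist ("network effect")

@dataclass(frozen=True)
class Login:
    user: str
    device_id: str
    known_devices: frozenset    # device ids previously seen for this user
    malware_detected: bool      # endpoint/session malware check, e.g. MitB indicators
    amount: float               # transaction value; 0 for a plain login

def score(login: Login) -> tuple[int, list[str]]:
    """Combine device and malware signals into one score plus the reasons behind it."""
    points, reasons = 0, []
    if login.device_id in KNOWN_BAD_DEVICES:
        points += 80; reasons.append("device on shared blocklist")
    if login.device_id not in login.known_devices:
        points += 35; reasons.append("unrecognised device for this user")
    if login.malware_detected:
        points += 50; reasons.append("malware indicators in session")
    if login.amount >= 5000:
        points += 15; reasons.append("high-value transaction")
    return points, reasons

def decide(login: Login) -> str:
    """Route the login: only the middle band goes to a human fraud analyst."""
    points, _ = score(login)
    if points >= BLOCK_AT:
        return "block"
    return "review" if points >= REVIEW_AT else "allow"

def triage(logins: list[Login]) -> dict[str, int]:
    """Count decisions; fewer 'review' outcomes means less manual work."""
    return dict(Counter(decide(login) for login in logins))

KNOWN = frozenset({"dev-alice-laptop"})
SAMPLE_LOGINS = [                                                # constructed events
    Login("alice", "dev-alice-laptop", KNOWN, False, 120.0),     # trusted user, clean device
    Login("alice", "dev-new-phone", KNOWN, False, 0.0),          # new device, plain login
    Login("alice", "dev-new-phone", KNOWN, False, 9000.0),       # new device + large transfer
    Login("alice", "dev-alice-laptop", KNOWN, True, 250.0),      # known device, infected (MitB)
    Login("alice", "dev-new-phone", KNOWN, True, 9000.0),        # new device + malware
    Login("alice", "dev-botnet-01", KNOWN, False, 50.0),         # device seen in a botnet
]

if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print(f"{login.device_id:18} {decide(login):7} {score(login)[1]}")
    print(triage(SAMPLE_LOGINS))
```

A device-only scorer would send every unrecognised device to review; adding the malware and transaction-value signals lets the plain new-device login pass and blocks the clearly malicious cases without an analyst.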
Within the global community, businesses can benefit from the “network effect” in finding and blocking malware. Spotting known malicious devices and botnets, for example, can help businesses weed out many potential fraudulent logins from the start.
The good news is that more and more providers recognize this trend and offer integrated, cost-effective solutions that are not only affordable but pay for themselves. One example is the consolidation of device identification and malware detection into unified solutions that share information between security and fraud teams, making it easier to implement blended defenses customized to each business’s needs.
Just as network perimeters are dissolving, so are the boundaries between traditional fraud prevention technologies and broader security concerns. Today’s security protections have not kept pace with online innovation, and maintaining a narrow focus is no longer practical in today’s converging and evolving threat environment. To avoid fraud attacks today, businesses must do their best to ensure their security measures are always at least one step ahead of cybercriminals.
To learn more, visit ThreatMetrix (threatmetrix.com) in Booth 3203 at the RSA Conference, February 25 – March 1, Moscone Convention Center, San Francisco.