InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity April 2010
Cover Story
Banking Security:
Yet to Gain Users’ Complete Confidence

As technology has revolutionized the way we do banking, the playing field for hackers has grown just as much. Nevertheless, significant R&D effort is being devoted to addressing the odds in banking security. Beyond the technology itself, users are also advised to follow basic safety principles to achieve maximum security.

Doing banking via the Internet has become a natural feature of almost all banks in the world today. The number of online banking users has grown dramatically in the last few years globally, and in India in particular over the last five years. There are good reasons for the increasing acceptance of online banking: Internet usage is increasing across all generations, and fast broadband connections increasingly reach even rural regions. Furthermore, on the Internet the bank is open round the clock, so banking transactions can be carried out comfortably from the couch in the evening.

For online banking, many people still rely on the conventional PIN/TAN system. However, these methods are not sufficient to suppress organized cyber crime. The market is lucrative and fraudsters are creative in developing perfidious methods of stealing data, such as phishing, pharming and Trojans. Just as online banking has revolutionized the way we bank, it has also thrown up major challenges in securing transactions and e-payments. Attacks have grown in scope and their momentum has multiplied. In this article, we discuss the current state of banking security, the different potential attacks and their impact.

Skimming – How serious is this threat?

ATM fraud or skimming is one of the financial industry's fastest-growing crimes, according to the U.S. Secret Service. The worldwide ATM Industry Association reports over $1 billion in annual global losses from credit card fraud and electronic crime associated with ATMs.  

Credit and charge card skimming fraud is still a $45 million business, forcing banks to step up security at ATMs. The Commonwealth Bank recently announced a raft of new measures designed to stem the problem, including anti-skimming devices across its ATM network and voice activated telephone alerts for suspected fraudulent credit card transactions.

Skimming is the unauthorized capture of the magnetic stripe information on your credit or debit card. It can be done by modifying the hardware or software of a payment device, and there have also been instances where a separate card reader was used. The initial targets were primarily off-premise ATMs. It is typically an inside job, where a fraudster procures a victim’s credit card number using basic methods such as photocopying receipts, or more advanced methods such as using a small electronic device (a skimmer) to swipe and store the victim’s card number. He can then use the card number to his advantage and carry out illegitimate transactions. Such scams are on the rise simply because credit card usage is rising across the country. The same applies to debit cards, the use of which has become very common lately since almost all banks offer patrons a debit card, and it offers ample convenience to the user.

Skimming scams at various points of sale are sometimes the deed of a corrupt or disgruntled employee, who skims your card with a small hand-held electronic device that captures the magnetic stripe and keypad information. So, once you swipe your card and enter your PIN at any ATM, restaurant etc., your account details are immediately pulled and sold to various corrupt sources for a price. Skimming attacks are conducted by highly organized groups, and sometimes dummy cards are created using the data they capture. These attacks often go undetected until the individual checks their account balance.

Card-not-present (CNP) fraud, which involves the use of stolen credit and debit card details to make telephone and online payments, increased by 25 percent in the 12 months to June 2009, according to new data from the Australian Payments Clearing Association. RBI already issued directions last year and introduced a second factor of authentication for all CNP transactions. Card-present fraud remains an issue, an even bigger one than online fraud. Banks are very conscious of the risks at the ATM. Usually they forewarn the customer: check the ATM for signs of tampering, look out for people standing nearby, don’t let people assist you, shield your keystrokes, check for cameras, make sure the transaction is complete, check your ATM receipt against your bank statements, and use ATMs you are familiar with.

CNP fraud has been shown to grow exponentially in international markets where banks and other card issuers have rolled out chip cards to replace their less secure magnetic stripe equivalents. A report by APCA released this week showed that fraud has grown by more than 200 percent in the last three years.

Banks are deploying Chip and PIN technology, which claims to prevent theft of credit card information. Unlike normal cards, a Chip and PIN card carries an embedded security microchip. A credit card with a security chip is more secure than one with only the magnetic stripe on the back, because the chip makes it more difficult to fraudulently copy the card details.

Phishing and Vishing – Growing Momentum

The intensity of Phishing and vishing has increased tremendously in our country over the past year. Leading banks and their clients have been targeted aggressively. Vishing is a form of phishing, where instead of people receiving an email trying to lure them into giving personal information, the criminal uses a phone call, either live or automated, to attack the bank or get critical information.

The fraudulent mails that induce you to part with your personal financial information have been using new and elaborate tactics. Using natural calamities and other high-profile events as a mask is one prevalent trend among these deceitful individuals, who generally send mails requesting funds for a cause and thus steal your financial details.


Vishing is typically used to steal credit card numbers or other information used in identity theft schemes from individuals. Some hackers have also turned to Internet telephony systems to maliciously acquire personal details. Vishing is the criminal practice of using social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for financial reward. The term is a combination of "voice" and "phishing". Vishing exploits the public's trust in landline telephone services, which have traditionally terminated in physical locations known to the telephone company and associated with a bill-payer. The victim is often unaware that VoIP makes formerly difficult-to-abuse features such as caller ID spoofing, complex automated systems (IVR), low cost and anonymity for the bill-payer widely available.

Commenting on these threats, Amit Nath, Country Manager — India and SAARC, Trend Micro, said “Vishing is very hard for legal authorities to monitor or trace. To protect themselves, consumers are advised to be highly suspicious when receiving messages directing them to call and provide credit card or bank numbers. Rather than provide any information, if speaking to a human, ask them for an incident number and then hang up. Then place a call to the number printed on your credit card or billing statement from a telephone number the bank has on file, usually your home land line. While consumer caller ID is trivial to fake, the bank's call centre gets much more reliable billing information provided by trunked 1-800 service, and thus both parties have high confidence that the other party is who they claim to be.”


Botnets, networks of compromised computers that run autonomously, are another tool increasingly used for unlawful purposes. The originator of a botnet can control the group remotely, especially through Internet Relay Chat programmes that are normally used for group communication. A botnet can lie dormant until it is directed to a criminal purpose, such as maliciously acquiring information from a group of individuals.

One can say that the root cause of these malicious attacks is a lack of awareness among net banking users. Another newly targeted area is the brands behind online auction marketing tools. Phishers are now trying to obtain the financial details of online auction customers by attacking legitimate brands that provide auction-marketing tools.

Addressing this issue, Bhaskar Bakthavatsalu, Country Manager, India & SAARC, Check Point Software Technologies, said “Organizational vulnerabilities can be drastically reduced if a combination of strategy-based, behavioural-control-based, and resolution-based approaches is employed. Provision of security for the banking industry is a never-ending procedure as new threats crop up every time.”


Online banking still garners the most concern among consumers; as a result, a large number of consumers feel that banks should implement a stronger form of security beyond a username and password when they log into online banking. Consumers also responded that they expect their banks to conduct some level of transaction monitoring on their online banking accounts to detect unusual activity. A major portion of Indian consumers expect their banks to monitor their Internet banking transactions. While awareness of phishing and Trojans is high globally, there are still very low levels of awareness among global consumers regarding newer threats such as vishing (voice phishing) and smishing (phishing via SMS messaging); in India, however, there is high awareness of smishing (43%). This is particularly concerning to RSA, as the incidence of vishing and smishing is rising rapidly and may be a cause for concern over the next year.

According to Rana Gupta, Director, India & SAARC, SafeNet India, “Vishing and Phishing pose real threats to the security of financial worth. The more the banking industry facilitates easier ways of undertaking financial transactions (through online banking, phone banking etc.), the more real these attacks become. As the Banking Industry in India undergoes the expansion of its infrastructure for facilitating remote financial transactions, it will do well for the stability of the overall financial setup if Security is “built” into the infrastructure rather than added later on as an afterthought.”


Identifying these growing issues, Samir Dahotre, Sales Manager, e-banking, Vasco India, said, “Usually people receiving those phishing e-mails do not even have an account at that bank. However, if people did have an account and went to the fraudulent site, the consequences are serious. Phishing works on the premise that even if a small percentage of respondents give their account information on the fake site, the fraudsters can make enough money from this. Phishing is an important threat for banks because it completely distorts the trust relation between banks and their customers.”

Agreeing to the scenario of rising threats through these problems, Surendra Singh, Regional Director, SAARC & India, Websense, said, “Trojans and phishing attacks led to $100 million in attempted losses as of October 2009, with actual losses totaling around $40 million. While the FBI announced indictments of 100 people in the U.S. and Egypt in the largest cybercrime investigation to date in the U.S. - the simple fact is that this type of fraud is only going to escalate. As they are blended threats that span Web and email attack vectors in order to steal confidential data, the only way for organizations to protect themselves is through a unified security platform that integrates email, Web and data security functions.”


Apart from these familiar threats, new threats are emerging that are stronger than one might imagine.

Emerging Threat Vectors in Banking Security

Organised crime hitting financial institutions is not far off, and the reason is the current state of information systems: insecure endpoints. Net banking has become the order of the day, especially in the metros. People have taken to online transactions because it is the easiest way to pay bills and deposit money without standing in a queue, saving a lot of time and effort. But this has its downside: as net banking grows in popularity and becomes more innovative, so do the malevolent schemes undertaken by hackers.

Bhaskar from Check Point Software said, “The already existing vulnerabilities have been taken to a whole new level. Phishing has resorted to sending fraudulent mails using high-profile events occurring around the world as cover. For instance, under the pretext of requesting funds for aid to victims of a natural calamity, they steal your account information. Spear phishing is another technique that is fast catching up, wherein the mails appear authentic and are circulated among the employees of a particular organization or the members of a particular group. The message might look like it has been sent by a colleague or an employer, but in fact it is meant to maliciously obtain login information and gain access to the organization’s systems.”

Criminals currently adapt their methods to attack online banking more effectively and to get around the protections banks use today. Trojans have demonstrated new tactics that go well beyond the rather simple keylogging-with-screenshots efforts seen in previous years. Most Trojans now use rootkit techniques to hide on a victim’s system and disable anti-virus software or prevent signature updates. Often the victim’s computer becomes part of a botnet and receives malware configuration updates.

More troublesome is the Silentbanker family. These Trojans can silently change the details a user enters to transfer the money to the attacker during a transaction. The user is not aware that anything is amiss until the next account statement arrives.  

According to Amit Nath, the latest, and perhaps most worrisome, development comes from the Zeus family. These Trojans are frequently updated with new versions and are sold on underground forums to anyone interested in starting a career in crime. Zeus comes with a command and control server and is extremely flexible in its configuration, allowing easy adjustment to a criminal’s specific needs. One variant of Zeus is JabberZeus, which has a complex structure for delivering stolen information to an attacker in near real time. This version is most often used to steal one-time passwords, which certain banks require as an extra layer of protection for large transactions.

A new, unique type of phishing attack targeted against online banking customers was discovered last year. Nicknamed the "Chat-in-the-Middle" phishing attack, this attack presented a more advanced layer of perpetrating online fraud.

The phishing attack starts out as a normal phishing website that prompts customers for their usernames and passwords. After providing their access credentials, victims are usually redirected either to a second fake page or to the genuine bank website. With this attack, however, a fake live-chat support window appears, launched by the fraudster as part of the attack.

During the live chat session, the fraudster behind the attack presents himself as a representative of the bank's fraud department and attempts to dupe customers who are online into divulging sensitive information, such as answers to the secret questions used for online customer authentication. This attack is currently targeting a single U.S.-based financial institution. The addition of a bogus live chat support window lets the fraudsters obtain even more credentials than the fake login page alone.

According to Samir of Vasco India, man-in-the-middle attacks on online banking systems are constantly growing. The fraudster inserts himself into the communication flow between the customer and the bank with the aim of manipulating the transaction data to his own advantage, leaving both the bank and the customer unaware. Technically speaking, man-in-the-middle attacks take two forms: remote and local.

In a remote man-in-the-middle attack, the fraudster uses a myriad of techniques, such as phishing and pharming, to lure the banking customer to a rogue website. When the customer logs on to his account to make a transaction, the rogue website obtains the password and the transaction details, such as the beneficiary’s bank account number and the amount of the transaction. The transaction details are often altered and used by the fraudsters on the real banking website to their own financial benefit.

A local man-in-the-middle attack is carried out by malicious software that is installed on the end-user’s computer. This software, also called spyware or crimeware, typically infects the computer through downloads or e-mail attachments. Once the software is installed, it tracks which websites the end-user visits. When the crimeware detects that the end-user is visiting an online banking website, it waits for the user to be logged on and then initiates or alters financial transactions without the user knowing.
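Both forms of man-in-the-middle attack described above, and the Silentbanker Trojans mentioned earlier, work by changing the beneficiary or amount after the customer has approved a transfer. The standard defence is to bind the customer's one-time confirmation code to the transaction details, so that a code issued for one order is useless for a tampered one. The following is an added illustration of that idea in Python; it is not code from the article or from any vendor quoted in it. The HMAC-based code derivation, the "confirmation device" that shares a key with the bank, and the sample account numbers and key are all assumptions constructed for the example.

```python
"""Transaction-bound confirmation codes (added example, not from the article).

The customer's confirmation device derives a short code from the beneficiary
and amount it displays; the bank re-derives the code from the order as it was
finally received. If a man-in-the-middle alters either field in transit, the
two codes differ and the transfer is refused.
"""
import hashlib
import hmac
import secrets

# Constructed enrolment secret shared by the bank and the customer's device
# (assumed to be provisioned once during enrolment, never sent with an order).
DEVICE_KEY = bytes.fromhex(
    "5f7a1c9b2e4d6a8c0b1d3f5e7a9c2b4d6e8f0a1b3c5d7e9f1a2b3c4d5e6f7a8b")


def canonical_order(beneficiary: str, amount_paise: int, nonce: str) -> bytes:
    """Fixed field order and separator so both sides MAC identical bytes."""
    return f"{beneficiary}|{amount_paise}|{nonce}".encode()


def confirmation_code(key: bytes, beneficiary: str, amount_paise: int,
                      nonce: str, digits: int = 8) -> str:
    """Decimal code derived from an HMAC over the order details.

    Truncation follows the HOTP dynamic-truncation pattern so the result is
    something a customer can read off a device and type into a form.
    """
    mac = hmac.new(key, canonical_order(beneficiary, amount_paise, nonce),
                   hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Bank:
    """Server side: issues a per-order nonce, then verifies the code over the
    order exactly as it was received, and accepts each order only once."""

    def __init__(self) -> None:
        self.pending = {}  # order_id -> nonce

    def begin(self, order_id: str) -> str:
        nonce = secrets.token_hex(8)
        self.pending[order_id] = nonce
        return nonce

    def complete(self, order_id: str, beneficiary: str, amount_paise: int,
                 code: str) -> bool:
        nonce = self.pending.pop(order_id, None)
        if nonce is None:
            return False  # unknown order, or a replay of one already used
        expected = confirmation_code(DEVICE_KEY, beneficiary, amount_paise, nonce)
        return hmac.compare_digest(expected, code)


def run_transfer(intended_beneficiary: str, intended_amount: int,
                 submitted_beneficiary: str = None,
                 submitted_amount: int = None) -> bool:
    """Simulate one transfer. The 'submitted' values are what reaches the bank;
    they differ from the intended ones only when a man-in-the-middle alters them."""
    bank = Bank()
    nonce = bank.begin("ORD-1")
    # The customer's device shows the intended details and derives the code
    # from those, not from whatever the browser or malware later submits.
    code = confirmation_code(DEVICE_KEY, intended_beneficiary, intended_amount, nonce)
    ben = submitted_beneficiary if submitted_beneficiary is not None else intended_beneficiary
    amt = submitted_amount if submitted_amount is not None else intended_amount
    return bank.complete("ORD-1", ben, amt, code)


if __name__ == "__main__":
    print("honest transfer accepted:", run_transfer("ACC-1001", 250000))
    print("beneficiary swapped in transit:",
          run_transfer("ACC-1001", 250000, submitted_beneficiary="ACC-6666"))
    print("amount inflated in transit:",
          run_transfer("ACC-1001", 250000, submitted_amount=2500000))
```

The nonce may travel over the compromised channel; what matters is that the device key never does, and that the customer reads the beneficiary and amount from the trusted device rather than from the browser before approving. A plain login OTP gives none of this protection, which is why the article notes that Trojans such as JabberZeus specialise in stealing one-time passwords.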

Pharming is an attack that redirects a website's traffic to another, bogus website. It can be carried out either by changing the hosts file on a victim’s computer or by exploiting a vulnerability in DNS server software. Trojans and associated crimeware are responsible for severe damage too. Phishing has an impact but often lacks sophisticated crimeware, although that is changing. We are also seeing big growth in man-in-the-middle attacks. They can be more sophisticated: they may come in through a phishing email, but instead of bringing the user to a webpage designed to look like a bank, they direct him to a server for a real-time attack. Online fraudsters try to prolong the attack, for example through multiple redirects. They are also obtaining SSL digital certificates so that more educated users who look for these as validation will see them; this establishes more credibility and increases the rate of fraud.
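Of the two pharming techniques named above, the hosts-file variant is the one a defender can audit locally, because a bank's hostname has no business appearing in a hosts file at all. The script below is an added example, not code from the article: it parses hosts-file syntax (comments, blank lines, several names per line, IPv4 and IPv6) and flags any mapping for a protected domain. The sample file contents, the `example-bank.test` domain and the 203.0.113.45 address are constructed for the example.

```python
"""Audit hosts-file content for pharming-style overrides of bank domains.

Added example, not from the article. Everything below is constructed:
the sample hosts text, the protected domain and the injected address.
"""
import ipaddress

# Constructed hosts-file content. Line 4 is the kind of entry pharming
# malware adds: the bank's hostnames pointed at an attacker-chosen address.
SAMPLE_HOSTS = """\
# Constructed sample, not a real system file
127.0.0.1       localhost
::1             localhost ip6-localhost
203.0.113.45    netbanking.example-bank.test www.example-bank.test  # injected
192.168.1.10    intranet.local
0.0.0.0         ads.tracker.test
"""

# Domains whose names must never be resolved from the hosts file (assumed list).
PROTECTED_DOMAINS = {"example-bank.test"}


def parse_hosts(text):
    """Return (ip, hostname, line_no) for every mapping in hosts-file text.

    Comments after '#' and blank lines are ignored; a line whose first field
    is not a valid IPv4/IPv6 address is skipped rather than guessed at.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue  # malformed line, not an address
        for host in parts[1:]:
            entries.append((ip, host.lower(), line_no))
    return entries


def is_protected(host, protected=PROTECTED_DOMAINS):
    """True if host equals a protected domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in protected)


def find_suspicious(text, protected=PROTECTED_DOMAINS):
    """Return every hosts entry that overrides a protected domain.

    Any such entry is reported, whatever the address: a routable address
    means redirection to a bogus site, while a loopback or null address
    means the customer is cut off from the real one.
    """
    return [(ip, host, line_no)
            for ip, host, line_no in parse_hosts(text)
            if is_protected(host, protected)]


if __name__ == "__main__":
    for ip, host, line_no in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} is overridden to {ip}")
```

On a real machine the text would be read from `/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`; the parser is kept separate from file access so it can be run against captured copies during an investigation. This check does nothing against the second technique the article names, a compromised DNS server, which has to be detected on the resolver side.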

We are also seeing advanced development of the online fraud global supply chain. The fraudster might be in Eastern Europe but taking over a PC in China in order to attack an American bank.


Vikas Desai, RSA India, believes that fraudsters always go after the weakest link. If a bank puts anti-fraud measures in place, the fraudsters will move on to the next less-protected organization. It’s a complete fraud supply chain; different fraudsters perform different parts of a scam. There are three main groups of the crime-ridden ecosystem. First, there are the Tool Builders who are hackers and techies who create the fraud infrastructure. Second, there are the Data Collectors who are the Phishers and Pharmers that collect passwords, credit card numbers. Third, there are the Money Grabbers who are well established crime gangs and deal in the actual theft of funds.

There is also growth in online credit card “stores” where fraudsters can buy and sell stolen credit card information. These websites are in multiple languages, and they even have affiliate programs: if a fraudster drives traffic to the credit card store from other websites, he is paid a fee. There is also click fraud, which uses botnets to automatically increase the traffic to those sites, which means there are fraudsters going after fraudsters.

Internal Threat – Are Banks Prepared Enough?

India's top banks have fallen victim to identity theft in the recent past. Online security is one of the top three security concerns for Indian banks this year. Stronger online security is a business issue, and Indian banks are increasingly focusing on improving online security. However online security at Indian banks is well below that of global banks.

Phishing is also a growing cause of concern for Indian banks, where 30 percent of those surveyed said they were victims of phishing attacks. According to Trend Micro, many banks in the country have been victims of "man-in-the-middle (MITM) attack" during the same period. This is an emerging type of attack, in which a fraudster or malicious hacker intercepts the transaction between the user and Web-banking server. The hacker compromises and modifies the electronic communication link between the user and the bank's Web server in a bid to obtain financial gain.

Over 70 percent of Indian banks have implemented stronger security solutions, however, more than 57 percent of the banks still do not have a dedicated budget for online security, choosing instead to include online security as part of their overall IT budget.

Similarly, only 57 percent of Indian banks have a formal plan in place for creating customer awareness against online identity theft and financial fraud. There is, however, awareness that integrating stronger user authentication with fraud detection and risk-based transaction verification is the strongest form of defense against online identity theft and financial fraud.
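Risk-based transaction verification, the defence named above and the transaction monitoring consumers said they expect earlier in the article, means scoring each transfer against the customer's own history and deciding whether to let it through, demand a stronger confirmation, or hold it for a call. The following is an added Python example of such a scoring rule set, not code from the article or from any bank or vendor named in it; the signals, weights, thresholds and the sample customer profile and transfers are all assumptions constructed for the illustration.

```python
"""Risk-based transaction verification (added example, not from the article).

Each transfer is scored against the customer's profile; the score selects
one of three outcomes: allow, step-up (require a transaction-bound code),
or hold (stop the transfer and contact the customer).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Transfer:
    beneficiary: str
    amount_paise: int
    when: datetime
    device_id: str


@dataclass
class Profile:
    known_beneficiaries: set
    known_devices: set
    typical_amount_paise: int   # e.g. the customer's usual upper transfer size
    recent_transfers: list      # timestamps of the customer's recent transfers


# Constructed sample profile: two known payees, two enrolled devices,
# and three transfers already made in the small hours of 13 April.
PROFILE = Profile(
    known_beneficiaries={"ACC-1001", "ACC-1002"},
    known_devices={"phone-A", "pc-home"},
    typical_amount_paise=500_000,
    recent_transfers=[datetime(2010, 4, 13, 2, 20),
                      datetime(2010, 4, 13, 2, 40),
                      datetime(2010, 4, 13, 2, 55)],
)


def risk_score(t: Transfer, p: Profile):
    """Additive rule scoring; weights are illustrative assumptions."""
    score, reasons = 0, []
    if t.beneficiary not in p.known_beneficiaries:
        score += 30
        reasons.append("first payment to this beneficiary")
    if t.device_id not in p.known_devices:
        score += 30
        reasons.append("unrecognised device")
    if t.amount_paise > 2 * p.typical_amount_paise:
        score += 25
        reasons.append("amount well above the customer's usual size")
    # Velocity: count earlier transfers within the hour before this one.
    in_window = [w for w in p.recent_transfers
                 if timedelta(0) <= t.when - w <= timedelta(hours=1)]
    if len(in_window) >= 3:
        score += 20
        reasons.append("fourth or later transfer within an hour")
    if t.when.hour < 5:
        score += 10
        reasons.append("unusual hour")
    return score, reasons


def decide(score: int) -> str:
    if score >= 60:
        return "hold"
    if score >= 30:
        return "step-up"
    return "allow"


def evaluate(t: Transfer, p: Profile):
    """Return (decision, score, reasons) for one transfer."""
    score, reasons = risk_score(t, p)
    return decide(score), score, reasons


# Constructed sample transfers: routine, unusual, and clearly suspicious.
ROUTINE = Transfer("ACC-1001", 200_000, datetime(2010, 4, 12, 11, 0), "pc-home")
UNUSUAL = Transfer("ACC-9999", 2_500_000, datetime(2010, 4, 12, 11, 5), "pc-home")
SUSPECT = Transfer("ACC-9999", 400_000, datetime(2010, 4, 13, 3, 10), "unknown-7")

if __name__ == "__main__":
    for name, t in (("routine", ROUTINE), ("unusual", UNUSUAL), ("suspect", SUSPECT)):
        decision, score, reasons = evaluate(t, PROFILE)
        print(f"{name}: {decision} (score {score}) {reasons}")
```

The point of the middle outcome is that a new beneficiary or a large amount on its own should not block a legitimate customer, only raise the bar to a confirmation that a man-in-the-middle cannot forge; the "hold" outcome is reserved for transfers that combine several signals, such as an unrecognised device at 3 a.m. in a burst of payments to a new account.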

For the banking industry, protecting customers’ information and other confidential data from malicious and accidental leaks is one of the top business and IT security challenges today. Banks are investing heavily in technologies to protect their customers’ information and to secure Internet banking, ATM and credit card transactions. But broken business processes, employee errors and gaps in security often put this data at risk, exposing the bank to regulatory and corporate compliance consequences as well as customer and competitive pressure. According to Forrester, about 80% of leaks occur inadvertently. This suggests employees are simply unaware of the organization’s policies rather than deliberately leaking data with malicious intent. DLP solutions must therefore be able to set and enforce policies based on content or context. To ensure complete data leak prevention, they should also be able to recognize data in motion, data at rest and data at endpoints.
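The content-or-context distinction above is easiest to see in a concrete rule. The example below, added here and not code from the article or from any DLP vendor, inspects an outbound message for card numbers (a content rule: a 13 to 19 digit run that passes the Luhn check) and then decides what to do based on where the message is going (a context rule: internal versus external recipient). The internal domain, the sample messages and the actions are constructed assumptions; the card number used is the well-known 4111 1111 1111 1111 test value, not a real account.

```python
"""Content-plus-context DLP check for data in motion (added example).

Not code from the article or any vendor it quotes. A card number is
detected by pattern and Luhn check (content); the action depends on the
recipient's domain (context). Domain and messages are constructed.
"""
import re

INTERNAL_DOMAIN = "example-bank.test"  # assumed internal mail domain

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return digit strings in text that look like card numbers and pass Luhn.

    The Luhn check is what keeps order references and similar long numbers
    from being reported as card data.
    """
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep only BIN and last four so the alert itself does not leak the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect_message(sender: str, recipient: str, body: str,
                    internal_domain: str = INTERNAL_DOMAIN) -> dict:
    """Content rule finds PANs; context rule chooses the action."""
    pans = find_card_numbers(body)
    if not pans:
        return {"action": "allow", "matches": []}
    external = not recipient.lower().endswith("@" + internal_domain)
    return {"action": "block" if external else "log",
            "matches": [mask(p) for p in pans]}


# Constructed sample messages.
MSG_EXTERNAL = ("ops@example-bank.test", "friend@webmail.test",
                "Customer card 4111-1111-1111-1111 needs reissue; order ref 1234 5678 9012 3456")
MSG_INTERNAL = ("ops@example-bank.test", "cards@example-bank.test",
                "Reissue 4111 1111 1111 1111 today please")
MSG_CLEAN = ("ops@example-bank.test", "friend@webmail.test",
             "Call me on +91 98765 43210 about the report")

if __name__ == "__main__":
    for msg in (MSG_EXTERNAL, MSG_INTERNAL, MSG_CLEAN):
        print(msg[1], "->", inspect_message(*msg))
```

The same `find_card_numbers` function serves data at rest (run over file contents) and data at endpoints (run over clipboard or USB-copy events); only the context rule changes. The masking in the alert matters in practice, because DLP logs are themselves a store of sensitive data that the article's "data at rest" requirement applies to.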

Internal security threats have been a menace for a long time and have gradually grown in both intensity and inventiveness. Most of the time the employees of an organization are responsible for a leak of information. Though this is extremely hard to regulate, organizations are trying their level best to prevent the escape of information by conducting regular internal audits. Apart from this, classifying information and ensuring that no single employee ever has access to all of it helps guarantee customers' safety.

There are also instances where employees become insider threats without even knowing they are involved. Bank employees have many endpoints, whether a PC, a laptop or a mobile device, that may be infected with malware which targeted them as consumers. There are also thousands of infected endpoints at home that connect for remote access via a VPN.

A new era of banking has emerged strongly through mobile connections. Mobile banking has definitely added a new dimension to the banking space, but at the same time it has been identified as one of the most lucrative opportunities for hackers. We discuss the length and breadth of this new opportunity below.

Mobile Banking – Identifying the Trust Level

Mobile banking is one of the most heavily marketed services among leading banks in the country. As its penetration is currently low, it will take a while for potential troublemakers to start fraudulent activities. The move by financial institutions towards mobile banking, offering instantaneous access to accounts, is slowly catching up. There is definitely trouble ahead once banks start allowing more than just account balance checks. Exploits against the ever-growing base of smart phones are on the rise. Part of the problem can be attributed to users, as many of us don't pay attention to what we receive on our mobile devices. With the exponential increase in mobile devices, and smart phones becoming more and more sophisticated, the number of attacks is expected to grow too.

Threats to mobile banking are still emerging. Banks first need to adopt mobile banking channels: bank IT may focus on buying a solution, but they need to understand whether customers will accept it. They need to understand the demographics of their customers; can an older person, for example, really download a mobile banking client to his PC and transfer it to his mobile via a USB cable? Next to the adoption challenge, m-banking channels face the same fraud attacks as e-banking channels. The fraud schemes are similar, only carried out on a different platform. It is therefore important to secure both the back-end central infrastructure and the handset in the customer's hand.

Far from being less secure, mobile banking may even be more secure than logging on to your bank Web site over your PC, Trend Micro believes. And the consensus is that it's probably less risky than using checks, which can be forged, and credit cards, which can be stolen or skimmed at ATM machines for clones to be made. Apparently the rules regarding liability in mobile banking are the same as they are for other methods of banking. Credit card companies have zero liability policies that apply regardless of channel.

In mobile banking you get information that is not transactional. In most instances, if someone found your phone and logged into your mobile banking account, the worst they could do is pay your electricity bill. However, things will change as more transaction functions are enabled on mobile devices. For instance, point-to-point transactions and cross-border money transfers are on the horizon.

To safeguard against security risks, mobile users should use their device PIN codes, download mobile apps only from their financial institution, switch Bluetooth off when not in use, and avoid lending their phone to strangers to minimize the chance of someone downloading a malicious app onto the device.

In its 2010 online threat predictions, RSA listed mobile banking fraud among the top threats. More customers are enrolling in mobile banking, and more services are offered via mobile channels. Banks in Asia and Europe are already experiencing mobile Trojans and SMS redirection attacks. Banks will start funding the extension of their online banking protection to the mobile channel.

As mobile banking services proliferate, fraudsters will increasingly seek to exploit vulnerabilities in the handsets and associated platforms. It is important to consider banking security risks, since the data being transferred during a transaction such as the PIN number, credit card number, account balance, home address, bank account number, etc. are highly sensitive.

Many banking applications have been affected by typical hacks such as session hijacking, SQL injection and non-random session keys. Traffic to wireless transaction gateways, if not encrypted, can easily be collected by anyone within wireless range. Mobile devices present many of the same risks as laptops and computers, if not worse. Many of the services delivered on mobiles go over the Internet and hence carry the same security concerns, such as phishing and pharming attacks.
 
Also, just as desktops and laptops containing protected data may be lost or stolen, so can the information stored on smartphones and other handhelds, and a mobile is easier to walk off with than a laptop or desktop. There is also the possibility that mobile devices are remotely intercepted or penetrated by other devices, or that viruses similar to Trojans (programs that seem safe but install malicious code on a device) will spread among devices via messaging or e-mail. Information can be stolen from devices over short-range Bluetooth wireless networks. Even if I am not online, my mobile device can still be hacked if my Bluetooth is on.
 
Based on these concerns, the Reserve Bank of India has recognized the growing need for security and come up with a set of guidelines for banking institutions to ensure that the technology used for mobile payments is secure.

Conclusion

As banking has come a long way with the introduction of new methods and technology, the scope for security lapses has also multiplied. But thanks are due to the relentless effort of vendors globally, who are always in search of innovative solutions to protect customers’ interests and business. Experts predict that the near future will see the development of technologies and solutions for safer online and mobile banking, but vendors will also face tough challenges from intelligent and cunning hackers. Technology alone cannot prevent your hard-earned money from being stolen; you must also follow the rules and tips that keep you safe from online thieves.

—By: 'InfoSecurity' Bureau.



© 2006-07 'InfoSecurity' magazine. All rights reserved.