IT-based racketeering and thievery have almost replaced drugs as the currency of favour for organised criminals, with slow-moving and tight-fisted banks letting phishing crooks run amok, warns Sophos CEO Jan Hruska.
He said the reluctance of banks to implement dynamic passwords on transactional websites has continued to make them premium targets - with plenty of headaches to come.
"Any financial institution that is offering fixed passwords will be in real trouble ... you will have to use dynamic passwords. If you have dynamic passwords, the [effectiveness of] phishing goes away.
"Financial institutions are about 10 years behind the sort of security offered to consumers. They haven't done it because of the cost, [but] RSA will be selling those tokens like they are going out of fashion," Hruska said.
However, Hruska avoided any suggestion that banks put security behind profits, noting bank systems by nature were large, complex and long-term investments.
On the crime talent front, Hruska said, crime syndicates are buying spamming capabilities to mass-distribute identity theft scams, obtaining fake documents and access to credit. Meanwhile, the crooks are fighting back.
"Organised crime has the incentive to fight police with a different set of weapons at their disposal [such as denial-of-service attacks]. Spammers are definitely teaming up with virus writers. They have learned to live together," Hruska said.
Hruska's warning comes only weeks after Australia's big four banks agreed to embed their own security specialists within the Australian High Tech Crime Centre in an effort to gather intelligence on phishing attacks.
Co-ordinator of the Australian Bankers' Association's Fraud Taskforce Tony Burke said his organisation did not believe there was "a silver bullet which will stop these criminal attempts to defraud [banks] and [their] customers".
However, when it comes to dynamic passwords, Burke said the decision rested with individual institutions.
"Banks do not report this information to the ABA and they are under no obligation to do so. The decision to make a purchasing decision or whether to proceed with a certain type of technology is a business decision which is in the hands of the bank," Burke said.
Burke also defended banks' efforts to educate customers about online scams, arguing that banks had increased security and contact with customers.
"The ABA or individual banks do not discuss specific security measures as this gives too much information to criminals who may attempt to defraud a bank and its customers," Burke said.
Last month, Commonwealth Bank executive general manager of financial and risk management John Geurts told AusCert conference delegates that despite accusations of poor security, internet banking produced a lower rate of fraud than other means of transactions and was here to stay.
Julian Bajkowski writes for IDG News Service.