The number of malware infections has increased by 10 times in
the past year, but banks are managing to limit attacks on their
online customers through multiple lines of defence, say
researchers.
Cybercriminals have rapidly increased their capability to
exploit browser vulnerabilities to pass on infections to website
visitors without requiring any interaction.
But online banking fraud is not increasing at the same rate,
growing by 55% in the UK, compared with the 1,000% increase in the
malware infection rate.
Multiple lines of adaptive and dynamic defence are the key to
the financial sector's strategy, says Uri Rivner, head of new
technologies, consumer identity protection at RSA, the security
division of EMC.
"The financial services sector
understands that multiple lines of defence is much more
effective than any single technology or approach to fighting
cybercrime," he says.
Any single technology will be obsolete in a very short time,
says Rivner, so banks and other financial institutions are combining
technologies in dynamic systems of defence that can evolve with the
threat.
Typically, financial institutions will do a risk analysis of
each transaction based on a number of factors such as the IP
address and geo-location of the PC involved, transaction amount and
past behavioural patterns.
Higher-risk transactions, for example, will trigger more
sophisticated authentication mechanisms such as a one-time password
sent by text to a customer's mobile phone, says Rivner.
In addition to the visible authentication methods that involve
interaction with the customer, banks also use invisible
authentication methods which are far more difficult for criminals
to circumvent.
"If criminals cannot see what the bank is doing to authenticate
a customer, it is extremely difficult to find ways of faking
identity," says Rivner.
These invisible authentication methods include things like
building up a profile of the PCs that a customer commonly uses and
using that as a factor to determine risk in future
transactions.
"The fact that a customer is using an unknown computer to access
accounts is not that unusual, but in combination with other
factors, it may trigger additional authentication processes," says
Rivner.
Some banks are using knowledge-based authentication for higher-risk
transactions, in which the bank will call the customer and ask
for several pieces of personal information.
"The answers to these questions cannot be easily researched by
would-be fraudsters," says Rivner.
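The tiered risk analysis and step-up authentication described above (transaction factors, the "unknown device is not unusual on its own" rule, and the escalation to a one-time password or a knowledge-based call), as an added Python example that is not code from the article or from RSA: the customer profile is constructed sample data, and the factor weights and tier thresholds are illustrative assumptions, not any bank's real values.

```python
from dataclasses import dataclass

@dataclass
class CustomerProfile:
    known_devices: frozenset      # invisible factor: device fingerprints the customer commonly uses
    usual_countries: frozenset    # geo-locations seen in past sessions
    typical_amount: float         # rolling average of past transfer amounts

@dataclass
class Transaction:
    device_id: str
    country: str
    amount: float

# Weights and thresholds are assumptions for illustration, not values from the article.
WEIGHT_UNKNOWN_DEVICE = 2
WEIGHT_UNUSUAL_GEO = 3
WEIGHT_LARGE_AMOUNT = 3
LARGE_AMOUNT_MULTIPLIER = 3.0

def risk_score(tx: Transaction, profile: CustomerProfile) -> tuple:
    """Sum per-factor weights: each factor alone is weak, in combination they escalate."""
    score, reasons = 0, []
    if tx.device_id not in profile.known_devices:
        score += WEIGHT_UNKNOWN_DEVICE
        reasons.append("unknown device")
    if tx.country not in profile.usual_countries:
        score += WEIGHT_UNUSUAL_GEO
        reasons.append("unusual geo-location")
    if tx.amount > LARGE_AMOUNT_MULTIPLIER * profile.typical_amount:
        score += WEIGHT_LARGE_AMOUNT
        reasons.append("amount far above past behaviour")
    return score, reasons

def required_authentication(score: int) -> str:
    """Map the score to a step-up tier: nothing visible, SMS one-time password, or KBA call."""
    if score <= 2:
        return "none"          # e.g. an unknown device on its own does not trigger anything
    if score <= 5:
        return "otp_sms"       # one-time password texted to the customer's phone
    return "kba_call"          # bank calls and asks several pieces of personal information

# Constructed sample profile: a customer who usually pays about 200 from two known devices in GB.
PROFILE = CustomerProfile(frozenset({"laptop-a1", "phone-b2"}), frozenset({"GB"}), 200.0)

if __name__ == "__main__":
    tx = Transaction("tablet-z9", "ZZ", 2500.0)   # constructed: new device, new location, large amount
    print(risk_score(tx, PROFILE), "->", required_authentication(risk_score(tx, PROFILE)[0]))
```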
Together with anti-malware and anti-phishing technologies, these kinds of
risk assessment and authentication mechanisms provide the financial
sector with the multiple lines of defence needed to be effective,
he says.
"Banks and other financial institutions have proved that this
approach works; now enterprises should learn from that and apply
the same principles to improve their defences," says Rivner.