The banking industry needs to gear up for sophisticated multi-channel attacks by cyber criminals, says security firm IronKey.
"To protect customers, banks must accept there is no longer any concept of a safe network perimeter and that every device is compromised to some degree," said Kapil Raina, virtualisation and senior product manager at IronKey.
Raina, who is in the UK to brief the UK Payments Council on cyber threats, said banks needed to adopt a multi-tier approach to combat attacks that are no longer limited to stealing credentials from desktops, but are also targeting fax, voice and mobile channels.
In a relatively short time, he said, attacks have moved from simple phishing and keylogging to polymorphic malware, exploiting smartphones and social networks to carry out highly targeted attacks.
These attacks are rapidly evolving to use intelligent malware that can analyse targeted machines and users and modify its behaviour accordingly, and they are becoming increasingly automated.
"One component can be downloaded through one social networking site, for example, and then based on what other social media accounts a user has, it can download other small components that will slip under the security radar," said Raina.
Although it was aimed at particular proprietary system control software, Stuxnet demonstrates the ability of cybercriminals to develop malware that can penetrate tightly controlled systems similar to electronic payment systems, which could be the next evolution, he said.
In the face of this kind of sophistication, banks need to look at technologies that can isolate financial transactions from host and work environments, said Raina, such as sandboxed virtual environments and virtual private networks.
"Because we have to assume that every device and network is compromised, it is only by putting a wrapper around transactions that they can be protected," he said.
The continual evolution of attack methods also means banks cannot rely on static security systems, said Raina, but need to implement something that can be updated independently of end users and that allows for multiple authentication methods for different types of transaction.