IT rackets are favourite for organised crime

It rackets are rivalling drugs in criminal chic stakes

IT-based racketeering and thievery has almost replaced drugs as the currency of favour for organised criminals, with slow-moving and tight-fisted banks letting phishing crooks run amok, warns Sophos CEO Jan Hruska.

He said the reluctance of banks to implement dynamic passwords on transactional websites has continued to make them premium targets - with plenty of headaches to come.

"Any financial institution that is offering fixed passwords will be in real trouble will have to use dynamic passwords. If you have dynamic passwords, the [effectiveness of] phishing goes away.

"Financial institutions are about 10 years behind the sort of security offered to consumers. They haven't done it because of the cost, [but] RSA will be selling those tokens like they are going out of fashion," Hruska said.

However, Hruska avoided any suggestion that banks put security behind profits, noting bank systems by nature were large, complex and long-term investments.

On the crime talent front, Hruska said, crime syndicates are buying spamming capabilities to mass distribute identity theft scams to obtain fake documents and access to credit. Meanwhile, the crooks are fighting back.

"Organised crime has the incentive to fight police with a different set of weapons at their disposal [such as denial-of-service attacks]. Spammers are definitely teaming up with virus writers. They have learned to live together," Hruska said.

Hruska's warning comes only weeks after Australia's big four banks agreed to embed their own security specialists within the Australian High Tech Crime Centre in an effort to gather intelligence on phishing attacks.

Co-ordinator of the Australian Bankers' Association's Fraud Taskforce Tony Burke said his organisation did not believe there was "a silver bullet which will stop these criminal attempts to defraud [banks] and [their] customers".

However, when it comes to dynamic passwords, Burke said the decision rested with individual institutions.

"Banks do not report this information to the ABA and they are under no obligation to do so. The decision to make a purchasing decision or whether to proceed with a certain type of technology is a business decision which is in the hands of the bank," Burke said.

Burke also defended banks' efforts to educate customers about online scams, arguing that banks had increased security and contact with customers.

"The ABA or individual banks do not discuss specific security measures as this gives too much information to criminals who may attempt to defraud a bank and its customers," Burke said.

Last month, Commonwealth Bank executive general manager of financial and risk management John Geurts told AusCert conference delegates that despite accusations of poor security, internet banking produced a lower rate of fraud than other means of transactions and was here to stay.

Julian Bajkowski writes for IDG News Service

Read more on IT risk management