- Data Breach
- Mobile Threats
- Industrialisation of Fraud
Security firm 41st Parameter describes each threat in turn. The data breach threat is illustrated by the LivingSocial breach earlier this year, in which 50 million records were compromised in April. No financial records were stolen, but they probably weren’t the direct target: “consumers don’t realize that the real concern behind the theft of personal data (such as email addresses, birthdates and encrypted passwords) is potential exposure to various forms of identity theft.”
The real problem with large data heists comes in the following months when the attackers use the data they have stolen to engineer compelling phishing attacks “to dupe unsuspecting victims into revealing sensitive data that can be used to open new accounts or take over existing ones.” In this instance there were two difficulties – firstly consumers still tend to reuse passwords over multiple accounts, and secondly LivingSocial’s business model sends out ‘daily deals’ emails to its subscribers. A forged email could look like a genuine LivingSocial mail but actually contain a disguised link to a malicious site.
That malicious site would contain the second of the major threats: malware. Malware delivery from a malicious URL, otherwise known as drive-by downloading, is one of the three top delivery mechanisms of 2012. The others are app repackaging for mobile devices, and smishing. App repackaging takes a genuine app, alters it for bad intent, and then redistributes it via a different channel. Smishing is the use of “unsolicited text messages that prompt users to provide credentials.”
There is no single solution to malware, but the threat can be mitigated by the use of up-to-date anti-malware software, and improved visibility into the devices – especially mobile devices – that connect to the corporate network.
The third threat is DDoS. DDoS attacks are disruptive, driving costs up and reputations down; and there are more than 7000 DDoS attacks every day. But there is a growing issue “more prevalent now than it’s ever been,” when the target site is a bank. Possibly using account credentials stolen by the malware distributed after a data breach, it’s now “common for fraudsters to access a group of accounts, perform reconnaissance and money movement activities and then immediately launch a DDoS attack in order to create a diversion.”
The fourth threat is that posed by and to the mobile market – 700 million smartphones were sold in 2012 alone. “Since fraudsters typically attack the weakest point of ingress,” warns 41st Parameter, “and without the proper device recognition and detection systems in place, the mobile channel may soon emerge as their channel of choice.” Overall, 2012 saw a 163% increase in mobile threats, with 95% of mobile threats attacking the Android platform. In all, 32.8 million mobile devices were infected with malware.
Finally, the report discusses the industrialization of fraud. Since online transactions are by their nature ‘machine-to-machine’ they lend themselves to automation. But just as the banks automate their own processes, so too are criminals automating fraud. “Recently, 41st Parameter has seen the standardization of fraud software building blocks and data formats, which make it easier to collaborate and exchange information between fraud rings.” And there are more than 10,000 of these fraud rings in the US alone.
One of the problems that comes from this automation is that criminals can just as easily perpetrate hundreds or thousands of small frauds to gain the same financial return as a few large ones – but by staying small they are more likely to slip under the banks’ fraud detection systems.
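An added example, not taken from the 41st Parameter report: a per-transfer limit sees nothing in a run of small transfers, while summing transfers per originating device over a time window surfaces the pattern. The thresholds, field layout and device identifiers are assumptions, and the transactions are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PER_TXN_LIMIT = 1000.00        # assumed single-transfer alert threshold
WINDOW = timedelta(hours=24)   # assumed aggregation window
AGG_LIMIT = 1000.00            # assumed threshold for the windowed sum
MIN_ACCOUNTS = 3               # assumed: distinct source accounts on one device

# Constructed sample: (timestamp, source account, device id, amount)
TXNS = [
    ("2013-06-01T08:00", "acct-20", "dev-B", 450.00),
    ("2013-06-01T09:00", "acct-01", "dev-A", 240.00),
    ("2013-06-01T09:20", "acct-02", "dev-A", 310.00),
    ("2013-06-01T10:05", "acct-03", "dev-A", 280.00),
    ("2013-06-01T11:40", "acct-04", "dev-A", 295.00),
    ("2013-06-01T12:30", "acct-30", "dev-C", 120.00),
    ("2013-06-01T13:15", "acct-05", "dev-A", 260.00),
    ("2013-06-01T19:30", "acct-20", "dev-B", 600.00),
]

def per_transaction_alerts(txns):
    """Classic rule: alert only when one transfer reaches the limit."""
    return [t for t in txns if t[3] >= PER_TXN_LIMIT]

def device_velocity_alerts(txns):
    """Alert on a device whose transfers inside WINDOW reach AGG_LIMIT
    while touching MIN_ACCOUNTS or more distinct source accounts."""
    by_device = defaultdict(list)
    for ts, acct, dev, amt in txns:
        by_device[dev].append((datetime.fromisoformat(ts), acct, amt))
    alerts = {}
    for dev, rows in by_device.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most WINDOW.
            while rows[end][0] - rows[start][0] > WINDOW:
                start += 1
            window = rows[start:end + 1]
            total = sum(r[2] for r in window)
            accounts = {r[1] for r in window}
            if total >= AGG_LIMIT and len(accounts) >= MIN_ACCOUNTS:
                alerts[dev] = (round(total, 2), len(accounts))
                break
    return alerts

if __name__ == "__main__":
    print("per-transaction alerts:", per_transaction_alerts(TXNS))
    print("device velocity alerts:", device_velocity_alerts(TXNS))
```

The single customer on dev-B also moves more than the aggregate limit in a day, but from one account, so the distinct-account condition keeps that device out of the alerts.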
All of these threats could stem from that initial data breach: stolen personal data leading to phishing and the installation of malware that steals account data (although the mobile arena is increasingly used to do the same), in turn leading to financial fraud which is increasingly industrialized and disguised by DDoS attacks. In fact, “The increase in large-scale data breaches and high-volume, coordinated fraud attacks are byproducts of the industrialization of fraud driven by the movement of services online,” says Eli Katz, vice president of financial industry solutions at 41st Parameter. “Financial institutions and consumers must each take steps to adjust to this evolving threat landscape.”