Social engineering replaces guns in today's biggest bank heists

Australia's banking industry is under threat due to a heavy reliance on Single Socket Layer (SSL) encryption that hackers increasingly find their way around.

There are no 'stick-em-up' dramatics in today's million-dollar bank heists, it simply involves the use of SSL-evading Trojans and refined phishing techniques.

While banks are reluctant to quantify financial losses, Australia's Computer Emergency Response Team (AusCert) admits its own research proves attacks are on the rise.

AusCert general manager Graham Ingram said a false sense of security surrounds SSL encryption, a technology in use right across the financial services industry.

This reliance on Internet browser encryption means banking sessions can be hijacked by Trojans and key-logging programs especially if users engage in lax security protocols and don't use current anti-virus signatures.

The bottom line is that social engineering tricks are circumventing Internet banking encryption (see our special report on E-commerce in crisis, on page 20)

Ingram said there is a belief that customers are safe and privacy is protected through the use of SSL but "this is not the truth".

His statement was backed up by AusCert's analysis and assessment manager Kathryn Kerr, who said it is a serious issue for any organization offering Internet banking as well as anyone using VPNs or remote work.

Neal Wise, director of security firm Assurance.com.au, said SSL does serve a good purpose but leaves users prone to a "man in the middle"-type attack.

"Unfortunately the only controls a bank can rely on for users to transport data is SSL encryption; it leaves them in an interesting situation having to cover related security issues they have not created," Wise said.

"We will see financial institutions, as part of shoring up their own risks, providing cut-price antivirus and content checking tools for their clients, because right now if someone manages to put a keystroke logger on a client computer, and a banking session gets recorded, banks have to cover that risk and it is not their fault."

While security experts claim Internet banking fraud drains as much as 2 to 5 percent of revenue, the financial services industry isn't as forthcoming when it comes discussing online threats, and the Australian Bankers Association (ABA) refuses to comment.

A spokesperson for the Commonwealth Bank said SSL encryption has served them, and their customers well and it is confident it will continue to do so.

The spokesperson pointed out that SSL encryption is a global industry standard.

"We are constantly reviewing and assessing our Internet security measures so that our customers can have the utmost confidence and trust in our service," he said.

Paul Jennings, head of channels and systems management for Westpac Bank, said the latest threats - like phishing - doesn't defeat SSL encryption, only tricks the customer into revealing their identity. He said this occurs before the SSL encryption begins.

"SSL is still required for a secure session, but one cannot rely on it as a panacea to all fraud and security or privacy issues," Jennings said. "We have fraud detection tools, screen high-risk payments, run education campaigns and recommend our customers use antivirus tools so we are quite comfortable with Internet banking security, but SSL encryption is just a cornerstone.'

The National Australia Bank has taken a more holistic approach to online security. A NAB spokesperson said there is a need for multiple layers of protection between customer and bank transactions - a primary driver behind the move to two-factor SMS authentication - adding there is also a need for consumers to be aware of their own responsibilities when it comes to protecting data and their own PC.

Peter Dowley, ANZ Bank IT security architect, said using SSL encryption for online banking ensures that bulk attacks cannot be conducted by compromising either the Internet backbone or Internet service providers.

"The next vulnerable point is the customer's computer and so attackers have to concentrate their efforts at this point."

Claiming SSL encryption will stand the test of time, Matthew Warren, Deakin University head of the School of Information, said social engineering techniques are shaking customer confidence.

"It does not matter if someone cracks an encrypted SSL key, because it would take so long and by the time it was cracked the data would be worthless," he said.

"While encryption protects the data in transport, spyware can record passwords and e-mail them to another party. The banks need to look at three-tier authentication that includes a swipe card because you cannot rely on a user name and password."

Webroot uncovers thousands of stolen identities

Spyware researchers at Webroot Software have uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan horse program the company is calling Trojan-Phisher-Rebery. The FBI is investigating the stolen information, which was discovered on a password-protected FTP (File Transfer Protocol) server in the US. The information, organized by country, includes names, phone numbers, social security numbers, and user log-ins and passwords for tens of thousands of Web sites.

The discovery is just the latest evidence of rampant identity theft by online criminals.

The Rebery malicious software is an example of a "banking" Trojan, which are programmed to spring to life when computer owners visit one of a number of online banking or e-commerce sites, said Gerhard Eschelbeck, CTO at Webroot. Rebery is still "running wild" on the Internet, Webroot said. The company believes there are more than 12,000 systems infected with the Trojan.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about ABAANZ Banking GroupAusCertAustralia's Computer Emergency Response TeamCommonwealth Bank of AustraliaComputer Emergency Response TeamCornerstoneDeakin UniversityDeakin UniversityFBIFinancial InstitutionsHISIngram MicroINSNABNational Australia BankSocketWebrootWebroot SoftwareWestpacWestpacWestpac Bank

Show Comments
[]