Bracing your browser: how to keep the fraudsters at bay
Whether through loss of financial assets or damage to an organisation's brand, online fraud is becoming more of a problem and has the capacity to significantly and negatively impact a business, says Gad Elkin.
Gad Elkin, head of EMEA security, F5 Networks
According to figures from the ONS, an estimated 3.8 million adults in England and Wales were victims of online fraud in the year to August 2015. This included 2.5 million incidents where the victim's internet-enabled device was infected by a virus or where a social media account had been hacked. Malware, phishing and other forms of credential grabbing all have the potential to disrupt businesses, particularly as specific organisations are aggressively targeted. To prevent online fraud, it is important for businesses to recognise where their infrastructure is most vulnerable, educate employees effectively and work with the right partners to keep up with an evolving cyber-security landscape.
Securing data in the age of IoT
Despite high-profile security incidents regularly hitting the headlines in 2015, the modern data centre is actually quite secure compared with other potential access points to sought-after data. Consequently, hackers are drawn towards the weakest element, which today is the often-neglected browser. Gartner predicts that 6.4 billion connected devices will be in use this year, driven by the growth of BYOD. As the number of active browsers rises, so does the number of access points to the browser, making it an ever more viable gateway to sensitive customer data.
Given the volume of transactions and financial data at stake, the financial services sector is likely to remain the primary target for these attacks. Unfortunately, it is also one of the hardest to protect, largely due to automated transactions becoming the norm. Preventing infected platforms from conducting automatic transactions into bank accounts will always be a primary concern for financial organisations in particular. Beyond the financial industry, a scenario we are beginning to see more of is the targeting of online applications with large customer databases (such as Ashley Madison), which may contain either financial information or other sensitive data that could be used for future extortion.
Whilst traditional online fraud is still on the up, 2015 saw a significant increase in attacks on mobile devices. Fraud in this form is essentially the same threat, but it is becoming more relevant, despite not being front of mind for consumers, as we rely on our mobile devices for more areas of our lives, such as mobile banking. In just the same way as traditional fraud, customer browsers on mobile devices are vulnerable to malware, phishing and other forms of credential grabbing. The range of devices through which browsers can be accessed, combined with the variety of attack types, contributes to a very complex picture that requires equally advanced security.
Helping businesses to help themselves
An all too common facilitator of fraud is the lack of appropriate means to deal with today's threats. In the current context, anti-virus programs just aren't enough to protect your browser; businesses need a range of tools and expertise at their disposal to keep up with the methods used by fraudsters.
Beyond access to appropriate technical solutions, an alarming lack of user education is another area contributing to rising fraud levels, which can have serious consequences in a corporate environment. Credential grabbing and phishing incidents are often associated with a lack of employee awareness, and have the potential to cause significant reputational and monetary damage to organisations and their customers. Therefore, it is vital that employees are educated on the dangers awaiting them on their own corporate networks.
Fraud security shouldn't have to be your problem
There are particular solutions that can be implemented by businesses to alleviate the risk of fraud, such as detection of malware and phishing threats. Whilst there are also more advanced solutions that can encrypt credentials to defend against credential grabbing, the rapidly developing arsenal of the fraudster is such that these methods are becoming less effective. Unfortunately, threat protection is not a one-size-fits-all approach; defending against malware, phishing and other dangers requires a combination of solutions.
So, how can businesses hope to stay on top in the battle to keep sensitive information and customer data safe? The answer is, they shouldn't have to. The combination of the high level of expertise required to counteract fraud and the increasing demand for seamless solutions has heralded a rising dependence on external vendors and consultants. Access to 24/7 expertise, threat reporting and analysis is now a requirement to keep businesses and end-consumers safe and satisfied. Above all, what businesses really want is the capability to translate the deluge of data into real business insights and solutions that can be easily implemented.
When we examine the organisations that have been targeted by these attacks, most have fallen victim to very basic threats. This demonstrates that application security, as well as fraud detection, is nowhere near where it should be. Businesses often develop security solutions based on the latest threat or strain of malware on the scene. By focusing instead on reinforcing the security of their architecture, rather than catering to a specific threat, organisations can best prepare themselves for increasingly varied online dangers. Therefore, applying security that is specific to your applications, rather than the premises where they reside, is the way to mitigate attacks. Working alongside a team of experts can also assist businesses in dealing with new updates and threats and ultimately provide real business solutions in a time when the threat is constantly evolving.
Contributed by Gad Elkin, head of EMEA security, F5 Networks