Threats are becoming more sophisticated, and cybercriminals are getting smarter at evading new authentication controls, according to an RSA Conference panel of security practitioners representing three major financial institutions.
Members of the panel, comprising experts at Bank of America, PayPal and JPMorganChase, agreed on Wednesday that the burden is on them to secure their systems for customers - many of whom are being greeted with slick new attempts to take over accounts. Securing systems includes implementing a defence-in-depth approach that offers multifactor authentication on the front end and fraud detection capabilities on the back end, the panellists said.
"The bad guys invested in a spell checker," joked David Shroyer, senior vice president at Bank of America's online security and enrolment division. "I'd love to combat phishing in 2004 versus what we're facing today."
He added that many of today's phishing messages do not just lead to sites trying to mimic the financial institution, but also to pages attempting to foist malware onto users' machines.
Customer education is also important, the panel held. Shroyer, for example, is working with the non-profit Anti-Phishing Working Group on an initiative that would replace pages of known phishing sites that have been taken down by internet service providers with an industry-accepted page designed to educate people about social engineering attacks.
"We have the opportunity to educate," Shroyer said. "It's a teachable moment. 'Hey you're getting phished. Here's how you can prevent it in the future.'"
Stan Szwalbenest, remote channel risk director at JPMorganChase, said his company - like most financial institutions - has fraud detection technologies in place that will alert if a user's account is being misused due to malware on his or her machine. Then, a representative will call the victim and educate them about the need to update their security patches and anti-virus solution.
"We really take a negative and turn it into a positive," he said.
In the end, though, the panel agreed, customers have an expectation of security and do not want to be involved in the process, said Allison Miller, senior manager for PayPal's account risk and security department.
"A lot of malware and attack vectors are essentially invisible to our users," she said. "They can't see them coming. It's our job to see them coming."
As a way of reducing risk, many financial institutions have begun using a technique known as "out-of-band" authentication (such as calling a customer on the telephone) to verify highly sensitive account transactions, the panel pointed out. But the cybercriminal community has responded, for example, by forcing phone calls to victims to be forwarded to them, or by spoofing their numbers when calling the bank themselves.
Shroyer said many criminal web forums are seeking "confirmers" to play the role of actual customers should the bank call to verify a fraudulent transaction. Often, the crooks will seek out a person whose voice would resemble the victim's ethnicity, he said.
It all comes down to social engineering, Szwalbenest said. When in doubt, assume you are getting duped. Banks should assume someone trying to open an account is a fraudster, and consumers should assume the person claiming to be the bank is actually a crook, he said.
A version of this article first appeared on the SC Magazine US website.