Australians continue to ride a growing wave of Chinese investment in resources, which helped stave off much of the GFC or recession that other countries had to deal with. Now it seems that with all this success they are becoming more of a target for international online crime gangs targeting Aussie wealth.
Last week, Aussie TV personality and larrikin builder Scott Cam's face was reported to have been used by a Chinese crime gang to lure Aussies into handing over bank details online. Scott is the face of one of Australia's largest credit unions, which positions itself as big enough to win over traditional banking customers.
The trouble is that the issue this credit union faces is no different from that of many financial institutions around the world that rely on outdated authentication methods to give their customers confidence and better security over their confidential credential details. However, one main issue is often missed by those using authentication to verify a customer accessing their accounts: AUTHENTICATION IS NOT SECURITY!
Authentication is just that: authentication. This method has been very powerful in verifying customer details during a transaction, but it is now being cleverly circumvented by criminals employing social engineering or man-in-the-middle techniques that compromise the computer used by the customer, or that simply trick the customer into authenticating the malware's transaction as it completes in real time.
Secondly, CONSUMERS ARE NOT SECURITY EXPERTS and are therefore often unaware that their computer may already be compromised before they begin a transaction, because the consumer relies on a stand-alone antivirus solution, usually operating in isolation, to find a potential threat and alert them. Unfortunately, the financial institution is also unaware of the security health of the computer the customer is using, so it relies on the authentication process alone. To beat these systems and methods, criminals are employing real-time social engineering techniques to defeat antivirus solutions, scramble pads and even SMS or physical-token-based out-of-band authentication methods.
The challenge now is to raise the bar and verify not just the account holder, using one or more authentication methods, but also, in real time, the security health of the computer used by the customer before the transaction begins. In the background, the financial institution can then apply business rules and policies in real time, based on the security health of the customer's computer, before the customer begins a transaction. This is a simple step that includes the customer's computer in the overall security chain.
Therefore, only when financial institutions, and indeed all online businesses that require customer confidential details to complete a transaction, provision a more robust methodology that combines REAL-TIME RISK-BASED SECURITY with AUTHENTICATION (optionally with real-time feedback to the customer on the security health of their computer before the transaction begins) will we begin to stem the flow of online criminals who focus their attacks on the weakest link. If not, we will continue to see the same online criminals target the unwitting consumer.
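To make the "authentication plus real-time risk-based security" idea concrete, here is an added example of the kind of policy step the post argues for. It is not code from the post or from any credit union; the `DeviceHealth` fields, the scoring weights, the thresholds and the sample reports are all constructed assumptions. The policy takes the outcome of the normal authentication step, a health report about the customer's computer, and the transaction being requested, and returns one of three decisions together with the feedback message the customer would be shown.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Tuple


class Decision(Enum):
    ALLOW = "allow"        # proceed with the transaction as normal
    STEP_UP = "step_up"    # require an additional out-of-band confirmation
    BLOCK = "block"        # do not process; tell the customer why


@dataclass
class DeviceHealth:
    """Security-health signals about the customer's computer (assumed fields).

    In practice these would come from a client-side agent or browser check
    that the institution trusts; here they are plain constructed values."""
    report_fresh: bool          # report received within the last few minutes
    av_running: bool            # an antivirus product is active
    av_signature_age_days: int  # age of its last signature update
    os_patched: bool            # operating system is up to date
    browser_integrity_ok: bool  # no unexpected modification of the banking session detected


@dataclass
class Transaction:
    amount: float
    new_payee: bool   # first payment to this recipient


def score_device(health: DeviceHealth) -> int:
    """Convert the health report into a risk score (higher = riskier).

    A missing or stale report is scored as unknown, not as healthy: the
    institution cannot vouch for a machine it has no current picture of."""
    score = 0
    if not health.report_fresh:
        score += 40
    if not health.av_running:
        score += 25
    elif health.av_signature_age_days > 7:
        score += 10
    if not health.os_patched:
        score += 10
    if not health.browser_integrity_ok:
        score += 50
    return score


def decide(authenticated: bool, health: DeviceHealth, tx: Transaction) -> Tuple[Decision, str]:
    """Combine authentication, device health and transaction context into a policy decision."""
    if not authenticated:
        return Decision.BLOCK, "Authentication failed."

    risk = score_device(health)
    # Business rules: higher-value or first-time payments tolerate less device risk.
    if tx.amount > 1000:
        risk += 15
    if tx.new_payee:
        risk += 15

    if risk >= 60:
        return Decision.BLOCK, (
            "This transaction was not processed because your computer did not pass "
            "our security health check. Please update your security software and try again."
        )
    if risk >= 30:
        return Decision.STEP_UP, (
            "We need to confirm this transaction with you through a separate channel "
            "before it proceeds."
        )
    return Decision.ALLOW, "Your computer passed the security health check."


# Constructed sample reports for a quick run.
HEALTHY = DeviceHealth(True, True, 1, True, True)
STALE_REPORT = DeviceHealth(False, True, 1, True, True)
NO_AV = DeviceHealth(True, False, 0, True, True)
TAMPERED_SESSION = DeviceHealth(True, True, 1, True, False)

if __name__ == "__main__":
    for label, health, tx in [
        ("healthy, small payment", HEALTHY, Transaction(150.0, False)),
        ("stale report, large payment", STALE_REPORT, Transaction(5000.0, False)),
        ("no antivirus, new payee", NO_AV, Transaction(200.0, True)),
        ("tampered session, new payee", TAMPERED_SESSION, Transaction(50.0, True)),
    ]:
        decision, message = decide(True, health, tx)
        print(f"{label}: {decision.value} -> {message}")
```

The point of the three-way outcome is that the health check feeds the institution's business rules rather than replacing authentication: a good credential on an unknown or unhealthy machine is escalated or refused, and the customer gets feedback about their own computer before the transaction rather than after. The report itself is assumed trustworthy here; in a real deployment its integrity would need protecting, since a compromised machine cannot simply be asked whether it is compromised.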