Blog article
See all stories »

Combating global cyber crooks

This week two large-scale fraud scams caught my attention.

The first scam sees fraudsters using new and improved Zeus and SpyEye malwares to infiltrate people’s computers, enabling them to steal their personal details so that they can siphon large amounts of money into their own bank accounts. This isn’t the first time that malware has conquered innocent victims’ computers, but what is more malicious about the new version is that money transfers are automated. Criminals are evolving with technology and targeting cloud-based servers.

Fraudsters needn’t lurk around the internet and wait for people to log on to their bank accounts anymore (classic Man-in-the-Middle type fraud), instead  with the process computerised, criminals can now drain bank accounts more quickly and efficiently making it even more difficult to detect.

The second criminal activity focuses on the buying and selling of stolen credit card and other personal details, a scam which spans the globe. The FBI has been investigating the criminal organisations involved for two long years and this week made 24 arrests. Again, this type of fraud isn’t new, we know it exists, but what is worrying is the global scale of the problem. Authorities in over 30 jurisdictions were involved which lead to the arrests in several countries including UK, Norway, Italy and Japan.

Both scams clearly show that organised criminal gangs are tactical and ambitious, targeting high net worth individuals and business accounts with large sums of money. It’s been reported by McAfee that $78 million was stolen worldwide in the Zeus and SpyEye scam.

So how do we stop them? Granted the FBI’s plan to lure fraudsters into a “honeypot” website where criminals were made to believe that they could buy and sell personal details, was very smart, but the real worry is the sheer scale of this global  problem that we are dealing with which is now a major a core revenue generator for organised crime.

Perhaps, what the security industry needs to admit that alongside efforts to prevent fraud, the industry needs to focus increasingly on detection and what it can do is make it very difficult for fraudsters to actually use the stolen data to access bank accounts.

As I’ve said before, two factor authentication is no longer viable. The industry needs to move towards a multi-layered approach to authentication, using a mix of visible and invisible layers such as voice biometrics and Proximity Correlation Logic. Also, detection needs to work in real-time so that victims and their banks are alerted to attacks immediately and thereby given the chance to prevent it from happening, saving them the inconvenience of being out of pocket and their banks from the costs of fraud investigation.

4938

Comments: (1)

A Finextra member
A Finextra member 28 June, 2012, 18:23Be the first to give this comment the thumbs up 0 likes

Layered approach is a good way forward, as it allows to implement situational scenarios (the basic example - PINless floor limit for NFC transactions).

The problem is not with 2-factor authentication (2FA) methods, but with the way they are implemented (i.e. security protocol). GSM security is based on 2FA (furthermore, one of the factors is used purely as ID), yet the level of fraud is less than 0.01%.

Pat Carroll

Pat Carroll

Founder/Executive Chairman

ValidSoft

Member since

17 Mar 2011

Location

London

Blog posts

79

Comments

40

More from Pat

This post is from a series of posts in the group:

Information Security

The risks from Cyber cime - Hacking - Loss of Data Privacy - Identity Theft and other topical threats - can be greatly reduced by implementation of robust IT Security controls ...


See all