New kids on the block: Novel tactics and perpetrators

This blog is about some of the tactics used to target individual customers’ accounts, so I won’t be talking about two of the biggest existential threats any institution faces just now: Insiders and Nation State Actors.

Insider threats (both malicious and unintentional) can lead to widespread issues, and organised, often nation-state-backed, actors have recently moved away from individual account compromise towards staging large-scale attacks targeting infrastructure like payment systems. But focusing only on those threats forgets one thing: hacked customers are vocal, angry and sometimes betrayed customers, and it really is in the best interest of an institution to ensure their security is maintained.

Mobile technology allows customers complete control over their banking security via their smartphones; however, recent fraud cases have seen criminals virtually hijacking mobile phones to intercept alerts and texts.

“Phones were never intended to be verification devices, so they are now the weakest security link in a lot of ways,” explains Richard Graham, Head of Business Solutions (Americas) at BAE Systems Applied Intelligence. He adds, “If you change your password, your bank will send a verification message. If you log into your online banking account from a new computer, you get a text sent to your phone.”

Clever hackers are now able to compromise identities to log into existing mobile phone accounts and convince phone companies to port the number to a new device. Some use insider intelligence in the phone store or strategically placed call-centre employees to facilitate the takeover. However they do it, says Graham, “Your phone no longer works and someone else has been able to send fraudulent payments out of the bank through your account with their device getting all of the authentication messages.” Moreover, this mobile technology is affording criminals the type of anonymity they used to only dream of: “You can walk down the street and use your neighbour’s Wi-Fi or go to a coffee chain,” he says.

We are seeing that video is becoming an increasingly appealing device for social engineering and phishing: social-media users are told to watch a video message from a “friend” and then enter their login details to proceed.

Banking biometrics, developed as a security measure, could mean that criminals resort to more violent means – physically forcing their victims to comply with checks. While biometrics is a boon to financial security, it could also provide criminals with another technology to exploit. Graham believes that we might see criminals using increasingly high-powered cameras to take photographs: “If you can get a person’s fingers at a great enough resolution, you could ‘print’ their fingertips, rendering fingerprint biometrics useless for certain people in the long run.” New opportunities for crime will always present themselves with every new technology: “Where there’s a will, there’s a way.”

(Editor's Note: The article was written by Michelle Farr; original article here. Reposted with permission.)
