Members of the panel, comprising experts at Bank of America, PayPal and JPMorganChase, agreed that the burden is on them to secure their systems for customers -- many of whom are being greeted with slick new attempts to take over accounts. Securing systems includes implementing a defense-in-depth approach that offers multifactor authentication on the front end and fraud detection capabilities on the back end, the panelists said.

"The bad guys invested in a spell checker," joked David Shroyer, senior vice president at Bank of America's Online Security and Enrollment division. "I'd love to combat phishing in 2004 versus what we're facing today."

He added that many of today's phishing messages do not just lead to sites trying to mimic the financial institution, but also to pages attempting to foist malware onto users' machines.

Customer education is also important, the panel held. Shroyer, for example, is working with the nonprofit Anti-Phishing Working Group on an initiative that would replace pages of known phishing sites that have been taken down by internet service providers with an industry-accepted page designed to educate people about social engineering attacks.

"We have the opportunity to educate," Shroyer said. "It's a teachable moment: 'Hey you're getting phished. Here's how you can prevent it in the future.'"

Stan Szwalbenest, remote channel risk director at JPMorganChase, said his company -- like most financial institutions -- has fraud detection technologies in place that will alert if a user's account is being misused due to malware on his or her machine. Then, a representative will call the victim and educate them about the need to update their security patches and anti-virus solution.

"We really take a negative and turn it into a positive," he said.

In the end, though, the panel agreed that customers have an expectation of security and do not want to be involved in the process, said Allison Miller, senior manager for PayPal's Account Risk and Security department. "A lot of malware and attack vectors are essentially invisible to our users," she said. "They can't see them coming. It's our job to see them coming."

As a way of reducing risk, many financial institutions have begun using a technique known as "out-of-band" authentication (such as calling a customer on the telephone) to verify highly sensitive account transactions, the panel pointed out. But the cybercriminal community has responded, for example, by forcing phone calls to victims to be forwarded to them, or by spoofing their numbers when calling the bank themselves.

Shroyer said many criminal web forums are seeking "confirmers" to play the role of actual customers should the bank call to verify a fraudulent transaction. Often times, the crooks will seek out a person whose voice would resemble the victim's ethnicity, he said.

It all comes down to social engineering, Szwalbenest said. When in doubt, assume you are getting duped. Banks should assume someone trying to open an account is a fraudster, and consumers should assume the person claiming to be the bank is actually a crook, he said.

See original article on scmagazineus.com