Global fraudsters will choose attack weapons based on the level of security they are likely to encounter. If security is more high level, then they will invest in advanced technological tools to break through the barriers. If the security is more low-key, then their tools will also be of a similar nature.
Richard Booth, IPV business manager for Australia and New Zealand at RSA says, “Much like any other business, fraudsters look for economies of scale. If there are businesses with stronger fences and sophisticated tools, then to overcome those defences, fraudsters will use advanced Trojans and other mechanisms. In situations where businesses are operating with weaker security measures, then it does not make economical sense for them to use advanced tools. Phishing will do.
“They have their own business cases. If they can rob one bank over the other for half the cost with the same rewards, then that is what they are going to do.”
Phishing remains the largest threat by volume to NZ consumers, but threats even within the realm of phishing are evolving, according to Booth.
“Phishing is evolving and the level of sophistication involved in these attacks is moving upwards. We saw man-in-the-middle attacks, where a person’s credentials could be compromised and used by the fraudster. Then there are man-in-the-browser attacks, which involves the download of malicious software that captures information.
“The level of automation in these Trojans have increased. Some of them encrypt the stolen credentials and many of the advanced ones even have the ability to transfer funds and manage mule accounts.
Booth says fraudsters are not only phishing via email, they are also starting to send SMS messages and make phone calls. He said this form of phishing is not popular yet, but RSA is seeing instances of it in New Zealand and Australia.
“We are also seeing man-in-the-mobile attacks now, where malicious software that is downloaded to the phone can be used to manipulate the device, and divert calls and SMS messages to another device, where the fraudster can pretend to be the original user," he says.
“The worrying thing for businesses in New Zealand is that these advanced attacks have already proven to be effective against defences. So when they move to more sophisticated security solutions here, they might find their window of effectiveness is reduced. Previously, the solution could be effective for five or six years. Now, that has been reduced to 18 to 24 months, before fraudsters figure out a way around the technology or even find a loophole in the security process."
More than just technology
Booth recommends that businesses should approach security in a three-pronged manner, covering people, process and technology. Each of it has to be adequately covered in order to ensure that an organisation remains secure.
“Mere technology cannot help an organisation much. The business has to educate its customers and staff on process and best practices. The demographic profile of the people should also be kept in mind when delivering education. Digital natives, who have grown up connected and using multiple devices, might need different levels of education, compared to digital migrants, who are still new to the threats that connectivity brings.
“The security policy in an organisation should also be well-understood and have sufficient C-level executive support. Without top-down support from executives, security is a difficult thing to drive in an organisation. These are our focus areas, and we are seeing some good change for the better from our customers in the A/NZ region,” says Booth.
RSA is working with organisations to help them with creating and implementing security policies in the region, even as it is working with regulators to influence some of the policies that surround financial transactions and breach disclosures from affected organisations.
“Regulations might feel like the proverbial stick. But there are bigger threats out there. And in the age of social media, even one customer’s knowledge and complaints can potentially go viral. It might be better for the company to disclose to the customer in a positive manner and put out the message that they value the customer, their data and their trust,” says Booth.
His comments come off the back of a recently released RSA report that highlights the growing incidence of fraud-as-a-service (FaaS) and fraud schools that operate in the underground, providing information and knowledge on fraud tools and techniques for a fee.