Author: Simon Cadbury
Malware harvesting online banking details
It’s been a pivotal week for banks in the fight against cyber-crime. The National Crime Agency has revealed that hackers have stolen £20 million from UK bank accounts using a new virus, known as Dridex malware, which works by harvesting online banking details. Immediately after this finding, the Office of National Statistics (ONS) released its crime statistics for the year, which included cyber-crime for the first time ever.
While cyber-crime is by no means a new threat, it is one that is growing at an alarming rate. To put it in context, £20 million is a third of the reported online banking loss, by Financial Fraud Action UK, in 2014.
Cyber-criminals, phishing and social engineering scams
Worryingly, understanding of these forms of attacks remains limited. In addition, Mike Penning, the Home Office minister responsible for policing and crime recently admitted that his own bank account was targeted by criminals last year, stating that he didn’t fully understand how to protect himself, and labelling hackers as extremely clever.
It’s clear that cyber-criminals are more sophisticated than ever before. A variety of factors have contributed to this increase in online banking fraud, but it has been driven by a change in attack methods. Criminals are now using phishing and social engineering scams, such as vishing (phishing over the phone) and smishing (phishing via SMS), in combination with more advanced online attacks such as infecting computers with malicious software or malware.
How the banking industry is fighting back
It’s now time for In order to fight back banks to play a leading role in both educating and protecting their customers.
The good news is that vital steps are already being taken. One great step the industry has recently taken is launching the .bank domain, which banks can use for their websites instead of .com. The idea behind this move is to protect customers from thieves that set up spoof websites to steal information and money from them. Because only vetted banks can have a website ending in .bank, those that shift their websites to the new domain provide more safety to their customers, who know they are going to the real site. Given the concern that genuine bank URLs could be used as phishing sites, this is a welcome development.
Keeping banking customers safe
The Cyber Streetwise initiative is another positive move in helping to raise awareness and keep customers safe. It is a cross-government campaign, funded by the National Cyber Security Programme, providing consumers, and SMEs with vital information and steps to take to stay safe online.
However, more needs to be done. Our research reveals that 69 per cent of banking customers would like their banks to put more security measures in place. As criminals find new ways to intercept customers’ details, banks need to be rapidly exploring alternative, safer and more dependable security methods.
Better banking security
Barclays has been leading the way in terms of introducing advanced biometrics, such as voice recognition or finger vein technology, as part of the authentication process.
At Intelligent Environments, in addition to supporting clients with biometric authentication, we have led this year on two initiatives.
In February, we launched AppSensorFS, a real-time security detection and response tool that monitors for unusual behaviour within the banking application; enabling unusual behaviour to be spotted once a hacker has penetrated the perimeter of defence.
More recently we launched Emoji Passcode, allowing users to log in to their digital banking accounts using emoji rather than numbers. Given there are 480 times more permutations using emojis over traditional four digit passcodes, this security technology has been proven to be mathematically more secure as well as easier to remember.
As cyber-security becomes an ever bigger issue, banks can play a vital role in both educating customers of the risks and introducing new mechanisms that make life more secure but also more intuitive for the end user.