Cyber Security Institute
Monday, May 15, 2006
Social engineering replaces guns in bank heists
Australia’s banking industry is under threat because of a heavy reliance on Secure Sockets Layer (SSL) encryption that attackers increasingly find their way around. There are no ‘stick-em-up’ dramatics in today’s million-dollar bank heists; they simply involve SSL-evading Trojans and refined phishing techniques. While banks are reluctant to quantify financial losses, Australia’s Computer Emergency Response Team (AusCert) admits its own research shows attacks are on the rise. AusCert general manager Graham Ingram said a false sense of security surrounds SSL encryption, a technology in use right across the financial services industry. Relying on browser encryption alone means banking sessions can still be hijacked by Trojans and key-logging programs, especially if users follow lax security practices and don’t keep their anti-virus signatures current. The bottom line is that social engineering tricks are circumventing Internet banking encryption: SSL protects data in transit, not a session whose endpoint is already compromised.
Ingram said there is a belief that customers are safe and privacy is protected through the use of SSL but “this is not the truth”. His statement was backed up by AusCert’s analysis and assessment manager Kathryn Kerr, who said it is a serious issue for any organization offering Internet banking as well as anyone using VPNs or remote work.
Neal Wise, director of security firm Assurance Pty Ltd., said SSL does serve a good purpose but leaves users prone to a “man in the middle”-type attack. “Unfortunately the only controls a bank can rely on for users to transport data is SSL encryption; it leaves them in an interesting situation having to cover related security issues they have not created,” Wise said. “We will see financial institutions, as part of shoring up their own risks, providing cut-price antivirus and content checking tools for their clients, because right now if someone manages to put a keystroke logger on a client computer, and a banking session gets recorded, banks have to cover that risk and it is not their fault.”
While security experts claim Internet banking fraud drains as much as two to five percent of revenue, the financial services industry isn’t as forthcoming when it comes to discussing online threats, and the Australian Bankers Association (ABA) refuses to comment.