Bangkok--6 Jan--PC & Associates Consulting
by Apisit Kuparatana, Country Sales Director, Oracle Thailand
Imagine this…
A hacker creates a look-alike site of a well-known bank. He sends e-mails to customers requesting confidential information, claiming the bank’s website is undergoing a revamp or reconstruction. The information sought is critical and confidential customer data. The e-mail has a link embedded in it which directs the customer to the fake site the hacker has created. The customer, believing it to be a genuine communication from the bank, provides the details, which the hacker saves and later uses for fraudulent transactions such as money transfers or procuring critical passwords.
Not a secure situation to be in!
The rapid growth of online commerce has brought increasing sophistication in Internet fraud. Fraud is being conducted across multiple access channels. Threats from Phishing (the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication), Pharming (an attack aiming to redirect a website's traffic to another, bogus website), Trojans (a type of malicious software), Key Logging (recording keystrokes to capture passwords as they are typed) and Proxy Attacks, combined with regulations and mandates (HIPAA, PCI) governing online data privacy, place online security at a premium.
If you take a closer look at the instance I brought up at the beginning of this article, you will realise that a simple login procedure makes it easy for a hacker to access online accounts and transactions. To thwart hackers, banks are adopting more stringent login procedures, which are more personalised and secure. Some of them include the introduction of additional levels of passwords, a personalised background image for login, virtual keyboards or even a virtual mouse, among others.
Whatever you type on the physical keyboard can be captured by a hacker through keylogging. Keylogging provides a means to obtain passwords or encryption keys while bypassing other security measures. To prevent this, financial transaction sites are installing virtual keypads and virtual mice. As part of the login process, the bank still issues its normal login password, but instead of typing that password on the keyboard, the user selects it with the cursor on the virtual keyboard. This process circumvents the keylogging set up by the hacker.
Once user access has been established, it is equally important to prevent fraud and enable real-time risk assessment. The tools available today profile a user's historical behaviour into a “virtual fingerprint”, and with automated rules one can now decide the risk and threat associated with that user's transactions. Such automation is what we refer to as ‘fraud detection and risk assessment technology’.
It enables proactive, real time fraud prevention and strengthens transaction security for enterprise and consumer web applications. It makes it safer for businesses — any business — to interact with partners and consumers, expose business functions to remote employees or partners, and also protect them against threats.
Online fraud detection requires the use of multiple IT security tools. It needs to be able to evaluate risk by analyzing data from a variety of sources, including profiles, device fingerprints, IP and other network forensics data, geo-location information, and transactional data. By bringing together various risk factors in a single policy, a well-implemented solution can score the relative risk of a transaction, proactively prevent fraud, and instantly alert the organisation to threats. Such technology provides real time and offline risk analysis to maximize the efficiency of capturing and analyzing real-time transaction data, matching the risk profile of the current transaction against historical patterns.
To define and refine fraud prevention policy, investigation and forensic tools are also needed to simplify inherently difficult administrative tasks such as policy authoring, risk monitoring, incident investigation or audit data analysis. Security policy needs to be able to adjust to new threats without needing to bring down a production system. Specialised fraud detection technologies give security administrators the ability to experiment with different security policies, assess their usefulness at blocking fraud, determine the potential performance impact of specific rules, and track the difference in system behaviour that results from a policy change.
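To make the two preceding paragraphs concrete, here is an added illustration (not code from the original article or from any Oracle product) of how several risk factors can be combined in one policy to score a transaction, and how a candidate policy can be replayed against labelled historical transactions before it touches production. The rule names, weights, thresholds and the user profile and transactions are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass
class Profile:          # historical "virtual fingerprint" of one user (constructed)
    known_devices: set
    usual_countries: set
    avg_amount: float

@dataclass
class Transaction:      # the transaction being scored in real time
    user: str
    device: str
    country: str
    amount: float
    new_payee: bool

# A policy is a list of (name, predicate, weight) rules over transaction and profile.
# Weights of firing rules are summed, so several weak signals can add up to a block.
POLICY = [
    ("unknown_device",  lambda t, p: t.device not in p.known_devices, 30),
    ("unusual_country", lambda t, p: t.country not in p.usual_countries, 35),
    ("amount_spike",    lambda t, p: t.amount > 5 * p.avg_amount, 25),
    ("new_payee",       lambda t, p: t.new_payee, 15),
]

def score(t, p, policy=POLICY):
    """Return (total risk score, names of the rules that fired)."""
    fired = [(name, w) for name, pred, w in policy if pred(t, p)]
    return sum(w for _, w in fired), [name for name, _ in fired]

def decide(s):
    """Map a score to an action: allow, require step-up verification, or block."""
    return "block" if s >= 60 else "step_up" if s >= 30 else "allow"

def evaluate_policy(labelled, profiles, policy=POLICY):
    """Replay labelled history offline: (frauds stopped, legitimate customers disrupted)."""
    caught = disrupted = 0
    for t, is_fraud in labelled:
        if decide(score(t, profiles[t.user], policy)[0]) != "allow":
            caught += is_fraud
            disrupted += not is_fraud
    return caught, disrupted

PROFILES = {"alice": Profile({"dev-a1"}, {"TH"}, 2000.0)}  # constructed sample profile
LABELLED = [                                                # constructed: (transaction, is_fraud)
    (Transaction("alice", "dev-a1", "TH", 1500.0, False), False),  # routine: allow
    (Transaction("alice", "dev-a1", "TH", 11000.0, True), False),  # large, new payee: step-up
    (Transaction("alice", "dev-zz", "RO", 12000.0, True), True),   # new device+country: block
    (Transaction("alice", "dev-zz", "TH", 500.0, True), True),     # small but new device: step-up
]
```

Swapping in a different POLICY list and re-running evaluate_policy over the same labelled history is the offline "experiment with different security policies" step; the returned pair shows the trade-off between fraud caught and legitimate customers challenged.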
So companies can minimise the chances of letting anyone use a stolen credit card for multiple, fictitious transactions like flight bookings or online purchases or even financial or trading requests. As companies aggressively embrace the Internet for sales, self-service and information sharing, online security is core to establishing trust between companies and users.
A recent online security survey of a cross-section of India's top 40 banks by ReadiMinds, 'State of Online Security in Financial Institutions in India - 2008'[1], has highlighted the issues pertaining to online identity theft and online financial fraud. According to this survey, 30% of banks reported having been victims of identity theft during the last year, 30% of the banks reported having been victims of phishing in the same period, and 10% of the banks were victims of man-in-the-middle attacks in the same period.
Online security has become a business issue. There seems to be a strong link between the business performance of a financial institution and the online security measures it has implemented. Over 70% of banks that reported having implemented stronger security also regularly deliver better business performance compared to their peer group. But the worrying finding was that over 57% of banks still do not have a dedicated budget for online security; online security is still part of the IT budget. The good part of the finding was that 100% of respondents were aware that integrating stronger user authentication with fraud detection and risk-based transaction verification is the strongest form of defence against online identity theft and financial fraud.[2]
IDC[3] confirms the Identity and Access Management (IAM) software market as one of the fastest growing security software markets in Asia Pacific*, growing at a compounded annual growth rate (CAGR) of 17% (2008-2012) to reach US$ 524 million by 2012.
[1] http://www.zdnetasia.com/news/security/0,39044215,62041139,00.htm
[2] http://www.zdnetasia.com/news/security/0,39044215,62041139,00.htm
[3] IDC AP Semiannual Security Software Tracker, Oct 2008 (version Q3 2008.2)
* Excludes Japan, Indonesia, Philippines and Vietnam