Just one small note: the 2004 bar in the chart looks empty, but in fact it includes a little over 100 distinct shut-downs of attacks targeting several financial institutions. Back then it looked like a big number...
Stuart - to you and all the good guys who didn't sleep all night during the early days of phishing attacks!
18 Dec 2008 15:09
John,
I was thinking about adding the punchline about what criminals can do once they're inside the corporate firewall, but I decided to do a Hitchcock and just leave the actual murder scene for people's imaginations ;)
But basically, the answer is – whatever criminal activity Fortune 1000 companies have invested billions to defend against by building corporate firewalls, network security and intrusion detection systems. And much beyond that, given the fact fraudsters today are better equipped and more globally coordinated than 10 years ago when the original problem of hacking into the enterprise loomed.
With regards to employees helping the crooks, I think it's an excellent point. You're right, people will do their best to get around security.
The magnitude of the issue became apparent in an RSA "people on the street" survey conducted last year.
35% of employees feel that they sometimes need to work around security procedures established in the corporate so they can get their job done.
68% of corporate employees and 58% of government employees said they leave the office carrying sensitive data on a mobile device such as a laptop, smartphone or USB memory stick.
92% of government employees said they get training about the importance of following security practices, as opposed to 69% in the corporate. Can this explain why government employees fare a little better?
Not really. 68% of government employees said they sent work documents to a private email address so they could work on them at home, compared to 61% in the corporate. Reconciling all these figures is simple: the public sector issues fewer laptops and BlackBerrys than the private sector. So if you've got a government deadline to meet, you are more likely to work on it on your private home PC than your corporate colleague.
8% actually said they've lost a device containing corporate data. What type of data might be inside? The survey lists customer data, personally identifiable information such as Social Security numbers, company financials, credit card data, or competitively sensitive information as some possible examples.
So yes, I totally agree: the enterprise environment still didn't figure out how to balance corporate security with ease-of-use for employees.
04 Dec 2008 06:34
Good suggestions. Does anyone have other ideas? What do you feel about security by virtualization?
24 Nov 2008 18:29
Dean,
Let me take you back to the Enigma machine.
Cracking the Enigma code was a major breakthrough, but no one claims it was the most important factor in the success of the Allies' campaign. There are a huge number of contributors, from individuals to technological advancements to tactical improvements.
Just take one historic example: the Battle of the Atlantic. For years it was completely controlled by U-boat 'Wolf Packs', which were so effective in cutting Britain off from fuel and supplies that in early 1943 there was talk of ceasing the war effort.
But in mid 1943 the tide turned through a combination of smart leadership by newly appointed Admiral Horton of the Royal Navy, technological advancements such as active sonar, hit-and-explode depth charges and next generation radars, as well as new tactics used by Allied aircraft and escort ships.
It took several months to reverse the economic equation of sinking more ships than the US could replace. This made U-boats less of an ultimate weapon.
I believe the same applies to the battle over Internet Fraud. Do 56 arrests leave a dent in the economy of online crime? Yes, at least in the immediate future, if you consider the fact fraudsters believe they are not supposed to be caught. Does this win us the war? No, and no one claims it does.
It's not a war we expect to finish anytime soon. It's not a duel that any single bullet will decide. No, my friend, this campaign against online fraud, this arms race between the industry, helped by law enforcement, anti-fraud technologies and each and every one of us as an individual consumer on one hand, and the legion of criminals on the other hand, will continue to rage – but this doesn’t mean we cannot celebrate important victories and applaud the brave lads and lasses who work hard fighting the bad guys.
02 Nov 2008 21:27
As always I appreciate your comments Dean – but the title managed to confuse you. It is not the industry who got surprised. It is the fraud underground, who probably expected a quiet October as many security companies and IT security professionals in Europe get ready for RSA Conference. Well, they were wrong, and got an unpleasant October Surprise.
01 Nov 2008 09:53
I'm a big fan of out-of-band authentication via mobile or phone. It has the best chances of defeating man-in-the-browser (MITB). I'm going to write a blog entry explaining why I like it, what its drawbacks are, and how I think it should be effectively used.
As a side note, Man-in-the-middle (MITM) is a prevalent attack vector and is pretty easy to address: the cash-out of the stolen credentials is done from another machine, so a good device recognition technique will work.
MITB is a phantom attack: with one or two exceptions, and despite common belief, it has never been tried in a live attack on a financial institution. It requires a lot of effort on the fraudster's side, and a degree of vertical integration between credential thieves and cash-out operators that makes it impractical at this point in time. Researchers differ on predicting when it will become widespread, if at all.
My thinking is that it might happen if banks start an arms race of visible authentication that cannot be otherwise breached.
There are plenty of covert, invisible defenses against MITB which can complete your defense array: from user behaviour profiling and pattern analysis through various clever counter-measures I won’t describe here (no need to give a freebie to fraudsters, right?).
As of now, OOB based on mobile or phone devices is the best, most cost effective authentication in a MITB scenario. Anyway, I’ll post my full thoughts on OOB at a later time and we can bicker about them ;)
25 Apr 2008 06:21
Dean - you're right, and giving customers something they can see or touch is always a good idea. I'd say the best strategy is to offer security to customers who want it, protect the ones who don't care about it using invisible security, and in any case think 'flexible' and develop a 'bag of tricks' you can throw at the bad guys, rather than rely on a single layer.
17 Apr 2008 06:06