Working together? Not yet.
Time for breach disclosure legislation in the UK?
Published 11:31, 03 September 10
Reading recent reports a couple of weeks ago on the compromise and illegal funds transfer from 3000 UK bank accounts, my first reaction I’m afraid was “so what”; after all, this is nothing new.
Whether here or abroad, it seems that online banking fraud is here to stay. As a banking customer, I’m not sure I’m happy about this situation where my money is concerned.
I suspect that like most people, I check my online transactions regularly but in a macro way - looking at opening and closing balances to get a feel that everything looks right and only skimming the detail transactions.
If I knew that an attack occurred involving my bank I’d certainly be more diligent to ensure that no theft has taken place, and would be happy to report anything that didn’t look quite right. However, no banks were mentioned in the report and it is unlikely that they will be.
A lack of breach disclosure legislation means that the bank(s) involved may try to keep everything quiet if at all possible.
In the US, as we know, there is breach disclosure regulation in many States and as a result, the details behind these types of attacks are available to all, most importantly to customers. Increased transparency is good for consumers, but can present additional challenges for businesses.
Where disclosure by banks is required, the cost of online banking fraud is more than the money lost; it is reputation damage and even lost customers. So legislation seems to be the only way to ensure transparency, and here in the UK, legislation is coming but it is painfully slow - by recent accounts perhaps 3 or 4 years out.
So what is to be done about a problem that is on the rise - increasing in both frequency and sophistication? Articles last week mentioned that some banks are recommending anti-virus software to customers and while that is helpful, it certainly will not stop bank fraud.
Malware is mutating too quickly for traditional signatures to be created and distributed in time, and the longer the detection to signature distribution process takes, the more people will be infected.
What about better consumer education? Again, while that would certainly help, these days it is often difficult to tell which websites and downloads to avoid - the list of sites hosting malware is growing all the time and some of them we would trust without question. Targeted spear-phishing and social engineering scams can get the better of even the most savvy Internet user.
The truth is that as with most things concerning the Internet, there is no single solution to the problem. Good hygiene at the consumer end will reduce the number of nefarious transactions that banks have to deal with but better situational awareness is needed from the banks themselves.
The fraud in question was of a pattern we often call “low and slow” where cyber criminals attempt to operate under the radar; the transaction amounts were relatively small, the malware was able to hide the thefts from the account holder, and the attack went on for a period of time before being detected. Individually, transactions may show no suspicious signs.
However, taken as a group, patterns can quickly emerge that indicate something is amiss. Increasingly sophisticated cyberfraud requires increasingly sophisticated detection mechanisms and security teams skilled in forensic investigation.
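The point above, that a single small transfer looks innocent while the group of them does not, is easy to show in code. The following is an added illustration written for this page, not code from the original post or from ArcSight: it runs a per-transaction amount check and a "low and slow" aggregate check over a small constructed transfer log. The log format, account names, thresholds and the seven-day window are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source account,
# destination (payee) account, amount in GBP.  A handful of unrelated
# accounts each send one small payment to the same new payee over a week.
SAMPLE_LOG = """\
2010-08-02T09:14:00,ACC-1001,PAYEE-77,12.50
2010-08-02T11:02:00,ACC-1001,PAYEE-SHOP,64.99
2010-08-03T10:21:00,ACC-2045,PAYEE-77,18.00
2010-08-03T16:45:00,ACC-3310,PAYEE-UTIL,120.00
2010-08-04T08:05:00,ACC-3310,PAYEE-77,14.75
2010-08-05T13:30:00,ACC-4002,PAYEE-77,19.90
2010-08-06T09:00:00,ACC-1001,PAYEE-77,11.25
2010-08-12T09:10:00,ACC-5123,PAYEE-77,16.40
"""

# Assumed thresholds for the example; a real deployment would tune these
# against the bank's own transaction history.
PER_TXN_LIMIT = 500.0          # a single transfer above this is worth a look on its own
SMALL_AMOUNT = 25.0            # "low": individually unremarkable amounts
WINDOW = timedelta(days=7)     # "slow": spread over days rather than minutes
MIN_DISTINCT_SOURCES = 3       # many unrelated accounts paying the same payee


def parse_log(text):
    """Parse the CSV-style log into a list of transaction dicts."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, amount = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": src,
                     "dst": dst, "amount": float(amount)})
    return rows


def per_transaction_alerts(rows):
    """Naive rule: flag any single transfer over the per-transaction limit.
    Against a low-and-slow pattern this returns nothing."""
    return [r for r in rows if r["amount"] > PER_TXN_LIMIT]


def low_and_slow_alerts(rows):
    """Aggregate rule: for each payee, slide a time window over its small
    incoming transfers and alert when enough distinct source accounts appear
    inside one window.  Returns the busiest qualifying window per payee."""
    by_dst = defaultdict(list)
    for r in rows:
        if r["amount"] <= SMALL_AMOUNT:
            by_dst[r["dst"]].append(r)

    alerts = []
    for dst, txns in by_dst.items():
        txns.sort(key=lambda r: r["ts"])
        best = None
        start = 0
        for end in range(len(txns)):
            # shrink the window from the left until it spans at most WINDOW
            while txns[end]["ts"] - txns[start]["ts"] > WINDOW:
                start += 1
            window = txns[start:end + 1]
            sources = {r["src"] for r in window}
            if len(sources) >= MIN_DISTINCT_SOURCES and \
                    (best is None or len(window) > best["count"]):
                best = {
                    "dst": dst,
                    "sources": sources,
                    "count": len(window),
                    "total": round(sum(r["amount"] for r in window), 2),
                    "first": window[0]["ts"],
                    "last": window[-1]["ts"],
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("per-transaction alerts:", per_transaction_alerts(rows))
    for a in low_and_slow_alerts(rows):
        print(f"{a['dst']}: {a['count']} small transfers totalling {a['total']} "
              f"from {len(a['sources'])} accounts between {a['first']:%Y-%m-%d} "
              f"and {a['last']:%Y-%m-%d}")
```

On the constructed data the per-transaction rule fires on nothing, while the aggregate rule reports one payee receiving five small transfers from four different accounts within a week. The grouping key (here the destination account) and the window length are what turn individually clean events into a detectable pattern; in practice the same aggregation would be run across the bank's whole customer base rather than a single account's statement.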
Better transparency, although some way away, will also help. As in the physical world, crime prevention is always more effective when the community is informed and involved. Taking a twist on the Metropolitan Police slogan - our mantra should be “Working Together for a Safer Internet”.
Blog post by Iain Chidgey, General Manager, ArcSight EMEA