Industry Collaboration Can Help Combat Online Frauds Says Ann Johnson of RSA

Added 19th Jul 2011

Ann Johnson, Vice President - Global IPV & Global Accounts, RSA, The Security Division of EMC, spoke to Sneha Jha during her recent visit to India. Talking about the unbridled growth of online, phishing and Trojan attacks, Johnson advocated the need for stronger industry collaboration. She also observed that there would be an uptick in online domain security and validation.

What are the emerging trends you have observed in online frauds?

Johnson- The RSA Anti-Fraud Command Center recently announced the findings of its 'May Fraud Report'. This published report brought into sharp focus the global nature of fraud trends. This has stirred ripples of concern across all geographies. Individuals and organisations are increasingly becoming the victims of vicious phishing attacks resulting in identity theft and even crippling financial fraud.

Our eye-opening report ranks India amongst the top three countries targeted by phishing attacks by brands. The other countries witnessing the phishing attacks by brands were the US followed by the UK. The U.S. (42 percent), UK (19 percent), and India (8 percent) accounted for 70 percent of the brands targeted by phishing in April. Brazil and China fell off and were replaced by Ireland and Colombia in terms of the countries with the most targeted brands. As of May 1, 2011, the RSA Anti-Fraud Command Center has shut down 410,279 online attacks in 184 countries.

Phishing is now emerging as a grave threat and is done with the specific purpose of economic gain, making it a serious threat to net users. From a pure fraud and phishing standpoint it has maintained some consistency. That being said, we are seeing a lot of high-profile and public breaches. This has been the year of breaches.

We are seeing increased attacks of that nature within large enterprises by a wide variety of actors, whether they are financially motivated or whether they are national or state motivated. The audacity of the attackers seems to be increasing; as they are getting bolder, they are attacking high-profile companies.

With the rise in online and m-commerce channels, the financial services sector is increasingly becoming susceptible to such frauds. What’s your take on that? How can these pitfalls be avoided?

Johnson- The rise of mobile banking and ecommerce is happening regardless of the geography. In every geography the banking institutions are keen on rolling out mobile banking in one way or the other. This is a fertile ground for financial frauds. If there are gaping security holes, the financial services industry can become a soft target for potential cyber attacks.

The industry is extremely lucrative because of the sheer volume of customers’ personal and financial data. The financial institutions need to continually find new ways of exploiting the data in the industry. So they have to stay one step ahead of them at all times.

While extending online and m-commerce services, banks need to put security at the forefront, and security is not an afterthought. We always believe that security should be an enabler for our customers and should help them deliver business. Mobile banking transaction security needs to be at the front end of the conversation.
 
The perpetrators of such crimes are very well organized and well funded. So they are going to start attacking the mobile channels more and more. Outside of the Android platform we haven’t seen a lot of Trojans written for the mobile platform, but they are surely coming.

Our Anti-Fraud Command Center has found that the Trojan kits are becoming more available to the mobile platform. Mobile has a couple of inherent risks. It's much easier for that device to get lost or stolen. And not everybody uses a strong PIN in a user device. Through somebody’s smartphone you can get into their bank account. This brings to light the need for improving user behavior and user education.

There is a possibility of smartphones being hijacked, spoofed, pirated and broken into. These devices are much more open to these kinds of frauds even if the bank has enabled some kind of security system. That’s why user behavior profiling is so important.

We strongly advocate user behavior profiling. So even if your device is lost, stolen or spoofed, one of the things that we strongly advocate in the industry is that we should do some kind of user behavior profiling, because that is the real intelligence of stopping fraud: no one can actually find out how I am going to behave for 90 days unless they are shadowing me.

The other thing that is very alarming about mobile banking or mobile commerce is the speed of the transactions. These transactions are happening on a real-time basis, and if you are not savvy you might click on an application that is spoofed and can bring a Trojan down to your device.

Globally we can get a lot better about this with user education. It's incumbent on the security vendors and on the banks and the m-commerce service providers to educate their customers. Depending on which geography you are in, people are taking a more conservative or aggressive approach. Our goal is to stay one step ahead of the fraudsters.

 

What are the phishing trends specific to the Indian geography?

Johnson- In a largely populated country like India the fraudsters will behave differently. Here there will be more broad-based phishing because there are a lot more people to phish. There are so many bank accounts in India. The sheer volume of customers’ personal and financial data can drive them to perpetrate such crimes for monetary reasons. The prepaid phones could be a bane because more people’s accounts could get compromised.

How can the Indian banks maintain a robust security posture?

Johnson- With the SEBI and RBI guidelines most of these aspects have been covered. The depth and breadth of the RBI regulations takes care of the security aspect adequately. It's very robust. There’s a lot of thought put into it. And it refreshes the banks on training, systems and processes. However, I see that there is a need for collaboration in the Indian market. The banks could do better with a little more collaboration and information sharing among themselves. They do some, but it seems to be very informal.

There is a banking association, so there is some structure. In the market where there is a lot of collaboration among peers and among the vendor community, it helps us stay one step ahead of fraudsters.


 
