Identity theft: A threat more severe than you think

The financial services industry in Asia is one of the most heavily regulated sectors, and compliance is often touted as a form of security assurance. However, compliance is just a single aspect of security. Various regulations cover a wide range of issues, but simply implementing solutions or devices to deal with compliance is not enough.

The rising pervasiveness of mobile devices in Asia Pacific and the subsequent rise of Internet banking has resulted in increasingly sophisticated cybersecurity threats. However, according to Telstra’s Mobile Identity Study, 62 percent of financial services executives noted they have not invested enough in identity and security. Less than half of consumers were also satisfied with their financial institution’s security performance since more than a third have experienced identity theft.

With identity theft cases such as the JP Morgan breach and South Korean banks hit by massive credit card breaches last year, and identity fraud resulting in US $16 billion being stolen from victims in 2014, identity theft is quickly becoming a stronger, yet still underestimated threat for the financial services sector.

Rise of attack surface and sophistication

Identity theft has become common among cybercriminals due to an increasing attack surface and the sophistication of attack tools. Today, cyber attacks come through a wider range of vectors. For instance, as many financial services organisations are allowing employees’ personal devices access to corporate networks, Bring Your Own Device (BYOD) enables mobile devices to become a channel for cybercriminals to hide, spread, and steal information by leveraging the credentials of an organisation’s employee.

Another vector can be insecure public-facing web applications that lead to identities being quickly stolen. These include zero-day vulnerabilities that grabbed headlines last year such as Shellshock and Heartbleed. All that's needed is for an organisation to be slow in patching a vulnerability or to lack the right technology to protect its web applications. Once the cybercriminals gain control, they can do whatever they want – from stealing data to using the servers to launch botnet attacks.

This expanded ‘playground’ means cybercriminals have more options when it comes to how they can steal login credentials, and no longer need to depend on keylogging software or database breaches but simply using web injects.

For example, when a user logs into your Internet banking account, they can insert an additional field which appears to be legitimate on the web page with your ATM PIN (automated teller machine personal identification number) to fool both tech-savvy and non-tech-savvy internet banking users. While this happens, a malware can execute a ‘man-in-the-browser’ attack in the background, which is invisible to the host web application.

Other than increasing attack vectors, malware and Trojans today have the capability to steal login credentials via mobile banking applications to access funds in banks and other financial services institutions. Cybercriminals can simply create a mobile application that looks similar to a banking application, and use spear-phishing to steal login credentials. Some malware, like Dyre or Dyreza, directly target corporate banking accounts and have successfully stolen upwards of a million dollars from unsuspecting companies.

Address threats with layered defense, proactivity and strong mobile policies

With insider threat accounting for majority of breaches in the first half of 2015, it is more pertinent than ever that organisation keep pace with today’s fast-moving cybercriminals, companies should implement necessary measures to secure their Internet-facing applications. This should be at the top of their priority list, as that is a natural channel for cybercriminals, who are always looking for opportunities to infiltrate a network. Importantly, jail-breaking devices should also be discouraged, as this typically presents another means for cybercriminals to access networks.

First, an in-depth defence strategy with the use of the right technologies is an imperative. A common misconception held by many is that using technology like a firewall is sufficient to protect an organisation’s networks but this no longer holds true today. Organisations must look at other technologies, such as web application firewalls. Web application attacks are often tuned and created for a particular application, and are missed by traditional security measures.

Even though remediation – fixing things after a breach – plays its role, it pays even more to be proactive in securing your networks. A remediation scenario is reactive in nature and the forensic team traces back the cause of the breach, provides a report, and remediates after the incident. On the other hand, proactively securing your organisation may not catch 100 percent of all attacks, but being able to reduce this from 100 percent to a smaller percentage should still be considered a win.

Lastly, there is also a need to fight against complacency and shed the “it won’t happen to me” attitude, where they see their neighbours getting attacked yet expect to remain fortunate themselves.

Organisations should establish mobile device security policies that define guidelines, principles, and practices for how mobile devices are treated, regardless of whether they are issued by the company or owned by individuals. These policies should cover areas such as roles and responsibilities, infrastructure security, device security, and security assessments.

By establishing security policies, organisations can create a framework for applying practices, tools, and training to help support the security of wireless networks. Training employees on its mobile security policies can also help organisations ensure that mobile devices are configured, operated, and used securely and appropriately.