Connexus : Issue 37
experts are observing that two-factor authentication may no longer be sufficient on its own to protect the mutuals' members. "We're seeing that, in smaller financial institutions and right through to the big ones, they have the configuration files to get round any two-factor authentication or any authentication process to wreak havoc on those bank accounts," says Egan.

And, as Forsyth points out, two-factor authentication still won't stop a phishing attack. "That's where the customer believes they are on a legitimate site and busily enters the same information from their second-factor authentication."

In an address to the Abacus conference last year, Joel Hatton, principal info security analyst at AusCERT, said a machine infected by Zeus can even get the information needed to capture SMS tags. The member is asked for their phone number and type of phone in a pop-up box in the browser, and then sent an SMS with an invitation to upgrade their phone software.

To maintain adequate defences against such attacks, mutuals need to demand antifraud innovation from their core banking system providers, says Egan. "The unfortunate part is that, in the mutual space, the core banking service providers are still relying on years-old authentication capabilities."

Leanne Vale, senior manager, financial crimes at Abacus, also highlights the risks some in the industry are taking. "The mutual sector has been moved steadily towards stronger authentication, such as SMS and tokens, since internet fraud began in earnest circa 2004," she says. "However, we still have the challenge of a number of organisations and products that rely on single static data to validate financial transactions, which are subject to compromise if the user's computer is infected."

The problem is that some of these static data authentication measures have been hard coded into platforms and can't easily be changed, she says.
"It's critical for mutuals to have an open dialogue with their providers about solutions and ensure passwords are single use and don't appear on screen.

"The recent round of cold calling scams even by telephone showed us criminal groups already have many details and will use these on or offline."

It's possible for core banking service providers to make software solutions available to members of mutuals that will determine the health of their computer or device, and secure it, before authentication takes place when a member is doing online banking.

BOTNET THREAT

Mutuals that fail to take adequate steps against cybercrime need to be aware there could be more at stake than identity theft and compromised member accounts.

As Hatton highlighted last year, infected Zeus machines become part of a 'botnet'. "So a Zeus machine can be more than just a passive capture of information. It can actually, when it needs to be, be turned into an attack machine to go after somebody they may not like. It could be a small financial institution or computer emergency response team."

Egan, too, notes that cybercriminals have more ambitious targets in their sights: theft of corporate data, which has the potential to create costly and protracted problems for organisations.

He points to the recent Sony data breach as evidence. "Once the identity and confidential details of customers are stolen, it puts massive pressure on corporations from a public relations, brand point of view, and trust becomes a key issue."

-- Christine Long is a freelance journalist.

Connexus www.abacus.org.au

"Once the identity and confidential details of customers are stolen, it puts massive pressure on corporations... and trust becomes a key issue." Ted Egan, chief executive of TrustDefender.

"...the simple act of rolling a mouse across the page will download software to your system." Rob Forsyth, managing director, Asia Pacific, at Sophos.