AFP compiles the most alarming—and informative—fraud news relevant to corporates in Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization. Follow @AFPFraudwatch on Twitter for all the latest updates.
Report: Information Sharing Critical for Effective Cybersecurity
Information sharing, rather than heavy regulation, is the key to shoring up cybersecurity, according to a new report by Business Roundtable (BRT).
BRT, an association comprised of CEOs from leading U.S. companies, is calling for public-private partnerships to detect and combat cyberthreats. The report emphasizes that the “single most important element” in implementing an effective cybersecurity strategy is information sharing, which includes a “two-way exchange of alerts, response actions, situational awareness and mitigation analysis.”
BRT sees recent government cybersecurity proposals as “compliance-based, check-the-box models” that call for best practices and standards before any information sharing legislation is passed and implemented. BRT is advocating for a concise legal framework for public/private sector sharing, an expansion of existing threat-informed risk management and mitigation methodologies, and commitments from CEOs to actively invest in cybersecurity.
Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (FS-ISAC), agreed with the positions taken in the report. However, he noted that there are already many successful information sharing efforts happening between the public and private sector, as well as cross-sector information sharing across the financial services sector. “There’s a lot of stuff going on within our sector that we’ve done to protect ourselves,” he told AFP Fraudwatch. “We’ve seen a lot of different attacks in the last few years—account takeover attacks, distributed denial of service attacks—so there’s been a lot of sharing within our sector and it’s been really effective.”
Nelson sees a lot of progress being made. FS-ISAC in particular has been attracting a plethora of new members; all the major financial institutions and even small community banks have joined. The organization also is expanding its initiatives. “There are a lot of things we have on our plate this year that we’re doing; we’re integrating some of our staff with the government staff at the Department of Homeland Security. We’ll actually have people there full time,” he said.
However, on the government side, many recent efforts have either failed (the Cybersecurity Act of 2012) or lacked the necessary teeth to truly make an impact (the National Strategy for Information Sharing and Safeguarding), noted Torsten George, vice president of worldwide marketing and products for risk-management vendor Agiliance. George told AFP Fraudwatch that the big question surrounding the Cybersecurity Act was whether it would mandate bi-directional information sharing or just dictate the flow of information towards government agencies, while the National Strategy fell short of providing the necessary means to enforce implementation of a cyber threat information exchange program.
George noted that it might take a successful cyberattack against critical infrastructure to force politicians to work together on bipartisan legislation on information sharing. “Business leaders have given up on the dream of collaboration between the public and private sector and taken steps to share at least threat information among their peers. Good examples are the Red Sky Alliance, FS-ISAC and others,” he said. “Hopefully, politicians will recognize the benefits of these private sector initiatives and finally come to an agreement to pass an information-sharing focused bill that arms businesses and the government with the bi-directional intelligence they need to secure our infrastructure from cyber-attacks.”
DDoS Attacks: Fraudsters Slipping in the Back Door?
Although cyberwarfare and “hacktivism” typically do not involve actual theft, that does not mean fraudsters won’t take advantage of them, experts say.
Last week, the New York Times reported that the recent string of DDoS attacks on top U.S. banks is believed to have come directly from the Iranian government as retaliation for economic sanctions and similar cyberattacks by the U.S. The attacks, which affected Bank of America, Citigroup, Wells Fargo and others, involved flooding bank websites with traffic until they collapsed. However, no accounts were breached and no money was stolen.
Nevertheless, Aaron Bills, founder and chief operating officer at 3Delta Systems, told AFP Fraudwatch that the attention these apparently state-sponsored attacks are receiving could open the door for fraudsters looking to steal money. “If anything, I think this provides enormous air cover for the cybercriminals,” he said. “Knocking somebody off the air is a political statement; more than anything it’s an annoyance. If I was a cybercriminal, I’d more quietly go about my business, which is penetrating your network in an undetected way without the noise. While you’re watching the fireworks show off to the side, I’ll just take your stuff while no one’s paying attention using phishing attempts, malware and account takeovers.”
Randy Sabett, J.D., CISSP, counsel at ZwillGen PLLC, agreed. “The fireworks are happening over here, meanwhile there’s this thing quietly creeping in and doing something really bad, as opposed to just being an annoyance,” he said.
Additionally, Sabett sees another underlying threat in the recent DDoS attacks themselves. According to the NYT report, the hackers were able to create a botnet comprised of computer networks in data centers through a form of malware designed to evade detection by antivirus programs. “What always happens with this type of malware? The bad guys learn from each other and they learn how to incorporate new ideas,” he told AFP Fraudwatch. “So if you take an existing snippet of malware that goes inside these financial institutions and scours for credit card numbers or figures out where the vulnerabilities are, and you add to it this layer of stealth, now maybe we’re looking at something even stronger. We saw the same thing with Stuxnet and Duqu—they’re not completely different; they’re offshoots of each other.”
FS-ISAC’s Nelson also noted that many cybercriminals are using DDoS attacks in conjunction with account takeovers. “We’ve seen a number of cases this last year in which regional banks were hit and the criminal has committed an account takeover,” he told AFP Fraudwatch. “They wire the money out and then they do a DDoS attack against the bank. No one can get in, including that one customer that can’t see that their money’s been taken.”
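The sequence Nelson describes (wire the money out, then flood the bank’s site so the customer cannot log in and notice) leaves a pattern a bank’s fraud team can look for in its own data: outbound wires initiated shortly before web traffic spikes. The following is an added example written for this column, not code from AFP, FS-ISAC or any bank. It runs over constructed wire records and web traffic samples, detects the onset of a flood as an edge-triggered crossing of a multiple of baseline request rate, and flags wires initiated within a window before that onset. The two-hour window, the ten-times-baseline threshold, the account numbers and the traffic figures are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Wire:
    account: str
    amount: float
    initiated: datetime
    new_beneficiary: bool  # payee added recently: a common takeover tell


@dataclass(frozen=True)
class TrafficSample:
    ts: datetime
    requests_per_sec: int


def ddos_onsets(samples: List[TrafficSample], baseline_rps: int,
                factor: int = 10) -> List[datetime]:
    """Return the timestamps at which request rate first crosses
    factor * baseline (edge-triggered, so a sustained flood counts once)."""
    threshold = baseline_rps * factor
    onsets: List[datetime] = []
    above = False
    for s in sorted(samples, key=lambda s: s.ts):
        if s.requests_per_sec >= threshold and not above:
            onsets.append(s.ts)
            above = True
        elif s.requests_per_sec < threshold:
            above = False
    return onsets


def wires_preceding_ddos(wires: List[Wire], onsets: List[datetime],
                         window: timedelta = timedelta(hours=2)
                         ) -> List[Tuple[Wire, datetime]]:
    """Pair each wire with the first flood onset that begins within
    `window` after the wire was initiated. Wires initiated after the
    onset are not paired: the pattern of interest is 'wire, then flood'."""
    flagged: List[Tuple[Wire, datetime]] = []
    for w in wires:
        for onset in onsets:
            if w.initiated <= onset <= w.initiated + window:
                flagged.append((w, onset))
                break
    return flagged


# --- constructed sample data (assumed values, not real traffic) ---
T0 = datetime(2013, 1, 14, 9, 0)
BASELINE_RPS = 200
# 09:00-10:55: normal traffic, 200-220 requests/sec, sampled every 5 minutes
SAMPLES = [TrafficSample(T0 + timedelta(minutes=5 * i), 200 + (i % 3) * 10)
           for i in range(24)]
# 11:00-11:55: flood at 45,000 requests/sec
SAMPLES += [TrafficSample(T0 + timedelta(minutes=120 + 5 * i), 45000)
            for i in range(12)]

WIRES = [
    # routine payroll wire well before the flood, known payee
    Wire("ACME-1001", 12000.0, T0 - timedelta(minutes=20), False),
    # large wire to a brand-new payee 20 minutes before the flood starts
    Wire("ACME-2042", 185000.0, T0 + timedelta(minutes=100), True),
    # wire initiated after the flood began; outside this pattern
    Wire("ACME-3100", 4500.0, T0 + timedelta(minutes=210), False),
]


def flagged_wires() -> List[Tuple[Wire, datetime]]:
    """Run the correlation over the constructed data."""
    return wires_preceding_ddos(WIRES, ddos_onsets(SAMPLES, BASELINE_RPS))


if __name__ == "__main__":
    for w, onset in flagged_wires():
        tag = "NEW PAYEE" if w.new_beneficiary else "known payee"
        print(f"review {w.account}: ${w.amount:,.0f} wired at "
              f"{w.initiated:%H:%M}, flood began {onset:%H:%M} ({tag})")
```

A flagged wire is a review trigger, not proof of fraud; the point is that a traffic flood should raise the review priority of recent outbound wires, especially to newly added beneficiaries, rather than pulling the fraud team’s attention entirely onto the availability incident.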
Fortunately, banks are getting better at preventing account takeovers, Nelson noted. FS-ISAC’s fourth Commercial Account Takeover Survey revealed mostly positive trends. In the first half of 2012, 2.11 out of every 1,000 commercial customers experienced account takeovers, compared to 3.42 per 1,000 in 2011. 65 percent of those attacks did not involve monetary transactions (53 percent in 2011) and 9 percent resulted in funds leaving the institution (12 percent in 2011).
For the takeovers that did involve monetary transactions, 76 percent involved wire transfers in the first half of 2012, compared to 96 percent in 2011. ACH stayed the same at 4 percent, but check writing and other methods went from 0 percent to 18 percent. 39 percent of losses involved wires, 52 percent involved ACH and 9 percent involved checks and other methods, compared to 73 percent, 27 percent and 0 percent in 2011.