Security 2.0? Or Batten Down the Hatches? Online Channel is a Challenge
For instance, Christopher Beier, senior security products manager at Fiserv, talked about protection in terms of a "network effect" that he calls "Security 2.0," a holistic approach to guarding e-commerce in the new world of Web 2.0 interconnectivity and social networking.
By contrast, Joe Stewart, director of malware research at SecureWorks, said he sees the threats becoming so pernicious that he basically recommends isolation: sharply restricting administrative rights on the network level, for instance, and for end users, if possible using just one computer for financial transactions and nothing else.
That's because, Stewart said, hackers such as the Eastern European creators of the Clampi Trojan and its variants are now able to gain access to credentials, and the money they're supposed to protect, through so many Web applications, including Adobe and Flash tools and the basic browsers themselves, such as Internet Explorer.
"We came across a configuration file that told us what institutions they were targeting, and that list had more than 4,600 names on it. We're used to Trojans aiming at 30 to 40, maybe 100, but this is by far the widest net we've seen cast," Stewart said.
"And all it takes is visiting the wrong Web page and then you're running it on your computer," he said.
The threat is not just existential. For instance, Atlanta-based SecureWorks cites the recent case of a local auto parts company that saw $75,000 stolen via a Clampi attack and an apparently unwitting money "mule" in North Carolina who was acting as the middleman moving the funds through what she thought were legitimate accounts.
Such increasingly sophisticated exploits, whether or not they involve human intervention along the way, have become so successful, in fact, that Stewart and his SecureWorks colleague, communications vice president Elizabeth Clarke, believe the bad guys have already collected the data they need to access far more personal accounts than they could possibly get to, and instead are focusing on those most likely to have enough money to bother going after.
"The bad news is that most anti-virus programs catch only a small percentage of these attacks, but the good news is that our clients are not on that list, because we know about the repository and block the attack," Clarke added.
That said, problems can still exist behind the network and the best way to prevent that is to sharply restrict who has access, SecureWorks said. For instance, limit the number of users with administrative access that could allow a Trojan to spread quickly through a large number of computers. And drastically limit the use of outside software not critical to transaction and other business processes.
Meanwhile, financial institutions may in fact not be the easiest target anymore, "because they tend to get alerted really fast that something's happening," Clarke said. "It's that favorite knitting or scuba diving Web site that's also on these lists, with lower volumes of users, who may never hear about it and spread the Trojan over much longer periods of time."
She added that "while it's kind of an extreme suggestion, we're saying now that the only way to completely stop them from coming in through your browser and taking over your computer is to use a computer dedicated only to doing online banking and bill pay."
SecureWorks recommends that the computer not be used to simply surf the Web and send and receive e-mail, since Web exploits and malicious e-mail are two of the key malware infection vectors.
And while both Stewart at SecureWorks and Beier at Fiserv stress the need for institutional and end-user education, and point to the difficulty of staying ahead of adaptable, innovative, motivated hackers, Beier sees opportunity in connectivity.
"It's a defense and depth strategy," Beier said of his Security 2.0 concept. "Even though the point products are important, it's how they work together that's really the key."
He elaborated: "From a Fiserv perspective, the best example I can give you is to look at the lifecycle of an online banking transaction. There are several layers of communication that occur, beginning from when a person comes online and first touches a Web site. That's the place where we can begin to define who's a good or bad person coming online, for instance, with fraud prediction tools that can filter out the potential thieves from among the legitimate online bankers."
Next is multifactor authentication to gain entry, then anti-money laundering tools that look at the movement of money, and at the back end, solutions such as Fiserv's FraudNet that look at electronic bill pay transactions, Beier said.
"So across the lifecycle of the transaction, all the way through the movement of money, there are products looking at protecting that financial transaction," he said.
Increasingly making this more complicated is the connectivity that comes with financial institutions responding to consumer desire to, for instance, communicate potentially compromising data through a Tiny URL on Twitter.
That's Web 2.0 at work, and it's also where Beier said what he calls Security 2.0 can respond and protect.
"The future is having all these products communicate with each other. We're working on the synergies between the products we support (perimeter protections, multi-factor authentication and FraudNet for bill pay) to accomplish this," Beier said.
"That may take the form of consulting, at least, if not as a managed service," he said.