Bank security experts play up social risks

Organisations have overlooked the risk of social engineering in favour of technical security solutions, experts warned this week.

Speakers at the Cards and Payments Australasia conference yesterday said consumers and bank employees were increasingly vulnerable to targeted phishing attacks as they posted personal information online.

According to Queensland Detective Superintendent Brian Hay, LinkedIn had become a “real foundational platform” for cybercriminals in search of high-ranking targets within an organisation.

“You might be getting your name out there in areas where you don’t want that attention,” he said of the professional networking site.

“All of a sudden, your email has gone from [being worth] five, 10 cents [on the black market] to 50 dollars.”

Ty Miller, chief technical officer of penetration testing firm Pure Hacking, explained that cybercriminals could use executives’ email details to persuade their employees to reveal more sensitive network details.

He said cybercriminals could obtain email login details through information that users posted on sites such as Formspring, which invited its 22 million registered users to answer “seemingly innocent” questions about their personal preferences.

Detective Superintendent Colin Dyson of the NSW Police Fraud Squad said that although some social networking users believed that their information would only be available to “friends” or “friends of friends”, it would not be difficult for a cybercriminal to fall within those categories.

Dyson told conference attendees that criminals were treating Australian credit card and personal information as “commodities” that were bought, sold and traded via online sites and bulletin boards.

“It’s beyond me the information people put on a social networking site,” he said.

“My rule of thumb is that if you don’t put it on a wall in Martin Place [in Sydney’s CBD], you don’t put it on a social networking site.”

Wayne Howarth, Citibank’s country fraud risk manager and head of authorisations, called for greater collaboration between law enforcement, consumers, industry, and financial institutions.

Citibank employees were screened and educated about security risks during the on-boarding process, he said. The bank was also working with police to educate parents of school-aged children about cybersecurity.

The bank’s educational efforts about credit and debit card skimming had also given rise to “a lot of” notifications from customers when they detected “strange devices” on bank machines.

“Industry, law enforcement have to work together, and we have to work with the customers. You can’t do it alone,” Howarth said.

According to Pure Hacking’s Miller, security-conscious organisations could score “some quick wins” by adopting a hacker’s perspective.

Instead of the traditional focus on patching and standards compliance, Miller urged security officers to consider the “easiest way to compromise an environment with a high success rate, without detection”.

The security industry was “generally chasing [its] tail” in deploying preventative measures, he said, describing advances in security – and Black Hat – technologies.

“The banks used to have just usernames and passwords and that was enough,” he mused.

“All the tools these days that you could use to hack in to systems are getting better and better … There’s always going to be ways that you can bypass it [security].”

Detective superintendant Hay argued that the “human factor”, rather than technology, was central to security.

“These are the issues we don’t see addressed time and time again,” he said, describing targeted ‘spear phishing’ and social engineering methods.

“All these guys and girls are in there and trying to find a technical solution, but ... it’s people that commit crime, it’s people that are going to attack your systems, it’s people that are going to fail your networks.”