 "Best Practices To Help BFSI Deal With Cyberfraud")
On the Internet, danger is lurking everywhere. The Internet user had to be careful at all times. This was proven once again last weekend, when the Mumbai police rounded up a fraud affair. A large amount of money was undeservedly transferred through the RTGS system. A cybercriminal was able to intercept the username and static password of an unsuspecting victim at an Indian bank.
A lot of problems arise when static passwords are used. First of all, the average computer user is not that imaginative when it comes to inventing a password. Names of the children, loved-ones or pets, dates of birth and plain combinations on the keyboard, such as 123456 are warp and weft. If passwords are too simple, it is easy for hackers to uncover and intercept them. However, when passwords are too complex, they are forgotten or written down. Moreover, people tend to use the same passwords for different accounts. A difference between private and working applications is seldom made. For hackers, it is a piece of cake to intercept these passwords.
VASCO shares some best practices that will help the BFSI sector deal with these recent threats.
Common threats
Adequate security is indispensable, because the Internet bristles with danger. Dictionary attacks, phishing, keyware and man-in-the-middle attacks are the most common ones. Just because most Internet users keep their passwords simple or reuse their passwords for different accounts, hackers execute so called dictionary attacks. In this manner, they try to break through encryption techniques with a composed, limited list of possible passwords. These lists are tuned to the country in which the attack is executed or to the victim’s interests.
Phishing is also a common technique to illegally obtain passwords. Crooks send a bogus e-mail to the user or lead the user to a fake website that incites him to fill in username and password. An attack against a carefully selected target is called spear phishing.
Furthermore, criminals make use of keyloggers. This malware registers the keys struck on the keyboard to detect the password, which is then sent to the hacker over the network. The user is oblivious of any harm. This malware can enter the computer through any possible file and is often disguised.
Dynamic passwords circumvent online threats
Strong authentication and one-time passwords give an answer to the previous problems. Two-factor authentication, as it is also called, expects the user to dispose off two elements. Firstly, he has to know something - such as a PIN code – and secondly, he has to possess something, such as a hardware device or an application to generate a one-time password (OTP).
An OTP, as the name suggest, can only be used once during a limited period of time (e.g. 32 seconds). This means that fraudsters cannot reuse the passwords at a later time, as it will have expired. An OTP can be generated by a hard- or software token, which implies that the password will not be exposed over the Internet.
Man-in-the-middle attacks
Another form of online fraud is the so called ‘man-in-the-middle attack’ (MiTM). This type of fraud scheme is still on the rise.
Man-in-the-middle attacks typically are attacks on online banking systems and can be described as a way of eavesdropping. The hacker is able to read the messages between two parties, to add things or to change the message. The sender does not realise that the link between him and the receiver is disrupted.
E-signatures guarantee transaction security
In the continuing fight against cybercriminals, the attacks become increasingly sophisticated. So how can a bank protect its customers? Again, two-factor authentication is the answer. But here, security goes beyond the use of dynamic passwords. Where dynamic passwords do identify the user when he logs on, they cannot prevent transaction content from being changed. This is where electronic signatures come into the picture.
E-signatures allow the bank to verify whether a transaction was initiated by the genuine end-user and was not altered in transit. It prevents the fraudster from submitting transactions or modifying existing transactions. To calculate an electronic signature, crucial data such as the beneficiary’s account and the amount of the transaction are used. Should a fraudster alter the amount or account number of the transaction, the electronic signature will become invalid.
Internet fraudsters have upgraded: they regularly operate with phishing, spear phishing and man-in-the-middle attacks. Banks should take precautions and must strengthen access control to their online banking applications. Only with modern two-way authentication and electronic signatures, criminals do not stand a chance. However, the end user also needs to be acquainted with Internet street smarts. He must learn which kind of behavior entails security risk, recognise the signals and be cautious.
 "Russian drones over Poland: Trump’s tepid reaction a wake-up call for Nato?")
 "As Russia pushes east, Ukraine faces mounting pressure to defend its heartland")
 "Why Mossad was not on board with Israel’s strike on Hamas in Qatar")
 "Turkey: Erdogan's police arrest opposition mayor Hasan Mutlu, dozens officials in corruption probe")
 "Russian drones over Poland: Trump’s tepid reaction a wake-up call for Nato?")
 "As Russia pushes east, Ukraine faces mounting pressure to defend its heartland")
 "Why Mossad was not on board with Israel’s strike on Hamas in Qatar")
 "Turkey: Erdogan's police arrest opposition mayor Hasan Mutlu, dozens officials in corruption probe")
