Online Fraud: Start with the "Why"
By Yohai Einav, Senior Fraud Analyst
I have six friends that serve me true
Their names are Why and What and When
and How and Where and Who.
-- Rudyard Kipling
Why quote Kipling in an online identity blog? According to all his biographies, Kipling was never a victim of identity theft, nor did he ever write a blog.
But Kipling knew something about the 6 W's, something that we, in the security industry, often forget: starting with the "Why."
Have you noticed the phenomenon? Every discussion about identity theft, security and online fraud starts with the How and What questions:
"How do fraudsters attack banks?"
"What technologies are fraudsters using?"
"What is the damage to customers?"
"What can we do to protect ourselves?"
All good questions. But the first thing we should ask is "why?"
"Why am I being attacked?"
"Why am I a target?"
And, of course, "why isn't my competitor a target?!"
When you think about it, all banks are good sources of money (yes, they really are!), but, for some reason, not all banks are attacked by fraudsters. As I see it, not all fraud targets are born equal: there are the preferred and the less preferred. Where do you want to be?
A good example of the "Why" is phishing:
Phishing is a huge, worldwide phenomenon. Millions of phishing emails are sent every year and thousands of new phishing sites are created every month. But the list of entities being attacked is quite constant. And you usually see a trend of bursts of phishing attacks against a specific target.
Why?
Well, fraudsters constantly look for new hacks in banks' security, and once they find one they attack with full force (by the way, when I say "hack" I don't necessarily mean technological hack, but a "hack" in the bank's security procedures). This means that if you see your bank has a sudden increase in phishing attacks - start looking for loopholes in the bank's perimeter security.
A true story: one of the largest US banks saw a surge in phishing attacks against it a few years ago - from separate attacks here and there to hundreds of attacks a day. Why did this happen? The bank asked itself the same question, and began looking for security hacks. Finally, the bank discovered that it allowed users to change their PIN through an automated answering service using "easy to get" credentials. The bank disabled this 'feature', and the phishing surge stopped. The bank was no longer a preferred target.
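As an added illustration of the heuristic above (not code from the original article): a small detector that flags days on which the count of phishing reports against a brand jumps well above its trailing baseline, the kind of signal the author says should trigger a review of the bank's security procedures. The daily counts and thresholds are constructed for the example.

```python
from statistics import median

# Constructed sample: phishing sites reported per day against one bank
# (not data from the original post). The last three days mimic the jump
# from "separate attacks here and there" to hundreds a day.
DAILY_REPORTS = [
    ("2024-01-01", 3), ("2024-01-02", 5), ("2024-01-03", 2),
    ("2024-01-04", 4), ("2024-01-05", 6), ("2024-01-06", 3),
    ("2024-01-07", 4), ("2024-01-08", 5), ("2024-01-09", 7),
    ("2024-01-10", 140), ("2024-01-11", 230), ("2024-01-12", 310),
]


def detect_surges(series, window=7, factor=5.0, min_count=50):
    """Return (date, count, baseline) for days far above the trailing norm.

    baseline = median of the previous `window` non-surge days; days already
    flagged are kept out of the baseline so a sustained burst does not
    normalise itself. A day is a surge when its count is at least
    factor * baseline and at least min_count (the floor stops quiet-day
    noise from firing). Thresholds are constructed values for this example.
    """
    surges = []
    history = []  # counts of days treated as normal
    for date, count in series:
        if len(history) >= window:
            baseline = median(history[-window:])
            if count >= min_count and count >= factor * max(baseline, 1):
                surges.append((date, count, baseline))
                continue  # exclude the burst from the baseline
        history.append(count)
    return surges


if __name__ == "__main__":
    for date, count, baseline in detect_surges(DAILY_REPORTS):
        print(f"{date}: {count} reports vs baseline {baseline} -> review procedures")
```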
Asking "how do the fraudsters conduct their attack?" or "what is the attack's origin?" misses the point. Asking the accurate "why" question can help you avoid the How's and What's. Understand why you're a target, then take the measures to make yourself a non-target.
Even Kipling knew it, and he lived in the days when a dial-up connection was a dream. Imagine that.