Online Fraud: Start with the "Why"
By Yohai Einav, Senior Fraud Analyst
I have six friends that serve me true
Their names are Why and What and When
and How and Where and Who.
-- Rudyard Kipling
Why quote Kipling in an online identity blog? According to all his biographies, Kipling was never a victim of identity theft, nor did he ever write a blog.
But Kipling knew something about the 6 W's, something that we, in the security industry, often forget: starting with the "Why."
Have you noticed the phenomenon? Every discussion about identity theft, security and online fraud starts with the How and What questions:
"How do fraudsters attack banks?"
"What technologies are fraudsters using?"
"What is the damage to customers?"
"What can we do to protect ourselves?"
All good questions. But the first thing we should ask is "why?"
"Why am I being attacked?"
"Why am I a target?"
And, of course, "why isn't my competitor a target?!"
When you think of it, all banks are good sources for money (yes, they really are!), but, for some reason, not all banks are attacked by fraudsters. As I see it, not all fraud targets are born equal: there are the preferred and the less preferred. Where do you want to be?
A good example of the "Why" is phishing:
Phishing is a huge, worldwide phenomenon. Millions of phishing emails are sent every year and thousands of new phishing sites are created every month. But the list of entities being attacked is quite constant. And you usually see a trend of bursts of phishing attacks against a specific target.
Why?
Well, fraudsters constantly look for new hacks in banks' security, and once they find one they attack with full force (by the way, when I say "hack" I don't necessarily mean a technological hack, but a "hack" in the bank's security procedures). This means that if you see your bank has a sudden increase in phishing attacks, start looking for loopholes in the bank's perimeter security.
A true story: one of the largest US banks saw a surge in phishing attacks against it a few years ago - from separate attacks here and there to hundreds of attacks a day. Why did this happen? The bank asked itself the same question, and began looking for security hacks. Finally, the bank discovered that it allowed users to change their PIN through an automated answering service using "easy to get" credentials. The bank disabled this 'feature', and the phishing surge stopped. The bank was no longer a preferred target.
Asking "how do the fraudsters conduct their attack?" or "what is the attack's origin?" misses the point. Asking the accurate "why" question can help you avoid the How's and What's. Understand why you're a target, then take the measures to make yourself a non-target.
Even Kipling knew it, and he lived in the days when a dial-up connection was a dream. Imagine that.
Comments
The massive increase in fraud crimes should make the government and banks realise that their data protection and Chip and PIN systems are diverting rather than deterring fraud crimes.
This shows that fraud will continue to grow until they exploit the KEY and PIN system described on the website www.xwave.co.uk, which will deter BOTH identity and card fraud by making signature and PIN systems reliable and foolproof.
Fake documents have made our signature system unreliable, while skimmers and pin-hole cameras etc. have made the PIN system unreliable. We have the option to make signatures reliable by personalising them with ID stickers, and the option to use the Card Key Code to make the PIN system reliable, to make the use of stolen and skimmed cards meaningless. By ignoring to exploit this system, banks are only letting fraud crimes grow.
The ID KEY system will eliminate the need for us to protect our personal and card details, since fraudsters will be deterred from misusing these stolen details.
The proposed ID KEY can be treated as a reliable international ID card because it will personalise signature and PIN number to only the right individuals in any country.
We hope that the government and banks will appreciate these details and exploit the KEY and PIN system before it is too late to stop a fraud boom.
Posted by: Roger | May 5, 2008 07:46 PM