This year we can expect the computer security arms race to keep scaring the daylights out of anybody who understands what’s going on. Also: Look for confusion in the financial community about complying with the Federal Financial Institutions Examination Council’s (FFIEC) mandate to install two-factor authentication by year-end.
The main story on the hacking front is the upward spiral of money and resources on the black hat side, and the vigorous defense mounted by the white hats, now that real criminals are on the scene, says Kawika Daugio, director of Northeastern University’s information assurance program. “We’ve seen more and more professionals involved,” he says. “It’s the standard trend because, as the difficulty [to successfully attack a protected network] increases, the scale required and the sophistication required to make it pay, go up.”
The worst news: With organized crime involved, look for infiltrations of your company by people meaning to set up institutions for attack. “It involves the collusion of insiders, or former insiders, including unproven outsourcers,” he says. That last item, of course, cuts to the heart of the way business is done today.
The problem isn’t really the outsourcer itself, but its subcontractors, according to Daugio. “Someone may outsource an activity to a company, and you may have comfort with their structure and their people,” he says “But they may subcontract it further, without your knowing it.” That’s been a problem in India, he says, leading to a lot more due diligence on the security side, and, also, sending business elsewhere—North Carolina, for instance.
Look for plain-vanilla phishing attacks to decline this year, says Daugio. “Consumers are beginning to assume that any e-mail about any online activity is a scam,” turning the typical, so-called “brute force” attack on the subscribers of an entire Internet service provider, launched in hope of picking up two or three account numbers, into a waste of a criminal’s time.
But, he says, “Consumers still haven’t learned the relatedness of the risk of identity theft, and financial losses, from something they should have been worried about from the very beginning—dealing with people they don’t know.” The problem is that people have grown used to visiting strange websites and leaving their personal information behind–voluntarily. These crooks take that information and use it to attack institutions.
“From a scammer’s perspective and a value perspective, it‘s just easier to set up a scam website, and if you look at organized crime activities, that’s where they’ve always thrived,” says Daugio.
The authentication issue, of course, has been long in coming, but now that it’s here, institutions not only have to figure out how to implement it, but also to spend the money and deal with repercussions if the system isn’t very good. Daugio says that even some of the more sophisticated biometric systems, like measuring typing or signature rhythms (see Electronic Payments Week, Nov. 15, 2005), not to mention mimicking fingerprints with Silly Putty and Scotch Tape, can be defeated.
Among the problems institutions will face, according to Avivah Litan, Gartner Inc.’s vp and research director, is that two-factor authentication, which works only when the user logs in–not continually–leaves the institution and the customer wide open to what’s called a “man-in-the-middle” attack, in which malicious software is slipped into a network after the initial log on. Another big problem: ATM and PIN cards that don’t use a card’s security features to bind a user’s identity to the card, such as hiding a security code on the second track of the magnetic stripe, are easy to counterfeit, she says.
The best bet for most institutions, says Litan, is to build their own authentication systems, instead of buying one off the shelf. Crooks may be smart, but they’re also lazy: In effect, they’d rather buy a set of master keys than try to pick locks. The former is the big security hole in vendor products, she points out, because once somebody figures out how to defeat a widely used system, any institution using it can be easily penetrated. Homemade authentication isn’t standard, she says, and crooks are more likely to move on, rather than try to defeat a customized system just to prove they could do it. (Contact: Kawika Daugio, 646-267-3998; Aviviah Litan, Gartner Inc., 301-610-7482)