Event Recording

EIC 2012 Session: Facing the Online Threats against Retail and Banking Customers - What are the Future Perspectives?

Prof. Dr. Sachar Paulus, Senior Analyst, KuppingerCole
April 18, 2012 11:00

I'd like to hand over to Dr. Sachar Paulus, giving us a speech about cyber crime.
Yeah. Thank you, Mr. Carl. Good morning from my side as well. I'll try to give you first introduction, probably first introduction. What I mean, you probably all are aware about the risks that are attached to this area very much so it's more probably an overview and try to frame the problem than an introduction. So I need to clicker how it click click enough.
Ah, sorry.
And I want to cover the following topics in the next half hour or so. So online threats for retail and banking customers, visit current mitigation approaches. What is there in place today? Review a little bit of technology landscape changes. I mean, obviously cloud, bring your own device, mobile devices, ubiquity in a more generic sense, plays an important role here. And then since we are in an identity conference, try to focus a little bit on what that means for identity and access management.
So cybersecurity attacks, is this just a wave? Actually, no it's as this deep curve indicates, I personally believe it's a change in the market forces that find manifestation also in the threat landscape, we will see this ever increasing states that have been responsible or that are still responsible for our physical security. So to say, we have given over the, the mandate of protecting us to our respective states are not able at this point in time to actually cover the responsibility of protecting us in cyberspace as well for different reasons, for the reasons of regulation being more difficult and cannot stop in the cyber in the cyber world at, at the state limits for reasons that they're not set up from a knowledge point of view, for reasons that they're just by definition, need to act slower than industry and hackers on the other side. So we have a market forces change if you take regulators also being part of that picture.
So this will be ever increasing in the next years until we find an, an, a common solution across all countries of the world, which is probably needs some time actually to, to get that sorted out. So this is something we need to tackle and we will be facing even more in the future. So Mr. Carl also introduced the topic of cyber war and indeed first, I mean, some people say, well, this is only a buzzword for the stuff that we've been seeing in the last years anyway, but indeed we see also tendencies of states, not only being in a protective mode here against organized crime, but also for using this technology for actually starting to deploy their forces and their influence on foreign countries and foreign foreign regions for destabilizing as, as Mr. Quine was indicating in the keynote this morning, indeed. And I notice have the same information.
The German government actually is, is, is indeed really fearing interference in critical infrastructures by foreign organizations. So some examples I've put here on the slide, very technology centric like RSA token to RSA thing from last year, Matthew, you're sorry for that. It's indeed a big, a big, big and important issue here because the, the belief by this type of attack, not only RSA is impacted, but all types of mechanisms, where there is a seed that is able to, to, to compute access information for, for the actual users for, for, for support reasons. Or so you may actually wanna have a copy on server side, all these technologies, which followed that principle are in principle here at risk and need to be reconsidered more closely. So other forms of one-time passwords need to be thought through. More, more real war type of activities, like drones, can be hijacked and turned around.
There's been some news stories three, four years ago, where actually drones from the US have been taken over by foreign forces, at least the camera, interestingly enough, they were able to, to remote control. So to say, which is a very interesting fact, there was not, they were not able, at least to my information, to control the drones, but to control the camera in the drone, which is also interesting enough. We had this story also of, of Chinese hackers infiltrating the German government. So PCs in the, in a different sectors of the German government have been infiltrated by Chinese Trojan horses. We don't know whether Chinese means Chinese government or Chinese hackers. We only only know that this actually comes from that region. So these are very concrete examples, some statistics on the other side, if you look at the infiltration of, of industrial control systems, SCADA systems, the DHS has the statistics where they are, are monitoring the cases where they have been asked for help in, in cases of attacks.
And this number is growing from 2010 to from hundred and 16, 2011 to 342 of em, September, 2011. I did not find any more recent information, other numbers, more than 10,000 attacks to computer systems per day. This is from the German government and more than five from and new malware per day. New means probably also including malware that is self adapting to, to new environments. So cannot be recognized anymore by classical means. So kind of very difficult situation and cybersecurity is not the only risk I've put here. Two lists of top threats, one from the ENISA and the other from the Cloud Security Alliance. And as you can see, I've put the ones in bold that are related to cyber security, cyber threats, but they are embedded into a larger set of risks that are, the companies are facing. And specifically banks of course are, are subject to this because they are managing the money.
So we primary target, obviously for bad-minded people. Some, some things have been indicated. So I won't go into detail here. In case you have some questions here, as Mr indicated, just interrupt me, raise your hand. If you have an interview question, we want to have this session as interactive as possible. So what's characterizing online threats for retail and banking customers. We will see the difference between retail and banking a little bit later, but in general, you can actually identify the four principles that apply for hacking banks, hacking banking accounts, hacking banking customers' identity, same for retail. So first of all, they may actually use the customer as an intermediate because there's an interaction with a, a consumer. The attack may not need to be directly on the target, maybe indirect using weakly protected environments, like the ones from consumers, where the PCs are not patched regularly and things like these.
They may also use the customer as an intelligent person, trying to do some social engineering from a customer point of view, not only from an employee point of view, the typical attack type is to perform an identity theft because this allows attackers to perform subsequent types of fraud or, or criminal activity. So the identity is stolen in the first place. This is different now from years ago. Now, currently identity is even marketed and is exchanged as a merchandise good, and typical identity records give between 20 and 25 US dollars on the black market currently. An important aspect also is for, for online threats for retail and banking customers, that actually they are, they do not want to suck their target out to death. So to say that they can constantly keep this as an income channel. So hackers have no. So professional organization hackers have no interest in turning down a specific channel, specific attack vector.
So they make sure to keep their, the damage for the customers specifically below a certain threshold so that they will not, for example, close the banking account with that bank or ever anything other things related to this, or they don't want basically not to lose this customer or other players as a target. So as a very mature way of keeping an ongoing relationship. So to say between the hacker and the target, and also an important observation is that hackers and organizations in that environment use economies of scale. So they have a clear, a business oriented approach to this. So whatever is easy to attack, they will do whatever is, is helping them in, in getting a large spread approach with a high return at the end will be done as well. So we need to think of this approach when you look at this market.
So what are the technical ways to perform attacks? Most of you will probably know those, obviously in the first place there's phishing. Most of the attacks just by numbers are still phishing attacks out there. Pharming is increasing in importance. We more and more see drive-by infections from, from manipulated sites. The interesting here is CSRF, cross-site request forgery. I don't know whether, you know, this term, it's very similar to cross-site scripting, but it uses the fact that you have open two different sessions with two different providers. And from one infected site, I can actually execute commands on the other session that I have open. So by this way, I can actually perform an online attack through a browser of a person, which doesn't even know that he has actually been infected. And maybe not even, you can recognize this attack for a number of technical reasons.
So using CSRF, you can, for example, well, that's what I wanted to say though. Drive-by infection, you would say, well, actually this only happens if I go to malicious sites, right? Like looking up fraudulent license information for software or something like that, or, or, or, or download sites with high speed or video sites or whatever, this is no longer true because of the following fact: standard sites where you have forum information and people trying to actually discuss different things. They, they, they are offering the service for free and they're actually making sure that they can pay the operations by selling marketing and advertisement space in that environment. Now, what happens is because they do not have time or the skills for selling marketing, advertising, online advertisement themselves on these forum and discussion sites. This is marketed by other companies. So they're channeling and, and requesting online advertisement.
Now, since these providers marketing the online advertisement, have no idea about security and have no vested interest in actually in making sure there's security. It's very easy to inject malicious marketing advertisement, Flash, and whatever components that you may have on sites that you believe are trustworthy. So this is a very critical risk currently for, for, for surfing, because you can no longer say actually I'm not only, I'm only visiting trusted sites because also on this trusted site may actually happen. So CSRF is from my point of view, the risk, the highest risk that will, will face us from a technology point of view in the next years or so, because this is very hard to prevent. One of the keynote speakers yesterday also indicated this is by principle, a vulnerability of the way that we have that we are using for surfing and for, for, for having web interaction.
And we won't get rid of that unless we change the protocol and probably he might be right with that assumption. So next in importance, of course, is stealing credentials, stealing credentials once. And the most critical of course is to steal the identity for a long time. So actually to get credentials of online customers and act as them in a way that he will, won't, won't identify because it's certain under a certain threshold, for example, but this is not the only thing you have to consider. And Mr. Car put that well in shape by looking at the overall information security management perspective that you need to take care about only the online security. So to say of the banking core banking application is only very, very small part of the whole picture that I've been looking currently. And you need to look at all the different attack vectors as well, that may be sub connected to this.
And so cyber attacks is only one of the, the pictures you may have. You have, in addition, you may reconsider, or you may consider going into a cloud. Many retail customers are doing this already. Banks are a little bit more reluctant about this. There's this question of bring your own device discussed by Dr. Mundel yesterday. Security-wise is very, really pretty much tricky because you need to protect corporate information. At the same time, there may be new attack vectors coming into the infrastructure. If the target is not the information on the device, which is currently the, the core focus of bringing your own device data loss prevention, but it may be interrupting or attacking other elements like online banking through that channel. Then we have no currently no ways of addressing this. And by the way, that comes to my mind, something very similar, which shows how this actually relates to each other: classic SAP security.
If you think about this is thought in terms of, well, actually I need to go have good authorizations, a good privilege and identity management, and maybe I need some good authentication in addition to this, but since this is running in the back end, blah, blah, blah, this is of no major concern. Now a company called Virtual Forge, which is specializing on, on SAP security has identified a security issue a number of years ago, where you can actually by having a CSRF attack, I just explained earlier, to modify data in the SAP system. Now this happens as, as follows, the user surfs on a specific infected website. This website is running some, some code that the user doesn't see, the code executes some activities to start RFC connections on, on this local machine. And every SAP GUI actually comes with that engine. So you can execute locally stuff to remotely go to the SAP system.
And from there, you can actually change data. You can retrieve data, you can get data out of your SAP system through a browser. So this just as an example, it combines 2, 2, 2 technology types of attack. So to say, this SAP RFC, which is known, but people think, well, this is in the back backend. So we will protect this and web security like online, online, online, online security, and online browsing security. And if you combine those two, you have a new attack vector, and the same may happen here as well. So you just bring your own device, which is probably well thought out from a, a data protection point of view, but is not meant to protect against attacks coming from the outside through devices and applications that are taking some or carrying some, some malicious code that will be executed once within a new network.
So this is things that we need to think about as well. And of course, users also already mentioned by Mr. Cal, the, the motivation of mobility and all being always on and always productive, also brings the risk of interacting with business systems and information on different levels and in, in different situations where actually risk is much higher than you would like to have it. So the only way actually to help here is to educate users, to train users, to, to get them on board that they understand and that they understand the risk. So my personal view for regarding the overall information security management is you need to have an ISMS that uses the people, and that doesn't try to act against the people that they're working with you and need to use the people as resources for this, to be able to happen.
You need to actually get them on board and educate them, train them and make them transparent what the risk is of what their individual decisions are. So what are the current mitigation approaches, and there's a big difference between retail and banking. And luckily enough, this is the case. So today let's first look at retail, basically there's none more or less. There's some best practice around secure hosting, which is dedicated with the hosting providers that run the systems. There is some mandatory, some mandatory controls coming from the payment card industry in terms of what's payment, in how payment information must be protected in retail, but there's no strategic or little strategic information. If you look at done actually in that environment. So if you look at the standard or, or if I think about my five preferred online shopping systems of my wife, for example, she's shopping with Saleo and she's shopping with eBay and with Best Buy and a number and, and, and, and, and brands for friends.
So a number of standard, I would say, mass market online shops, and they have no Federation. So you cannot, you need to create a new identity there where you are not sure how secure that will be actually managed in that environment. There's no strong authentication. They do not even check the secure, the validity of your password or the quality of your password. And the only thing that you may see in that environment is that they protect against automated creation of accounts for, for marketing or whatever reasons is maybe useful to competitors or other organizations. So they use CAPTCHAs, which by the way, is neither secure because the, there are enough intelligent mechanisms out there for, for automatically detecting CAPTCHAs, and filling them out a and B it's not meant to protect actually against human hackers. So which we'll find ways typically to go around this. On the banking side, we are a little bit luckier.
Although I have to immediately say, this is really much dependent on the region we are in worldwide. So we still have areas where you can log in with a simple username and password and create online transactions without any additional activity. This is not true in central Europe. So it really depends very on, on the region. And best practice is to have a strong re authentication or re attestation in the moment where you actually execute a transaction. This strong re authentication or re attestation has different forms. It may be PIN, a PIN/TAN, transaction number. It may be a mobile type of TAN, an OTP, mobile OTP, maybe an OTP with a device, is maybe a smart card based. So a number, number of different solutions that are out there, which are probably for the sake of what we, what we see in terms of risk acceptable for the point in time. Very good is there is a standard, Home Banking Computer Interface.
And we will see later in the technology changes that this is, this is something that I'm, I'm, I'm pretty, pretty sure that we'll raise in importance again for a number of reasons. So there is an, an standard here specifically for, for transaction based banking. And this is, this is more or less the situation we have today. So not in detail, of course, we can look at different banks and different, recent different countries, and the regulation there is different, but this is overall the situation that we have. So we have changes. I hope you can read it. Yeah. There's changes in technology landscape and, and two, two important changes here will influence the way we actually perceive these risks and work with these risks and how this will happen. The one is ubiquitous computing, smartphones everywhere. I said for everyone, so you need, so this is important because we will go away from a, from a technology trend point of view, we will on a long term, go away from actually surfing the web and entering web addresses for the interaction, with a specific provider.
Instead the provider, more and more like we have it also on the smartphones for of uses. We have it on the iPads on the, on the, on the Samsung tablets as well on the Androids. And it will come also for PCs. So Apple has started with the app environment, the app store on their laptop that will close the, the free installation of software sooner or later. That may be from a, from a freedom of software usage point of view, maybe to be criticized, but from a security and usability point of view is probably really a good idea. So there are two faces of the medal and Microsoft is preparing similar activities. So we will see that the interaction from, with, or from cost consumers and probably also sooner or later with employees in working organizations will actually happen through specific applications again, but differently from earlier on, we will have standardized protocols and standardized ways of interacting between client and server.
And the ways that the information is handled will be using all the standards we are discussing in Sowa and identity, Liberty, and you name it type of activities for getting there common, common ground security wise. So we will have these types of apps for each and every company. So the problem from a security point of view is that what I can do here today for example, is I have a banking app here from my bank. I have also the same app as a free app, directly from the manufacturer for connecting different banks, because the other banking accounts, not all banking accounts, I have support this thing directly, and it's supporting HBCI, the standard I mentioned for authentication and for actually initiating a transaction. And I have my, my account data here and everything. It can start transactions from here, very convenient. And the, on the authentication, the transaction authentication is through mobile TAN.
So it's what is going to do it. Once I trans initiate my transaction, my, my money transfer, it's going to send me an SMS with a one time password. Now it comes on the same device. So this dual authentication principle and this separation of device that was originally meant doesn't work anymore for convenience. And I like it, I have to say for security wise, and I'm not sure this is really good idea, but from a convenience point of view, I'm, ah, this is the first time I can actually, I, I, I see something I need to pay and I'm even, I have done this in a shop. I did not have money that did not accept my credit card for whatever reason. And I say, can I do an online transaction? Yes, of course. Well tomorrow, no, no. Right. No. Right. No risk. Well, and in front of them, I was just doing the, the online transaction in the shop.
Very interesting way of actually handling payments in, in these modern days. Right? So, but this is of course risky for, because probably, I mean, I'm protecting this with a pin I'm protecting, there's a number of configuration options for this online banking system, online banking app here to make it right. And I'm using them, but a they're not used in a standard configuration when it's shipped. And B probably most of the people will just, well, don't use the security measures for sake of convenience, for example, or because they simply don't know. So this is a major risk overall. We need to look at this. And on the other side, what we see is with these, with these ubiquity happening, we are, we have some, and we in the keynotes yesterday, I mentioned this as well. We do not have any, I think it was Mr. Posh.
We do not have on these intelligent devices, any smart interfaces to smart card readers. And if you have them, then they're kind of really bulky and, and nobody wants to carry them. So, so smart card authentication originally meant to be really something valuable is on the decline. From my point of view, if you look at the electronic identity card as a technology, as a German, one, for example uses our RFID type of communication instead of hard wired smart card card based not I R ID based connection where, whereas in contrast to hardwired connection, you will, can you imagine having an RFID reader being part of such a device now? Probably not either. So we need find ways where we can actually get alternatives to this strong authentication using the devices that we are used in, in, in some way that the technology evolution for identification devices like smart cards and eID is not, or has been a cutoff, has been desynchronized from the evolution of the smart devices that we are using.
So this is something we need to take care from a security point of view. If you look at the online and retail banking scenario that we are currently trying to investigate, it's a major increase of risk. So for the bank overall, this means risk, convenience, but risk. On the other side, we are more and more thinking about putting applications also in the cloud, right? So put, try to get economies of scale in operating it. And this is only working brilliant explanation yesterday. Again, is this only working, if you actually manage to get things that you do better in the cloud, because it's also done for others, it's going to be cheaper and only then you will be able to survive if it's especially if it's your non-core activity. So the problem here is that when going to the cloud now specifically for the scenario, you have to think about which identity provider is actually still in that game.
So we'll will be the bank still assuming the bank does online banking in the cloud. I mean, as said, Mr. Cal security needs to be there. So a number of steps to take before we go there, but this is not unthinkable because we will have a number of banks that will incorporate that will start decreasing the cost structure specifically in the economic situation that we are facing right now, there needs to be, from my point of view, there will be some, some significant changes in the banking environment overall. So there will be a market force driving the cloud adoption. Of course it needs to be secure, but there will be market force, but still, if you go there, the major question from an online banking perspective is what will be the identity provider, because today it's the bank and the bank is trusted because of its functionality and its role of managing this identity.
Now, what will be this in the future if they go for, for the cloud? So in principle, the cloud is a good move also because there's economies of scale in managing this secured, secure, securely, managing the cloud is also major argument for, for, in cause in terms of economies of scale, but there are additional steps necessary. We don't see dates, there's some bits and pieces in the identity space that are available like strong authentication. But as mentioned, if you combine this now on the, on the, on the, on the client side with this trend here, there's a number of things you need to think through again and rethink what's the role of the trust provider in that environment. But after all, of course it's a risk based decision, right? It's not one off decision it's secure or not. Even in that situation, we have the standard argument, you can't protect everything. So there will be attacks. You can't put the same effort on everything. You don't need to do that. So the only the things that you need to do is identify the most severe security risk focus on that. First, you need to have a clear transparency and impact on impact and probability. So a good quantification of the risk. We will have a session this afternoon, where we will discuss this in more detail, how to get the numbers for impact and probability.
And you need to understand the risk and not only you as an operator needs to understand the risk, but also the user needs to understand the risk. I think this is a major challenge. We need to, to go through that at the end of the story, the user must be able to judge the risk to take the right decisions. For sake, time sake. I will speed up a little bit. So what's in it for authentication authorization. As I mentioned earlier, this is in our EIC conference. So what can we, what can we say after having reviewed that perspective in terms of authentication, authentic, authentication authorization? I personally think the solution for this year is that we need to have context based authentication. So we need to have some intelligence in actually finding out whether the authentication is valid. So it's more than just proving the identity of the person that is actually initiating the transaction is actually verifying the validity of the request, which is more, which is much more important.
And this is only possible. If you have more factors that you take into account banks and payment services will probably stay. And I hope so will play even an more important role as an, as an identity provider, as HBCI is a good established, flexible standard. It will be used more, as I say, and in the talk of yesterday from Kim Cameron, you have been maybe noticing this claims augmenter term, and I very much like it. So you have your identity with Facebook or with someone else. This is for a baseline authentication. This is fine, but you need to have additional claims to be actually to verify the validity of the request that maybe something we think about to be useful because the bank would be trustworthy enough for issuing such types of claims. In any case banks need to rethink and retail, of course, the value of standardized approaches for identity management authentication.
There's still a gap to the standard industry standard way of thinking. So there's some, some alignment still to be done. Federation is something that should be used securely, of course, because then versatile authentication is going to be much easier to be implemented, which is one part of context based authentication. So I think retail and banking customers send customer view. There's still some improvements in the authentication space possible. So context based authentication, last few words on this, which information is used would be probably one criteria. Put some of those here just as, as examples, they may be different ones. How is it used? Is the, are already authenticated earlier on which devices used that may and all these may actually then need different authentication. Where is it used? Are there signs of fraud? What did the user before all this information may be used for, for actually allowing the request immediately? So no authentication or imposing some retest of a different strength. So these were words for me. Thank you very much for listening, and I hope you enjoy this session over today.
Thanks. Aha. Please give big hand for this very insightful presentation and we are a little bit over time, but we still should allow a couple of questions if this is possible. And while everybody's thinking, I probably start off. I think you, you started with cyber crime and how complex this is state sponsored or organized or very big effort taken into, into attacks and then bridged to, to authorization and authentication and access control, basically, which outlines that everything basically hangs all together and with new technology coming in, makes it even more complicated. I, I, I have 1, 1, 1 question you also mentioned it's, it's very difficult. If not impossible to come up with a 100% protection of all of this, if asked, what would you think is more important to try to protect for everything or to really concentrate on a fast reaction when something happens?
Okay, good question. So whether whether preventive is more successful as a strategy or a better reactive approach in classical security, and I've been working in that environment for some time, preventive security in most cases won't work. So you need, because you always may have attackers that go over the limit of the prevention threshold. So it's, it's an, an, an absolute must for having a good reactive capability in terms of incident management, maybe even also crisis management. So I personally believe now this goes beyond that talk, but I personally believe that the reaction part is even more important than the preventive part. Okay.
Thank you. Now over to you, here is the question I hand over the marker to you.
Thank you, Matthew. Again. So in the physical world, if a, if a country was attacked, there's no question that the police and the army would respond, but in the online world, it's a little bit foggy. What do you think essentially, the, the role of the state should be in the cyber, you know, attacks even against private companies or organizations?
So my, my personal view is that states have been created because of the fact that people were not able any longer to protect themselves. So they created joint organizations. You may call them which they delegate the mandate of the forces to, to execute repressive actions, whatever. Now in the online world, it doesn't work yet. So what will be the, the analogy in my point of view, that individual personal information should be protected by the state, because this is the analogy to the physical security that the people have. Anything beyond that business type of security, which is related to business interaction is something which is subject to the market. So there's a fine line between the responsibility of the security for the, for the citizens and security for business. And my, my view is for the citizens, yes, the states have the responsibility for this. They may do more on the, on the business side. They shouldn't involve too much. They may enable, but overall business must sort that out.
Here's another question.
Thank you. A more general question because you, Sachar, gave a good example. Do you think, think it's unavoidable to introduce some con inconvenience when stepping up with the security, you gave quite a good example with your iPhone, where the one-time password coming on the same device, which is, which was not meant like that. But if this is the case, so if we have to introduce more inconvenience, I doubt that we will be able to cope with the security challenges.
Yes, I totally agree. So convenience goes first. I mean, this, this is, this is a, this is a law of nature that people will, will always try things that are easy for them. And if, if they're suppressed, people will find other ways of doing it. So the holy grail is to find secure solutions that are convenient. So, and we should, as a, as an industry and as, as a community, we should put our efforts and finding solutions that are addressing both needs, both usability, as well as the security requirement, because only that it will be accepted
As I don't see any further hands raising. And I don't wanna eat too much into the next session. Thanks again, to, to you Sachar for, for this insightful presentation.
