Defeating cybercriminals
Protecting online banking clients in a rapidly evolving online environment

The threat

As the pace of technological change accelerates, so does the resourcefulness and ingenuity of cybercriminals. As a result, online banking users face an expanding range of attack types with potentially devastating results.

Over the past few years, the internet community has witnessed a proliferation of cyber-attacks of increasing sophistication. New attacks are being crafted in shorter timeframes by a highly organised fraud industry with growing access to funds, cutting-edge technology and IT expertise.

While this trend has serious implications for every computer user, it is particularly important for online banking clients, who face an expanding range of attack types with potentially devastating consequences. Successful attacks not only result in short-term monetary loss; they can also cause significant and lasting brand damage to targeted organisations, undermining consumer trust and impacting revenues over the long term.

In this whitepaper, we explore the scope of the problem and examine the most common attack types, before outlining the key features of our solution.

A global problem

Cybercrime is a growing global problem, with consumers in the developed economies increasingly targeted by cybercriminals across the globe. According to a July 2012 European Commission report, an estimated 1 million people worldwide become victims of cybercrime every day. Twelve per cent of Internet users across the European Union have experienced online fraud, and 8% have experienced identity theft.[1] Internet security provider VeriSign (now part of Symantec) found in a 2010 survey that 11% of UK Internet users had been victims of online ID fraud in the previous 12 months, losing an average of 352 each.[2]
Similarly, in North America, Visa's online payment subsidiary CyberSource reports that fraud cost US and Canadian businesses an estimated $3.4 billion in lost revenue during …[3]

[1] European Commission Directorate-General for Home Affairs, Cybersecurity, Special Eurobarometer 390, July …
[2] VeriSign, VeriSign Online Fraud Barometer, March …
[3] CyberSource, Online Fraud Survey, …

The Australian experience

One in five Australian businesses detected a cyber incident in a 12 month period

Australia is no exception to the global trend. A 2012 survey of 255 businesses around Australia by the federal government's Computer Emergency Response Team (CERT) concluded that:

- 20% of businesses had detected cyber incidents during the previous 12 months, despite the fact that 90% of those surveyed had firewalls and antivirus software
- Of the businesses affected by cyber incidents, 65% had detected more than five incidents and 20% had detected more than 10
- 9% of businesses could not tell whether they had suffered a cyber incident
- It was likely that other businesses had suffered incidents and either failed to detect them or declined to report them.
Of those who had detected a cyber incident:

- 17% lost confidential or proprietary information
- 10% suffered financial fraud
- 44% reported the incident to a law enforcement agency, while 20% chose not to report it because of a fear of negative publicity

One in 10 Australian Internet users was a victim of fraud

According to VeriSign, one in 10 Australian Internet users was a victim of fraud in the 12 months to July 2010, losing an average of $1,000 each, or a total of $1.286 billion over that 12 month period.[4]

Credit, debit and charge card fraud is rising

Statistics from the Australian Payments Clearing Association (APCA) show that while fraud for other payment types has fallen, the value of credit, debit and charge card fraud has skyrocketed, from … cents per $1,000 transacted in December 2009 to 87.7 cents per $1,000 transacted in July …. More than 78% of those fraudulent transactions were card-not-present transactions, many of them online.[5] So, while fraudulent transactions still represent a small proportion of financial transactions overall, the threat is growing.

[4] VeriSign, VeriSign Online Fraud Barometer, July …
[5] APCA, 2012 Financial Year Fraud Statistics.

Fraud Perpetrated on Australian Issued Payment Instruments, 1 July … to June 2012
(… = figure not legible)

Instrument | No. of Fraud | Value ($) of Fraud | Total No. of all ($ thousands) | Total Value of all ($ million) | Fraud as % of Total No. | Fraud as % of Total Value ($)
Cheque | 718 | 7,855,… | …,008 | 1,242,… | …% | 0.00%
Proprietary Debit Cards | 38,666 | 14,094,304 | 3,124,… | … | …% | 0.00%
Scheme Credit, Debit and Charge Cards | 1,166,… | …,572,333 | 2,260,… | … | …% | 0.09%
Total | 1,205,… | …,522,392 | 5,626,040 | 1,827,… | …% | 0.02%
Source: APCA, 2012 Financial Year Fraud Statistics

Scheme Credit, Debit and Charge Card Fraud Perpetrated in Australia and Overseas on Australia-issued Cards, 1 July … to June 2012

Category | In Australia: Number | In Australia: Value ($) | Overseas: Number | Overseas: Value ($) | Total: Number | Total: Value ($)
Lost/Stolen | 59,380 | 11,151,568 | 22,318 | 7,198,342 | 81,698 | 18,349,910
Never Received | 17,613 | 4,942,… | … | …,693 | 18,414 | 5,208,443
Fraudulent Application | 4,069 | 2,202,… | … | …,960 | 4,314 | 2,290,528
Counterfeit/Skimming | 45,800 | 15,589,324 | 95,515 | 29,756,… | …,315 | 45,346,055
Card Not Present (CNP) | 313,660 | 76,958,… | … | …,523,… | … | …,481,678
Other | 3,307 | 1,561,538 | 2,… | …,181 | 5,352 | 1,895,719
Total | 443,… | …,405,… | … | …,166,389 | 1,166,… | …,572,33
Source: APCA, 2012 Financial Year Fraud Statistics

CBA Page 2 of 5
Types of attack

Not only has the number of attacks increased, but consumers are continually confronted with a wider variety of attacks, exploiting a growing number of vectors. Here are the most common types of attack affecting Australian online banking users today.

Phishing

What is it? An attempt to acquire information, including user names, passwords, credit card details and sometimes, indirectly, money, using emails masquerading as communications from a trustworthy entity.

Example: A fake email claiming to be from a service provider asks for personal information or prompts consumers to click on a link. This link directs the person to a webpage that looks real but whose only purpose is to steal confidential information, such as login IDs and passwords.

Solutions: Ultimately, the only truly effective technique for preventing users from clicking on phishing links is consumer education. But the following solutions can help mitigate the impact on customers affected by phishing:
- Strong user verification process to avoid identity take-over
- Multi-factor authentication requiring a physical device for access
- Access controls that require multiple users to create or authorise transactions

Man-in-the-middle

What is it? An attempt to intercept communications between customers and their service providers, then modify the content of the communication, by swapping account details, for example.

Example: Hackers create an unencrypted Wi-Fi connection and eavesdrop on the communication of people who inadvertently use that connection. They then modify the content of the messages sent between the person and the website they are visiting.

Solutions:
- Locked sessions secured by strong encryption
- Anti-phishing measures (described above)

Man-in-the-browser

What is it? An attempt to take control of the user's internet browser, often by infecting the computer with a Trojan virus, to inject and modify the content of messages displayed on the user's computer.

Example: The user visits a website that installs malware on the user's computer. When the user transfers funds on that computer, the malware injects code to replace the destination account with the fraudster's account and steal the money.

Solutions:
- Installation of anti-virus software
- A secured browser run from a separate, secured device
- Access controls that require multiple users to create or authorise transactions

Insider fraud

What is it? Deliberate fraud on the part of employees or other authorised insiders.

Example: An employee prompts a user to reveal confidential information such as their login ID and password, then steals money from the user's account.

Solutions:
- Access controls that restrict user activities and require multiple users to create or authorise transactions
- Audit trails to facilitate the detection and resolution of unauthorised activities
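The man-in-the-browser row above describes malware swapping the destination account after the user has approved a payment. The Go program below is an added illustration, not code from this whitepaper or from the CommBiz or NetLock products, of the defender's side of the countermeasure implied by "a secured browser run from a separate, secured device": the payment fields are signed with a key that never enters the browser, and the bank verifies the signature over the fields exactly as received, so an edited destination account fails verification. The account numbers, the key pair and all function names are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Payment is the instruction the customer intends to send. Struct marshalling
// gives a fixed field order, so signer and verifier hash identical bytes.
type Payment struct {
	FromAccount string `json:"from"`
	ToAccount   string `json:"to"`
	AmountCents int64  `json:"amount_cents"`
	Reference   string `json:"reference"`
}

// SignedPayment is what travels through the browser and the network to the bank.
type SignedPayment struct {
	Payment Payment
	Sig     []byte // ASN.1 ECDSA signature over digest(Payment)
}

// digest canonicalises the payment and hashes it.
func digest(p Payment) []byte {
	b, err := json.Marshal(p)
	if err != nil {
		panic(err) // cannot happen for this struct
	}
	sum := sha256.Sum256(b)
	return sum[:]
}

// NewDeviceKey stands in for the key pair held on the separate signing device
// (constructed here; a real device would carry a certificate-bound key).
func NewDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// Sign runs where the private key lives, outside the browser.
func Sign(priv *ecdsa.PrivateKey, p Payment) (SignedPayment, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(p))
	if err != nil {
		return SignedPayment{}, err
	}
	return SignedPayment{Payment: p, Sig: sig}, nil
}

// Verify runs at the bank. It checks the signature against the payment fields
// exactly as received, so any in-transit edit breaks it.
func Verify(pub *ecdsa.PublicKey, sp SignedPayment) bool {
	return ecdsa.VerifyASN1(pub, digest(sp.Payment), sp.Sig)
}

// SwapDestination models what the table describes: the destination account is
// replaced after the user approved the payment, everything else untouched.
func SwapDestination(sp SignedPayment, account string) SignedPayment {
	sp.Payment.ToAccount = account
	return sp
}

// Demo returns whether the untouched payment verifies and whether the swapped one does.
func Demo() (legitOK, swappedOK bool, err error) {
	priv, err := NewDeviceKey()
	if err != nil {
		return false, false, err
	}
	// Constructed sample values; not real account numbers.
	p := Payment{FromAccount: "062-000 12345678", ToAccount: "062-000 87654321",
		AmountCents: 250000, Reference: "INV-1042"}
	sp, err := Sign(priv, p)
	if err != nil {
		return false, false, err
	}
	legitOK = Verify(&priv.PublicKey, sp)
	swappedOK = Verify(&priv.PublicKey, SwapDestination(sp, "999-999 00000001"))
	return legitOK, swappedOK, nil
}

func main() {
	legit, swapped, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("untouched payment verifies: %v\nswapped destination verifies: %v\n", legit, swapped)
}
```

The protection rests on two conditions the code cannot enforce by itself: the signing key must stay off the compromised machine, and the device must show the user the same fields it signs. A device that signs whatever the browser hands it would simply sign the swapped account.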
Our solution

To be effective, a solution must be comprehensive, flexible, portable and easy to use. CommBiz is a business banking platform that meets all of these requirements, with industry-leading security and usability.

With the range and severity of attacks increasing, solutions must adopt a variety of measures to address different categories of threat. But they must also be easy for users to implement and maintain, as well as supporting changing user preferences and transaction styles, including the trend towards mobile access.

Key requirements

To be effective, a solution must be:

- Comprehensive: effective against all major attack types, including phishing, man-in-the-browser, man-in-the-middle and insider fraud, at all possible stages, from compromised credentials to transaction creation, authorisation and processing.
- Flexible: addressing emerging threats and future trends.
- Agile: able to adapt in a short timeframe to deal with new threats.
- Universal: catering for access from different operating systems and portable devices.
- Portable: able to be carried conveniently by users, wherever and whenever they need access.
- Reliable: guaranteeing secure 24/7 access.

CommBiz and NetLock

Developed by the Commonwealth Bank for business clients, CommBiz meets all of these requirements. In addition to industry-standard security features like strong 128-bit SSL encryption, CommBiz combines a range of advanced security features to counter both existing and emerging threats, while still offering outstanding usability and accessibility. Advanced security features include:

- User access controls: multi-factor authentication for all users empowered to administer users and authorise transactions.
- User roles and permissions: a unique system of user roles, giving authorised clients an unprecedented level of control over user access within their organisation, including the accounts users can access, the activities they can perform and the dollar value of transactions they can create or approve.
- NetLock: one of the first devices of its kind, NetLock combines a USB device with proprietary security software to create a locked session that is impermeable to a variety of attack types.

User access controls

As well as a unique user name, users with authoriser or administrator access carry a unique physical token that generates a one-time password for each session. Organisations can choose to use either one-factor or two-factor tokens; two-factor tokens require users to enter a PIN to generate each one-time password. Clients can also choose to make tokens mandatory for all users, including those with view-only access. Combined with NetLock security, these controls provide true multi-factor authentication.

User roles and permissions

Sophisticated user roles and permissions, combined with a comprehensive audit trail, allow organisations to exercise a high degree of control over the activities of users. Authorised administrators can control:

- Access hours: defining the days and times when each user can access CommBiz.
- Account permissions: controlling which users can view or transact on each account.
- Account authority: defining how many authorisers are required to authorise a transaction on each account, depending on transaction size.
- Payables and receivables caps: setting a cap for each user, limiting the total dollar value of transactions that user can create each day.
- Payment restrictions: ensuring users can only make payments to existing address book entries.
- Payment templates: ensuring users can only create payments from one or more predefined payment templates, with the source and target accounts already specified.
- Profile verification: ensuring that changes to user profiles are created by one administrator and authorised by a second administrator.

NetLock

Launched in 2009 and significantly enhanced and extended since then, NetLock is a USB device that uses Public Key Infrastructure and digital certificates to guarantee an exceptional level of encryption while authenticating user connections to CommBiz through a locked session. Based on digital certificates from world-leading security provider IdenTrust, NetLock also has the capability to electronically sign future transactions. In addition, NetLock uses a modified version of the Firefox browser to prevent code injection and potential Trojan infections. As a result, NetLock is highly effective against both man-in-the-middle and man-in-the-browser attacks.

NetLock is portable and extremely easy to use, requiring no technical knowledge on the part of the user. It has zero footprint, with no need for the client to install software on their computer, enhancing mobility and reducing opportunities for attack. Because the Commonwealth Bank can push remote updates to devices in the field, NetLock allows us to address emerging threats rapidly. When required, we even have the capability to turn each USB into a read-only device, making it impermeable to attacks.

NetLock is currently available to Windows users, with versions for the Apple operating system and mobile devices in development.
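The controls listed under User roles and permissions (access hours, account permissions, account authority by transaction size, daily payables caps and address-book-only payees) can be expressed as a small policy check with two gates, one at creation and one at authorisation. The Go program below is an added illustration of that model and is not CommBiz code; its type names, tier thresholds and account numbers are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Constructed model of the controls listed above: access hours, account permissions,
// account authority by transaction size, daily payables caps and address-book-only payees.
// Names and thresholds are assumptions for the illustration, not CommBiz's own.

type Payment struct{ FromAccount, ToAccount string; AmountCents int64 }

// User is what an administrator configures for one person.
type User struct {
	ID           string
	Accounts     map[string]bool // accounts the user may transact on
	DailyCap     int64           // payables cap in cents per calendar day
	StartHour    int             // access window [StartHour, EndHour) in local time
	EndHour      int
	WorkdaysOnly bool // no access on Saturday or Sunday
}

// Payments up to UpTo cents need Approvers distinct authorisers.
type AuthorityTier struct{ UpTo int64; Approvers int }

// Policy is the organisation-wide configuration plus running daily totals.
type Policy struct {
	Tiers       []AuthorityTier  // ascending by UpTo
	AboveTiers  int              // approvers needed beyond the last tier
	AddressBook map[string]bool  // payment restriction: known payees only
	created     map[string]int64 // "userID|YYYY-MM-DD" -> cents created that day
}

var (
	ErrOutsideHours    = errors.New("outside the user's access hours")
	ErrNoAccountAccess = errors.New("user may not transact on this account")
	ErrUnknownPayee    = errors.New("payee is not in the address book")
	ErrOverDailyCap    = errors.New("payment would exceed the user's daily cap")
	ErrTooFewApprovers = errors.New("not enough distinct, entitled authorisers")
)

// RequiredApprovers applies the account authority tiers to an amount.
func (p *Policy) RequiredApprovers(amount int64) int {
	for _, t := range p.Tiers {
		if amount <= t.UpTo {
			return t.Approvers
		}
	}
	return p.AboveTiers
}

// CheckCreate gates transaction creation; on success the amount counts
// against the user's cap for that calendar day.
func (p *Policy) CheckCreate(u User, pay Payment, now time.Time) error {
	if u.WorkdaysOnly && (now.Weekday() == time.Saturday || now.Weekday() == time.Sunday) ||
		now.Hour() < u.StartHour || now.Hour() >= u.EndHour {
		return ErrOutsideHours
	}
	if !u.Accounts[pay.FromAccount] {
		return ErrNoAccountAccess
	}
	if !p.AddressBook[pay.ToAccount] {
		return ErrUnknownPayee
	}
	if p.created == nil {
		p.created = map[string]int64{}
	}
	key := u.ID + "|" + now.Format("2006-01-02")
	if p.created[key]+pay.AmountCents > u.DailyCap {
		return ErrOverDailyCap
	}
	p.created[key] += pay.AmountCents
	return nil
}

// CheckAuthorise gates authorisation: enough distinct users, each entitled to
// the source account, must have approved. The same user listed twice counts once.
func (p *Policy) CheckAuthorise(pay Payment, approvers []User) error {
	entitled := map[string]bool{}
	for _, a := range approvers {
		if a.Accounts[pay.FromAccount] {
			entitled[a.ID] = true
		}
	}
	if len(entitled) < p.RequiredApprovers(pay.AmountCents) {
		return ErrTooFewApprovers
	}
	return nil
}

func main() {
	// Constructed sample configuration: one approver up to $1,000, two up to $10,000,
	// three above; alice may create up to $5,000 a day, 08:00-18:00 on workdays.
	p := &Policy{Tiers: []AuthorityTier{{100000, 1}, {1000000, 2}}, AboveTiers: 3,
		AddressBook: map[string]bool{"062-000 87654321": true}}
	alice := User{ID: "alice", Accounts: map[string]bool{"062-000 12345678": true},
		DailyCap: 500000, StartHour: 8, EndHour: 18, WorkdaysOnly: true}
	pay := Payment{"062-000 12345678", "062-000 87654321", 300000}
	tue := time.Date(2013, time.March, 5, 10, 0, 0, 0, time.UTC)
	fmt.Println("first create:", p.CheckCreate(alice, pay, tue))
	fmt.Println("second create:", p.CheckCreate(alice, pay, tue))
	fmt.Println("alice alone:", p.CheckAuthorise(pay, []User{alice}))
}
```

Two design points matter here. The creation gate and the authorisation gate are separate checks, so a user who is allowed to create a $3,000 payment still cannot move it without a second entitled authoriser. And the authoriser count is over distinct user IDs, so listing the same approver twice, or adding an approver who has no permission on the source account, does not satisfy a two-signature tier.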
For more information on IdenTrust, visit the website at

Conclusion

Challenge your financial institution on how they are protecting your money and, if you are not happy with the answer, consider choosing a financial institution that invests heavily in security to stay ahead of cybercriminals.