Two of the major issues facing CIOs in Singapore are the harmonizing of IT and business strategies, and compliance. Online fraud falls into both of these categories and as a result CIOs are faced with a delicate balancing act – protecting their data assets in a very threatening global fraud environment, without making their company more difficult to do business with, while taking into account customers’ changing needs and preferences...

Naftali Bennett is Senior Vice President, Consumer Solutions Division RSA Security. Bennett has over 10 years of security, software and anti-fraud experience. As senior vice president of the Consumer Solutions Division at RSA Security, he is responsible for product delivery and the development of strategic account relationships. He joined RSA Security from Cyota – a company that he co-founded and in which he served as Chief Executive Officer. Under his leadership, Cyota developed an array of authentication and security products and grew to become one of the largest anti-fraud providers to the financial industry, serving eight of the top twelve global banks. Prior to founding Cyota, Mr. Bennett was VP Marketing at I-scraper.com, and he also served six years in the anti-terror and commando unit of Israel's Defense Forces – where, as a company commander, he was responsible for training his troops and leading them in combat operations. Mr. Bennett holds a law degree from the Hebrew University.
SDA: Can you talk to us a bit about RSA SECURITY's solutions for a world beset by online fraud and identity theft?
Naftali Bennett (NB): The key point to remember about online fraud and ID theft is that these threats are constantly evolving and are becoming more and more targeted. In order to combat this we need solutions that are adaptable, that are easily managed and that offer appropriate levels of security in terms of the value of the data being accessed.
RSA SECURITY offers the complete spectrum of defence of IDs and protection against online fraud, from non-intrusive, background transaction monitoring and risk analysis (for low-risk, low-value transactions), through user input of unique passcode identifiers (hardware tokens, for example, allow people to prove that they are the owner of the data asset being accessed whilst online) to certification and large PKI systems (usually for corporate, high value transactions), as well as an anti-phishing and anti-pharming service.
SDA: How has the Cyota acquisition added to RSA SECURITY's online security and anti-fraud solutions portfolio?
NB: The Cyota acquisition really addresses the huge increase in retail, or consumer, Identity Protection. Most people don’t care about technology – they just want it to work, be secure and not complicate things. A non-intrusive, background solution that needs zero user input and only becomes visible when it is needed is a must and that is exactly what Cyota’s risk-based authentication offers.
The recent increase in online fraud means that most banks cannot use e-mail, as it is no longer a trusted medium. The Cyota product groups (in particular, watermarks) offer a way to “reverse authenticate” – that is, the bank or other FSI can prove to the end user that the mail or the website is genuine and does indeed belong to, and is run by, the bank or FSI in question – this is a huge step forward in reclaiming e-mail and web presence as a trusted channel of communication.
Additionally, FSIs can also enjoy a proven, effective anti-phishing and anti-pharming service, designed to mitigate the damages caused by these online threats.
SDA: Are we witnessing a paradigm shift in the deployment of remote access solutions?
NB: With the adoption of SSL VPNs, setting up secure remote access is both simple and cost-effective. Unfortunately, unless 2 Factor Authentication (2FA) is used, be it transparent or tangible, it is also a security risk. A direct link to the company network secured only by a user name and password isn’t sufficient anymore in today’s online environment.
SDA: Can you tell us a bit about RSA SECURITY's partnership with Check Point and how that relationship will position the combined solution to take on the above paradigm shift?
NB: We partner with several Technology Partners. In Check Point’s case, the synergy arises from their excellent range of SSL VPNs; the issues outlined above are easily addressed by offering the end-user pre-installed and pre-configured 2FA as part of the SSL VPN package. Simple, safe and cost-effective – that’s what most end-users want.
SDA: Can you tell our readership more about the flexible, layered authentication approach to security?
NB: A simple way of explaining it is to think about everyday examples. For instance, I have a couple of nice, quite expensive, watches – they are insured. My children have watches that are plastic, digital and covered with various cartoon characters – they are not insured!
Not all data is created equal. Access to data that has an intrinsically high value (IP, data that is critical to the running of the company, third-party data that is being hosted, customer records, for example) should be protected to a higher level than data with less value (old white papers, out-of-date marketing material, old presentations, data purchased from a third party, for example).
By applying the appropriate level of authentication to the appropriate data asset, companies can budget using an ROI, rather than adopting a 'one size fits all' approach.
Similarly for consumers and their financial activity – if John Smith is paying his electric bill online for the tenth consecutive month, from the same computer, then there is no need to bother him. However, if John or someone claiming to be John is suddenly transferring ,000 to Lithuania from a new computer, then it might make sense to ask him a few more questions or place an automated phone call to confirm his identity.
SDA: Can you tell our readers about the new Smart Redirection Attack, and what RSA SECURITY is doing to help prevent it?
NB: Smart re-direction is really the fraudsters’ way of combating the increasingly fast shut-down times (of rogue servers) that are being seen due to the efforts of companies like RSA SECURITY. What happens is that if the victim clicked on the link in the phishing email and was sent to a phishing site that has since been shut down, the link will automatically re-direct the victim to another live site. This increases the life-span (and therefore likelihood of success) of the fraud.
Through the acquisition of Cyota, RSA SECURITY now has ownership of a proven anti-phishing service including the 24x7 Anti Fraud Command Center, which is basically an operations centre linked to the largest of the world’s banks and other data sources, which identifies, analyses and shuts down phishing, pharming and fraud attacks quickly and efficiently. This includes Smart Redirection Attacks.
Anti-phishing service clients also become part of RSA® eFraudNetwork™ community – the most effective cross-bank collaborative online fraud network that includes dozens of leading global financial institutions and some of the world’s leading ISPs that gives RSA SECURITY a holistic view of today’s fraud environment. The eFraudNetwork community is designed to share fraudster information across multiple banks in real time; when a fraudster attack is identified against one member FI, all others are instantaneously protected as well.
SDA: Can you explain to our readership the concept of using invisible authentication?
NB: The important thing to remember is that the vast majority of consumer end-users are not IT savvy. The concept of risk-based authentication and transaction monitoring means that all the data needed is collected from the user's PC and behaviour automatically, without the need for any input from the end-user or for any client-side software.
The system notes the usual behaviour of the user, as well as additional factors and sources, over a period of time (usual behaviour criteria can be programmed into the system to allow the system to run live from the outset) and will flag any deviation from this behaviour. These deviations are weighted, and the cumulative “risk score” is calculated (this takes about 300 milliseconds). These scores are then used to define what action (if any) needs to be taken by the bank. The action may be a phone call from the bank, the answering of “lifestyle type” questions (for example, Mother’s birth date, name of first school) or even the need to use a 2FA token – depending on the bank’s risk escalation procedure.
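The scoring pipeline described in this answer, and the John Smith scenario from the earlier answer on layered authentication, as an added Python sketch that is not part of the original interview nor RSA's or Cyota's product: the signals, weights, thresholds and the sample transactions are hypothetical, constructed for illustration.

```python
from dataclasses import dataclass, field
# Weight of each deviation from usual behaviour (hypothetical values).
WEIGHTS = {"new_device": 40, "new_country": 30, "new_payee": 20,
           "amount_spike": 25, "odd_hour": 10}
# Bank's risk escalation ladder: minimum score -> action (hypothetical thresholds).
ESCALATION = [(0, "allow"), (30, "lifestyle_questions"), (60, "phone_call"), (80, "2fa_token")]

@dataclass
class Profile:
    """Usual behaviour learned from confirmed-genuine transactions, kept server-side only."""
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    payees: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    typical_amount: float = 0.0
    seen: int = 0

def learn(profile, txn):
    """Fold a transaction the customer confirmed as genuine into the profile."""
    profile.devices.add(txn["device"]); profile.countries.add(txn["country"])
    profile.payees.add(txn["payee"]); profile.hours.add(txn["hour"])
    profile.seen += 1
    profile.typical_amount += (txn["amount"] - profile.typical_amount) / profile.seen  # running mean

def risk_score(profile, txn):
    """Return (score 0-100, triggered deviations): each deviation is weighted, then summed."""
    checks = {"new_device": txn["device"] not in profile.devices,
              "new_country": txn["country"] not in profile.countries,
              "new_payee": txn["payee"] not in profile.payees,
              "amount_spike": profile.seen > 0 and txn["amount"] > 5 * profile.typical_amount,
              "odd_hour": txn["hour"] not in profile.hours}
    triggered = [name for name, hit in checks.items() if hit]
    return min(100, sum(WEIGHTS[t] for t in triggered)), triggered

def decide(score):
    """Pick the highest escalation step whose threshold the score reaches."""
    return [action for floor, action in ESCALATION if score >= floor][-1]

# Constructed history: John paid the same electric bill from his home PC for ten months.
JOHN = Profile()
for _ in range(10):
    learn(JOHN, {"device": "pc-home", "country": "SG", "payee": "power-co", "amount": 120.0, "hour": 20})
BILL = {"device": "pc-home", "country": "SG", "payee": "power-co", "amount": 125.0, "hour": 20}
# Constructed anomaly: large transfer to a new payee abroad from an unknown computer at 3 a.m.
TRANSFER = {"device": "pc-unknown", "country": "LT", "payee": "acct-9981", "amount": 4000.0, "hour": 3}

if __name__ == "__main__":
    for txn in (BILL, TRANSFER):
        score, why = risk_score(JOHN, txn)
        print(score, decide(score), why)
```

The routine bill scores 0 and passes silently, while the anomalous transfer trips every check and lands on the top rung of the ladder; the point is that the customer only sees a challenge when the score demands one.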
SDA: Why is Security one of the foundations of effective compliance?
NB: Compliance is a way of knowing what is happening to a system at any time and being able to prove it. By reducing the number of unregulated or unknown actions (i.e. security breaches), compliance is made easier. Similarly, if, by implementing and enforcing a good security policy, you have good awareness of what is going on in the system, compliance is that much easier.
SDA: Can you step us through some effective strategies to boost fraud detection rates without impacting genuine users?
NB: The use of back-end, transparent technology is key. The use of 2FA is also key, whether through hard or soft tokens. However, the most important parts of any consumer 2FA project are as follows:
SDA: What are the emerging online security threats and solutions/technologies being developed to combat them?
NB: Phishing, pharming and fraud are generic problems; it is the modality of their execution which is evolving very quickly. For example, Smart Redirection Attacks. The attacks nowadays are also driven by cash acquisition – they are a business. Some are launched by “entrepreneurs”, while others are a function of organized crime. Ready-made pharming and/or phishing attacks can be bought or, in some cases, downloaded free of charge from the Net – this makes the proliferation of attacks extremely fast.
Our job is to gather as much information as possible (through the Anti Fraud Command Center and eFraudNetwork) to close these attacks as early as possible and then forewarn our customers.
A revenue-generating business that has access to the latest technology (Internet fraud) has to be fought by a revenue-generating business that has access to the latest technology and information (such as RSA SECURITY)!
SDA: Is 2FA sufficient to manage the risk of multiple threats? What in your view is a comprehensive strategy that will work today and also scale up to the challenges of tomorrow?
NB: There will almost certainly always be a place for perimeter defence such as anti-virus, firewalls, Intrusion Prevention Systems, and content filtering. However, the fraudsters have realized that the easiest way to get past perimeter defence is to assume the identity of someone who has the necessary clearance to render the perimeter defence useless. That someone may be a System Administrator or it could be the owner of your bank account – you.
Today, organizations need to take a layered approach to security. Only the combination of several solutions and best practices will ensure an organization’s and its customers’ protection today and tomorrow.
SDA: What are the top five recommendations that you want to make to CIOs looking to protect their data assets in a global fraud environment?