Information Security Trends: Cloud, Mobility & Social Tools add complexity

 Cloud and Mobility Complicate Security

Cloud computing, mobility, social tools and other technologies that put mor e power in the hands of individual users pose new challenges for organizations seeking to secure data, devices and networks, new research released today by CompTIA, the non-profit association for the information technology (IT) industry, reveals.
This was the big take-home from the latest Information Security Trends study by Computing Technology Industry Association (CompTIA). Among the 308 security breaches reported by participants in the 10th annual study, 54% were caused by human error. Nearly half those errors (49%) were attributed to end-user failure to follow policy and procedure. The study is based on a survey of 508 IT and business and IT executives directly involved in setting or executing information security policies and processes for their organizations; and 368 executives at U.S. IT firms, with most having some level of involvement in the IT channel.

“As users gain more responsibility for their own technology, the human element becomes more and more important,” said Seth Robinson, director, technology analysis, CompTIA.

“There’s a growing need that we see to educate the end users and bring them up to speed with security awareness, and [increase] their knowledge of what an attack might look like,” said study author Seth Robinson. “Educating the end user really should be a bigger priority.”

cloud The message doesn’t seem to be getting through to the people in charge of enterprise security. About 60 % of survey respondents cited malware, such as viruses and Trojans, as a “serious concern.” Other types of security threats from the outside, namely hacking (54%), also outranked human error as major threats. Indeed, only 24% of respondents viewed end-user error as a “serious concern.” The respondents’ focus on external threats does not surprise Robinson. “It’s what they’ve been concerned about for years, and it informs how they’ve built and continue to build security defenses.”

Robinson attributes the  disconnect between resource allocation and rising internal threats to both stagnant budgets and an outdated understanding of what constitutes adequate end-user training. A basic run-through of security policies at the time of hire with a yearly refresher isn’t enough, he said. Today, the advice from top information security experts calls for training that is frequent and interactive. For example, Robinson said a simulated phishing attack among the workforce can be a useful training tool. IT can track the number of employees who click the link, and give those employees additional information security training to recognize that type of threat.

A net 49 percent of companies say they intend to hire security specialists, including those that also plan on training current staff.  Executives have a strong preference for security professionals with industry certifications. A full 84 percent said they experienced a positive return on investment in security certifications,

cloudwith certified staff viewed as more valuable because of their proven expertise and ability to perform at a high level than non-certified staff. Putting employee security training in the hands of a security specialist — and off the to-do list of CIOs — is something experts

strongly advocate. Decisions about device and platform management and application access should be made by infrastructure and operations (I&O) teams. However, security experts should be the ones figuring out what threats their organizations face from different end-user access scenarios.

New ATM Fraud: Cash Claw Crimes

Banks in India, Beware !!

Yet another ATM fraud  hitting the headlines across the UK during the late November 2012. The trouble now is more physical, stopping the money being dispatched from ATM and  tricking the customers which invariably result in increasing disputes between the bank and its customers. The UK’s Dedicated Cheque and Plastic Crime Unit (DCPCU) said it had seen a big jump in the rise in the number of incidents of so-called “cash claw” fraud in recent months, and is warning the public to report any incidents.


UK’s Dailymail reported in detail  with images of ‘claws’ used to steal the money from ATMs. It was reported that the devices have been used at cash points across Britain, with 2,479 reported cases in the first half of 2012. Fraud losses through cash trapping and other ATM scams across the UK came to £29.3 million last year, according to Financial Fraud Action UK, although this is said to be dropping since chip and pin was introduced in 2004.

Problem for banks in India

With close to 100,000 ATMs, millions of uneducated users and emerging ground for technology frauds, India dubiously attracts fraudsters.  So far, we have not come across any such ‘claw’ frauds stealing money from ATM. Unfortunately for the bank customers in India, a new vulnerability emerged, thanks to the instructions of National Payment Corporation of India (NPCI) on withdrawing ATM cash retraction facility by March 31, 2012. Earlier, when the cash retraction method was in force, the money would be taken back into the ATM if the customer did not remove the cash within a specified amount of time (say 30 sec), thus virtually not giving scope to any ‘claw’ fraud. Now, in the absence of such defence if any ATM machine is “clawed”, then the money would neither be retracted nor the customer could take it.

The cash retraction facility has been withdrawn reportedly, to contain the ATM fraud cases by misusing retraction facility at many bank ATMs.  While the action could address a vulnerability, it has opened up another. While cash retraction facility misuse had impact on the banks, the ‘claw’ fraud  would impact the customers as in the bank’s records the money would be debited to the customer account.

Solutions?

Customer education and public awareness seem to be effective to a limited extent, as long as the ‘education’ is not counter-productive. In the UK, the Police have warned account holders to be vigilant, but many devices are impossible to spot. 

ATM designs, perhaps, need a revisit and with display of an alert on the screen and a transparent cash dispenser draw could help prevent this kind of exploitation of flaw.

More importantly, the banks and regulators should adopt a holistic approach, at least from the security point of view, while reviewing or withdrawing an existing control, to ensure the action would not result in another vulnerability. When it comes to security, golden rules have to be remembered, ALWAYS !!



Information Security Flaw Exploited: Citibank lost over a million USD

 ‘Gone in 60 Seconds’  – and the lessons learned


During late October 2012, fourteen individuals were charged following a Federal Bureau of Investigation (FBI)-led investigation into the theft of over $1 million from Citibank using cash advance kiosks at casinos located in Southern California and Nevada. The fraudsters stole the money by exploiting a gap in the Citibank’s ATM applications—which required multiple withdrawals all within 60 seconds—giving the fraud a popular name among the legal and security circles ‘Gone in 60 Seconds’. 



The modus operandi worked as follows: the main accused recruited conspirators who were willing to open multiple Citibank checking accounts. He then supplied his co-conspirators with “seed” money, which was deposited into the recently opened accounts. After the money was deposited into the checking accounts, the conspirators would travel to nearly a dozen casinos in California,  Las Vegas and  Laughlin. When inside the casino, the conspirators, used cash advance kiosks at casinos to withdraw (all within 60 seconds) several times the amount of money deposited into the accounts, by exploiting the Citibank’s ‘security gap’ they discovered. The accused were also careful to keep both their deposits and withdrawals under $10,000 in order to avoid federal transaction reporting requirements and conceal their fraud.

What was the  ‘security gap’ which could be discovered by the fraudsters and NOT by the Citibank’s IS Auditors? 


As long as all of the withdrawals were made within one minute of the first, Citibank’s software assumed the transactions indicated erroneous duplicate processing of the first request, and hence no red flags would be raised. While the sophisticated plot  allowed the group to collect more than a $1 million over an eight-month period, thanks to a  mundane flaw in the criminals’ logic eventually led the FBI to its suspects: they all used their real names when activating the bank accounts that ended up excessively overdrawn.

What Citibank could have done to prevent this?
Presumably, the control weakness escaped the multiple layers of security at Citibank: concurrent audit during application development,  scenario based IT application controls and risk assessment by the concurrent auditors.  Also, there is a need for real time detection of suspect transactions, even for smaller amount of transactions. Interestingly, the accused kept the withdrawals under  $10,000 to avoid regulatory reporting and probably, they guessed it right that the bank would not look into transactions that would not require any regulatory reporting.

Most likely,  the fraud detection predictive data models used by Citibank  failed to notice such transactions or have assumed small amount transactions are relatively safer !! 


Lessons learned ….

Banks need to strengthen their fraud detection data models.
All transactions, not just those required for regulatory reporting, need to be monitored.
Real time audit to be built into their security frameworks. 
Needless to mention, build and continuously review appropriate application controls.