Social Engineering Replaces Guns in Bank Heists

Australia’s banking industry is under threat due to a heavy reliance on Single Socket Layer (SSL) encryption that hackers are increasingly finding their way around.

There are no “stick-em-up” dramatics in today’s million-dollar bank heists, but it simply involves the use of SSL-evading Trojans and refined phishing techniques.

While banks are reluctant to quantify financial losses, Australia’s Computer Emergency Response Team (AusCert) admits its own research proves attacks are on the rise.

AusCert general manager Graham Ingram said a false sense of security surrounds SSL encryption, a technology in use right across the financial services industry.

This reliance on Internet browser encryption means banking sessions can be hijacked by Trojans and key-logging programs, especially if users engage in lax security protocols and don’t use current anti-virus signatures.

The bottom line is that social engineering tricks are circumventing Internet banking encryption.

Ingram said there is a belief that customers are safe and privacy is protected through the use of SSL, but “this is not the truth.”

His statement was backed up by AusCert’s analysis and assessment manager, Kathryn Kerr, who said it is a serious issue for any organization offering Internet banking as well as anyone using virtual private networks for remote work.

Neal Wise, director of security firm Assurance, said SSL does serve a good purpose but leaves users prone to a “man in the middle”-type attack.

“Unfortunately, the only controls a bank can rely on for users to transport data is SSL encryption; it leaves them in an interesting situation–having to cover related security issues they have not created,” Wise said.

“We will see financial institutions providing cut-price antivirus and content-checking tools for their clients, because right now if someone manages to put a keystroke logger on a client computer, and a banking session gets recorded, banks have to cover that risk and it is not their fault.”

While security experts claim Internet banking fraud drains as much as 2 to 5 percent of revenue, the financial services industry isn’t as forthcoming when it comes discussing online threats, and the Australian Bankers Association refuses to comment.

A spokesman for the Commonwealth Bank of Australia said SSL encryption has served the bank and their customers well, and it is confident it will continue to do so.

The spokesman pointed out that SSL encryption is a global industry standard.

“We are constantly reviewing and assessing our Internet security measures so that our customers can have the utmost confidence and trust in our service,” he said.

Paul Jennings, head of channels and systems management for Westpac Banking, said the latest threats – like phishing – don’t defeat SSL encryption, only tricks the customer into revealing their identity. He said this occurs before the SSL encryption begins.

“SSL is still required for a secure session, but one cannot rely on it as a panacea to all fraud and security or privacy issues,” Jennings said. “We have fraud detection tools, screen high-risk payments, run education campaigns and recommend our customers use antivirus tools, so we are quite comfortable with Internet banking security, but SSL encryption is just a cornerstone.”

The National Australia Bank (NAB) has taken a more holistic approach to online security. A NAB spokesperson said there is a need for multiple layers of protection between customer and bank transactions – a primary driver behind the move to two-factor SMS authentication – adding there is also a need for consumers to be aware of their own responsibilities when it comes to protecting data and their own PC.

Peter Dowley, an IT security architect at Australia and New Zealand Banking Group Bank, said using SSL encryption for online banking ensures that bulk attacks cannot be conducted by compromising either the Internet backbone or Internet service providers.

“The next vulnerable point is the customer’s computer, and so attackers have to concentrate their efforts at this point.”

Claiming SSL encryption will stand the test of time, Matthew Warren, Deakin University head of the School of Information, said social engineering techniques are shaking customer confidence.

“It does not matter if someone cracks an encrypted SSL key, because it would take so long and by the time it was cracked, the data would be worthless,” he said.

“While encryption protects the data in transport, spyware can record passwords and e-mail them to another party. The banks need to look at three-tier authentication that includes a swipe card because you cannot rely on a user name and password.”

Keep checking in at our Security Feed page, or subscribe via RSS, for updated news coverage.

By Michael Crawford, Computerworld Today (Australia)