February 11
What good could possibly come from breaches at major retailers that exposed millions of Americans to potential card fraud? The silver lining for U.S. financial institutions is that the breaches at Target, Neiman Marcus and Michaels have woken up their customer base to cybersecurity threats.
With nearly every media outlet reporting the grisly details, there has never been a better time to educate commercial account holders about the risks associated with online banking, particularly phishing attacks.
Consumer awareness will help firms implement the Federal Financial Institutions Examination Council (FFIEC)-mandated educational programs on corporate account takeover (CATO), because account holders are now sure to be active listeners. Corporate account takeover is a type of business identity fraud in which malware infects account holders' machines to capture login credentials, hijack online banking sessions and commit electronic wire fraud. To help combat this type of fraud, the FFIEC recommends that banks educate their commercial account holders on how CATO attacks work, their exposure risk, recommended minimum security standards and the types of insurance coverage available to cover fraud losses.
The Target breach began when an outside vendor fell victim to a phishing attack and entered its network credentials into a malicious website controlled by hackers. This gave hackers authorized access to spread their malware onto point-of-sale servers and systems. This tactic is analogous to corporate account takeover attacks because online banking credentials are essentially authorized access into a bank's network.
A long-held belief in IT security is that the easiest and least detectable way to gain unauthorized access into a system is to leverage someone else's authorized access. The consequence for online banking is that account holders have that authorized access and, thus, are and will continue to be the most attractive target for cybercriminals. Why would hackers bother learning how to pick a commercial-grade safe when users can be tricked into simply opening the door for them?
Unfortunately for banks and their customers, the phishing attacks that started the Target breach are alarmingly successful. Verizon's
There are several reasons phishing attacks still work. First, embedded links in phishing emails inherently want to be clicked. After all, humans are curious by nature and that is exactly what links were designed to do: pique their curiosity. It takes training to resist the habit of following a link or opening an attachment.
Second, hackers are refining their techniques; phishing attacks are looking more and more legitimate. Lastly, while banks have invested a lot of resources into educating business clients, particularly their accountants and bookkeepers, on phishing attacks, not all employees at these firms receive training on online banking. This creates additional risk: as the Target breach demonstrates, it takes only one user being tricked into giving away credentials to open the door to the entire network. All employees at a company should be trained on phishing attacks, not just its online banking users.
The number of news stories focused on cyber-breaches demonstrates not only that mainstream media is becoming more comfortable delving into technical topics, but also that there is an eager audience awaiting that information. Major retailers across the country have paid the tuition, in full, for the education of each and every online banking user. There has never been a better time to educate online banking users on the threats that exist, the countermeasures available to them, and how critical they are in the fight to deter fraud.
To properly educate customers, banks should use a multifaceted approach that appeals to different learning styles: whitepapers, seminars/webinars, interactive web games and threat overviews. A best practice is to alert the customer base to new threats at least every other month, to keep security top-of-mind.
Ryan Elmer is the national director of eBankSafe, a fraud-deterrence line designed to mitigate the risk of corporate account takeover and electronic wire fraud.