We've all heard of phishing and man-in-the-middle attacks by computer hackers, but how many people think it could really happen to them? Most might think they'd never fall for a socially-engineered cyber attack but, according to Vasco Data Security, social engineering is growing steadily.
And 37 per cent of all attacks are targeted at financial services organisations, according to the data security firm's e-book, Mitigating human risk in banking transactions. A fifth of phishing attempts attack financial credentials. What's more shocking is that 23 per cent of recipients open phishing messages and 11 per cent of recipients open phishing attachments. Data from Gartner Group suggests that theft through phishing costs US bank and credit card issuers around $2.8 billion a year.
Phishing and other types of socially-engineered attacks (including voice phishing, instant messaging, spoof emails, covert redirect and 'man-in-the-browser') all depend on one key weakness in any security system: the human. Many companies address this through education, increased security awareness and user-oriented security controls. But Vasco makes an important point: “But even with education and additional user controls, social engineering attacks are still successful, because the final decision is made by the user – the user authenticates to their bank, but the bank does not authenticate to the user.”
Two of the key risks in the traditional transaction initiation process are:
- that hackers can (relatively easily) direct a user to a fake bank website, which can be used to harvest the user's bank account log-in details; and
- that hackers can also convince the user to initiate or authorise a fraudulent transaction without the bank's involvement.
Vasco offers a system that addresses this problem: it takes the 'trust' decision away from the user and ensures that only the bank can initiate a transaction signature request.
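To make the mutual-authentication point concrete, here is an added Python model of a bank-initiated transaction-signing exchange. It is illustrative code written for this page, not Vasco's product or protocol; the HMAC keys, message field names, nonce handling and account strings are constructed assumptions. The bank MACs the transaction details and a fresh nonce so the user's signing device can authenticate the bank before signing; a spoofed site or a man-in-the-browser that alters the request cannot produce a request the signer accepts, and a replayed signature is rejected by the bank.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed keys for the example. A real deployment would provision a per-customer
# key in a hardware signer or app; the point is that a phishing site does not hold it.
BANK_REQUEST_KEY = b"constructed-bank-request-key"
TOKEN_SIGNING_KEY = b"constructed-token-signing-key"


def canonical(obj: dict) -> bytes:
    """Stable serialisation so both sides MAC exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def bank_issue_request(tx: dict, bank_key: bytes = BANK_REQUEST_KEY) -> dict:
    """Bank side. Only the bank can create a signature request: it binds the payee,
    amount and a fresh nonce under a key the user's signer shares with the bank."""
    req = {"tx": dict(tx), "nonce": secrets.token_hex(8)}
    req["bank_mac"] = hmac.new(bank_key, canonical(req), hashlib.sha256).hexdigest()
    return req


def token_sign_request(req: dict, bank_key: bytes = BANK_REQUEST_KEY,
                       token_key: bytes = TOKEN_SIGNING_KEY) -> Optional[str]:
    """User's signing device. Step 1: authenticate the bank to the user by checking
    bank_mac. Step 2: show req['tx'] (payee, amount) for the user to confirm.
    Step 3: sign the bank's request. Returns None if the request is not from the bank,
    so a spoofed site or a modified transaction never receives a valid signature."""
    unsigned = {k: v for k, v in req.items() if k != "bank_mac"}
    expected = hmac.new(bank_key, canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(req.get("bank_mac", ""))):
        return None
    # A real signer would display unsigned["tx"] on its own trusted screen here.
    return hmac.new(token_key, canonical(unsigned), hashlib.sha256).hexdigest()


def bank_verify_signature(issued_req: dict, signature: str, seen_nonces: set,
                          token_key: bytes = TOKEN_SIGNING_KEY) -> bool:
    """Bank side. Verify the signature against the request the bank itself issued
    (not against whatever the browser sends back) and reject replayed nonces."""
    if issued_req["nonce"] in seen_nonces:
        return False
    unsigned = {k: v for k, v in issued_req.items() if k != "bank_mac"}
    expected = hmac.new(token_key, canonical(unsigned), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signature):
        return False
    seen_nonces.add(issued_req["nonce"])
    return True


def legitimate_flow() -> bool:
    """Bank initiates, signer authenticates the bank, bank verifies the user's approval."""
    seen = set()
    req = bank_issue_request({"payee": "GB00EXAMPLE", "amount": "125000.00", "ccy": "GBP"})
    sig = token_sign_request(req)
    return sig is not None and bank_verify_signature(req, sig, seen)


def spoofed_site_flow() -> Optional[str]:
    """A fake bank site builds a request without the bank's key: the signer refuses."""
    fake = {"tx": {"payee": "GB00ATTACKER", "amount": "125000.00", "ccy": "GBP"},
            "nonce": "deadbeefdeadbeef", "bank_mac": "0" * 64}
    return token_sign_request(fake)


def tampered_request_flow() -> Optional[str]:
    """Man-in-the-browser changes the payee after the bank issued the request:
    bank_mac no longer matches, so the signer refuses."""
    req = bank_issue_request({"payee": "GB00EXAMPLE", "amount": "125000.00", "ccy": "GBP"})
    req["tx"]["payee"] = "GB00ATTACKER"
    return token_sign_request(req)


def replay_flow() -> bool:
    """Re-submitting a once-valid signature for a second payment fails the nonce check."""
    seen = set()
    req = bank_issue_request({"payee": "GB00EXAMPLE", "amount": "10.00", "ccy": "GBP"})
    sig = token_sign_request(req)
    first = bank_verify_signature(req, sig, seen)
    second = bank_verify_signature(req, sig, seen)
    return first and not second


if __name__ == "__main__":
    print("legitimate flow accepted:", legitimate_flow())
    print("spoofed site got a signature:", spoofed_site_flow())
    print("tampered request got a signature:", tampered_request_flow())
    print("replay rejected:", replay_flow())
```

The design choice worth noting is that the signer verifies the bank's MAC before anything is shown or signed, and the bank verifies the returned signature against the request it issued rather than against data echoed by the browser; that is what removes the 'trust' decision from the user's judgement of a web page.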
CTMfile take: These observations may not be new but they are interesting – especially for corporate treasury professionals responsible for making high volumes of payments, or very large payments, on a daily basis – as a reminder of how important it is to get independent, authentic confirmation from both the bank and the initiator before making payments.