May
28
2014

Prevent Heartbleed becoming a bloody mess

While the Heartbleed flap may have abated and many have been lulled back into a sense of security, our huge volume of connected devices means we are still vulnerable.

Apart from obvious at-risk ‘smart’ devices like phones, tablets, laptops and other PCs, everything from home routers, CCTV cameras, baby monitors, domestic heating and utility gadgets, thermostats, cloud-based data services, printers, firewalls and video-conferencing systems, are also potentially vulnerable.

Heartbleed highlighted a critical flaw in software called Open SSL, which is supposed to make it much harder to steal data. Instead, suitably-informed hackers have been able to exploit the bug by remotely prompting the server to hand over small chunks of the data it has just handled – in many cases disclosing log-in details, passwords, or other sensitive personal information.

But despite software companies quickly issuing patches to correct the vulnerability, the problem has also highlighted other significant flaws. Web sites are regarded as being inconsistent at best when it comes to updating security. Problems have been further compounded by the fact that a large number of sites have so far not cleaned up all their security credentials put at risk by Heartbleed. Many are still to invalidate or revoke the security certificates used as a guarantee of their identity. It means that if a compromised certificate has not been revoked, a fraudster can continue to impersonate the at-risk website.

Protecting the keys to the kingdom

Protecting the keys to the kingdom fundamentally hinges on a layered security strategy underpinned by multiple checks form numerous data sets. Having an armoury of tools that includes device intelligence to block compromised card use, fraudulent enrolments, phishing attacks, hidden measures that assesses suspicious activity and multi-set identity verification, will always be worth the investment.

Millions of consumers on both sides of the Atlantic regularly put themselves at risk of fraud simply because a lot of us are creatures of habit – to the point of digital delinquency. Recent Experian research has highlighted the prevalence for favouring repetitive online identities often based on a single e-mail address, username and password combination.

It means that any well-designed phishing e-mail which comprises a recognisable brand logo, a well-known network administrator or legitimate looking address, can quickly open the door to a goldmine of customer payment and identity data. Armed with stolen personal details, criminals have the opportunity to fraudulently open new accounts, submit bogus applications for credit cards, bank accounts, and store cards – often on an industrial scale.

Forensic review

When a fraud attack is spotted, organisations need to quickly complete a forensic review, identify and clarify the points of vulnerability, analyse precisely what data was stolen and how the fraudsters got away with it. The initial scope of investigations quickly expands into something much larger – especially if regulators or politicians opt to wade in. Complete visibility of all customer data and transactions across all channels is critical. Keep drilling-down until the root cause can be identified, analysed and protected against any repeat attacks – because if fraudsters get away with it once you know they’ll be back for a second go.

For many businesses deep and consolidated insight rarely exists. Without realising it, consumers may fall prey to phishing attacks and unwittingly disclose the virtual keys to their online accounts. No one wants to turn away legitimate or sizeable transactions evidently from loyal customers – but with revenue, reputation and brand at stake, no one can afford to ignore the potential risk.

But being forewarned is as good as being forearmed. Knowing and spotting your enemy early offers a huge advantage. As attackers grow increasingly sophisticated, it is virtually impossible to identify fraudulent online transactions without being able to accurately identify the mobile device behind the transaction. Clear visibility into fraudulent attacks is difficult with the anonymity of the web, but transactions underpinned by reliable device intelligence helps provide greater protection. Consider manually reviewing transactions if and when appropriate.

Re-tasking and moving staff away from the demands of their day-to-day roles may seem like a costly burden and waste of resources, but it is often invaluable to have fraud investigators review a higher percentage of transactions during periods of heightened risk. Efficient application of resources also counts. With the right technology in place, the false-positive rate will be low and fraud teams can concentrate on tackling the riskiest transactions. In all likelihood, as the number and sophistication of fraud attacks rise, the periods of heightened risk are likely to increase.

Informally collaborating with others whenever a new threat emerges is always worth considering. What goes around comes around. While it may be your turn this week, there’s no doubt the fraudsters will switch attention elsewhere in due course. Other companies which are successfully blocking potential data-breaches are likely to be an excellent source of ideas and best practice around fraud prevention. Also leverage industry networks and specialist fraud providers wherever
possible.

Trust the fraud team’s instincts

Trust the fraud team’s instincts. They’re in the frontline in the fight against fraudsters and during periods of increased activity will have a sound sense of erratic or irregular transactions and trading patterns. It’s also worth pro-actively contacting customers if fraud is suspected, if transactions look
suspicious or reflect unusual payment patterns.

Don’t skimp on investment in your entire online estate. It’s your shop window and particularly given the exponential rise in demand for mobile channels, it’s likely to be your most cost-effective and lucrative income stream for the foreseeable future. Mobiles and hand-held devices offer enormous opportunities and a host of innovations are already  proving to be a huge benefit, particularly online platforms which allow customers to directly submit proof of identity in an instant, by taking a photo of documents on their smartphone or other device, rather than being obliged to rely on lengthy manual and paper-based checks.

But given the market share Apple and the MacOS are projected to win, grow and dominate during the next few years, having suitably compatible anti-fraud technology will be critical from here on. While account creation, profile management and loyalty programs may be regarded as soft targets for attackers, online defences can be shored up by ensuring that all points of account entry are equally protected from fraudulent access.

As the furore around Heartbleed starts to fade, now is as good a time as any to ensure you are protected against future fraud attempts.

Share

  1. No comments yet.

  1. No trackbacks yet.