Cyber-Fraud Trends, Defenses Debated at Cyber-Defense Summit

At the InfraGard Cyber-Defense Summit, security experts discussed the costs of cyber-crime and cyber-fraud, and ways to defend against cyber-criminals.

Cyber-crime continues to flourish as perpetrators continually evolve new attacks and scams to compromise users and steal money and information, but there are certain things enterprises can do to protect themselves, security experts said at a cyber-defense summit.

Financial cyber-fraud, insider threats to corporations, risk assessment and the costs of cyber-crime were some of the topics covered at the New York Metro InfraGard Cyber-Defense Summit in New York City on Sept. 14. The event focused on current threats facing organizations and providing information on how to prevent future occurrences.

Some types of cyber-fraud such as identity theft, and check and payment card fraud have been declining since 2006, said David Nelson, a specialist with the Federal Deposit Insurance Corporation's Cyber-Fraud and Financial Crimes section.

The decline is partly a result of the improvements financial institutions have made in their security practices such as implementing new anti-fraud technology, said Nelson. Increased adoption of regulations, such as the Payment Card Industry Data Security Standards (PCI-DSS) and the guidelines from the Federal Financial Institutions Examination Council (FFIEC), have helped financial institutions secure customer accounts from theft. Organizations are also sharing more information with each other and law-enforcement agencies, making it much easier to recognize fraud and investigate incidents.

However, criminals are innovative and flexible, so instead of giving up, they've switched targets, according to Nelson.

Online account takeover attempts have been increasing each year, with estimated losses approaching $114 billion in 2010. Attackers are relying on various social-engineering tactics to trick users into clicking on a phishing or spear-phishing email, opening an attachment containing a malicious Adobe document or opening a link posted on the social networking sites, said Nelson. More than half of all wire-fraud activity tends to be initiated by attackers after compromising an online bank account, he added.

Contrary to popular belief, the money is not going straight to China, Korea or another international destination. In fact, domestic transfer accounts for 40 percent of fraudulent wire activity, with funds being transferred to other institutions around the country, such as New York City.

The good news is that banks are winning for the time being, said Nelson.

Losses from online bank account takeovers in the first quarter of 2011 were nearly half the losses in the fourth quarter of 2010. Financial institutions were doing a much better job stopping fraud in the first quarter, as only 27 percent of incidents went undetected, compared with 40 percent in the fourth quarter of 2011.

It's not just banks that are uncovering incidents, as customers, vendors and service providers and law enforcement are also vigilant and reporting fraud.

Many banks and credit unions have implemented multiple layers of security controls, deployed virtual browsers that cannot be easily compromised to their customers for online banking and installed anomaly-detection systems on their network, according to Nelson. Customer education and awareness programs are also having an effect.

These are "controls that are working" and should continue to be deployed, said Nelson. However, organizations need to continue monitoring and assessing risk.

A recent study from the Financial Services Information Sharing and Analysis Center found that financial institutions are doing a better job of stopping funds from leaving the institution even after the cyber-criminal creates the fake transaction. In 2009, financial institutions managed to stop funds from actually being transferred only 20 percent of the time. The number rose to 36 percent in the first six months of 2010, the survey found.

Larry Ponemon, founder of the research firm Ponemon Institute, discussed his organization's cost of cyber-crime study that was released early August. The study, found that the median cost of cyber-crime for a benchmark sample of organizations was $5.9 million per year, a 56 percent increase from the median reported in July 2010.

All industries fall victim to cyber-crime, including malware, Web-based attacks, botnets and stolen devices, according to Ponemon. Information theft was the biggest external cost, and recovery and detection activities were the biggest internal cost, the study found.

Organizations should be "vigilant" about new risks but should not forget about "old problems," said James DeFalco, an examining officer with the Federal Reserve Bank of New York. Unpatched or forgotten machines are likely to be infected first and allow attackers to conduct attacks from inside the firewall, according to DeFalco.