Money2020: Cybercrime threat will demand application of new defences
Basic security mechanisms in payment and banking systems are poorly applied and are out-gunned by the resources available to cybercriminals, a session at the Money2020 event in Las Vegas was told.
David Abouchar, senior director of product management at security specialist ControlScan, told a session on cybercrime that there is a need to focus on the basics of systems security. “We are not doing the basic hygiene: ‘Password123’ is just not acceptable these days,” he said. Other basic failings, such as sloppy control over remote access, combine with merchants' lack of understanding of how consumer data is stored to make things easy for the criminals.
Abouchar said that while there are technical issues, such as the vulnerability of web applications to attacks like SQL injection, training and awareness are as much part of the solution as technology. He cited a Gartner statistic that shows two-thirds of all websites have exploitable vulnerabilities – which his own experience bears out. “Web designers are really good at designing web pages, but they are not always aware of the security aspects,” he said. “We often think of it as a technical problem, but humans are the weakest link in the chain.”
For this reason, there is a growth in social engineering, where criminals use old-fashioned con tricks to get people to hand over their sensitive information. He told the audience of a recent penetration test at a big-name bank in which 30% of users in a targeted department handed over their log-in data to a simple spoof email.
Siva Narendra, chief executive of Tyfone, an Oregon-based firm that specialises in security and identity for mobile banking and payments, agreed that passwords were a weak link, but went further, arguing that they are next to useless as a defence against cybercrime and should be replaced with hardware-based solutions. As mobile banking and payments continue their rapid growth, the industry is simply moving the problem to a new environment. “We are taking all of the vulnerabilities of the cyberworld and putting them on new hardware,” he said. “We have to move away from this – at some point you have to eat broccoli; it’s good for you.”
Narendra said that the increasing use of the cloud also poses issues. “The cloud is a great place to consolidate data, but it is not a great place to consolidate identity,” he said.
The current model, in which a user accesses a central server using a password, is flawed because the server has to know something about that password in order to validate it. In the case of a one-time password, for instance, it would have to hold the seed values that the algorithm generating the code uses, so a compromise of the server exposes the means of producing valid codes.
Combined with having everything in the cloud, this makes little sense. “It’s like putting all of the valuables in a citadel and then protecting that citadel with a weak door,” he said.
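As an added illustration of the validation argument above (this code is not from the article or from either speaker), the following Python shows an RFC 4226 HOTP verifier, which must keep each user's seed because verification recomputes the code from it, so a dump of its table lets an attacker mint the next valid code. For contrast it also shows a hash-chain (S/KEY-style) verifier that stores only the hash of the next expected value, going one step beyond the article's point to show that OTP validation does not inherently require the server to hold the generating secret. User names, the seed for the hash chain and the "breach" are constructed for the example; the HOTP seed is the RFC 4226 test-vector secret.

```python
"""Added example: symmetric OTP (server holds the seed) versus a hash-chain OTP
(server holds only a verifier). Names and sample data are constructed."""
import hashlib
import hmac
import struct


# --- 1. HOTP (RFC 4226): client and server share the raw seed ---------------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpServer:
    """Verifier that must keep every user's seed (in cleartext, or under a key
    it also holds) because verification recomputes the HMAC from the seed."""

    def __init__(self, look_ahead: int = 5):
        self.seeds = {}            # user -> (seed, next expected counter)
        self.look_ahead = look_ahead

    def enroll(self, user: str, seed: bytes) -> None:
        self.seeds[user] = (seed, 0)

    def verify(self, user: str, code: str) -> bool:
        seed, counter = self.seeds[user]
        for c in range(counter, counter + self.look_ahead):
            if hmac.compare_digest(hotp(seed, c), code):
                self.seeds[user] = (seed, c + 1)   # move past the used counter
                return True
        return False


def forge_from_dump(server: HotpServer, user: str) -> str:
    """What a breach of the HOTP server buys the attacker: the dumped seed and
    counter are everything needed to mint the next valid code."""
    seed, counter = server.seeds[user]
    return hotp(seed, counter)


# --- 2. Hash-chain OTP (S/KEY-style): server keeps only a verifier ----------

def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


class HashChainServer:
    """Stores H^n(seed) only. The client reveals H^(n-1)(seed); the server
    checks that hashing it once matches the stored value, then keeps the
    revealed value as the new verifier. A dump yields no usable preimage."""

    def __init__(self):
        self.verifiers = {}        # user -> current H^k(seed)

    def enroll(self, user: str, top_of_chain: bytes) -> None:
        self.verifiers[user] = top_of_chain

    def verify(self, user: str, revealed: bytes) -> bool:
        if hmac.compare_digest(sha256(revealed), self.verifiers[user]):
            self.verifiers[user] = revealed
            return True
        return False


class HashChainClient:
    """Holds the seed and walks the chain downward, one value per login."""

    def __init__(self, seed: bytes, length: int):
        self.seed, self.remaining = seed, length

    def _hash_times(self, n: int) -> bytes:
        v = self.seed
        for _ in range(n):
            v = sha256(v)
        return v

    def top_of_chain(self) -> bytes:
        return self._hash_times(self.remaining)

    def next_otp(self) -> bytes:
        self.remaining -= 1
        return self._hash_times(self.remaining)


def demo() -> dict:
    """Run both verifiers and return the outcomes (all constructed data)."""
    seed = b"12345678901234567890"            # RFC 4226 test-vector secret
    hs = HotpServer()
    hs.enroll("alice", seed)
    results = {"hotp_first_ok": hs.verify("alice", hotp(seed, 0))}
    # attacker with a dump of hs.seeds mints the next code and it is accepted
    results["hotp_forged_accepted"] = hs.verify("alice", forge_from_dump(hs, "alice"))

    client = HashChainClient(b"constructed-seed", length=3)
    cs = HashChainServer()
    cs.enroll("bob", client.top_of_chain())
    results["chain_first_ok"] = cs.verify("bob", client.next_otp())
    # attacker holding the dumped verifier cannot produce its preimage; even
    # replaying the stored value fails because it gets hashed once more
    results["chain_replay_rejected"] = cs.verify("bob", cs.verifiers["bob"])
    return results
```

The hash chain is not the hardware-based replacement Narendra argued for; it is only the simplest standard-library way to show the asymmetry he is pointing at: in the HOTP case the server's database is the citadel's weak door, while in the hash-chain case a dumped verifier lets an attacker check codes but not create the next one.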