Why Yahoo’s malware attack is hitting banks hard
At the end of last year, Yahoo was hit by a malvertising attack: malicious advertisements were served through its own advertising network. An estimated two million-plus users, mainly in Romania, Great Britain, France, Italy and Spain, were exposed and had their personal data put at risk. Anyone visiting the site between 27 December and 3 January was served advertisements, some of which were malicious and infected users’ devices without a single click, writes Pat Carroll.
In this case a “drive-by” exploit kit (a toolkit that automatically exploits vulnerabilities in programmes and web browsers) was used, so that merely loading the advertisement was enough for the visitor’s computer to be infected with malware. The malicious advertisements silently redirected the browser to randomly generated domains, all served from a single IP address apparently hosted in the Netherlands. The exploit kit took advantage of known vulnerabilities in the Java browser plug-in, so a browser without that plug-in enabled had nothing for the kit to exploit; where it succeeded, it installed a host of different malware, including ZeuS, Andromeda and Necurs. It has also been alleged that a primary focus of the campaign was Bitcoin mining, by establishing a “Bitnet” (a botnet whose infected machines are used to mine Bitcoin on the attackers’ behalf) out of the victims’ computers.
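The chain described above (ad creative, redirect to throwaway hostnames on one IP, Java archive, dropped executable) is something a security operations team can look for in its own web proxy logs. The following is an added illustration, not code from the article, from Yahoo or from the investigators of this incident. The log format, the `ads.` host prefix, the first-party domain suffix, and every hostname and IP address (all from reserved example ranges) are assumptions constructed for the example.

```python
"""Heuristic detection of a malvertising drive-by chain in web proxy logs.

Added illustration only. The log format, hostnames and IP addresses below are
constructed for this example (documentation/TEST-NET ranges, .test domains).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumed log format, one request per line:
#   <ISO timestamp> <client ip> <dest ip> <method> <url> <status> <referer> <content-type>
# Constructed sample: client 10.0.0.12 walks the full infection chain; client
# 10.0.0.44 receives an ordinary image banner from the same ad slot.
SAMPLE_LOG = """\
2013-12-30T10:01:02Z 10.0.0.12 198.51.100.7 GET http://ads.portal-example.test/ad.html 200 http://www.portal-example.test/ text/html
2013-12-30T10:01:03Z 10.0.0.12 203.0.113.5 GET http://zq8kd1.lb-ex.test/ 200 http://ads.portal-example.test/ad.html text/html
2013-12-30T10:01:04Z 10.0.0.12 203.0.113.5 GET http://m2vb7x.lb-ex.test/gate.php 200 http://zq8kd1.lb-ex.test/ text/html
2013-12-30T10:01:05Z 10.0.0.12 203.0.113.5 GET http://m2vb7x.lb-ex.test/s.jar 200 http://m2vb7x.lb-ex.test/gate.php application/java-archive
2013-12-30T10:01:06Z 10.0.0.12 203.0.113.5 GET http://p0a9tt.lb-ex.test/load.exe 200 - application/octet-stream
2013-12-30T10:05:00Z 10.0.0.44 198.51.100.7 GET http://ads.portal-example.test/ad.html 200 http://www.portal-example.test/ text/html
2013-12-30T10:05:01Z 10.0.0.44 192.0.2.20 GET http://cdn.advertiser-example.test/banner.png 200 http://ads.portal-example.test/ad.html image/png
"""

AD_HOST_RE = re.compile(r"^ads\.", re.I)      # assumed: ad-serving hosts start with "ads."
FIRST_PARTY_SUFFIX = "portal-example.test"    # assumed: the portal's own domain


def parse_line(line):
    """Split one log line into the fields the heuristics need."""
    ts, client, dest_ip, method, url, status, referer, ctype = line.split()
    parts = urlsplit(url)
    ref_host = (urlsplit(referer).hostname or "") if referer != "-" else ""
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client, "dest_ip": dest_ip, "method": method,
        "host": parts.hostname or "", "path": parts.path,
        "status": int(status), "ref_host": ref_host, "ctype": ctype,
    }


def detect_driveby(log_text, window=timedelta(seconds=60)):
    """Return one alert per suspicious hand-off from an ad host to a third party.

    Stage 1: a request whose referer is an ad host lands on a host outside the
             first-party domain (the ad creative redirected the browser).
    Stage 2: within `window`, several distinct hostnames resolve to the landing
             IP (throwaway domains fronting one server), and/or a Java archive
             or a raw binary is fetched (exploit stage and dropped payload).
    Only stage 1 plus at least one stage 2 indicator raises an alert, so a
    plain image banner served by an advertiser's CDN stays quiet.
    """
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        by_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, landing in enumerate(recs):
            if not AD_HOST_RE.search(landing["ref_host"]):
                continue
            if landing["host"].endswith(FIRST_PARTY_SUFFIX):
                continue
            later = [r for r in recs[i:] if r["ts"] - landing["ts"] <= window]
            hosts_on_ip = {r["host"] for r in later if r["dest_ip"] == landing["dest_ip"]}
            java = [r for r in later
                    if r["ctype"] == "application/java-archive" or r["path"].endswith(".jar")]
            binary = [r for r in later
                      if r["ctype"] == "application/octet-stream" or r["path"].endswith(".exe")]
            indicators = []
            if len(hosts_on_ip) >= 2:
                indicators.append("multiple hostnames on one IP: %d" % len(hosts_on_ip))
            if java:
                indicators.append("Java archive fetched: %s%s" % (java[0]["host"], java[0]["path"]))
            if binary:
                indicators.append("binary fetched: %s%s" % (binary[0]["host"], binary[0]["path"]))
            if indicators:
                alerts.append({"client": client, "landing_host": landing["host"],
                               "landing_ip": landing["dest_ip"], "indicators": indicators})
    return alerts


if __name__ == "__main__":
    for alert in detect_driveby(SAMPLE_LOG):
        print(alert["client"], "->", alert["landing_host"], alert["landing_ip"])
        for ind in alert["indicators"]:
            print("   ", ind)
```

The point of the two-stage rule is to avoid alerting on every third-party fetch that an advertisement legitimately triggers: what distinguishes the exploit-kit hand-off is the combination of an ad-originated redirect with throwaway hostnames on a single server and a Java or binary download shortly afterwards. On real proxy logs the ad-host pattern and first-party suffix would be replaced with the organisation's own allowlists.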
No one doubts the ability of fraudsters to infiltrate websites in order to push malware onto visitors’ computers. But when your core business is advertising, and visitors to your website are your core advertising medium, it is totally unacceptable not to be better prepared for such an attack. No amount of apologies from Yahoo to its users will undo the damage: its reputation has been seriously dented and trust shattered. Companies like Yahoo have a social and moral responsibility to take every measure possible to ensure that such a breach does not occur. For many customers the consequence is that their personal and financial data has been compromised, and for some of the more vulnerable members of our society the results can be shocking.
Unfortunately, Yahoo is not the only major company to have hit the headlines in the past year over a significant breach, and sadly we can expect more of the same in 2014. Once a network or system is compromised, the stolen data remains at large, and its owners remain exposed to attacks on their bank accounts and other accounts of value.
So it is clear that big brands need to act to protect their customers’ information. However, there is also a very important second piece to this puzzle: the banks, because they are the ones who stand to take the reputational hit. After all, if a customer’s bank account details are compromised via Yahoo, TK Maxx, Amazon or the like, the first time the customer will find out is when they look at their bank balance, and the first organisation they will phone is the bank, regardless of where the fault lies. When a few tens of thousands of people are phoning their bank to find out what is going on, that puts serious pressure on the bank’s systems and causes considerable reputational damage.
This means it’s up to banks to make sure that when fraudsters get hold of bank account information, they can’t do anything with it.
The answer to this conundrum is stronger authentication: systems that can quickly and accurately confirm or deny the identity of the user, making it much harder for criminals to use stolen data. Being able to tell a fraud event apart from a genuine user making a transaction is the ultimate weapon in the defence against this crime, and it is also best practice in terms of consumer protection and satisfaction. The key lies in the security architecture: the highest levels of security and privacy, achieved by combining invisible security layers, with low or no friction on the consumer side. Voice biometrics can be a vital component of this architecture when used as one factor in a multi-factor approach, not as a replacement for the others: voice verification extracts from the speech signal specific features that are directly related to the morphology of the speaker’s vocal tract and are unique to the individual. In short, it gives consumers confidence that a fraudster holding their stolen account details still cannot pretend to be them.
Corporate mind-sets have to change. The technology exists today to add these complementary security layers to existing defences. The payback for those that get this right will be swift and significant: consumers will be quick to recognise the brands that give them assurance that their banking credentials are protected, their transactions are secure and their interactions are intuitive.