Avivah LitanThere certainly is no shortage of target hacks against major and small businesses and individuals, sensitive infrastructure, and financial information. Many of these attacks are coming from China and it’s hard to decipher if it’s a Chinese conspiracy or if it’s just the fact that a lot of hackers have traditionally come from China in any event. Or maybe both. (One piece that doesn’t get discussed in the media is the appearance of lots of alleged securities fraud against U.S. investors originating from companies with Chinese names. Check out www.rosenlegal.com for its list of class action suits).
Maybe I’m missing something here, but I believe a layered fraud prevention system (which some of the largest and best equipped financial institutions are already using or working towards) can prevent most of these attacks, such as the one that just occurred at Google. See our recent research note “The Five Layers of Fraud Prevention, and using them to prevent Malware Attacks”.
Here are some measures that can be used to stop damage from attacks against user accounts, whether they are email, online gaming, bank accounts or any other type of account:
a) End-point centric fraud prevention using; device identification, analysis of the time differential on the originating device/PC, out of band transaction verification (after authentication), navigational profiling, user and account profiling, malware on session detection, and more.
Sure, in this case and others like it, the bad guys may have had trojans sitting in the legitimate user’s browser, and could have accessed the Gmail accounts in ways that fit all the profiles and mute the effectiveness of device identification, but software that detects malware in the sessions accessing the server could probably have nailed the intruders.
b) Google could also offer high risk users on an opt-in basis ‘secure browsing’ software either downloaded to their PC or on a external drive, e.g. a USB stick. I realize this would be difficult logistically to pull off with millions of users, but it could and should be offered to high risk users who want to pay for the additional security.
Finally, it’s noteworthy that Google spotted the attacks and openly communicated them to the public. It calls out the usefulness of cyber-intelligence and anti-phishing services (Google probably has developed its own) that find attacks against brands and users (including phishing attacks which in this case may or may not – probably not – have used Google’s brand), and tries to shut them down before they wreak any damage.
But more importantly and helpfully to the organizations, these services recover stolen credentials from drop servers and send them to the affected service provider. At that point, the stolen information becomes actionable, since the affected enterprise can put those accounts on a watchlist, deny access or take other suitable cautionary measures.
Cyber-intelligence services are not used by most organizations at this point, but most companies who have assets and accounts to protect should certainly consider using them.
Category: Uncategorized Tags:
1 response so far ↓
1 Holly June 3, 2011 at 1:52 pm
Two-factor authentication adds an extra layer of security so that fraudsters can’t gain access to your account if they steal your username and password. Since Google’s two-factor authentication sends a code to your mobile phone, the lack of this would preclude fraudsters from gaining access to your account. Phishing sites can be very hard to spot, so luckily there are simple things people can do to minimize the damage. (Disclosure: I work for Symantec)