Banks need holistic security approach

Banks and financial institutions need to adopt a more holistic security approach amid an ever-changing threat landscape, advise security experts.

Fraudsters continuously develop resourceful, inventive ways to get hold of user credentials and commit unauthorized access to systems, noted Alvin Ow, Asia-Pacific and Japan technology consultant director of EMC's security division RSA.

Banks and financial institutions, therefore, will have to keep ahead of creative attack methodologies while tightening and reinventing their security strategies, Ow said told ZDNet Asia in an e-mail.

Citing findings from Verizon's 2011 Data Breach Investigations Report, KPMG Singapore's Victor Keong, said 79 percent of U.S. organizations took weeks to discover a data breach.

"Although traditional defense-in-depth tools such as firewalls and anti-virus solutions do provide a level of protection, they are not able to address the modern-day threats that many organizations are facing," said Keong, who is partner of information protection and business resilience for the consulting firm.

He advised banks and financial institutions to put the right people, process and technology that focuse on protection in the current threat landscape. They should also implement proper incident processes which allow organizations to provide quick response on attacks, he said.

Security experts ZDNet Asia spoke to highlighted advanced persistent threat, or sophisticated malware deployed with social engineering to infect organizations, as the most common strategy used by fraudsters. This includes more targeted attack methods such as spear phishing, Man in the Browser (MITB) and Man in the Middle (MITM) attacks.

MITB is a Trojan that attacks Web browsers and is able to modify pages, transaction content and insert additional transactions, while MITM is a form of eavesdropping that hoodwinks victims into thinking they are sending messages to each other.

Address all channels
To step up their security measures, Ow urged banks to adopt a holistic approach that encompasses security tools aimed at addressing various data channels. This could include the combination of anti-Trojan and anti-phishing tools to monitor outside the channel, risk-based authentication for activities at the channel, and transaction-monitoring within the channel.

"Financial institutions should evaluate their security posture against solutions like risk-based authentication, transaction monitoring, anti-phishing and anti-Trojan services," he explained.

Keong revealed that banks and financial institutions have been actively taking steps to mitigate the risk of security breaches. Physical credit card protection, for instance, has improved over the last few years with the introduction of EMV chips, which drastically reduced fraud cases, he said. Singapore banks are also adhering to guidelines set by the Monetary Authority of Singapore, including the implementation of one-time passwords for Internet banking services.

"We access new technologies and programs to guard against security threats as the Internet space is constantly evolving," said a spokesperson from United Overseas Bank, Singapore's third-largest bank. However, the bank did not elaborate on its security techniques.

Myla Pilao, director of core technology marketing at Trend Micro's TrendLabs, cautioned that reputation and brands are on the line, especially when security breaches occur in the financial industry, due to the amount of personal, corporate information and trade secrets.

"A lot is at stake [and] security breaches are likely to get worse," Pilao said in an e-mail.