Notes from FST Media’s Future of Security conference

The third annual FST Media Future of Security in Banking and Financial Services conference took place this week in Sydney and Melbourne and featured a wide variety of speakers from across Australia’s financial services organisations.

The opening address was from ANZ Banking Group’s head of alliances and emerging payments, consumer cards and unsecured lending retail products, Greg Drumm, whose presentation covered the issues of securing financial transactions and information in a mobile environment. After running through a brief history of the mobile industry to set the context, he described a world where mobile devices have become a mainstream financial services tool. The newness of mobile payments means few risks have yet emerged, but Drumm said you can guarantee that they will, especially as fast and reliable identification methods are not yet available in the wider world. He also cautioned that identity fraud costs Australia $4 billion each year, while in the US it is apparently more lucrative than the drug trade. Voice verification shows promise as an authentication tool, but is still not a perfect solution in all situations. Drumm also called for a re-energising of the partnership between the private sector and government to ensure that security issues are handled effectively.

The second session was presented by IBM and delivered by Paul Watters, a research director for the Internet Commerce Security Laboratory (ICSL). Watters led the audience through a thought experiment in which he asked them to put themselves in the shoes of those on the ‘dark side’ and think about how criminals actually run their business. His presentation showed that cybercrime organisations share many of the attributes of legitimate businesses, such as budgets and targets. They go after the richest targets but follow the path of least resistance, and many have developed specialisations. They also tend to keep business hours.

The third session was the Leaders Panel, in which four industry specialists discussed trends relating to electronic security and fraud, moderated by Fortify founder and CTO Roger Thornton. Among the numerous discussion threads was the notion that cyber-criminals tend to be opportunistic and move to different markets and organisations as weaknesses are detected and remedied. They will always target the path of least resistance, but as defences become more complex, so too does the complexity of the attacks. Threats are also evolving quickly, forcing financial services companies to increase their research and intelligence work to better anticipate what is coming. Even relatively unsophisticated attacks can get past complex security systems in the right circumstances. While fraudsters are getting cleverer, the panel agreed that to date the good guys are one step ahead, and may even have widened the gap slightly in the past year.

After the morning tea break Suncorp’s executive manager for group financial crimes, Marty Latimer, talked through the details of how Suncorp deals with online fraud. Latimer said that in almost every case the fraud involves a new IP address and a larger than normal amount transferred into a new account, but recent attempts are becoming more complex. He said his team was constantly battling for speed in responding to new threats, while man-in-the-middle attacks that get around two-factor authentication are emerging and social media is becoming a more prevalent attack vector. The big question is whether fraud detection systems can keep up, as he pointed out that the next generation of users live their entire lives online. He said the key was in developing fluid analytics that could model on the fly and intervene only in high-risk transactions, with real-time intelligence sharing to detect more complex fraud indicators such as authentication bypasses.
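As an added illustration of the kind of rule Latimer described (this is not Suncorp's system or anything shown at the conference), the following Python scores a transfer against the three indicators he named: a source IP the customer has not used before, a destination account the customer has not paid before, and an amount larger than the customer normally sends. The customer records, the weights and the intervention threshold are all constructed assumptions for the example; the point is that a single indicator (a customer travelling and logging in from a new IP) stays below the threshold, so the system intervenes only when several indicators coincide.

```python
"""Toy online-fraud risk scorer (added example; data and weights are assumed)."""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Transfer:
    customer: str
    ip: str        # source IP of the session that submitted the transfer
    payee: str     # destination account identifier
    amount: float  # in dollars


# Constructed history of one customer's past, legitimate transfers.
HISTORY = [
    Transfer("cust-1", "203.0.113.10", "acct-rent", 1200.0),
    Transfer("cust-1", "203.0.113.10", "acct-rent", 1200.0),
    Transfer("cust-1", "203.0.113.10", "acct-util", 180.0),
    Transfer("cust-1", "198.51.100.7", "acct-util", 175.0),
    Transfer("cust-1", "203.0.113.10", "acct-rent", 1200.0),
]

# Assumed weights and threshold; a production system would learn and tune these.
WEIGHTS = {"new_ip": 30, "new_payee": 35, "large_amount": 35}
INTERVENE_AT = 70


def indicators(tx, history):
    """Evaluate the three indicators for one transfer against the customer's history."""
    past = [h for h in history if h.customer == tx.customer]
    known_ips = {h.ip for h in past}
    known_payees = {h.payee for h in past}
    typical = median(h.amount for h in past) if past else 0.0
    largest = max((h.amount for h in past), default=0.0)
    return {
        "new_ip": tx.ip not in known_ips,
        "new_payee": tx.payee not in known_payees,
        # "Larger than normal": above the customer's largest previous transfer
        # and more than twice their median. With no history at all every
        # indicator fires, so a first-ever transfer is always reviewed.
        "large_amount": tx.amount > largest and tx.amount > 2 * typical,
    }


def risk_score(tx, history):
    """Sum the weights of the indicators that fired."""
    return sum(WEIGHTS[name] for name, hit in indicators(tx, history).items() if hit)


def decide(tx, history):
    """Return ('intervene' | 'allow', score); only high-risk transfers are held."""
    score = risk_score(tx, history)
    return ("intervene" if score >= INTERVENE_AT else "allow", score)


if __name__ == "__main__":
    candidates = [
        Transfer("cust-1", "203.0.113.10", "acct-rent", 1200.0),  # routine rent payment
        Transfer("cust-1", "192.0.2.44", "acct-rent", 1200.0),    # same payment, new IP
        Transfer("cust-1", "192.0.2.44", "acct-mule", 4800.0),    # new IP, new payee, large
    ]
    for tx in candidates:
        print(tx, decide(tx, HISTORY))
```

The `decide` function is the only hook an intervention step (a step-up challenge or a hold for manual review) would need; the indicator set is deliberately small so the scoring stays explainable to the fraud analyst who sees the alert.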

The final presentation was from Zlatko Hristov, regional head of IT security at MF Global. He opened with the statistic that 65 percent of web surfers had fallen victim to cybercrime, and then took the audience through a possible scenario in which a business user is infected while on a public WiFi network, demonstrating how the malware package could perform functions ranging from key-logging bank details to acting as a router once the infected machine connects to a business network and alerting a command and control host, creating a breach through which an attack could be launched. He also took the audience through a live hacking demonstration, in which a computer was exploited and a malicious payload uploaded. What was most surprising was how easy he made it appear. “User awareness is the most powerful weapon, but it is the most difficult to implement,” Hristov said.