Subscribe
About

Standard Bank to step up e-crime measures

By Iain Scott, ITWeb group consulting editor
Johannesburg, 07 May 2008

Standard Bank is considering a number of new technologies in its drive to protect itself and clients from increasingly sophisticated online fraud and theft.

Speaking at the ITWeb Security Summit in Midrand this morning, Pat Pather, Standard Bank director for group IT security, said that the bank was looking at, among other things, matrix cards, tokens and integrated token cards, a risk-based authentication model for self-service channels, voice biometrics for call centre and telephone banking, and fingerprint and palm-vein biometrics in the branch network with extension to ATMs.

Pather outlined for delegates the evolution of e-crime, beginning with "brute force" attacks when online banking began in 1997, and evolving through keystroke logging and ID theft, phishing, hybrid spyware, and SIM swaps to more recent man-in-the-browser attacks.

As an example of the latter, he highlighted the "silent banker" Trojan, which manipulates online transactions to reroute payments into defined accounts.

Pather says that e-criminals are becoming more sophisticated. As a result, the next generation of attacks will see greater focus on finding application vulnerabilities.

"Application security is very important. Hackers are going to start hacking into your system. The very simple reason is, as we tighten up our controls, meaning we have two-factor authentication in place and so forth, what are people going to do?"

He says time between discovery and exploit is shrinking to the point of zero-day attacks. He also expects to see complex social engineering techniques and the emergence of "smishing" (gathering sensitive information via cellphones) and "vishing" (voice).

The bank has had significant success with combating such crime to date. Pather highlighted a current case where the bank worked with other parties, including the Scorpions, to locate a Cape Town-based man who was arrested after allegedly stealing money from online accounts using information sent to a server in Estonia.

He says that the bank has staff whose sole function is to proactively monitor and manage online fraud attempts.

Share