Notorious malware strikes again in new strain but banks must put the customer first, says Aspect
The effort to battle fraud rages on as it has emerged that the notorious GameOver Zeus malware and associated CryptoLocker ransomware are suspected returned, although in a new as-yet undetermined form. With experts detangling the code underneath the latest threat, the risk of people’s private banking information being exposed to fraudsters grows as long as banks fail to take those precautionary measures to protect them, a security and fraud expert from Aspect Software has said.
Guy Cooper of Aspect suggested last month that the vicious programmes would return, and that valiant efforts to stave off attacks – or at least encrypt data that the viruses could not access – would only be a temporary measure. Cooper said: “Fraud follows the same channel of adoption. Years ago, only PCs generally caught viruses as not enough people owned Macintosh computers, therefore it wasn’t worth the cybercriminals’ time to write malware for them.
“Today, we’ve no longer just got to worry about desktop computers, but smartphones, or tablets, or connected devices of any kind where private or sensitive information will be held. The more digital channels are embraced, the more impact there will be from a fraud standpoint. One day, this will be most things in our home as the Internet of Things prevails, but for now, banks mustn’t stand still and should recognise that fraud is an evolving landscape, not cut and dried sets of threats,” he said.
Cooper continued: “The problem is of course, achieving a happy medium between the three factors of consumer security: the minimum amount of security required to protect customer data, what efforts the customer is prepared to go to in order to identify who they are, and finally, the expected and acceptable level of freedom afforded to customers to move between devices and contact channels without exerting more effort in the name of security. It’s not easy, and not something that banks should expect to achieve easily. But working towards it is a start.
“Reducing some of that customer effort by finding out how far they are reasonably prepared to go to prove that they are who they say they are is key. Too much effort, and they end up frustrated, and perhaps less likely to use that particular bank’s mobile application again, or access that particular web service – or may even move providers. Too little, and the bank risks making it easier for malware such as GameOver Zeus to get hold of PINs or passwords, particularly if the customer has received one-time-use codes from their bank via SMS.
“The message is this: do all you can to help protect your customers but not at the expense of a great customer experience. But at the same time, do all you can to make it a great, simple and easy experience, but never, ever, drop an essential layer of security or authentication in favour of the experience. Customers must also take some responsibility in protecting themselves, which is why it is easy to find consumer advice on fraud, it’s just not so easy for organisations,” he said.
Cooper concluded: “The industry is developing technology that perfectly combines ease of access with protection. However it may be a case of both customers and banks deciding what’s more important to them, which will not be an easy decision to make.”