Last week there were several articles about businesses and schools that lost money through malware-enabled ACH transfers out of their bank accounts: Network World: "Cyber attackers empty business accounts in minutes"; Brian Krebs of the Washington Post: "The Growing Threat to Business Banking Online".
And we continue to hear about credit card data being stolen from servers: Security Watch: "Network Solutions User Credit Cards Compromised".
It's no wonder. While we witness continued dithering over cyber policy, botnets continue to grow and become more sophisticated and cash-focused, the DNS remains vulnerable one year after the Kaminsky bug was publicized, and email continues to have no authentication or simple way to be encrypted.
What caught my eye in the Network World article on cyber attackers is the following:
The fraud typically starts with a targeted phishing e-mail, aimed at whomever is in charge of the company's checkbook. By tricking the victim into running software, opening a harmful attachment or visiting a malicious Web site, the criminals are able to install keylogging software and steal bank account passwords.
How simple and efficient. Email is the easiest way to attack and it only takes a moment of carelessness to compromise a business or not-for-profit institution. But it would be very easy to enable email authentication and even very simple encryption using the DNS and DNSSEC. That would make this type of attack very difficult and unlikely to succeed.
The solution is really, really simple. I will elaborate on this in a subsequent post.
If banks and other institutions upon whom we depend to keep our money safe do not implement these steps, then it is inevitable that they will be required by mandate to do so. Users of on-line banking need better protection than they receive today.