Staying off the Hook


The Middle East has been hit by a spate of bank security breaches and phishing frauds in recent months as scammers go on the prowl for new victims. Business Management catches up with the man on the front line at National Bank of Kuwait (NBK) – Chief Information Security Officer (CISO) Tamer Gamali – to discover more about battling the on-going phishing threat.


“You are trying to find solutions that provide the highest levels of controls but the greatest amount of flexibility for the customer”
-Tamer Gamali, National Bank of Kuwait

On the morning of Sunday, June 22, 2008, alarm bells began to ring at NBK. A phishing scam was targeting customers in a bid to steal customer information and passwords. A bogus email, purporting to be from NBK, claimed that the bank had lost the details of two million bank customers and that re-registration was required. The fraudsters tried to direct customers to a fake NBK login page where details would be stolen and accounts raided. Fortunately, NBK’s anti-phishing controls quickly detected the con and the site was taken down within hours. No losses were suffered by NBK or its customers.

“It wasn’t the standard ‘update your banking details by clicking here’,” reveals the bank’s CISO Tamer Gamali. “They added a story about the bank losing details in an effort to try and mislead the customer.” But there was one glaring error, as Gamali explains. “The email was done by someone with not a great deal of knowledge because it mentioned two million customers. The population of Kuwait is 2.7 million and there are at least eight banks operating here. No single bank has two million customers.”

Despite the inflated online customer numbers (the correct figure is just over 100,000), the email would have appeared genuine to an unsuspecting NBK client checking their email accounts. They could have re-registered only to later discover that their account had been emptied. And don’t forget, just a tiny strike rate is good enough for the gangs behind these scams. “They will send 500,000 emails and if they can get one or two to respond then they have made their money,” says Gamali.

The incident in June was just the latest in a long list of phishing attacks on banks in the Middle East as the criminals increasingly divert their efforts away from the European and US banking giants. Indeed, Gamali says he discovered 10 fake NBK websites two years ago, but in 2008 this figure has leapt to 50. On top of this, a survey conducted by Readiminds revealed that more than 20% of banks in the Middle East have been targeted by phishing or pharming (a hacker’s attempt to redirect a website’s traffic to another, bogus website). Institutions in the region are having to ramp up security and controls, as well as educate customers, in order to stay ahead of the fraudsters; not an easy task in these times of 24/7 online banking.

“Three years ago the phishers were going for the mainstream banks; they weren’t targeting the Middle Eastern ones,” Gamali remarks. “However, three years down the line they are moving to other banks so now is the time that the banks here should have all the measures in place. They have been lucky to get away with being affected for a while now but no longer because they are easy pickings – especially those that have a lack of controls in place.” Gamali also notes how important it is for these controls to be different. For instance, if you are a bank that has a single password for logging in and a single password for a transaction, then a phisher, if he can get the customer to respond, has all the details that he needs. By the time the customer discovers the fraud he or she will probably be seriously out of pocket. In terms of reimbursement, some banks do offer to refund customers and others won’t; it’s a grey area with no clear law or policy.

Attack, not defence

Over three years ago NBK identified the need to tackle the security threat (not just phishing) head-on. Gamali, previously head of security services for KPMG Kuwait, started the information security unit from scratch when he arrived at NBK. At first Gamali and his team dealt with phishing scams themselves, but they soon realised this was not practical. “We used to contact the ISPs directly and work on getting the [phoney] sites taken down,” he explains. “However, the volume of work started to increase to a point where we began facing the challenge of how to speak Korean to an ISP in Korea or Dutch to an ISP in the Netherlands. All of a sudden we needed to speak 25 languages.”

NBK also had to work with the international ISPs to get bogus sites removed. June’s fake NBK website was taken down in just over two hours, but it all depends on where the ISP is based, with Eastern Europe, the Far East and South America often taking longer. “There is no hard or fast rule on how long it takes – it depends on which country and ISP you are dealing with,” Gamali confirms.

To help with the legwork of detecting fraudulent websites and contacting the ISPs, NBK opted for the services of Cyveillance. The US-based company monitors the main mail boxes, such as Yahoo! and Hotmail, to spot the bogus emails and locate where the fake websites are being hosted. Kuwait’s biggest lender is then able to carry out quick analysis to identify compromised cards before a fraudulent transaction has occurred. The bank can also send an SMS text to a customer’s phone the minute a transaction takes place. If it is indeed an unauthorised movement of money, the customer can contact the bank to block it.

This pro-active approach to phishing, and security in general, fended off the attack in June, but Gamali is all too aware that it surely won’t be the last one he and his team have to deal with. Indeed, according to research more than 60 million phishing emails are sent each day, with about one in six eventually opened. The Anti-Phishing Working Group (APWG) reported between 30,000 and 50,000 new phishing sites per month in 2007. “Phishing and related website spoofing has grown to an epidemic worldwide,” acknowledges APWG Chairman Dave Jevans. “Most people would be shocked to learn that billions, yes billions, of spam and phishing emails are sent every day by scammers.”

And Gamali suggests that do-it-yourself phishing kits on the internet are only exacerbating the problem. “These online kits take you step-by-step through how to find websites that you can hack and upload your pages to, and it gives you a mailing list of who to send it to,” he notes. “So if you have the kit and a reasonable IT knowledge you can have a go at phishing.”

After the criminals have reeled in a victim then comes the problem of how to get the money out of the account. With international transfers there is a ‘window’ that allows transfers to be stopped if spotted by the bank or the customer. Not to be outsmarted, the phishers are exploring ever-more devious methods – including utilising mobile phones. “This is a new trend here but one that has been going on in the US for a while,” Gamali reveals. “If they can obtain card details through phishing they can then go and buy credits from a telecoms company and charge up the phone with thousands of dollars of credit and then transfer smaller amounts of credits to people enticed into money making business opportunities advertised through the internet, who would then go on and sell credits to end users on the street. If any alarm bell rings then the local credit dealers would be arrested, who have no link back to the original culprits. This is using the telecoms companies to launder money.”

Education

In an ideal world customers would just delete phishing emails when they land in their inboxes. It’s customer gullibility that the con artists prey on along with the fact online banking is an important revenue stream for the banks. The institutions have been educating customers on what to look out for and to be extremely suspicious of emails purporting to be from their lender. Unfortunately, this education won’t prevent everyone from falling victim. Jevans is philosophical about the problem. “Even if we could afford the expense of educating tens of millions of consumers, the phishers and crimeware authors are continually improving their techniques in order to make it virtually impossible for people to discern fake emails from the real thing.”

One security expert who knows a thing or two about the global problem of phishing is PayPal CISO Michael Barrett. For him, a positive attitude goes a long way. “People have a tendency to say, ‘Woe is me, phishing is insolvable’. We think that’s way too defeatist and that actually the problem is surmountable. Education, technology and industry partnership will be the answer to the phishing problem.”

Gamali agrees but is keen to stress that the banks walk a fine line between security and flexibility. Controls need to be tight, but not so rigorous and time-consuming that consumers can’t be bothered to bank online. “You are trying to find solutions that provide the highest levels of controls but the greatest amount of flexibility for the customer. You don’t want them to be heavily impeded by using online banking because it is a channel that the banks encourage customers to use. We want to continue to provide that service but we also want to provide the assurances that it is secure.”

However, with all the media coverage about the proliferation of phishing scams and the security steps that banks have had to implement, there is a danger that customers will log off for good. After all, without trust that online banking is safe, it is an uphill struggle to attract new customers. So is banking on the web slowing down, or even declining, over security fears? NBK’s CISO says evidence suggests this is the case. “I recently saw some statistics that there was a decline in online banking last year by somewhere between 10 and 15% because customer confidence had dropped due to people perceiving online banking to not be secure.”

So what would Jevans like to see done to restore customer confidence and deter criminals? “We, as an industry, must implement email authentication technologies to allow ISPs to automatically reject fake emails, and ensure that important business emails are reliably delivered.” He adds: “It is crucial that banks and brokerages start to authenticate the email that they send, in order to allow receiving computers to verify the authenticity of emails, and automatically reject phishing and other spoof messages.” Gamali describes the banking sector as a “moving target” and emphasises the need for institutions to stay active. He concludes: “You can’t stop people sending emails but the priorities are to shut down sites, educate customers and internal controls to detect fraudulent activity.”

Phishing statistics:

  • 3.6 million people lost money last year to phishing scams worldwide.
  • 40% of phishing sites are hosted in Asia.
  • 90% of business emails received in the Middle East are Spam.

[Sources: Trend Micro and BoxSentry]
