Upcoming changes to the New Zealand financial services industry pose significant security threats for consumers, banks and merchants, says an anti-fraud expert.
Cyber crime consultant Richard Booth, who was in Auckland recently, told the Herald the biggest challenge for kiwi banks will be the roll out of real time payments - where transfers of money clear and settle instantly.
"By the end of next year the ability for a bank to recall suspicious funds, that window shortens from the current three days to zero," booth said.
He said that Kiwi banks need to start investing, in people, processes and technology to improve their real time detection and prevention of fraud.
Booth, who migrated from London to Sydney to run the Anti-Fraud and Cyber Crime Intelligence business in Australia and NZ at RSA, works closely with banks and credit card companies on anti-fraud initiatives.
Booth said New Zealand's physical isolation from the rest of the world had largely sheltered the country from cyber attacks, but that was no longer the case.
"A lot of the attack vectors like phishing and malware that are utilised in Western Europe and the United States are easily reusable in this region," he said.
The anatomy of a fraud attack and how financial institutions can protect our money better
1) Harvesting personal data
Step one for criminals is harvesting people's data, says Booth, and their focus is web and mobile banking channels.
In July alone, EMC's fraud report figures found US$362m was lost to businesses globally through phishing attacks.
"Banks in NZ and Australia are suffering a bit by not investing in gaining visibility - having an understanding about what attacks are threatening clients and being proactive about it," Booth said.
"It comes down to understanding what phishing attacks are out there, what malware attacks are out there and also what rogue apps are out there."
"This is where we start to blur the lines between security, privacy and the need to secure payment," he said.
2) Application fraud
"Identity theft is still on the increase. For me as a criminal, if I can steal your identity and convince the bank that I am somebody else and that somebody else has a good credit history, then I am able to create what is known as a mule account - which facilitates the laundering of money."
Banks can gain better visibility at the point that an application is made around the identity and the behaviour of a user.
Malware and automated scripts can make hundreds of applications with false data, but Booth says banks need to focus on differentiating those 'attacks' with real human behaviour.
3) Account take over
"Once I have got my mule account and I have somewhere I can actually filter money through, now I go after bank accounts that have nice fat balances in them to steal money."
Many banks in NZ and Australia use SMS/text - one-time passwords as a favourite password authentication mechanism, booth said.
But criminals can easily bypass this through number-porting (where a phone number is transferred to a different sim card).
"Telco's aren't regulated enough to do strict identity checks when somebody requests a number port... I don't have to have sophisticated malware to own your phone number, I can just ask the telco to redirect you (text) messages somewhere else and I am then intercepting your one-time codes that get sent to you," Booth said.
One of the first step banks can do at the point of login is to look at understanding their users and their normal pattern of behaviour.
"If I (a bank) have never seen someone log into an online session from say Ghana, for example, why all of a sudden are they behaving that way? It can be as simple as understanding what devices your users are logging on with and where they are logging in from."
4) Cash out
"This is where the criminals use all the data they have got and all the accounts they have created or compromised to turn that data into cold hard cash."
Booth says cashing out is usually done by two methods:
• Using stolen credit cards to make fraudulent transactions for goods and then shipping those goods overseas, or;
• Moving money out of the country through bank transfers or using brokerage services such as Western Union.
Credit card transaction monitoring and money movement transaction monitoring are vital at this point, Booth argues.
"Banks in the UK have taken a very strong stance on this, further to authentication they are actually now doing transaction signing."
"This morning I had to move some money from my Barclays account in London and because I am paying new payee that I have never paid before, it wasn't just a case of authenticating that transaction I actually had to use the value of the transaction and destination account details to digitally sign the transaction, there is a one-time code that is tied to that individual transaction - this could be the next step for NZ and Australia," Booth said.
RSA is the security division of EMC Corporation - considered the world's largest provider of data storage systems which also offers information security, analytics and cloud computing services, among others, to businesses.