NAB’s Big 10 Lessons About Online Security

Every month, National Australia Bank (NAB) has to deal with 300 new phishing sites specifically set up to try and steal data from its customers. How does the banking giant deal with that onslaught — and why are scammers looking for victims with “the right level of dumb”?

Picture: Brendon Thorne/Getty Images

Rick Smith, principal security architect for personal and business banking at NAB, gave an overview of the challenges the bank faces in offering a secure service at the Digital Security Summit in Canberra yesterday. Here are 10 of his key insights.

1. Basic phishing tactics still work

Phishing emails might seem dumb and obvious and full of spelling errors, but they continue to appear, which suggests they still work on a worthwhile percentage of victims. “300 is the maximum number of new phishing sites per month trying to steal customer information,” Smith said. “3000 is the number of newly-infected customer machines we find every month.”

2. Dealing with phishing is a full-time job

Handling even those basic threats requires significant resources. “We have teams that run 24 hours a day constantly staying across these threats,” Smith said. Internally, the team are referred to as ‘fraudies’.

3. Spear phishing reconnaissance tools are growing

Mass-mailed phishing can be obvious, so a lot of activity happens in ‘spear phishing’: making a message appear to come from a trusted source. “Spear phishing is all about influence: how do I get you to open that attachment?” Smith noted. Automated tools designed to probe LinkedIn, Facebook and other social networks for potential connections are increasingly being used, and their sophistication is growing. “I bet there’s someone out there using Google Analytics or something like that to measure conversion,” Smith said.

4. Scammers will run psychometric testing

One common form of online scam involves recruiting ‘mules’ for money laundering and other dubious activities, typically with offers of allegedly well-paid work from home. These scams involve more than just email blasts, Smith explained:

Mule recruitment is becoming very sophisticated. They run psychometric tests on the mules. If they’re too smart, they’ll take the money themselves. If they’re too dumb, they’ll look for help from others and expose the scam. So they get put through psychometric testing to make sure they get ‘the right amount of dumb’.

5. Malware converts to cash

While phishing can help build a rogue database of customer details, malware infections remain the most productive sources of revenue for online crime. “Sophisticated cyber-criminals prefer malware,” Smith said. “That’s what really gets them the money.”

6. Mobile is a big target . . .

Online banking from mobiles is big business. “Customers are going mobile,” Smith said. “Nearly half of NAB’s online banking logins are from mobile devices. We get 2000 new downloads of our app every day.”

That does create opportunities for scams, such as the ability to work around two-factor authentication. But before you panic too much . . .

7. . . . but desktop is still easier to exploit

“Desktop malware is still worse than mobile,” Smith said. “Desktop malware has been around for 15 years. It’s feature-rich. What we’ve seen over the last few years [in mobile] is not very functional malware from a banking perspective.”

8. Beware site injection

Malware will often make relatively subtle changes, such as adding an intercession screen to a banking sign-in asking a customer to reconfirm details. Many customers will fall for this, Smith noted.

9. Persuading people to download malware isn’t subtle

“Providing someone with something for free that they would otherwise have to pay for is enough,” Smith said. In the battle between greed and caution, greed often wins.

10. Customer guarantees only get you so far

If fraudulent activity happens, banks won’t hit the customer for that money. Turns out we’re not spectacularly grateful about this, since we end up having to get cards reissued. “One of the biggest bits of feedback from customers is ‘it’s great that you give back the money, but it just takes so long to fix everything’,” Smith said.