YOU are the weakest link
- Posted by Avi Turgeman
- Feb 16, 2015
- 2 min read

The recent large attack on a Ukrainian bank showed once again that, whatever tool or method the fraudster uses to steal credentials and gain access to the network, the actual fraud is eventually carried out through the weakest link in the organization's security: the human factor!
In that attack, the hackers installed malware called Carbanak on employees' computers and used it to record and steal hundreds of employees' credentials. Only then was the real act of fraud executed: the fraudsters impersonated the bank's officers and, by doing so, transferred millions of dollars to accounts of their own.
Once again the human factor, i.e. the bank officers, was the weakest link in the organization's security process and was used to commit the actual theft. By nature, credentials are always vulnerable to theft.
This was also the case in all the recent attacks on big corporations such as Sony, Dropbox and others. Eventually it is someone's identity that is stolen and used to commit the actual fraud. My belief is that there is no way to prevent credential theft. Therefore there is no point in continuing to try to prevent credential theft by making authentication stronger with additional "virtual secrets" such as fingerprints and other traditional biometric features, because they too can be stolen; likewise there is no point in continuing to rely on standard malware detection solutions, because the fraudsters keep changing the malware and their credential-stealing techniques. A law of nature is that as long as there are credentials and "virtual secrets" to be stolen, they will be stolen.
The only way to really secure an organization is to better protect the human factor: not just by using another "virtual secret", but with continuous behavioral and cognitive biometrics that authenticate the user based on the actual activity he performs online, in a manner such that no one else can act on his behalf.