By Steve Slater
LONDON (Reuters) - Banks are fighting an uphill battle to protect themselves and their client accounts from cyber attacks, and the sometimes careless use of social media by customers and staff isn't making the fight any easier.
British police and banks this week warned customers about the rise in criminals using social media to strike up a relationship and then try to get money from them.
Personal details from sites such as Facebook, Twitter and LinkedIn are also being used by fraudsters to scam customers, including to help in the increasingly common practice of "vishing", or voice phishing, industry sources said.
"Vishing" involves fraudsters calling and saying they are from the bank. They say there is a security problem, and ask the customer to call the emergency number on their bank card. But the fraudsters never hang up from the call -- in Britain they are able to stay on the line for 2 minutes -- and create a fake dial tone to convince the customer to provide account details or even transfer money to another account.
Britain's BBA banking lobby group estimates one in six customers could fall for this type of fraud, or 8 million people in the United Kingdom alone.
"The classic cyber crime doesn't involve extremely sophisticated technology, it involves finding a date of birth on social media," said Paul Clandillon, European practice leader for fraud and financial crime at IBM, at a recent conference on financial crime.
Revelations this month that hackers had obtained details of 83 million customers of JP Morgan -- one of the biggest data breaches in corporate history -- have shown how vulnerable banks remain, despite spending hundreds of millions of dollars a year on cyber defenses.
That was a complex attack, but far simpler and more frequent frauds involve scammers using social media profiles to obtain a fuller picture of potential victims, bank industry sources and fraud investigators said.
Fraudsters can map out a bank's organizational chart via information on social media, or dig out customer information online. Often they don't need to look far -- when Barclays introduced debit cards with photos on them, for example, some customers posted photos of their new cards, including account details printed on them, on social sites.
THE WEAKEST LINK
"They (fraudsters) view the customer as the weakest link and they are convincing customers they are the bank. They have access to data in ways they never had before," Bruce Forbes, head of security investigations and digital forensics at Royal Bank of Scotland, said at last month's BBA conference.
Banks have long been the favorite target of cyber criminals -- although retailers, healthcare firms and others have also been hit -- with attacks including attempts to steal money, client data or confidential information about sensitive financial deals, or just trying to disrupt systems.
So-called hacktivists can break into financial systems to score political points while state-sponsored hackers can look to conduct industrial espionage or disrupt economic activity using banks as intermediate targets.
Cyber crime costs the global economy $445 billion a year and continues to grow, according to the Center for Strategic and International Studies (CSIS). These losses come from fraud, intellectual property theft and the mushrooming spending on cybersecurity itself.
Often hackers will not use data themselves, but parcel it up and sell it to other people to use, notably specialists who convert stolen passwords and identities into financial gains. Criminals can keep data for months or years before using it.
Social media provides a double-edged sword for banks, however, and the industry is also using it to fight back.
"Social media helps the criminals pursue their trade, but it also leaves a digital footprint in evidence that provides opportunities for us," said Mark Rowley, assistant commissioner for specialist operations for London's Metropolitan Police.
Technology developed more than a decade ago to help casinos in Nevada detect collusion between players and dealers is among the tools being used by banks to hunt for networks of organized fraudsters, by hunting out associations between people on social media that were otherwise nearly impossible to find.
Facebook, LinkedIn and Google Earth are also being used by banks alongside more complex searches, involving trawling for data that does not show on regular search engines.
Such "unstructured data" includes not just social media but pictures and videos and other information, and accounts for more than 80 percent of all data available.
"Focusing on unstructured data is what will give us the edge (over criminals) to be able to identify the very complex and organized collusive rings," said IBM's Clandillon.
(Additional reporting by Eric Auchard; Editing by Mark Potter)