Thieves to target new technologies

Social networking sites and online banking will be a major target for attacks next year as criminals continue to make money from mining personal data and commiting ID fraud, according to new pieces of research released last week.

The annual Virtual Criminology Report is commissioned by security vendor McAfee and draws on sources including the Oxford Internet Institute, the LSE's Information Systems Integrity Group and the Met's Computer Crime Unit. It warned that attacks on web-based services such as online banking will be one of the ten biggest global security threats in 2008 and may crucially damage consumer confidence in such services.

Peer-to-peer and social networking applications in particular were highlighted as prime targets for criminal gangs to harvest personal information, which could be used in future targeted phishing attacks, or to sell on the black market.

"It's key that the people running the web servers are keeping their systems updated with the relevant security," warned Oxford Institute's Ian Brown. " Malware has become very sophisticated and can be aimed at specific companies, making it trickier for security writers to [mitigate the threat]."

The UK's financial institutions also came in for some criticism, despite banks such as Barclays rolling out two-factor authentication during 2007 in an attempt to halt fraud.

“User-interface tricks to improve customer security do not seem promising and customer testing will be very problematic with card readers,” wrote Cambridge Univerity's Richard Clayton in the report. “What we need is banks controlling transfers more carefully, spotting patterns, limiting transfers out to trusted recipients like gas companies."

Paul Henry, technology evangelist for security giant Secure Computing, said he was "incredibly disappointed" in the response from financial institutions to the phishing epidemic.

He added that enterprise security policies must involve protection across all protocols to work effectively, while firms need to classify their data more rigorously to mitigate any risk of loss or improper disclosure.

Meanwhile client side vulnerabilities are on the rise according to the latest annual Top 20 report by the SANS Institute. The report highlighted a significant rise in vulnerabilities in web browsers, office software, media players, email clients and other desktop apps.

“The attacks are getting very complex in the way they are coded because criminals are trying to bypass traditional anti-virus software,” said Sans editor and TippingPoint security researcher, Rohit Dhamankar. “And web administrators need to blacklist at a network level so that users can’t visit certain sites.