Beware Cross-Channel Cybercrime Threats!

Shoot! Anybody with a smidgen of Web security history under his or her belt winces as soon as the word "cross" comes up as a modifier, thanks to the legions of exploits based on cross-site scripting (where by insertion or malice, a script from a seemingly safe and benign site introduces malware or phishing into a browser because of covert references to another script on some other less safe and savory site). When I read about cross-channel threats to banking, I couldn't help wincing just a little, and then wondering what the heck this might mean.

Though I had to dig for a while to find a good explanation, here's what cross-channel threats signify in the context of
cybercrime against banks. These days bank customers use multiple services that include checking and savings accounts, ATM cards, along with debit and credit cards, but may also encompass securities trading, wealth management, and other services, too. Simply put, a cross-channel threat means that when cyberthieves gain illicit access to bank accounts they are likely to attempt multiple types of fraud across the whole account simultaneously, to try to extract as much money as they can in the shortest time possible. Thus, a compromised account is likely to become subject to check fraud, credit card fraud, spurious ATM withdrawals, and attempts to access other assets as well (e-transfers from savings into checking, so that higher ATM withdrawals, or debit card charges, can go through).

Lots of industry experts make the point that too many institutions rely on manual checks to catch fraud, and that not enough technology has been put in place to detect fraud automatically (which usually helps to limit losses, because automated checks are always active, and kick in as soon as suspicious patterns of activity begin to emerge from account data). Here's a scary chart from's "Faces of Fraud: Fighting Back" Executive Summary.

Security experts like to point out that adding fraud detection technology speeds up detection, and will usually deny fraudulent activity before accounts can be completely drained. For more information on this fascinating subject, see Tracy Kitten's article for entitled "Banks Must Improve Fraud Detection," wherein she interviews George Tubin, a senior research director for TowerGroup who focuses on delivery channels and financial security.

Stu Sjouwerman

Subscribe To Our Blog

Ransomware Hostage Rescue Manual

Get the latest about social engineering

Subscribe to CyberheistNews