Cloud providers have attracted enterprise customers with the promise of rapid
elasticity, on-demand provisioning, high availability and a pennies-per-hour
pricing model. But there's just one problem: These very qualities have enticed
criminals to adopt cloud services as well.

When a scam artist is looking to set up a phishing scheme to gain access to victims'
bank accounts, the built-in redundancy, scalability and automation capabilities
of cloud servers are extremely appealing. And when all it takes to procure
cloud services is a working credit card -- without ever needing to deal with a
live salesperson -- the cloud becomes an even more viable base from which
criminals can commit fraud.

"All of the advantages of the cloud for enterprises are the advantages for the bad
guys," said Jeff Spivey, international vice president of ISACA, a founding
member of the Cloud Security Alliance (CSA) and president of Security Risk
Management Inc., a Charlotte, N.C., information security consultancy.
"It's that anonymity and scale that's attractive to the fraudsters."

Without proper cloud-based fraud detection and prevention practices in place, cloud
providers can become unwitting hosts for cybercriminals. It's a threat that can
expose providers to legal liabilities, profit loss and blacklisting. What's
more, any cloud provider can become a target.

"While cloud has been a phenomenal enabler for legitimate businesses, it's also been a
phenomenal -- and I mean phenomenal -- enabler for fraud and fraudulent
activity," said John Rowell, senior vice president of research and
development as well as global service operations at Dimension Data, a South
African cloud and managed services provider. "Fraud is a huge deal on the business
side."

How does cloud-based fraud occur?

Across the broader market, discussions about cloud security have focused primarily on
the customer side of the equation. Even as cloud providers continue to devote
the resources necessary to ensure that customer data is secure, they can't
overlook the fact that some of their own customers could be a threat.

Fraud manifests in the cloud in several ways, according to experts. Typically,
fraudsters use a stolen credit card to procure virtual machine (VM) instances
or platform services on which they build their operations -- among them phishing
schemes, money-transfer scams, identity theft and malware.

"[You] can go get a fraudulent credit card, a good one -- it'll be working, but it'll
be stolen -- for less than a dollar," Rowell said. "So, think about
how the cloud enables [criminals]. All they have to do is sign up online and
they can have a server in five minutes for less than a buck, and it's a
throwaway identity."

In a joint investigation in 2012, researchers from McAfee Labs and Guardian
Analytics uncovered a massive, cloud-based banking fraud operation that
attempted to bilk an estimated $78 million from account holders in Europe,
Latin America and the United States. The investigation, dubbed "Operation
High Roller" because of the criminals' focus on high-balance accounts,
found the scheme's success hinged on the resource availability and automation
in the cloud, as opposed to a single host computer.

"With no human participation required, each attack moves quickly and scales
neatly," investigators wrote in a report.

In some cases, criminals skip the stolen credit cards altogether and instead crack
into a legitimate customer's account, hijacking the VMs to use for their own
fraudulent activities. Cyber criminals are also looking to Infrastructure as a
Service to provide vast amounts
of on-demand processing power to launch distributed-denial-of-service attacks,
according to Raj Samani, vice president and chief technology officer of
McAfee Inc.'s EMEA operations.

Consequences of failure to detect fraud

Although fraud may not be the gravest security threat cloud providers face, ignoring it
jeopardizes their bottom line in several ways.

From a purely financial perspective, any revenue gained from a stolen credit card is
likely to evaporate quickly, thanks to the sophisticated fraud detection
systems banks and credit card companies now use. The real damage comes from the
revenues cloud providers never see from legitimate customers because the
hundreds of VMs they would have paid to access have been tied up by the
fraudsters.

"[There are] service providers that … do not have adequate fraud measures in place, and
they have to be losing insane amounts of money on it," said Dimension
Data's Rowell. "It's got to have an immense impact to their profitability
as well as just the health and cleanliness of their platform."

Moreover, cloud providers that don't commit resources to fraud detection and prevention
could ruin their reputation -- and kiss goodbye any chance to engage enterprise
customers, Rowell added.

"If you were putting up a storefront, you wouldn't want to hang your shingle beside
a shop that says, 'Hey, we're selling stolen credit cards.' No one wants to be
associated with that," he said. "It's incumbent on the service
provider industry to police fraud. If they're not doing it, they're doing their
entire customer base a disservice."

Enterprises are also likely to block IP addresses from which spam and other suspicious
activity originate, unintentionally blacklisting the cloud providers that host
them.

While there is no legal precedent yet, it's possible that governments and law
enforcement agencies may start holding cloud providers criminally or civilly
responsible for neglecting to detect and eradicate fraud, said ISACA's Spivey.

"Depending on how big the problem becomes will determine whether regulators or lawmakers
start to get more involved," he said. "But if I'm running a store,
for instance, and I know people are coming into the store buying and selling
drugs, and I never brought it up to people, then law enforcement is basically
going to [conclude] that I enabled this to occur because I let it happen on my
premises."