Online payments of water bills and property taxes are all the rage — a convenient alternative for government agencies and citizens alike. Yet as government follows commercial enterprises into the hotbed of online transactions, they are increasingly at risk for information security breaches — including denial of service (DoS) and phishing attacks — that have already buffeted banks and other firms.

High-profile businesses and federal government agencies have long been targets for cyber-attackers. In a series of attacks from 1997 to 2000, for example, hackers created a “chat room” on the Environmental Protection Agency (EPA) Web site for exchanging notes. Culprits also abused the EPA site to gain unauthorized access to a university computer.

A recent development is that Internet-based security invasions are moving down the food chain, across Web sites run by both private and public entities, often involving online transactions.

“Hackers take the path of least resistance. After a security hole in one place is plugged, they move on to somewhere else,” says Curt Helwig, executive director of the Electronic Funds Transfer Association (EFTA), an industry group based in Fairfax, Va.

Newer victims of cyber-abuse include smaller banks, along with third-world nations and state and local agencies within the United States.

In a recent study, Cyota Inc., New York found a 633 percent jump between January and May of 2005 in cyber-attacks against credit unions, including those operated for employees of state and local government agencies.

“Fraudsters are shifting away from bigger banks and toward smaller institutions that they think lack the right security protections,” says Amir Orad, Cyota's executive vice president.

Cyber-attacks against government Web sites can be politically motivated, but more often cyber-crooks are looking to make a fast buck at someone else's expense. They often succeed.

Observers note that, more and more, organized crime groups — frequently based out of Eastern bloc nations — represent a much bigger threat than political rabblerousers.

“'Bad guys' have always been able to steal money by putting a gun to your back,'” EFTA's Helwig says. “But with the movement of payment from paper to myriad other forms — Internet e-commerce sites, credit cards and stored value cards — crooks can now steal much larger amounts of money in a shorter time.”

ATTACK OF THE ZOMBIE PCS

Which sorts of cyber-attacks are especially dangerous to online transactions? One type of invasion — known as a denial of service (DoS) attack — floods a Web site with so much data traffic that computer users find it impossible to access the site.

Hackers resort to various tools in launching DoS attacks, as well as more sophisticated distributed denial of service (DDoS) attacks. Often, these attacks are spread by means of malicious code such as viruses, Trojans and worms. Typically, this malicious code generates attacks by producing compromised “zombie” PCs that are then remotely ordered to overwhelm a server with requests for service.

In 2002, for instance, a Web site operated by the nation of Pakistan fell prey to an attempted DoS attack performed by Indian hackers who used a worm dubbed “W32/YahaE.”

The worm arrived in electronic mailboxes as an e-mail attachment. It also produced a file on infected computers that exhorted others to join the fight against the Pakistanis.

Other notable politically motivated viruses have included the “Injustice worm,” sent to a number of Israeli government e-mail addresses to transmit pro-Palestinian sentiments.

Yet banks and other online transaction sites are also being shut down by DoS and DDoS exploits. In one recent episode, the Royal Bank of Scotland admitted that WorldPay, its Internet payment division, had been struck by a DDoS attack impacting thousands of its customers.

A PHISH PHEEDING PHRENSY

“Phishing,” another key threat, is newer in origin. In this type of attack, so-called phishers send out fake e-mails — known as “spam” — meant to lure PC users to phony Web sites that appear legitimate. When unwary e-mail recipients go to these sites, they are asked to type in personal information such as e-mail passwords, social security numbers, credit card numbers and bank account information.

Early phishing attacks targeted high-profile banks and electronic commerce sites such as Citibank, Lloyds TSB, Visa, PayPal, EBay and Amazon.com.

These days, phishing is spreading by leaps and bounds. By the end of last year, almost 50 banks and financial services providers had been hit by phishing spam, according to research performed by the security analysis firm mi2g.

State Employees' Credit Union (SECU), the second-largest U.S. credit union, recently underwent a lengthy phishing attack launched from Romania against its Web site, says Rick Rhoads, senior vice president of E-Services at the Raleigh, N.C.-based agency.

How can information security staffers protect against incursions such as DoS and phishing attacks? Many government agencies and businesses erroneously believe they are secure enough if they install firewalls to block unwanted Web traffic and encryption to “scramble” information. These are necessary tools, but alone these are not enough.

Instead, experts advise a “multi-layered approach.” Other useful products and services include spam filtering, authentication and fraud prevention.

The array of tools available for spam protection is mind-boggling. For starters, MX Logic Inc., Denver, runs an online threat center aimed at filtering out fake e-mails for customers.

Another tool — authentication — has traditionally required computer users to use passwords and other mechanisms to prove that “they are who they say they are” before gaining Web site or network access.

Today, however, Web users gain an extra measure of comfort when Web sites use authentication tools themselves to prove, in turn, that “they are who they say they are.”

Cyota eSphinx provides such a two-factor, risk-based solution for online banking, Omar says. Other offerings from Cyota include eVision, an online fraud management service, and SecureSuite, an e-commerce fraud solution that supports both MasterCard SecureCode and Visa's Verified authentication technologies.

SECU's Rhoads credits Cyota with bringing down the attack against the credit union's Web site in just 20 minutes, after SECU had been trying to do so for five days.

One method used by Cyota is to hire multilingual human security experts from around the world, who are able to communicate with offshore Internet service providers (ISPs) in their native tongues, Amar says.

Despite the plethora of products and services available today for protecting online transactions, other issues remain.

“When government Web sites started moving into online transactions, one of the first security steps they usually took was to protect customer information through the use of SSL (Secure Socket Layer) encryption,” says Andrew Stern, director of security at F5 Networks, Seattle. Yet by using SSL, Web sites can unwittingly leave themselves open to attacks by sophisticated hackers, who know how to abuse the software “tunnels” that SSL produces, Stern adds.

F5 makes an “application firewall” to guard against such emerging security problems by filtering out unwanted data from networks and from Web-based software applications.

Furthermore, some firewalls on the market today still perform only “entrance” filtering, screening Internet traffic that is trying to enter a Web site or computer network.

Other firewalls, however, also carry out “egress” filtering to look at data leaving the Web site or network, too. Such egress filtering can be helpful in preventing the creation of PC “zombies.”

Anti-spam products could also stand improvement. Microsoft Corp. is now introducing an e-mail standard called SenderID aimed at verifying the identity of the Internet server where a message originates.

“Any movement toward embracing e-mail standards is a good thing,” says Scott Chasin, chief technology officer at MX Logic.

On the other hand Chasin says SenderID is not a “silver bullet” against cyberfraud, since phishers often steal or “hijack” legitimate Internet addresses for brief intervals, anyway.

Cyber-attacks against Web sites and networks are bound to increase in numbers and complexity. It's in every agency's best interests to stay on top of the latest cyber-ploys and counterploys.