Last updated: 19 March 2014
Top tip number 2 in our series of 5 reasons to use digital security devices for eBanking
More security is needed where cyber criminals are attacking — at the client’s PC used for online banking.
In its most recent research, the Anti-Phishing Working Group (APWG) determined that 25 percent of all PCs carry some type of financial malware or downloader. Online banking client PCs are so vulnerable that the FBI and NACHA issued what USA Today called an “extraordinary warning”: that small and medium-size businesses should dedicate a PC exclusively for online banking.
Users are cautioned never to go anywhere else on the Internet other than their bank with that PC, and to isolate it from other networks and systems in the company.
According to a recent blog by Robert Siciliano over on Finextra:
“It has become apparent that these conveniences of technology have outpaced consumers’ security intelligence.”
I like the essence of Robert’s blog that banks need their customers to take an active role in making their PC that little bit more secure.
There are many reasons why hackers are able to successfully attack PCs used for online banking. One problem is that traditional protection mechanisms such as anti-virus are based on having seen a virus before. This leaves a window of vulnerability, called zero-day, between when viruses are first detected and when end-users actually install an update to their software that prevents them.
Even more alarming is the fact that spyware tool kits, such as ZeuS and SpyEye, make it easy to create new variants so that hackers can stay ahead of the anti-virus software programs, making them less effective. In addition, these programs act as command and control centers for thousands of “zombie” computers, which enable hackers to deliver millions of attacks very quickly.
The hacker’s goal is to install a program on the PC of a high-value bank account that routinely makes ACH transfers, such as that of a company or a municipality. The program might be a keylogger used to steal login credentials and shared secret questions as the client types them. Another program reroutes the customer to a hacker site when they enter the bank’s URL (called Domain Name Server poisoning, or domain re-directs). The hacker site either captures bank login credentials or hijacks the banking session after login authentication is complete (called man-in-the-middle).
The most insidious threat is the man-in-the-browser attack, a malware program that enables the thief to use the customer’s own browser during the course of an authenticated online banking session. The hacker can then make fraudulent transactions that are invisible to the legitimate user and look authentic to the bank.
The pervasive nature of these threats, combined with the inherent vulnerability of software-based protection like anti-virus software, requires that banks implement new device-based security measures they can put in the hands of their clients.
See part one of the series on taking the scale of fraud seriously and also visit www.ebankingsecurity.net for advice on deploying online banking security.