
A cure to common cold is found!

I’ve recently spotted two articles that share a single theme: they basically announce the online fraud fighting world’s equivalent to “A cure to common cold is found!”. 

The first article is about a certain web payment organisation that will tackle phishers by blocking old browser versions, making sure users will access their accounts via more advanced and phishing-hardened browsers. The second was an announcement of one of the major security players that a large UK bank is beefing up their web security through the introduction of extended SSL. 

Don’t get me wrong. First, I respect both financial organisations very much for their fraud fighting capabilities. I know that they invest a lot in online fraud fighting, deploy many layers of security and do a lot of things behind the scenes, which in my mind is the most effective strategy.  

Second, both moves make a lot of sense as they can help customers help themselves: new browsers are far better than old ones when it comes to security, and extended SSL certification is far better and more idiot-proof than its standard version. Both provide visible cues for users to know something is phishy. That’s why I’m not naming names or pointing fingers.

In fact, I’m applauding the initiatives and think more industry players should follow that lead. 

It is the dramatic language of the articles that makes me raise an eyebrow. There’s a very big gap between the effectiveness of these measures and the words used to describe them.

Here’s the thing: fighting fraud through browser-level cues is one layer of security, but in itself will not leave a dent in online fraud.  The reason is that online fraud is a moving target. It took years to educate consumers not to open file attachments from people they don’t know; this didn’t stop the wide spread of malware and botnets. It took years to educate people to expect the yellow SSL lock; this didn’t stop the wide spread of phishing. 

Chances are that in 3 years, everyone will have the latest browser version, extended SSL, the works. Now, let’s have a quick poll. How many of you think this will stop fraud? Raise your hands please. Higher, guys, I can’t see them. Oh, you didn’t raise hands? I’m not surprised.

Fraudsters already have several tools in their arsenal to bypass these visual cues. Take HTML injection Trojans: you actually keep a live session with the real bank, the URL is that of the real bank… It’s just that crimeware installed on your PC takes whatever HTML is presented on screen and injects new code, which means the Trojan operator can present pretty much anything while piggybacking a legitimate session with the bank’s web site. You’ll get all the right visual cues, but the content is completely under the fraudster’s control.

HTML injection Trojans used to be anecdotal a few years ago. Today they’re everywhere. They also don’t cost much. For $350 I can get you a good one called Limbo. Put Limbo on your machine, and you’ll be amazed to see your bank requesting all sorts of data when you log in – things like your ATM PIN and birth date.

Believe me, if you have one on your computer you won’t be able to tell the difference between a Limbo controlled session and a genuine one. Since it piggybacks the session, all the visual cues are there. 
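The injection described above, seen from the defender’s side as an added example (not code from this post or from any product it mentions): a page-integrity check compares the input fields the bank’s server actually rendered with the fields present in the page the browser ended up displaying, so that fields the server never sent stand out even though URL and SSL cues are untouched. Both HTML snippets and the field names `atm_pin` and `date_of_birth` are constructed.

```python
from html.parser import HTMLParser

# Constructed: the login form exactly as the bank's server sent it.
SERVER_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

# Constructed: the same page as displayed after an HTML-injection Trojan
# added fields inside the live session. URL and certificate are unchanged.
INJECTED_HTML = """
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="password" name="atm_pin">
  <input type="text" name="date_of_birth">
  <input type="submit" value="Log in">
</form>
"""


class InputCollector(HTMLParser):
    """Collects the name attribute of every input, select and textarea."""

    def __init__(self):
        super().__init__()
        self.fields = set()

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.add(name)


def form_fields(html):
    """Set of field names found in an HTML document."""
    parser = InputCollector()
    parser.feed(html)
    return parser.fields


def injected_fields(server_html, rendered_html):
    """Fields present in the rendered page that the server never sent."""
    return form_fields(rendered_html) - form_fields(server_html)


if __name__ == "__main__":
    print("injected fields:", sorted(injected_fields(SERVER_HTML, INJECTED_HTML)))
```

A Trojan that controls the browser can also tamper with any integrity script running in that browser, so the manifest and the report belong server-side, as one layer among the behind-the-scenes controls the post describes.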

If you’re interested in developing an online fraud career, I highly recommend Limbo. 

The bottom line is that browser-level visual cues are not the cure for online fraud, and anything that reads like “a cure to common cold is found!” should make you raise an eyebrow.


Comments: (2)

A Finextra member, 24 April, 2008, 15:07

Hi Uri,

Glad you agree with the browser confusion, which of course, apart from confusing end users yet again, doesn't really address the problem, rather it's just green window dressing.

We know that with out-of-band mobile solutions we can defeat a man-in-the-middle (or limbo session attack), either when the hacker substitutes another account as the payee, or alters the amount of the transaction, but is there any browser based or best guess adaptive solution which can achieve this via the internet? 

I know we can obviously guess if the action matches a user pattern and assign a risk value to it, but there is no way to 100% protect internet based transactions with internet based solutions. It seems that out-of-band (mobile) solutions are the only potential cure to this 'cold' problem.

Am I right?

Uri Rivner - Refine Intelligence - Tel Aviv, 25 April, 2008, 06:19

I'm a big fan of out-of-band authentication via mobile or phone. It has the best chances of defeating a man-in-the-browser (MITB). I’m going to write a blog entry explaining why I like it, what its drawbacks are, and how I think it should be effectively used.

As a side note, Man-in-the-middle (MITM) is a prevalent attack vector and is pretty easy to address: the cash-out of the stolen credentials is done from another machine, so a good device recognition technique will work.

MITB is a phantom attack: with one or two exceptions, and despite common belief, it has never been tried in a live attack on a financial institution. It requires a lot of effort on the fraudster’s side, and a degree of vertical integration between credential thieves and cash-out operators that makes it impractical at this point of time. Researchers differ on predicting when it will become widespread, if at all.

My thinking is that it might happen if banks start an arms race of visible authentication that cannot be otherwise breached. 

There are plenty of covert, invisible defenses against MITB which can complete your defense array: from user behaviour profiling and pattern analysis through various clever counter-measures I won’t describe here (no need to give a freebie to fraudsters, right?).

As of now, OOB based on mobile or phone devices is the best, most cost effective authentication in a MITB scenario. Anyway, I’ll post my full thoughts on OOB at a later time and we can bicker about them ;)

Uri Rivner, CEO and Co-Founder, Refine Intelligence, Tel Aviv
