I’ve recently spotted two articles that share a single theme: they basically announce the online fraud fighting world’s equivalent of “A cure for the common cold has been found!”
The first article is about a certain web payment organisation that will tackle phishers by blocking old browser versions, making sure users access their accounts via newer, phishing-hardened browsers. The second was an announcement by one
of the major security players that a large UK bank is beefing up its web security by introducing Extended Validation (EV) SSL certificates.
Don’t get me wrong. First, I respect both financial organisations very much for their fraud fighting capabilities. I know that they invest a lot in online fraud fighting, deploy many layers of security and do a lot of things behind the scenes, which in my
mind is the most effective strategy.
Second, both moves make a lot of sense as they can help customers help themselves: new browsers are far better than old ones when it comes to security, and EV SSL certification is far better and more idiot-proof than its standard version. Both provide visible
cues that let users know something is phishy. That’s why I’m not naming names or pointing fingers.
In fact, I’m applauding the initiatives and think more industry players should follow that lead.
It is the dramatic language of the articles that makes me raise an eyebrow. There’s a very big gap between the effectiveness of these measures and the words used to describe them.
Here’s the thing: fighting fraud through browser-level cues is one layer of security, but in itself will not leave a dent in online fraud. The reason is that online fraud is a moving target. It took years to educate consumers not to open file attachments
from people they don’t know; this didn’t stop the wide spread of malware and botnets. It took years to educate people to expect the yellow SSL lock; this didn’t stop the wide spread of phishing.
Chances are that in 3 years, everyone will have the latest browser version, EV SSL, the works. Now, let’s have a quick poll. How many of you think this will stop fraud? Raise your hands please. Higher, guys, I can’t see them. Oh, you didn’t raise hands?
I’m not surprised.
Fraudsters already have several tools in their arsenal to bypass these visual cues. Take HTML injection Trojans: you actually keep a live session with the real bank, the URL is that of the real bank, and the SSL connection (lock, EV indicator and all) is the bank’s genuine one… It’s just that a piece of crimeware installed on your PC takes
whatever HTML the bank sends and injects new code into it before the browser renders it, which means the Trojan operator can present pretty much anything while piggybacking a legitimate session with the bank’s web site. You’ll get all the right visual cues, but the content is completely
under the fraudster’s control.
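To make the mechanism concrete, here is an added example (my own, not code from the original article and not the configuration format of Limbo or any other real crimeware family). It models a webinject-style rewrite in a few lines of JavaScript: a rule matches the bank’s login URL, finds an anchor string in the genuine HTML and splices extra fields (ATM PIN, date of birth) in after it. The URL, the bank domain and the login form are all constructed samples. A second function does what the browser’s lock icon cannot: it compares the fields actually present in the page against the set the real form is known to use.

```javascript
// Added example: a minimal "webinject"-style HTML rewrite of the kind a
// man-in-the-browser Trojan applies to a live, legitimate banking session.
// Simplified, constructed model; not any real crimeware's configuration format.

// Injection rule (constructed). The Trojan only touches pages whose URL matches,
// so every other page, and the address bar itself, stays untouched.
const INJECT_RULES = [
  {
    urlPattern: /^https:\/\/online\.example-bank\.test\/login/, // assumed bank URL
    // Anchor string inside the genuine page; the injected markup goes right after it.
    before: 'name="password"></label>',
    inject:
      '\n<label>ATM PIN <input type="password" name="atm_pin" maxlength="4"></label>' +
      '\n<label>Date of birth <input type="text" name="dob"></label>',
  },
];

// Rewrite the server's HTML before it reaches the renderer. The TLS session,
// URL and certificate are the bank's own; only the document body changes.
function applyWebinjects(url, html, rules = INJECT_RULES) {
  let out = html;
  for (const rule of rules) {
    if (!rule.urlPattern.test(url)) continue;
    const idx = out.indexOf(rule.before);
    if (idx === -1) continue; // anchor missing (page changed): leave it alone
    const at = idx + rule.before.length;
    out = out.slice(0, at) + rule.inject + out.slice(at);
  }
  return out;
}

// Constructed sample of the bank's genuine login form.
const GENUINE_LOGIN_HTML = `<form method="post" action="/login">
<label>Username <input type="text" name="username"></label>
<label>Password <input type="password" name="password"></label>
<button type="submit">Log in</button>
</form>`;

// The fields the real form is known to contain (assumed for this example).
const EXPECTED_FIELDS = ['username', 'password'];

// Collect the name attribute of every <input> in the page.
function inputNames(html) {
  const names = [];
  const re = /<input\b[^>]*\bname="([^"]+)"/g;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Content-level check: fields present in the page that the genuine form never
// asks for. Unlike the lock icon, this looks at what the user is actually shown.
function unexpectedFields(html, expected = EXPECTED_FIELDS) {
  return inputNames(html).filter((n) => !expected.includes(n));
}

// Run the injection against the sample page and report what changed.
function demo() {
  const url = 'https://online.example-bank.test/login';
  const tampered = applyWebinjects(url, GENUINE_LOGIN_HTML);
  return {
    url, // unchanged: the address bar still shows the real bank
    genuineExtra: unexpectedFields(GENUINE_LOGIN_HTML), // []
    tamperedExtra: unexpectedFields(tampered), // ['atm_pin', 'dob']
    tampered,
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log('URL shown to user :', r.url);
  console.log('Extra fields       :', r.tamperedExtra.join(', '));
  console.log(r.tampered);
}
```

Run it with `node` to see the login form grow an ATM PIN and date-of-birth prompt while the URL stays the bank’s. The point of `unexpectedFields` is that detecting this class of attack means inspecting the content of the session, whether with page-integrity checks, server-side anomaly detection on what the client submits, or both; no amount of padlock or green address bar will do it.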
HTML injection Trojans used to be anecdotal a few years ago. Today they’re everywhere. They also don’t cost much. For $350 I can get you a good one called Limbo. Put Limbo on your machine, and you’ll be amazed to see your bank requesting all sorts of data
when you log in – things like your ATM PIN and birth date.
Believe me, if you have one on your computer you won’t be able to tell the difference between a Limbo controlled session and a genuine one. Since it piggybacks the session, all the visual cues are there.
If you’re interested in developing an online fraud career, I highly recommend Limbo.
The bottom line is that browser-level visual cues are not the cure for online fraud, and anything that reads like “a cure for the common cold has been found!” should make you raise an eyebrow.