Join the Community

23,986
Expert opinions
40,655
Total members
365
New members (last 30 days)
205
New opinions (last 30 days)
29,266
Total comments

Blinding bank's anti-fraud systems with FraudFox VM

Banks have invested heavily in fraud detection systems that try to identify suspicious transactions. These systems put together network data, the user's normal payment patterns... anything that can create a picture of what is normal and what is not. An important part of this is device fingerprinting, a technology that collects system information from browsers. The amount of data a standard browser is willing to release is enough to make a unique fingerprint for each individual device. The problem with device fingerprinting is obviously that anything a bank can collect is also available to any other service. This is where FraudFox comes in. FraudFox VM is a tool that collects device fingerprints and presents them to the bank, leaving the bank in the same position it was in before it invested heavily in malware detection systems from major security vendors. This development is clearly a result of the fact that anti-virus is dead (not my words - Symantec's CEO said this), and in reality end users have no healthy alternatives. Consequently, it makes no sense to even ask end users to keep their devices clean from malware. They can't, so no help from them either.
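To make the uniqueness and "available to any other service" points above concrete, here is an added example; it is not from the original post or from any vendor's product. The attribute names, the population shares and the independence assumption are all constructed for illustration.

```python
import hashlib
import json
import math

# Constructed sample: attributes a browser might report for one device, each
# paired with an assumed share of users who report that same value.
DEVICE = {
    "user_agent": ("Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0", 1 / 64),
    "screen": ("1920x1080x24", 1 / 4),
    "timezone": ("Europe/Oslo", 1 / 128),
    "language": ("nb-NO", 1 / 256),
    "font_list_digest": ("constructed-font-digest", 1 / 1024),
}


def values_only(device):
    """Drop the population shares and keep what a collector actually receives."""
    return {name: value for name, (value, _share) in device.items()}


def fingerprint(attrs):
    """Hash the attribute values in canonical order, so key order is irrelevant."""
    canonical = json.dumps(attrs, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def identifying_bits(device):
    """Sum each value's surprisal. Assumes independent attributes, which
    overstates the total when attributes are correlated in practice."""
    return sum(-math.log2(share) for _value, share in device.values())


def bits_needed(population):
    """Bits required to single out one device among `population` devices."""
    return math.log2(population)


if __name__ == "__main__":
    seen_by_bank = values_only(DEVICE)
    # Any other service the browser talks to can read the same values; here
    # they are recorded in a different order by a second collector.
    seen_elsewhere = dict(reversed(list(seen_by_bank.items())))
    print("identifying bits:", identifying_bits(DEVICE))
    print("bits needed for 1e9 devices:", round(bits_needed(10**9), 1))
    print("same fingerprint:",
          fingerprint(seen_by_bank) == fingerprint(seen_elsewhere))
```

Because the hash depends only on the reported values, a match shows that the presenter knows those values, not that the request comes from the same device.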

So what's the situation?

  • Banks cannot tell the difference between a fake and a legitimate user
  • The device fingerprint can be spoofed
  • Network addresses can be spoofed
  • Users have neither the competence nor the resources

The banks obviously need to work on this, and I believe they need to revise their client-side security strategy from detect and react to block and report. This means we will see more use of malware-resistant applications like browsers and desktop applications. This development has gained traction in the mobile space, where potent app security tools are available as products that integrate with the app.

So the bad news is not so bad: banks will not be blinded by fraud tools like FraudFox, but they need to add security to the user applications that connect to the bank services. As the analysts from Gartner say: self-protective and self-aware applications are a strategic IT trend. When I see tools like FraudFox and others, I agree... once again.

 

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
