Blog article
See all stories »

Protecting online bank accounts - is there an app for that?

Losses from falsified online banking transactions in the US tripled in the third quarter, and it seems that the banks have no way to stop them, reports Joseph Menn for the FT. At $120m, this is only about 17% of the total cost of identity fraud and bad checks / cheques, amounting to a total of $700m, although significant enough that you would believe banks would be working hard to stop the problem. The issue for businesses it seems is that many banks are not feeling much of the $120m cost, ensuring that the losses remain with the business account holders. Compensation is something the banks are avoiding, unlike the losses from fraudulent use of a credit card. While they continue to do so, the direct financial cost to banks may mean that they push off the problem for later.

It seems that a "trojan" named Zeus is being sold by hackers to criminal organizations who are wanting to use it to empty business bank accounts. Zeus makes it easy for online banking passwords to be recorded by the criminals, then used to transfer funds from the account through the standard, legitimate online banking system. The FT story claims that new versions of the trojan also allow criminals to bypass some of the additional physical security that banks are employing, such as tokens with rotating passkeys and SMS confirmation messages. If this really is the case, it is a worrying development, although I can't technically understand how the hack could do that unless these security systems are incredibly poorly implemented.

If the additional security measures that banks employ are being bypassed by hackers, it seems that banks may eventually have to act. If the losses start to approach those of other fraudulent transactions, and banks continue to push responsibility to the customers, the large base of small and mid-sized businesses may just mutiny finding a way to protect their money without feeding the coffers of the worst offending banks. How long will it be before we see a league table of banks and percentage of losses due to fraudulent transactions - at least with this type of information companies could pick the most reliable bank, reducing their risk.

When banks finally decide to act, and they find that they are unable to secure online accounts and transactions through a web-browser, some may just decide that it is time to develop full, installable, self-validating applications as the only access mechanism to online banking facilities. If "there is an app for that", the flexibility for accessing accounts from anywhere is lost, but it may be the only way security can be maintained.

3916

Comments: (3)

A Finextra member
A Finextra member 09 March, 2010, 08:57Be the first to give this comment the thumbs up 0 likes

Is there an app for protecting online banking transactions ? Well, there are some addon's meant to increase the level of security, eg. those tokens for two-factor authentication or SMS authentication schemes but there is no fundamental cure from the inherent vulnerability of the underlying infrastructure.

There are attack schemes described as "man in the browser" (malicious software being inserted into your PC) that cannot be prevented that way. In a nutshell, the contemporary Internet infrastructure (PC's and servers on the bank side based on PC technology) are "insecure at any time" just as cars were "unsafe at any speed" as Ralph Nader declared a few decades ago. Since then, a lot has happened to improve car safety and the Toyota case shows clearly that the market is no longer willing to tolerate deviations to the downside. Can't we ask for more IT security as well ?

On the bank side, the current state of the art for obtaining better security is spending enourmous amounts of qualified labour and money for security patching. But that's still just patchwork and no real cure, and it is a constant race between bad guys and good guys - where the bad guys are always one or two steps ahead and the good guys always have to catch up. They simply can't win once and for all.

Much less can the banks protect those millions of PC's at our homes and offices which are used for consumer and business-related online banking. That part of the infrastructure simply cannot be made reasonably secure - those constant reminders to average citicens on using firewalls and keeping antivirus software updated are a rather helpless attempt. Highly skilled hackers have broken into Google and many other high tech companies, if they want to hack into your PC they surely will succeed.

To protect bank customers, a new class of Internet terminal would be needed - some type of netbook, acting as a simple hardwired browser device and not acceptimg any downloaded code. That kind of device would not support a number of fancy functions that were designed for games and online advertising, but it would provide a reasonably secure environment for online banking, online shopping and eGovernment or healthcare applications.

Andrew Churchill
Andrew Churchill - MIDAS Alliance - London 09 March, 2010, 12:30Be the first to give this comment the thumbs up 0 likes

Gerhard, 

You're absolutely correct that the SMS authentication systems are vulnerable to browser attacks (or real-time phishing), but largely by virtue of poor implementation.  After all there's no point using a mobile TAN if the user has to pass it straight back to the attacker. 

ENISA covered these 'out of band' systems in it's November report (link available at http://www.finextra.com/news/fullstory.aspx?newsitemid=20797) and whilst there are a few peculiar non sequitur conclusions therein, if properly implemented with specific transaction authentication both ways over the out of band channel then that addresses most issues.

Though Phil, whilst I too use 'there's an app for that' as a metaphor for mobile, to be pedantic it doesn't need to be an app on a smartphone, as SMS or voice work too!

I also like your idea on league tables, though in the UK I'm not sure we'd ever persuade them to drop the anonymity of reporting aggregated losses through APACS - maybe the FSA could take action for negligence (as the customers can't sue (£0 loss as it's usually refunded) and the shareholders won't (no point suing yourself))!    

Andrew 

A Finextra member
A Finextra member 09 March, 2010, 13:42Be the first to give this comment the thumbs up 0 likes

It feels to me, especially reading the comments (thanks guys) that it is the vulnerability of Internet browsers that represents half the problem. Internet Explorer has always been targeted, by virtue of its large market share, but Firefox is starting to become a target too if the FT article I linked to is to be believed.

I think that there is something, somewhere between a physical netbook style device for every customer and the current openness of browsers that banks should be (or maybe are) investigating. Here are two options that come to mind:

1) Traditional installable application - Coded from scratch to run directly on the operating system, not in the browser. Of course, key loggers for the whole OS could still be effective, but this approach removes the browser and its flexibility from the equation. The guys at Skype have been building bullet-proof client applications for ages, that self validate on startup. Other companies provide digitial rights-type technologies for executables as well. By removing the browser, it certainly makes it harder for criminal organizations to filter out the activity targeted at a banking website from all the other activities you perform on a PC everyday.

 

2) Secure Browser in a Virtual appliance - a little like the Netbook approach proposed. A virtual machine running just a browser, with everything else locked down, could be fairly quickly started up by a user. The banks would not need to produce and test custom applications installed on desktops, but could distribute the VM quickly and easily. The advantage is that the VM returns to its original state after every session, so even if a piece of malware did get into it, its lifespan would be extremely limited. VMWare or a partner used to provide an IE appliance, though I don't see any reason why a bank couldn't produce and lock down their own based on a Linux OS running an open source browser, with everything else locked down tight that the user can only use it for banking.

Either way, I think that banks need to consider an installable application approach that bypasses the inherent lack of security of a browser. In the US, where businesses do not have the protection of losses being covered, they could be effectively persuaded to use an application the bank made available through FUD, even if the standard browser continued to be supported if not recommended.

Phil