A Finextra member 09 March, 2010, 08:57 0 likes

Is there an app for protecting online banking transactions ? Well, there are some addon's meant to increase the level of security, eg. those tokens for two-factor authentication or SMS authentication schemes but there is no fundamental cure from the inherent vulnerability of the underlying infrastructure.

There are attack schemes described as "man in the browser" (malicious software being inserted into your PC) that cannot be prevented that way. In a nutshell, the contemporary Internet infrastructure (PC's and servers on the bank side based on PC technology) are "insecure at any time" just as cars were "unsafe at any speed" as Ralph Nader declared a few decades ago. Since then, a lot has happened to improve car safety and the Toyota case shows clearly that the market is no longer willing to tolerate deviations to the downside. Can't we ask for more IT security as well ?

On the bank side, the current state of the art for obtaining better security is spending enourmous amounts of qualified labour and money for security patching. But that's still just patchwork and no real cure, and it is a constant race between bad guys and good guys - where the bad guys are always one or two steps ahead and the good guys always have to catch up. They simply can't win once and for all.

Much less can the banks protect those millions of PC's at our homes and offices which are used for consumer and business-related online banking. That part of the infrastructure simply cannot be made reasonably secure - those constant reminders to average citicens on using firewalls and keeping antivirus software updated are a rather helpless attempt. Highly skilled hackers have broken into Google and many other high tech companies, if they want to hack into your PC they surely will succeed.

To protect bank customers, a new class of Internet terminal would be needed - some type of netbook, acting as a simple hardwired browser device and not acceptimg any downloaded code. That kind of device would not support a number of fancy functions that were designed for games and online advertising, but it would provide a reasonably secure environment for online banking, online shopping and eGovernment or healthcare applications.

Andrew Churchill - MIDAS Alliance - London 09 March, 2010, 12:30 0 likes

Gerhard, 

You're absolutely correct that the SMS authentication systems are vulnerable to browser attacks (or real-time phishing), but largely by virtue of poor implementation.  After all there's no point using a mobile TAN if the user has to pass it straight back to the attacker. 

ENISA covered these 'out of band' systems in it's November report (link available at https://www.finextra.com/news/fullstory.aspx?newsitemid=20797) and whilst there are a few peculiar non sequitur conclusions therein, if properly implemented with specific transaction authentication both ways over the out of band channel then that addresses most issues.

Though Phil, whilst I too use 'there's an app for that' as a metaphor for mobile, to be pedantic it doesn't need to be an app on a smartphone, as SMS or voice work too!

I also like your idea on league tables, though in the UK I'm not sure we'd ever persuade them to drop the anonymity of reporting aggregated losses through APACS - maybe the FSA could take action for negligence (as the customers can't sue (£0 loss as it's usually refunded) and the shareholders won't (no point suing yourself))!    

Andrew 

A Finextra member 09 March, 2010, 13:42 0 likes

It feels to me, especially reading the comments (thanks guys) that it is the vulnerability of Internet browsers that represents half the problem. Internet Explorer has always been targeted, by virtue of its large market share, but Firefox is starting to become a target too if the FT article I linked to is to be believed.

I think that there is something, somewhere between a physical netbook style device for every customer and the current openness of browsers that banks should be (or maybe are) investigating. Here are two options that come to mind:

1) Traditional installable application - Coded from scratch to run directly on the operating system, not in the browser. Of course, key loggers for the whole OS could still be effective, but this approach removes the browser and its flexibility from the equation. The guys at Skype have been building bullet-proof client applications for ages, that self validate on startup. Other companies provide digitial rights-type technologies for executables as well. By removing the browser, it certainly makes it harder for criminal organizations to filter out the activity targeted at a banking website from all the other activities you perform on a PC everyday.

2) Secure Browser in a Virtual appliance - a little like the Netbook approach proposed. A virtual machine running just a browser, with everything else locked down, could be fairly quickly started up by a user. The banks would not need to produce and test custom applications installed on desktops, but could distribute the VM quickly and easily. The advantage is that the VM returns to its original state after every session, so even if a piece of malware did get into it, its lifespan would be extremely limited. VMWare or a partner used to provide an IE appliance, though I don't see any reason why a bank couldn't produce and lock down their own based on a Linux OS running an open source browser, with everything else locked down tight that the user can only use it for banking.

Either way, I think that banks need to consider an installable application approach that bypasses the inherent lack of security of a browser. In the US, where businesses do not have the protection of losses being covered, they could be effectively persuaded to use an application the bank made available through FUD, even if the standard browser continued to be supported if not recommended.

Phil