David Divitt - VocaLink

Internet banking faces a new threat

27 September 2010

The recently announced multi-channel Zeus attack on a user's internet banking account is an interesting scenario, and it will surely not be the last attempt at beating ever-advancing online banking systems. The attack currently appears to use the mobile phone as a forwarding device for any one-time password delivered to the customer. It is unclear whether the mobile phone compromise hides the incoming SMS from the customer; if it does not, and banks make sure the SMS includes the relevant transaction details (amount and beneficiary), the legitimate customer could notice that something has gone wrong before any money is lost.

However, if this is the beginning of this type of attack, we can be sure that the sophistication will ramp up as time passes. It is easy to imagine a few other tricks on the mobile phone side that would mask the attack further. Banks need to stay on top of these threats by making the most of the technology available for out-of-band communication, rather than using it simply as a basic notification service.

Having the customer respond to, or sign, a transaction via the out-of-band channel could reduce the potential for abuse, since the bank could check the incoming mobile phone number to help authenticate the transaction. All of this, however, further underlines that our most advanced and innovative protection methods will inevitably be defeated as the never-ending game of cat and mouse progresses. When the locks on the door cannot fully protect, the banks will still have an incredibly robust suite of transaction behaviour detection tools available to them.

Regardless of what technology is sitting at the front gates, there is always a way to detect abnormal behaviour when it's occurring, and banks will always keep these systems honed to ensure customers' money is protected.
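As an added illustration of the respond-via-out-of-band design described above (example code written for this page, not the author's or VocaLink's), the following Python sketch derives a one-time code bound to the amount and beneficiary, places those details in the SMS text, and accepts a confirmation only if it arrives from the registered handset number within a short window. The key, phone numbers and payment details are constructed placeholders.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

OTP_KEY = b"bank-otp-derivation-key-placeholder"  # hypothetical bank-side secret
CODE_TTL_SECONDS = 300

@dataclass
class PendingPayment:
    account: str
    beneficiary: str
    amount: str
    registered_msisdn: str  # handset number on file for the customer
    nonce: str = field(default_factory=lambda: secrets.token_hex(8))
    issued_at: float = field(default_factory=time.time)

def otp_for(payment: PendingPayment) -> str:
    # The 6-digit code is an HMAC over the transaction details, so it confirms
    # this exact amount and beneficiary only, not any other payment.
    msg = f"{payment.account}|{payment.beneficiary}|{payment.amount}|{payment.nonce}"
    digest = hmac.new(OTP_KEY, msg.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def sms_body(payment: PendingPayment) -> str:
    # Amount and beneficiary go in the text so the customer can spot a payment
    # they never made, even if the code itself is forwarded elsewhere.
    return (f"Confirm payment of {payment.amount} to {payment.beneficiary}? "
            f"Reply with code {otp_for(payment)}.")

def verify_reply(payment: PendingPayment, from_msisdn: str, code: str,
                 now: Optional[float] = None) -> Tuple[bool, str]:
    # Accept only a fresh reply from the registered handset carrying the right code;
    # a code forwarded to another phone and replied from there is rejected.
    now = time.time() if now is None else now
    if now - payment.issued_at > CODE_TTL_SECONDS:
        return False, "expired"
    if from_msisdn != payment.registered_msisdn:
        return False, "reply not from registered handset"
    if not hmac.compare_digest(code, otp_for(payment)):
        return False, "code mismatch"
    return True, "authorised"

if __name__ == "__main__":
    pay = PendingPayment("12345678", "Example Supplies Ltd", "GBP 250.00", "+447700900123")
    print(sms_body(pay))
    print(verify_reply(pay, "+447700900123", otp_for(pay)))  # legitimate customer reply
    print(verify_reply(pay, "+447700900999", otp_for(pay)))  # correct code, wrong handset
```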


Comments: (1)

A Finextra member | 04 October, 2010, 14:59

Out-of-band authentication and authorisation is certainly a great step forward, although criminals will of course continue to try exploiting any existing weakness.

But some consideration should be given to the mechanics used. SMS seems the obvious choice that springs to mind immediately, but it is not very reliable from a functional point of view. There is no guaranteed service level; SMS messages can easily be delayed for hours or not be delivered at all. And some customers are still not fluent in SMS usage ...

More reliable and more natural to use would be the voice channel - making the process real-time, conveying the transaction data to the customer via speech output and getting the immediate response via voice (voice recognition techniques can help to add some further security). Entering some code digits on the mobile phone might be included too. 


