Blog article
See all stories ยป

Internet banking faces a new threat

The recent announcement of the multi-channelled Zeus attack on a user's internet banking account is an interesting hypothesis and surely will not be the last when it comes to beating the ever advancing online banking systems. The attack method currently seems to use the mobile phone as a forwarding device for any one time password that is delivered to the customer. It's unclear whether or not the mobile phone hack would hide the incoming SMS from the customer, however if it doesn't, then if banks ensure they include relevant transaction details in the SMS - amount, and beneficiary - it could allow the legitimate customer to detect that something has gone wrong prior to money being lost.

However, if this is the beginning of these types of attacks, we can be sure that the sophistication will also ramp-up as time passes. It's easy to imagine a few other tricks that could be implemented in the mobile phone side of the attack to further mask the attack. Banks need to keep on top of these threats by maximising the technology they use in Out of Band communication and not simply using it as a basic notification service.

Having the customer respond or sign a transaction via the Out of Band channel could cut down on the potential for abuse since the bank would be able to look at the incoming mobile phone number to help authenticate the transaction. All of this, however, further points to the fact that our most advanced and innovative protection methods will inevitably be defeated as the never-ending game of cat and mouse progresses. When the locks on the door cannot fully protect, the banks will always have the incredibly robust suite of transaction behaviour detection tools available to them.

Regardless of what technology is sitting at the front gates, there is always a way to detect abnormal behaviour when it's occurring, and banks will always keep these systems honed to ensure customers' money is protected.

5893

Comments: (1)

A Finextra member
A Finextra member 04 October, 2010, 14:59Be the first to give this comment the thumbs up 0 likes

Out-of-band authentication and authorisation is certainly a great step forward, although criminals will of course continue to try exploiting any existing weakness.

But some consideration should be given to the mechanics used. SMS seems the obvious choice that springs to mind immediately, but it is not very reliable from a functional point of view. There is no service level guaranteed, SMS messages can easiliy be delayed for hours or not be delivered at all. And some customers are still not fluent in SMS usage ...

More reliable and more natural to use would be the voice channel - making the process real-time, conveying the transaction data to the customer via speech output and getting the immediate response via voice (voice recognition techniques can help to add some further security). Entering some code digits on the mobile phone might be included too.