The recent announcement of the multi-channelled Zeus attack on a user's internet banking account is an interesting hypothesis and surely will not be the last when it comes to beating the ever advancing online banking systems. The attack method currently
seems to use the mobile phone as a forwarding device for any one time password that is delivered to the customer. It's unclear whether or not the mobile phone hack would hide the incoming SMS from the customer, however if it doesn't, then if banks ensure they
include relevant transaction details in the SMS - amount, and beneficiary - it could allow the legitimate customer to detect that something has gone wrong prior to money being lost.
However, if this is the beginning of these types of attacks, we can be sure that the sophistication will also ramp-up as time passes. It's easy to imagine a few other tricks that could be implemented in the mobile phone side of the attack to further mask
the attack. Banks need to keep on top of these threats by maximising the technology they use in Out of Band communication and not simply using it as a basic notification service.
Having the customer respond or sign a transaction via the Out of Band channel could cut down on the potential for abuse since the bank would be able to look at the incoming mobile phone number to help authenticate the transaction. All of this, however, further
points to the fact that our most advanced and innovative protection methods will inevitably be defeated as the never-ending game of cat and mouse progresses. When the locks on the door cannot fully protect, the banks will always have the incredibly robust
suite of transaction behaviour detection tools available to them.
Regardless of what technology is sitting at the front gates, there is always a way to detect abnormal behaviour when it's occurring, and banks will always keep these systems honed to ensure customers' money is protected.