Technology Review
The user is the weakest link for financial security.
Cybercriminals have had great success over the past year hitting banks where their security is the weakest--on their customers' PCs. In 2009, online fraud losses doubled, according to FBI data.
Now banks are starting to hit back, focusing not only on the security of their own systems, but of their customers' systems. Last week, security firm Trusteer announced it would provide a service to banks that lets them remotely analyze computers belonging to customers who have been hacked. Using the service, called Flashlight, banking customers who believe they have been targeted could download a program to their PC that would quickly search the system for digital tracks left by online thieves and their malicious software.
"By analyzing the malware, the banks can find out how the groups are getting by their security measures," says Mickey Boodaei, CEO of Trusteer. "We noticed that most banks have no real understanding of their fraud losses. They have no idea where they are originating from, whether it was Zeus [a common Trojan horse program] or some other malicious software, and what criminal groups are attacking them."
Banks have had mixed success cracking down on cybercriminals. While cyber fraud has declined in the past three years, fraudulent online transactions have climbed, according to a presentation by the Federal Deposit Insurance Corporation (FDIC), the agency responsible for securing Americans' savings. In the third quarter of 2009, losses due to online fraud topped $120 million, with small-business losses accounting for $25 million, according to the FDIC.
Most of the fraud was due "to malware on the online banking customer's PC that was related to phishing, downloading Trojan horse programs, or visiting a website that infected the PC with a drive-by type of malware attack," FDIC examiner David Nelson said during the presentation.
While U.S. regulations have required that banks use more than just a username and password to secure bank transactions, online thieves have adapted quickly to the new security. Instead of logging into a user's account from a different country, many cybercriminals are now surreptitiously using the victim's browser to initiate fraudulent transactions. "As soon as the financial institutions began implementing strong authentication, the bad guys began to find ways to defeat strong authentication," Nelson said. "Almost all of the (latest) losses were the result of the computer intrusions on the networks or the PCs of banking customers."
It might sound like a good idea for banks to be more proactive about security, but the history of credit cards, where losses are far greater, tends to indicate that banks will eat a lot of losses before doing anything that inconveniences customers.
To put things in perspective, the total industry losses quoted ($120M in one quarter) amount to 1% of the profits of just JP Morgan Chase in the most recent quarter. Spread across the entire industry $120M is a drop in an ocean.
If you give a hacker a Flashlight ...
So now we can expect to receive carefully spoofed email messages, allegedly from our bank, that say "Your account information has been compromised. Please log in using your Account ID and Password to download and run the Trusteer Flashlight program, which will check your computer for malicious code and send us the results. Don't worry, your information is completely safe!"
...just boot a LiveCD that can't touch the hard drive and runs only in RAM. spi.dod.mil makes an easy-to-use one called LPS.
blkdog40
Eventually, banks will use this to avoid reimbursing victims of online fraud. If a financial institution were to require some due diligence and use of digital forensics software by the customer in its online banking services agreement, it may show that the customer didn't use up-to-date patches, virus/malware scanning software, didn't use safe Internet browsing practices, etc. when the fraud took place.
colinnwn
Re: online fraud
Well, I can foresee a time where before a bank website lets you log on, it checks you are running the most current security patches for your operating system, web browser, and have virus software.
If you don't, then it would require you to download a virtual OS similar to Google's planned Chrome web-based OS or a slimmed-down Linux kernel running only Firefox, and access the bank website from inside this sandboxed OS and web browser.
This might be best for all computer users and bank customers.