(Page 2 of 2)
One solution is to use software or a dedicated terminal to ensure that no malicious program can intercept a consumer's communications with a bank. Consumers who have an old PC or laptop lying around could install the free Linux operating system on the machine and use the machine exclusively for financial transactions, suggests SecureWorks's Stewart. Some security firms are also developing software to allow people to run a secure zone on their computer that eliminates the threat of communications being intercepted.
"It goes back to the question, 'Can you trust the computer that you are using? Has it been infected by something that can impact you when you log on to your bank?'" Stewart says.
Another solution is to use a second means of communication, such as calling from a phone or sending an SMS message, to confirm that a transaction is valid, says Ariel Avitan, manager of information security for the Europe, Middle East, and Africa region of Frost & Sullivan, a global business consultancy based in San Antonio, Texas. "It's a cat-and-mouse game," Avitan says. "The [criminals] open a new door, and we shut it. Then they find another one."
Finding solutions and pushing financial firms to adopt them are two separate challenges. Banks only implemented two-factor authentication in October 2005, after the Federal Financial Institutions Examination Council (FFIEC) mandated additional security for online bank accounts.
Ferma's Ferrari has decided to fall back on a low-tech solution. "We have gone back to issuing manual checks," he says.
Any system (chain) is only as secure as its weakest software (link)!
The solution, technically, is simple and cheap - just get a simple PINPad, just like those used at any supermarket/gas station/any merchant and enable it to be connected to the business/home PC (USB/bluetooth/etc). This enables a trusted device (hard-wired/coded in PROM) to possess the crypto keys needed by the bank and the user to authenticate each and every transaction that is displayed on the little screen and any data entered on its own little keyboard - just like shopping! Simple, easy and secure!
So, why not now? Again simple. Governments have not been willing to regulate for security in the computer and data comms industries!! Remember, as Ralph Nader knew and Al Gore portrayed in another area as an "Inconvenient Truth", safety and security have NEVER been market driven, e.g. fire extinguishers in offices, seat belts in cars, and on and on.
PS: That PINPad, with its associated "card present" transaction backing, would also enable secure social service operations and the like and, by the way, in large quantities we are talking about less than $35 per unit (cheaper than any anti-Trojan/Virus/Botnet or similar malware detection package).
The trusted solution is there, now... Is there the willingness of government to act in the interest of the security of its citizens and the protection of a critical national infrastructure, the banking, finance and payments sector?
How about confirming when you log out?
In order to access the accounts, one would need their secure-id number. Instead of the institution then assuming that every transaction requested during that session was valid, it could store them all. As the user logs out, all the transactions will be listed and the user will enter his new secure id to confirm. And the session terminates.
Re: How about confirming when you log out?
That's how it works for my bank.
On top of that I use a bootable DVD of Ubuntu, so no viruses are present for my banking session; even if the rest of my computer potentially contains trojans, my banking should stay safe.
Re: How about confirming when you log out?
Additionally as mentioned in the article adding a phone call or SMS text message could be implemented on top of a securID random # sequence generator.
Furthermore we need greater encryption for transmission on the web. My bank (Huntington) for my business for instance gave me my account information via 3 different methods (not one instance provided all the required information to login and access the account) as well as the securID generator.
Perhaps an NFC technology could be implemented here, or a 2D barcode scan via webcam, then encrypted while transmission between the server and client takes place. Thoughts? Cheers!
As described, the computer of Ferma has been infected by a Trojan Horse. Once the user connected to his/her account, the Trojan issued illegal bank orders concurrently with the user's legitimate bank order. It hijacks the open session. This is rather clever.
Thus, the problem has nothing to do with the authentication. Whether it is one-, two- or even three-factor authentication, the exploit would work. The problem is the integrity of the user's computer. And this one is tougher to succeed at, especially with generic open computers. If using a non-dedicated device, then we will have to assess this risk and try to mitigate it: checking the integrity of the computer often, monitoring banking transactions often, ...
Authenticating users vs. Validating Transactions
There is a subtle difference between authenticating a user (and in this case, Ferma is a legit user) and validating or authenticating the transactions being made. A strong defense against Trojans/malware/loggers etc. is an out-of-band summary of the transactions you've just submitted. An interactive telephonic delivery (voice channel) that reads your transactions back to you over the phone AND offers you the ability to cancel a transaction would make it harder for this exploit to succeed. Firms like Authentify, RSA, Entrust, Verisign and others have this ability - the end user must be aware of it and request the transaction verification from the bank.
Make the user put in a reCaptcha for every transfer that leaves the bank. Record all failed transactions and alert the account holder with the IP address and account number used in the transfer.
A number of the people above have mentioned doing a simple live DVD boot for your banking sessions, and that definitely is a great way to ensure protection. But in addition, a simple rework of the transaction method would help: you queue up all the transactions you want, look at the list of them, and then enter an additional one-time password to clear that specific list of transactions to be processed. This means you have complete control over what transactions happen, even on an infected computer.
Some problems with the suggested solutions:
If malware is on the device, it can take over what is displayed, so a confirmation can be thwarted.
To use a second device for a confirmation, you need to make sure the malware doesn't change the phone number or address while you are logged in.
Too many people don't read confirmations carefully enough.
I'd have to ask how a bank site can allow 27 transfers to accounts that have never been used by this account holder before, all in one session. The transaction system needs to be smarter. For my account, I'd say if there is ever a transfer to an account I haven't used before, flags should go up and it should require double verification. Two such transfers, or one over $1000, I want triple verification. Especially if the target account is not a well-trusted business account. This is a problem with some of these accounts. They don't let me put limits on what can be done.
Deutsche Bank used to issue a list with 100 random IDs in paper format to its online bank users. After the user uses one ID to complete one transaction, the used ID becomes invalid. This strategy may help in this particular case.
Include transaction details in the authentication code
My own little solution would be to use a visual PassWindow to include the transaction details visually to the user in the actual code. Details of this solution are on the Security page. The problem with the electronic token device method is the codes are generic and not connected to the actual transaction; that's how the attackers can switch them around after a hijack or easily socially engineer a new valid code out of a user by showing them "Session expired, please login again" through their hijacked browser.
Having the user actually see the type and amount of the transaction they are supposed to be authenticating embedded within the actual visual challenge would prevent the average user from authenticating them.
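The queue-then-confirm flow proposed in the log-out, one-time-password and transaction-bound-code comments above, as an added Python example that is not from the article or any commenter: the browser session can only queue transfers, the bank pushes its own view of the pending list to the user's out-of-band device, and the confirmation code is an HMAC over that exact list, so a transfer injected before review is visible and declined, and one injected after review makes the typed code no longer match. The secret, payees and amounts are constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo secret standing in for a per-user key provisioned to an
# out-of-band device (phone app or token); it is never sent to the browser.
USER_SECRET = b"constructed-demo-secret-not-for-real-use"

def canonical(transactions):
    """Deterministic bytes for a pending list, so bank and device hash the same thing."""
    return json.dumps(transactions, sort_keys=True, separators=(",", ":")).encode()

def confirmation_code(secret, transactions, digits=8):
    """Short decimal code bound to the whole list, truncated from an HMAC over it."""
    mac = hmac.new(secret, canonical(transactions), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** digits).zfill(digits)

class BankSession:
    """Browser-facing session: it can queue transfers but never execute them."""
    def __init__(self, secret):
        self.secret, self.pending, self.executed = secret, [], []
    def queue(self, to, amount):
        self.pending.append({"to": to, "amount": amount})
    def review_out_of_band(self):
        """What the bank pushes to the user's device: the bank's own pending list."""
        return list(self.pending)
    def confirm(self, typed_code):
        ok = hmac.compare_digest(confirmation_code(self.secret, self.pending), typed_code)
        if ok:
            self.executed.extend(self.pending)
        self.pending.clear()  # the batch is closed either way
        return ok

def user_device(secret, intended, shown):
    """The device shows the bank's list; the user approves only if it matches intent."""
    return confirmation_code(secret, shown) if shown == intended else None

def run(inject_before_review, inject_after_review):
    """Returns (outcome, number of executed transfers) for one hijack scenario."""
    intended = [{"to": "Payroll Co", "amount": 1200}]
    s = BankSession(USER_SECRET)
    s.queue("Payroll Co", 1200)
    if inject_before_review:  # hijacked session adds a transfer the user never asked for
        s.queue("Unknown Acct", 950)
    code = user_device(USER_SECRET, intended, s.review_out_of_band())
    if code is None:
        return "declined", 0
    if inject_after_review:  # injected after the user approved the list
        s.queue("Unknown Acct", 950)
    return ("executed" if s.confirm(code) else "rejected"), len(s.executed)
```

The honest session executes its one transfer; both injection timings end with nothing executed, because the device shows the bank's list rather than the browser's.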
The Bank should require a 24hr hold on all *New* entries made to the "Accounts Payable" list; it cannot be done on the fly.
An email with a confirmation "link" should be sent informing you of that activation. That would give you notice to confirm and a timely phone call to lock/remove unauthorized entries.
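The escalation rules from the "smarter transaction system" comment and the 24-hour hold on new payee entries from the comment above, as an added Python example that is not from the article or any commenter (the account profile, dates and transfers are constructed): each transfer is checked against the payee list, entries younger than 24 hours are held, and the count of never-used payees and the $1000 limit decide how many verification factors the batch needs.

```python
from datetime import datetime, timedelta

HOLD = timedelta(hours=24)  # new payee entries cannot be paid until this has elapsed
SINGLE_LIMIT = 1000         # dollars; a new-payee transfer above this escalates

# Constructed account profile: payee -> when it was added to the payable list.
PAYEES_ADDED = {
    "Payroll Co": datetime(2009, 1, 5, 9, 0),
    "Landlord LLC": datetime(2009, 2, 1, 9, 0),
    "Consultant X": datetime(2009, 3, 2, 15, 30),  # added earlier today
}

def screen_batch(transfers, payees_added, now):
    """Screen one session's transfers. Returns (factors, passed, held, reasons):
    factors 1 = login only, 2 = double verification, 3 = triple verification."""
    passed, held, reasons = [], [], []
    new_payees, new_payee_over_limit = 0, False
    for t in transfers:
        added = payees_added.get(t["to"])
        if added is None:
            new_payees += 1
            new_payee_over_limit = new_payee_over_limit or t["amount"] > SINGLE_LIMIT
            reasons.append("%s: payee never used before" % t["to"])
            passed.append(t)
        elif now - added < HOLD:
            hours = (now - added).total_seconds() / 3600
            reasons.append("%s: payee added %.1fh ago, still on 24h hold" % (t["to"], hours))
            held.append(t)
        else:
            passed.append(t)
    factors = 1
    if new_payees:
        factors = 2  # any transfer to a never-used account
    if new_payees >= 2 or new_payee_over_limit:
        factors = 3  # two such transfers, or one over the limit
    return factors, passed, held, reasons

def demo():
    """Constructed session resembling the article's case: routine payroll plus
    transfers to accounts this customer has never paid before."""
    now = datetime(2009, 3, 2, 17, 0)
    batch = [
        {"to": "Payroll Co", "amount": 1200},   # known payee, routine
        {"to": "Consultant X", "amount": 300},  # added 90 minutes ago: held
        {"to": "New Acct 1", "amount": 950},    # never seen before
        {"to": "New Acct 2", "amount": 4000},   # never seen, over the limit
    ]
    return screen_batch(batch, PAYEES_ADDED, now)
```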
colinnwn
Too Bad Mr. Ferrari
... is dragging his company back into the stone age.
"We have gone back to issuing manual checks,"
A more reasonable, yet still drastic reaction, would be to dedicate a terminal or virtualized OS to only be able to connect to the business's bank website.