A simple phone call or text message could have saved Mark Patterson nearly $350,000. The money was stolen from his company’s bank account last year by cybercriminals based in Eastern Europe. Patterson discovered the fraud six days after it had begun, when the bank sent notice that a fraudulent $9,000 transfer to an account in California had failed to complete.
A startup security firm, DUO Security, hopes to offer a better way to secure banking transactions, by routing the information used to confirm a transaction through to a second device: a smart phone. The company has developed apps for a variety of smart phone platforms to create a separate channel between a bank and its customer to verify a transaction. Customers receive the details on their phone and approve transactions with a single touch.
“You push a button on your computer, you receive a notification, and you push a button on your phone, and that is it,” says company cofounder Jon Oberheide. “We don’t really want to overwhelm the user with options.”
Patterson’s company was a victim of the Zeus banking Trojan, a money-stealing software program used by cybercriminals to hijack victims’ online banking sessions and pay out large amounts of money to intermediaries known as “money mules,” who transfer the funds overseas. “It’s been a very stressful year and a half,” Patterson told attendees at the CyberCrime 2010 Symposium in Portsmouth, New Hampshire, last month.
Defenses against Zeus and other programs like it are few. Criminals routinely test the latest version of their code against antivirus software. Capturing a username and password during an online banking session is simple, which is why banking regulations no longer allow only a single factor (a password) to secure online transactions.
Because the criminals have control over the banking customer’s computer, even a second factor, such as another temporary passcode, often fails. Zeus and other Trojans modify bank transactions in real time, sending funds on to money mules but displaying a page that makes it appear that the money is going to a legitimate payee. In fact, any security measure that uses the same communications channel between the PC and the bank can be corrupted by attackers who have compromised the device. DUO Security uses encryption to verify that the communication is going to and from a device that the user has registered.
Allowing the user to actually see the transaction before confirming it is key, says Avivah Litan, a fraud analyst at Gartner. “We have been advocating transaction verification for a long time,” she says. “We call it ‘sign what you see.’”
DUO Security is not the first to focus on the phone. Firms such as RSA, Entrust, and PhoneFactor use similar techniques for verifying transactions via a mobile phone. However, many products merely issue a passcode, an approach that is still vulnerable to Trojans. Zeus’s developers are known to have circumvented the issuing of a text message passcode on Symbian and BlackBerry devices by using the Trojan to ask victims to install an app on those devices; the malicious app forwards the SMS code to the attackers, who can then complete the transaction.
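The two mechanisms the article contrasts, an approval bound to the transaction details and sent from a registered second device versus a texted passcode that is not bound to anything, can be made concrete with a small model. The following is an added example written for this article, not code from Duo Security or any of the vendors named; the enrollment scheme (a symmetric per-device key shared with the bank), the user names, the payees and the passcode are all constructed assumptions.

```python
"""Added illustration of out-of-band transaction verification ("sign what you
see") versus an unbound SMS passcode. This is not Duo Security's code; the
device key, user names and transactions are constructed for the example."""
import hashlib
import hmac
import json
import secrets


def _bind(tx: dict, nonce: str) -> bytes:
    # Canonical encoding of exactly what the bank will execute, plus a nonce
    # so an approval can never be reused for a second transaction.
    return json.dumps({"tx": tx, "nonce": nonce}, sort_keys=True).encode()


class Phone:
    """The registered second device. It shares a per-device key with the bank
    (assumption: a symmetric key set at enrollment; a public-key pair would
    serve the same purpose)."""

    def __init__(self, device_key: bytes, user_decides):
        self.key = device_key
        self.user_decides = user_decides  # shows details to the user, returns True/False

    def approve(self, challenge: dict):
        # The user sees the payee and amount the bank actually received,
        # not whatever the (possibly infected) PC displayed.
        if not self.user_decides(challenge["tx"]):
            return None
        return hmac.new(self.key, _bind(challenge["tx"], challenge["nonce"]),
                        hashlib.sha256).hexdigest()


class Bank:
    def __init__(self):
        self.devices = {}   # user -> device key registered at enrollment
        self.pending = {}   # nonce -> (user, transaction awaiting approval)

    def enroll(self, user: str) -> bytes:
        self.devices[user] = secrets.token_bytes(32)
        return self.devices[user]

    def start_transaction(self, user: str, tx: dict) -> dict:
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, tx)
        return {"tx": tx, "nonce": nonce}   # pushed to the phone app out of band

    def execute(self, nonce: str, approval) -> str:
        user, tx = self.pending.pop(nonce, (None, None))
        if tx is None:
            return "rejected: unknown or already-used nonce"
        if approval is None:
            return "rejected: user declined on device"
        expected = hmac.new(self.devices[user], _bind(tx, nonce), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, approval):
            return "rejected: approval does not match transaction"
        return f"executed: {tx['amount']} to {tx['payee']}"


def sms_otp_check(expected_code: str, submitted: dict) -> bool:
    """The weaker scheme: a texted passcode proves a code was entered, but says
    nothing about which payee or amount it was meant for."""
    return submitted.get("otp") == expected_code


def run_scenarios():
    bank = Bank()
    key = bank.enroll("alice")                      # constructed user
    intended = {"payee": "ACME Supplies", "amount": 1200}
    phone = Phone(key, lambda tx: tx == intended)   # user approves only what they meant to send

    # 1. Honest session: details match, approval verifies, transfer executes.
    ch1 = bank.start_transaction("alice", intended)
    honest = bank.execute(ch1["nonce"], phone.approve(ch1))

    # 2. Trojan on the PC rewrites the payee before submission. The phone shows
    #    the rewritten transaction, so the user declines.
    hijacked = {"payee": "mule account", "amount": 9000}
    ch2 = bank.start_transaction("alice", hijacked)
    declined = bank.execute(ch2["nonce"], phone.approve(ch2))

    # 3. A previously valid approval is replayed against the hijacked
    #    transaction: the MAC is bound to other details, so it fails.
    ch1_again = bank.start_transaction("alice", intended)
    good_approval = phone.approve(ch1_again)
    ch3 = bank.start_transaction("alice", hijacked)
    replayed = bank.execute(ch3["nonce"], good_approval)

    # 4. Same approval submitted twice: the nonce was consumed the first time.
    first = bank.execute(ch1_again["nonce"], good_approval)
    second = bank.execute(ch1_again["nonce"], good_approval)

    # 5. Unbound SMS code: a forwarded code validates the hijacked transaction.
    code = "482913"                                 # constructed passcode
    otp_passes = sms_otp_check(code, {**hijacked, "otp": code})

    return honest, declined, replayed, first, second, otp_passes
```

The point of the model is in `_bind`: the approval covers the payee, the amount and a one-time nonce, so the bank can only execute the transaction the user actually saw on the phone, and only once. `sms_otp_check` shows why a bare passcode gives no such guarantee: the code is accepted whatever transaction accompanies it, which is exactly what the SMS-forwarding app described above exploits.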
DUO Security has focused on making the technology simple to integrate with banking websites, requiring the addition of only a few lines of code. Customers don’t have to enter in codes, and banks don’t have to run specialized hardware in their network or significantly modify their site. The company’s hope is that by making it simple enough, a wider audience will adopt the technology.
“We think we can really expand where multifactor [authentication] is offered, where multifactor could be offered [to secure] your Facebook account, your Twitter account,” Oberheide says. “These things might seem trivial to you, but you could have that extra protection without the headaches that traditionally go along with multifactor authentication.”