
Smart Phones Help Fight Bank Fraud

As more people carry the devices, technology firms are creating better security checks for bank transactions.
December 9, 2010

A simple phone call or text message could have saved Mark Patterson nearly $350,000. The money was stolen from his company’s bank account last year by cybercriminals based in Eastern Europe. Patterson discovered the fraud six days after it had begun, when the bank sent notice that a fraudulent $9,000 transfer to an account in California had failed to complete.

Secure line: In an effort to foil hackers, a new app provides a second line of communications with a bank.

A startup security firm, DUO Security, hopes to offer a better way to secure banking transactions, by routing the information used to confirm a transaction through to a second device: a smart phone. The company has developed apps for a variety of smart phone platforms to create a separate channel between a bank and its customer to verify a transaction. Customers receive the details on their phone and approve transactions with a single touch.

“You push a button on your computer, you receive a notification, and you push a button on your phone, and that is it,” says company cofounder Jon Oberheide. “We don’t really want to overwhelm the user with options.”

Patterson’s company was a victim of the Zeus banking Trojan, a money-stealing software program used by cybercriminals to hijack victims’ online banking sessions and pay out large amounts of money to intermediaries known as “money mules,” who transfer the funds overseas. “It’s been a very stressful year and a half,” Patterson told attendees at the CyberCrime 2010 Symposium in Portsmouth, New Hampshire, last month.

Defenses against Zeus and other programs like it are few. Criminals routinely test the latest version of their code against antivirus software. Capturing a username and password during an online banking session is simple, which is why banking regulations no longer allow only a single factor (a password) to secure online transactions.

Because the criminals have control over the banking customer’s computer, even a second factor, such as another temporary passcode, often fails. Zeus and other Trojans modify bank transactions in real time, sending funds on to money mules but displaying a page that makes it appear that the money is going to a legitimate payee. In fact, any security measure that uses the same communications channel between the PC and the bank can be corrupted by attackers who have compromised the device. DUO Security uses encryption to verify that the communication is going to and from a device that the user has registered.

Allowing the user to actually see the transaction before confirming it is key, says Avivah Litan, a fraud analyst at Gartner. “We have been advocating transaction verification for a long time,” she says. “We call it ‘sign what you see.’”

DUO Security is not the first to focus on the phone. Firms such as RSA, Entrust, and PhoneFactor use similar techniques for verifying transactions via a mobile phone. However, many products merely issue a passcode, an approach that is still vulnerable to Trojans. Zeus’s developers are known to have circumvented the issuing of a text message passcode on Symbian and BlackBerry devices by using the Trojan to ask victims to install an app on those devices; the malicious app forwards the SMS code to the attackers, who can then complete the transaction.
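The following is an added illustration, not DUO Security's code (the article does not describe its protocol), of why the second channel described above defeats a Trojan that rewrites the transaction and why a relayed passcode does not: the bank pushes the payee and amount it actually received to the registered phone, and executes only on an approval computed over those exact details with a key that only the registered phone holds. The shared per-device key, the user "mark", the payee names and the amounts are all assumptions constructed for the example.

```python
import hmac
import hashlib
import json
import secrets
# Simplified model of out-of-band transaction verification ("sign what you see"), constructed for
# illustration: the article does not describe DUO's actual protocol. Assumption: at registration
# the bank and the phone share a per-device secret key (stand-in for the article's "encryption").

def mac(key, purpose, nonce, txn):
    """HMAC over purpose, fresh nonce and exact payee/amount: an approval is bound to one transaction."""
    msg = json.dumps({"p": purpose, "n": nonce, "t": txn}, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class BankServer:
    def __init__(self):
        self.device_keys = {}   # user -> key shared with that user's registered phone
        self.pending = {}       # nonce -> transaction exactly as the bank received it

    def push_for_approval(self, user, txn):
        """Push the details the bank actually received to the phone, authenticated."""
        nonce = secrets.token_hex(8)
        self.pending[nonce] = txn
        return {"nonce": nonce, "txn": txn, "tag": mac(self.device_keys[user], "show", nonce, txn)}

    def execute(self, user, nonce, approval):
        """Transfer only on a valid approval bound to this exact nonce and transaction."""
        txn = self.pending.pop(nonce, None)
        if txn is None or approval is None:
            return False
        return hmac.compare_digest(mac(self.device_keys[user], "approve", nonce, txn), approval)

def phone_handle_push(key, intended, push):
    """On the phone: check the push is from the bank, show it, approve only if it matches what the
    user meant to send (the user's visual comparison is modelled as an equality test)."""
    if not hmac.compare_digest(push["tag"], mac(key, "show", push["nonce"], push["txn"])):
        return None                      # not from the bank: ignore it
    if push["txn"] != intended:          # user sees a different payee/amount and declines
        return None
    return mac(key, "approve", push["nonce"], push["txn"])

def run_transfer(submitted_to_bank, user_intent, forged_approval=None):
    """Simulate one payment; True only if the bank executes it."""
    bank, key = BankServer(), secrets.token_bytes(32)
    bank.device_keys["mark"] = key       # key of the registered phone
    push = bank.push_for_approval("mark", submitted_to_bank)
    approval = forged_approval or phone_handle_push(key, user_intent, push)
    return bank.execute("mark", push["nonce"], approval)
INTENT = {"payee": "Acme Supplies", "amount": 1200}
# Constructed: a session-hijacking Trojan rewrote the details before they reached the bank.
TAMPERED = {"payee": "Mule account, California", "amount": 9000}
```

A bare SMS passcode, by contrast, carries no payee or amount, so relaying it from the phone completes whatever transaction the PC submitted; here nothing the PC can relay is valid for details the user did not see.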

DUO Security has focused on making the technology simple to integrate with banking websites, requiring the addition of only a few lines of code. Customers don’t have to enter in codes, and banks don’t have to run specialized hardware in their network or significantly modify their site. The company’s hope is that by making it simple enough, a wider audience will adopt the technology.

“We think we can really expand where multifactor [authentication] is offered, where multifactor could be offered [to secure] your Facebook account, your Twitter account,” Oberheide says. “These things might seem trivial to you, but you could have that extra protection without the headaches that traditionally go along with multifactor authentication.”
