Tuesday, September 1, 2009

Online Banking "Dangerous" - Gartner



Gartner states that online banking is "dangerous" in its newest analysis:



Event
On 24 August 2009, the Washington Post's Security Fix blog reported that the Financial Services Information Sharing and Analysis Center (FS ISAC) — an industry group created by a U.S. presidential order to share data about critical threats to the financial sector — had issued a confidential alert to its members, which include the Federal Reserve, the New York Stock Exchange, Citigroup, Morgan Stanley and Goldman Sachs. The FS ISAC alert urged business bank customers to "carry out all online banking activity from a stand-alone, hardened, and locked-down computer from which e-mail and Web browsing is not possible."



Editor's Note: Why dedicate a stand-alone, hardened and locked-down computer from which e-mail and Web browsing is not possible, when it would be safer, more cost-effective and more useful to utilize a PCI 2.x Certified "stand-alone" device which not only provides multi-factor authentication, but also provides "real-time" money transfer, B2B payments and more?



The FS ISAC issued its alert in response to reports from financial institutions, security companies, the media and law enforcement agencies of "a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses."




Editor's Note: Again, exploitation is relative to how you conduct funds transfers. Agreed, you cannot use a PC from which web browsing is possible, but you can utilize a device which doesn't use the web in the first place.



Analysis
The FS-ISAC warning calls into question the safety of online banking...and confirms that criminals are winning the cyber war against financial institution account holders....



Criminals raid these accounts for millions of dollars (no estimates are available for the total amount of money stolen, but Gartner believes it could be very large) by planting trojans on user desktops to steal account credentials and transfer money to criminals' accounts. Especially problematic aspects of these incidents include:
  • Lack of disclosure by banks to shareholders and account holders, who must learn about these incidents from media reports.

  • Criminals' practice of targeting business accounts, which are typically larger but enjoy less protection under the law than consumer accounts.

  • Lack of protection afforded by current antivirus and anti-malware software running on users' PCs, and users' failure to keep their protection software updated.

  • Criminals' ability to circumvent strong user authentication, which includes using dedicated one-time password tokens issued by the bank to business users.

  • The new level of sophistication in reconnaissance, asset acquisition and exploitation demonstrated by these attacks, raising the possibility that ex-intelligence, paramilitary and military personnel are working with traditional organized crime groups.

These multistage attacks do more harm to customers than large, well-publicized credit card breaches. When cards are stolen, regulations typically require reimbursement of customers for unauthorized charges. In money transfer attacks, business users are unlikely to recover the bulk of their stolen funds.


  • Don't rely solely on the strength of user authentication if the authentication is communicated through a PC browser.

Editor's Note: Which is why HomeATM doesn't use the web browser for authentication, but instead utilizes the only PCI 2.x Certified PED in the world to instantaneously encrypt the authentication credentials and transmit the encrypted data using the Internet (not the web) as a conduit. Is it safer this way? You can bank on it!
