Tuesday, November 24, 2009

Online Banking Doomed Unless We Start Swiping vs. Typing!



PC World has an excellent article regarding online banking Trojans, which are becoming increasingly sophisticated.  As regular followers of this blog are well aware, I've long proclaimed that HomeATM can virtually "ELIMINATE" the threats posed by phishing.  When it comes to online banking Trojans, they are simply data mining programs.

What data would there be to mine if online banking customers were empowered with the same technology used to access cash at an ATM, i.e. swiping their bank-issued card and entering their bank-issued PIN on a PCI 2.x certified PIN pad?  The short answer is that we instantaneously encrypt the log-in session using 3DES/DUKPT encryption.  Because the data NEVER enters the browser, there's nothing to "browse."  Encrypted data is useless to a data mining program.  The only problems ATM users experience are related to skimming devices and hidden cameras, neither of which is a threat to a HomeATM user who logs on to their online banking session in the safety and privacy of their own home.
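As an added example (my own illustration, not HomeATM's code and not part of the PC World article), here is the mechanism the paragraph above leans on, written in Go: the PIN pad formats the PIN as an ISO 9564-1 format 0 PIN block, XORs in part of the card number so the block is bound to that card, and 3DES-encrypts it under a key that changes with every transaction, so the PC only ever handles 8 bytes of ciphertext. The per-transaction key derivation is a simplified HMAC stand-in for the ANSI X9.24 DUKPT hierarchy (real DUKPT also keeps the base key off the device); `baseKey`, the test PAN and all function names are constructed for the example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

var (
	baseKey = []byte("constructed-demo-base-key") // constructed; stands in for the key shared by PIN pad and host
	demoPAN = "4111111111111111"                  // standard test card number, not a real account
)

// PINField is the ISO 9564-1 format 0 PIN field: 0, length nibble, digits, F padding to 16 nibbles.
func PINField(pin string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	s := fmt.Sprintf("0%X%s", len(pin), pin)
	return hex.DecodeString(s + strings.Repeat("F", 16-len(s)))
}

// PANField is 0000 plus the rightmost 12 PAN digits before the check digit; XORing it in ties the block to this card.
func PANField(pan string) ([]byte, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// transactionCipher returns TDES under a fresh 24-byte key for this transaction
// counter. The HMAC derivation is a simplified stand-in for the ANSI X9.24 DUKPT
// hierarchy; it keeps the property that every login is encrypted under a new key.
func transactionCipher(counter uint32) cipher.Block {
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	mac := hmac.New(sha256.New, baseKey)
	mac.Write(ctr[:])
	c, err := des.NewTripleDESCipher(mac.Sum(nil)[:24])
	if err != nil {
		panic(err) // unreachable: the key length is fixed at 24 bytes
	}
	return c
}

// EncryptPIN is the PIN pad side. Its 8 output bytes are all that the PC,
// its browser and any trojan in the browser ever see of the PIN.
func EncryptPIN(pin, pan string, counter uint32) ([]byte, error) {
	pf, err := PINField(pin)
	if err != nil {
		return nil, err
	}
	af, err := PANField(pan)
	if err != nil {
		return nil, err
	}
	for i := range pf {
		pf[i] ^= af[i]
	}
	out := make([]byte, 8)
	transactionCipher(counter).Encrypt(out, pf)
	return out, nil
}

// DecryptPIN is the host side: rederive the key for this counter, decrypt,
// strip the PAN field and parse the format 0 field back to digits.
func DecryptPIN(enc []byte, pan string, counter uint32) (string, error) {
	af, err := PANField(pan)
	if err != nil || len(enc) != 8 {
		return "", errors.New("bad PAN or ciphertext is not one 8-byte block")
	}
	clear := make([]byte, 8)
	transactionCipher(counter).Decrypt(clear, enc)
	for i := range clear {
		clear[i] ^= af[i]
	}
	s := strings.ToUpper(hex.EncodeToString(clear))
	n := strings.IndexByte("0123456789ABCDEF", s[1]) // PIN length nibble
	if s[0] != '0' || n < 4 || n > 12 || strings.Trim(s[2:2+n], "0123456789") != "" {
		return "", errors.New("not a valid format 0 PIN block")
	}
	return s[2 : 2+n], nil
}

func main() {
	enc1, _ := EncryptPIN("1234", demoPAN, 1)
	enc2, _ := EncryptPIN("1234", demoPAN, 2)
	fmt.Printf("login 1 sends %X, login 2 sends %X\n", enc1, enc2)
	pin, err := DecryptPIN(enc1, demoPAN, 1)
	fmt.Println("host recovered PIN:", pin, err)
}
```

Run it and the same PIN produces two unrelated ciphertexts for two logins, after which the host recovers the digits. A keylogger sees no keystrokes and a page-injecting trojan sees no reusable value, which is the property the post relies on. What the device alone does not do is stop malware on the PC from altering the transaction that the authenticated session then submits; that is a separate control.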

What they "don't" talk about is that the online banking community uses SSL to secure the session, and there are flaws in SSL which have the industry scrambling to put a band-aid on.  Later with the band-aids.  It's time to revamp the whole system.  In Europe, they are increasingly using hardware devices to authenticate the online banking session (see related article below, Todos delivers 20 Millionth eBanking Security Product).

Oh...and don't forget what the Editor in Chief of Bank Technology News recently proclaimed: 
Online Banking is Dead - Bank Technology News Editor-In-Chief

Here's the article from PC World: 

Criminals today can hijack active online banking sessions, and new Trojan horses can fake the account balance to prevent victims from seeing that they're being defrauded.



Traditionally, such malware stole usernames and passwords for specific banks; but the criminal had to access the compromised account manually to withdraw funds. To stop those attacks, financial services developed authentication methods such as device ID, geolocation, and challenging questions. Unfortunately, criminals facing those obstacles have gotten smarter, too. One Trojan horse, URLzone, is so advanced that security vendor Finjan sees it as a next-generation program.

Greater Sophistication

Banking attacks today are much stealthier and occur in real time. (Translation: One-Time Passwords are at risk) Unlike keyloggers, which merely record your keystrokes, URLzone lets crooks log in, supply the required authentication, and hijack the session by spoofing the bank pages. The assaults are known as man-in-the-middle attacks because the victim and the attacker access the account at the same time, and a victim may not even notice anything out of the ordinary with their account.



According to Finjan, a sophisticated URLzone process lets criminals preset the percentage to take from a victim's bank account; that way, the activity won't trip a financial institution's built-in fraud alerts. Last August, Finjan documented a URLzone-based theft of $17,500 per day over 22 days from several German bank account holders, many of whom had no idea it was happening.



But URLzone goes a step further than most bank botnets or Trojan horses, the RSA antifraud team says. Criminals using bank Trojan horses typically grab the money and transfer it from a victim's account to various "mules"--people who take a cut for themselves and transfer the rest of the money overseas, often in the form of goods shipped to foreign addresses.



URLzone also seems to detect when it is being watched: When the researchers at RSA tried to document how URLzone works, the malware transferred money to fake mules (often legitimate parties), thus thwarting the investigation.


Silentbanker and Zeus

Silentbanker, which appeared three years ago, was one of the first malware programs to employ a phishing site. When victims visited the crooks' fake banking site, Silentbanker installed malware on their PCs without triggering any alarm. Silentbanker also took screenshots of bank accounts, redirected users from legitimate sites, and altered HTML pages.



Zeus (also known as Prg Banking Trojan and Zbot) is a banking botnet that targets commercial banking accounts. According to security vendor SecureWorks, Zeus often focuses on a specific bank. It was one of the first banking Trojan horses to defeat authentication processes by waiting until after a victim had logged in to an account successfully. It then impersonates the bank and unobtrusively injects a request for a Social Security number or other personal information.



Zeus uses traditional e-mail phishing methods to infect PCs whether or not the person enters banking credentials. One recent Zeus-related attack posed as e-mail from the IRS. Unlike previous banking Trojan horses, however, the Zeus infection is very hard to detect because each victim receives a slightly different version of it.

Clampi

Clampi, a bank botnet similar to Zeus, lay dormant for years but recently became quite active. According to Joe Stewart, director of malware research for SecureWorks, Clampi captures username and password information for about 4500 financial sites. It relays this information to its command and control servers; criminals can use the data immediately to steal funds or purchase goods, or save it for later use. The Washington Post has collected stories from several victims of the Clampi botnet.



Clampi defeats user authentication by waiting for the victim to log in to a bank account. It then displays a screen stating that the bank server is temporarily down for maintenance. When the victim moves on, the crooks surreptitiously hijack the still-active bank session and transfer money out of the account.  Editor's Note:  If people would STOP TYPING their usernames and passwords to log in and replace that authentication with a Card Swipe and PIN Entry (which ensures you are on the genuine online banking website), then this threat would be eliminated as well.
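The URLzone and Clampi paragraphs above describe the same bank-side symptom: a second party operating a session the victim opened, sometimes while the victim is still in it. As an added example, not from PC World or this blog, the Go program below shows how a bank's web tier can detect that from its own logs. It parses a few constructed log lines (timestamp, session id, client IP, a user-agent fingerprint, action), remembers the client that opened each session, and flags any action from a different client plus the original client resuming afterwards. The log format, the values in it and the function names are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one line of a constructed bank web-tier log: time, session id,
// client IP, a short user-agent fingerprint and the action performed.
type Event struct {
	At      time.Time
	Session string
	IP      string
	UA      string
	Action  string
}

// Finding is one alert raised against a session.
type Finding struct {
	Session string
	Reason  string
}

// sampleLog is constructed for this example: documentation IP ranges,
// invented session ids, nothing from a real bank.
const sampleLog = `2009-11-24T09:00:01Z s1 203.0.113.10 ff35 login
2009-11-24T09:00:30Z s1 203.0.113.10 ff35 balance
2009-11-24T09:01:05Z s1 198.51.100.7 ie8 transfer
2009-11-24T09:01:20Z s1 203.0.113.10 ff35 balance
2009-11-24T09:02:00Z s2 203.0.113.55 ff35 login
2009-11-24T09:02:40Z s2 203.0.113.55 ff35 transfer
2009-11-24T09:03:00Z s2 203.0.113.55 ff35 logout`

// ParseLog turns whitespace-separated log lines into time-ordered events.
func ParseLog(raw string) ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 5 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		evs = append(evs, Event{At: at, Session: f[1], IP: f[2], UA: f[3], Action: f[4]})
	}
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].At.Before(evs[j].At) })
	return evs, nil
}

// DetectHijack remembers the client that opened each session and flags
// (a) any action from a different client and (b) the original client acting
// again after that, which means two parties are holding the session at once.
func DetectHijack(events []Event) []Finding {
	type origin struct {
		ip, ua      string
		foreignSeen bool
	}
	origins := map[string]*origin{}
	var out []Finding
	for _, ev := range events {
		o, ok := origins[ev.Session]
		if !ok {
			// The first event of a session (normally the login) defines the
			// legitimate client for the rest of that session.
			origins[ev.Session] = &origin{ip: ev.IP, ua: ev.UA}
			continue
		}
		switch {
		case ev.IP != o.ip || ev.UA != o.ua:
			o.foreignSeen = true
			out = append(out, Finding{ev.Session, fmt.Sprintf(
				"%s from %s/%s but session was opened from %s/%s",
				ev.Action, ev.IP, ev.UA, o.ip, o.ua)})
		case o.foreignSeen:
			out = append(out, Finding{ev.Session,
				"original client active after foreign use: session held by two parties"})
			o.foreignSeen = false // report each overlap once
		}
	}
	return out
}

func main() {
	evs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range DetectHijack(evs) {
		fmt.Printf("ALERT session %s: %s\n", f.Session, f.Reason)
	}
}
```

A transfer caught by the first finding is the request to hold for step-up verification or review; the second finding is what separates a hijacked session from a user who merely changed networks. Because the fingerprint comes from the browser, malware running inside the victim's own browser can submit requests that match the legitimate client exactly, so this check catches the remote-operator variant described above, not a trojan injecting transfers through the victim's own session; that case needs transaction-level controls such as confirming new payees over a channel the PC does not control.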



Defending Your Data

Since most of these malware infections occur when victims respond to a phishing e-mail (which we eliminate) or surf to a compromised site, SecureWorks' Stewart recommends confining your banking activities to one dedicated machine that you use only to check your balances or pay bills.



Good News People!  The HomeATM PCI 2.x Certified PIN Entry Device IS A SEPARATE AND DEDICATED MACHINE which online banking customers can use to:

1. Log In (Genuine Two Factor Authentication)
2. Check Balances
3. Pay Bills
4. Conduct Real-Time Money Transfers
5. Conduct Secure Online Transactions with Credit and Debit Cards.



Alternatively, you can use a free OS, such as Ubuntu Linux, that boots from a CD or a thumb drive. Before doing any online banking, boot Ubuntu and use the included Firefox browser to access your bank site.



Editor's Note:  That seems like a tremendously huge pain in the ass.  I thought the financial industry was focusing on "convenience."  Besides...as reported last week on this blog... 50% of Americans don't even know what phishing is, so what percentage are going to know how to use or boot up with an Ubuntu thumb drive?   I would venture a guess that close to 100% of Americans know how to swipe their card and enter their PIN.



Most banking Trojan horses run on Windows, so temporarily using a non-Windows OS defeats them, as does (TEMPORARILY) banking via mobile phone.  (I say temporarily because, when hackers set their sights on mobile banking, smart phones use browsers, which is the root of the problem in the first place.)  Think outside the browser...think encryption "inside the box."

The key step, however, is to keep your antivirus software current; most security programs will detect the new banking Trojan horses.  Editor's Note:  Even if you have the most up-to-date anti-virus programs installed, Zeus bypasses detection 77% of the time.  So...that ain't happening.

There is an online banking Trojan out there that is bypassing up-to-date anti-virus programs as much as 77% of the time, according to security company Trusteer. The Zeus Trojan is also known as Zbot, WSNPOEM, NTOS and PRG. It is the most prevalent financial malware on the web, Trusteer says. (Editor's Note:  Others say it's Clampi.)



According to Trusteer: "When we set out to measure the efficiency of anti-virus products in the wild against Zeus, we had no idea what kind of results we would get," said Amit Klein, CTO of Trusteer and head of the company’s research organization.



"The findings, that up-to-date anti-virus programs were only effective at blocking Zeus infections 23 percent of the time, are disturbing.



"This is bad news for consumers and banks, since the vast majority of Zeus infections are going unnoticed."