Understanding Man-in-the-Browser Attacks Targeting Online Banks - eWeek
Malware integrating itself into a victim's Web browser is nothing new. Increasingly, however, these man-in-the-browser attacks are being used to successfully bypass authentication mechanisms used by online banking sites, according to a security researcher.

(Editor's Note: Kaspersky Labs has called for the mass adoption of peripheral card readers for ALL internet banking users, and HomeATM has the ONLY PCI 2.1 Certified Peripheral PIN Entry Device/card reader designed for eCommerce.)

Jason Milletary, technical director for malware analysis at SecureWorks, explained that banking Trojans like ZeuS, Gozi and SpyEye utilize man-in-the-browser (MITB) techniques to provide cyber-criminals with additional information needed to conduct financial fraud, such as the victim's Web browsing activity and data.

"These types of threats have been technically established for several years," he said. "The concern is how these types of attacks are potentially being used to attempt to bypass more advanced authentication mechanisms being implemented by online banking sites."

Editor's Note 2: No matter how "supposedly" advanced an authentication mechanism is, if online banking continues to be conducted "inside the browser" it will be eventually defeated by MITB attacks. Online banking authentication, and for that matter, ALL financial transactions, MUST be conducted OUTSIDE the browser.
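To make the editor's point concrete, here is an added illustrative Python simulation (not code from eWeek, SecureWorks or HomeATM): an MITB that rewrites a transfer after the user has authenticated passes an in-browser OTP check unchanged, but is rejected when the user signs the beneficiary and amount on an out-of-band device whose key the browser never sees. The account numbers, amounts, key and device behaviour are all constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo secret: provisioned to the user's out-of-band signing device
# and to the bank, never present in the browser.
DEVICE_KEY = b"demo-shared-secret-key"


def mitb_tamper(tx):
    """Simulate MITB malware rewriting the form data after the user submits it.
    The user still sees the transfer they intended; the bank receives this one."""
    return {**tx, "to": "ATTACKER-ACCT", "amount": "9500.00"}


def otp_flow(tx, tampered):
    """In-browser OTP: the code proves the session, not the transaction details,
    so the bank accepts whatever transaction arrives alongside a valid code."""
    otp_typed_by_user = "123456"          # constructed; MITB forwards it as-is
    submitted = mitb_tamper(tx) if tampered else tx
    return submitted if otp_typed_by_user == "123456" else None


def sign_tx(tx):
    """Out-of-band device: the user keys in beneficiary and amount as shown on
    the device's own display and it returns a MAC over exactly those fields."""
    msg = f"{tx['to']}|{tx['amount']}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()[:8]


def bank_verify(submitted, sig):
    """Bank recomputes the MAC over the fields it actually received."""
    return hmac.compare_digest(sign_tx(submitted), sig)


def signing_flow(tx, tampered):
    """Transaction-bound signing: the signature covers the user's intended
    transfer, so any MITB rewrite of the fields fails verification."""
    sig = sign_tx(tx)                      # computed on the device, not in the browser
    submitted = mitb_tamper(tx) if tampered else tx
    return submitted if bank_verify(submitted, sig) else None


if __name__ == "__main__":
    intended = {"to": "FRIEND-ACCT", "amount": "50.00"}
    print("OTP, MITB present:    ", otp_flow(intended, tampered=True))
    print("Signing, MITB present:", signing_flow(intended, tampered=True))
```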
Also see: Banking's Big Dilemma: How to Stop Cyberheists via Customers PC's
By Ellen Messmer
In online banking and payments, customers' PCs have become the Achilles' heel of the financial industry as cyber-crooks remotely take control of the computers to make unauthorized funds transfers, often to faraway places.