European Banks: 29 American Banks: Zero
Bottom line? Online Banking MUST be done "outside" the browser space. We've seen the ZeuS, Clampi, URLZone, BlackEnergy2 banking trojans, we've seen lawsuits filed by customers against banks accusing them of lax authentication procedures, we've seen keylogging, man-in-the-middle and man-in-the-browser attacks, we've seen billions of phishing attempts, we've seen the head of the FBI swear off online banking, we've been told we need a "dedicated" machine for online banking. We've seen Avivah state that nothing in the browser can be trusted, I can go on and on... and I will because...
OTPs (One Time Passwords) will be circumvented by MITB attacks (and real-time keylogging).
Either I don't get it or the banks don't. I'm confident enough to say that if you were to go back through the PIN Debit blog over the past 18 months or so and look at everything I've posted regarding online banking, you will see that I'm not the one who doesn't get it. (type "online banking security" into the custom search box for proof)
I'm not Nostradamus, but I can tell you this. Banks would "prophet" from the eradication of all the problems associated with Typing vs. Swiping.
When Kaspersky Labs calls for the mass adoption of peripheral card readers and suggests that banks could be big drivers of this type of hardware, then banks might want to pay more attention. On the horizon is a new dilemma for online banking security.
Avivah Litan, distinguished analyst from Gartner Research, points out that banks rely on "flash cookies" to identify legitimate users and that's about to change. Again... why not use a common-sense approach to authenticate legitimate users? Take your "bank issued" card out of your purse/wallet and swipe it through a PCI certified PIN Entry Device designed for online commerce and securely enter your PIN. What you have (card) and what you know (PIN) is entered into what the bank owns (the peripheral PED card reader).
Adobe Flash Player Private Browsing May Force Change in Fraud Fight
A report from Gartner highlights how the reliance on Flash cookies as an authentication mechanism by online banks may need to change with the release of Adobe Flash Player 10.1. Flash Player's "Private Browsing" feature will make it easier to clear Flash cookies, and e-commerce businesses will need to adjust, some say.
Banks Should Be Big Drivers of this kind of hardware. First they need to admit that they're in a losing battle with hackers and must stop with the band-aid responses to the real threats they face.
Flash cookies, also known as LSO (local shared objects), are used by many banks and e-commerce sites to identify legitimate users and block unauthorized or fraudulent access. In a report entitled, "Privacy Collides With Fraud Detection and Crumbles Flash Cookies," Gartner analyst Avivah Litan writes that the practice of using HTTP browser cookies for authentication gained steam roughly three years ago due to guidelines imposed by the Federal Financial Institutions Examination Council.
“Most banks responded by implementing stronger authentication that depended in large part on knowing that their online banking customer was logging in from a known PC,” Litan wrote.
“Upon entering a user ID to log into an online banking session, the bank Web server would check for the presence of this cookie…If the bank software could not find the cookie – for example because the user was logging in from a different PC – then the bank software would generally challenge the user with a series of questions that only the legitimate user could presumably answer.”
But a growing desire for privacy led users to delete their browser cookies more often, meaning banks had to find something else to rely on, the report noted. Enter Flash LSOs, which are “basically hidden from casual users who aren’t aware of them and don’t know how to delete them.”
Now that approach could be threatened as well, Litan told eWEEK...
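The known-PC check described in the excerpt above, sketched as an added example (not code from the Gartner report, eWEEK, or any bank). The HMAC-signed cookie format, the key handling and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import string
from typing import Optional

# Constructed key for this example; a real server would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def _tag(user_id: str, device_id: str) -> str:
    """HMAC binding a device identifier to one user ID."""
    msg = f"{user_id}|{device_id}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_device_cookie(user_id: str) -> str:
    """Value stored as a browser cookie or Flash LSO once the user passes the challenge."""
    device_id = secrets.token_hex(16)
    return f"{device_id}.{_tag(user_id, device_id)}"


def is_known_device(user_id: str, cookie: Optional[str]) -> bool:
    """True only if the cookie is present and was issued by this server for this user."""
    if not cookie or cookie.count(".") != 1:
        return False
    device_id, tag = cookie.split(".")
    # Reject anything that is not the 32 hex characters the server issues.
    if len(device_id) != 32 or any(c not in string.hexdigits for c in device_id):
        return False
    return hmac.compare_digest(tag.encode(), _tag(user_id, device_id).encode())


def login_step(user_id: str, cookie: Optional[str]) -> str:
    """Next step after the user ID is entered: normal login or challenge questions."""
    return "PASSWORD_ONLY" if is_known_device(user_id, cookie) else "CHALLENGE_QUESTIONS"


def demo() -> dict:
    """Constructed scenarios: known PC, cleared cookie, another user's cookie, tampering."""
    cookie = issue_device_cookie("alice")
    flipped = cookie[:-1] + ("0" if cookie[-1] != "0" else "1")
    return {
        "known_pc": login_step("alice", cookie),
        "cookie_cleared": login_step("alice", None),
        "other_users_cookie": login_step("bob", cookie),
        "tampered": login_step("alice", flipped),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

Clearing the cookie, or a private-browsing mode that discards it, makes a legitimate customer look the same as a login from a new PC, so every such login falls through to the challenge questions. A valid cookie establishes only that the PC was seen before; it says nothing about malware running in the browser on that PC.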