Published in PC Pro magazine, September 2010
Wednesday, September 01, 2010
Much has changed in the two years since PC Pro last covered online banking security in depth. Not least the number of people using internet banking which, according to the UK Payments Administration (formerly known as APACS), hit more than 22 million in 2009. Those numbers make the banks an attractive target for cybercriminals. The UK Cards Association says online banking fraud was up by 14% last year, to a total loss of £59 million.
Steve Brunswick, strategy manager at Thales, which secures around 70% of all payment transactions worldwide, points to the growing popularity of internet banking as a cause, but admits the rise in fraud “may also be a result of the lack of new payment security deployments in recent years”.
Indeed, there haven’t been any major improvements to frontline bank security since our last feature in 2008, when card readers such as Barclays’ PINsentry device were beginning to emerge. Even now, few banks bother with this second authentication factor. As you’ll see from the feature table on p102, most banks stick with old-school PINs and passwords.
Why are so many banks shunning the more secure card readers? After all, as Trend Micro’s senior security advisor, Rik Ferguson, told us: “No current malware is capable of overcoming transaction verification technology, such as Barclays PINsentry. Any stolen account details from a customer of a bank using such a system would be worthless to criminals, as they couldn’t initiate any new transactions without the reader.”
A convenient excuse?
Industry experts claim the banks’ antipathy towards card readers isn’t necessarily about saving money.
“Rather than being a cost saving issue,” Brunswick explained, “it’s more about the balance between security and ease of use.” Many customers find card readers inconvenient, and in a hugely competitive market the last thing banks want to do is alienate customers. That is why even those banks that have rolled them out only use them for higher-risk services such as transaction verification.
In fact, the banks that are sticking with passwords are taking a carefully calculated risk. “I can’t imagine that any bank that has done due diligence would conclude that simple username and password combos were the most secure option”, said Ferguson.
The trouble is, as Ben Smyth from the School of Computer Science at the University of Birmingham reveals in his newly published paper Forgotten your responsibilities? (How password recovery threatens banking security), downloadable from www.pcpro.co.uk/links/193smyth, it’s relatively easy for the bad guys to use socially engineered information to reset standard logins using the banks’ automated “have you forgotten your password” process.
Even one-time transaction authentication numbers (TANs) can be compromised, according to Ferguson, who told PC Pro that they “don’t have a logical relationship to the transaction in question and as such can’t act as an effective digital signature, as they can’t certify the integrity of the information being transmitted”.
Consequently, an increasing number of banks are rolling out free anti-malware tools such as Trusteer Rapport. Barclays recently started offering copies of Kaspersky security software free of charge, complete with a virtual keyboard for login that disables the ability to take a screen grab, thereby thwarting keyloggers. Other simple improvements applied by some banks include suspending the current browser session if the customer browses to another website, automatic time-outs and even a summary of account activity when the customer logs out.
Behind the scenes
But it’s behind the scenes where “invisible security” has really been ramped up. David Divitt, a fraud consultant for ACI Worldwide, which counts eight of the world’s top 20 banks among its customers, points to IP (Internet Protocol) profiling. This gives banks the ability to monitor logins and transactions against the customer’s usual geographic location and so detect suspicious behaviour patterns.
“Banks establish an expected footprint for their customers and consequently, identify which internet banking logins and transactions to treat as potentially suspicious,” Divitt explained. “In the ever changing fight against online banking fraud, knowing your customer may be even more important than knowing the enemy”.
Banks are also seeking additional authentication through “out of band” channels, such as the customer’s mobile phone. When a customer wants to make a transaction, the bank can send a text to their phone and require them to text back a one-time code shown on the PC before the payment can be authorised. As far as the banks are concerned, this is a cost-effective method of providing additional two-factor transaction verification, without the need for dedicated hardware.
“Using the mobile platform, authentication devices can be provisioned to millions of users at zero cost to the customer or the bank,” explained VeriSign security expert Christian Brindley. “This, combined with a cloud based back end service, drives costs down dramatically and acts as an enabler for mass credential provisioning.”
Certainly, the provision of an additional security channel away from the PC is one way of avoiding the current weapon of choice for serious gangs of online bank robbers: the man-in-the-browser attack. This is the biggest advance the criminals have made since our last feature, with ready-made kits enabling the more technically adept gangs to commit sophisticated bank account fraud relatively easily and cheaply. Nick Billington, managing director of BitDefender UK, warns that these attacks via trojanised browsers are almost “impossible to spot”, as they tamper with data after the user has logged in and pressed the “submit” button. “Additionally, the server response is altered right after the browser displays it to the user,” Billington explained, “so a terribly suspicious transaction would look completely normal to both the user and the banking system”.
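The contrast Ferguson draws between a plain TAN and true transaction verification, and the tampering Billington describes, can be shown in a few lines. The following is an added illustration, not code from the article or any bank: it compares a code that depends only on a counter (a plain TAN) with one bound to the payee and amount the customer confirmed on a separate device, and checks what happens when the submitted payment is altered after the customer pressed “submit”. The shared key, account numbers and amounts are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret shared between the bank and the customer's
# out-of-band device (card reader or phone app). Not a real key.
DEVICE_KEY = b"demo-shared-secret-not-real"


def _eight_digits(digest: bytes) -> str:
    """Truncate a MAC to an 8-digit code a customer can read and type."""
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def plain_tan(key: bytes, counter: int) -> str:
    """Transaction-independent TAN: depends only on a counter, so it says
    nothing about *which* payment it authorises."""
    return _eight_digits(hmac.new(key, str(counter).encode(), hashlib.sha256).digest())


def transaction_code(key: bytes, payee: str, amount_pence: int, counter: int) -> str:
    """Transaction-bound code: the MAC covers payee, amount and counter, so any
    later change to payee or amount produces a code the bank will not accept."""
    msg = f"{payee}|{amount_pence}|{counter}".encode()
    return _eight_digits(hmac.new(key, msg, hashlib.sha256).digest())


def bank_accepts(key: bytes, submitted: dict, code: str, counter: int, bound: bool) -> bool:
    """The bank recomputes the expected code from the payment it actually received."""
    if bound:
        expected = transaction_code(key, submitted["payee"], submitted["amount_pence"], counter)
    else:
        expected = plain_tan(key, counter)
    return hmac.compare_digest(expected, code)


def simulate(bound: bool) -> dict:
    """Customer authorises the payment shown on screen; a man-in-the-browser
    rewrites it before it reaches the bank. Returns what the bank accepts."""
    counter = 42
    intended = {"payee": "GB00DEMO0000000001", "amount_pence": 5_000}      # constructed
    # What the customer sees and confirms on the out-of-band device.
    if bound:
        code = transaction_code(DEVICE_KEY, intended["payee"], intended["amount_pence"], counter)
    else:
        code = plain_tan(DEVICE_KEY, counter)
    # Constructed tampering: payee and amount swapped after "submit".
    tampered = {"payee": "GB00DEMO0000000099", "amount_pence": 250_000}
    return {
        "intended": bank_accepts(DEVICE_KEY, intended, code, counter, bound),
        "tampered": bank_accepts(DEVICE_KEY, tampered, code, counter, bound),
    }
```

With the plain TAN the tampered payment is accepted just as readily as the intended one; with the transaction-bound code the altered payee and amount fail verification at the bank.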
Mickey Boodaei, CEO of Trusteer, whose Rapport anti malware browser software has been adopted by retail banks such as HSBC and The Royal Bank of Scotland, admits “there are no silver bullets or magic solutions” but insists “having to bypass multiple layers of protection, some visible and some not, makes it really hard for criminals to succeed in committing fraud”.
And that’s where we are today, with the banks starting to take transaction verification via out-of-band channels seriously, and implementing fraud analysis systems behind the scenes. If you want the most secure online banking experience, we suggest you ask serious questions of your bank if it still uses the old-fashioned PIN and password approach to keeping your cash safe.