Over the last few months, there’s been quite a lot of news chatter around Banker Trojans emptying out online bank accounts of small businesses in the U.S. Today, I was reading one of such stories on Brian Krebs’ site. After reading that story I came across another news item that described booting from an alternative media to experience safe internet banking.
That got me thinking again about an article I wrote quite some time ago. More specifically, I had to think of the portions on Man-in-the-Endpoint (or Browser as some prefer to call it) attacks. My opinion has not changed since then – MitE Banker Trojans already reached some sort of ‘maximum sophistication’ point back in 2007. This specific subset of Banker Trojans was — and still is — extremely sophisticated and will exploit per-bank specific vulnerabilities in the implementation of two-factor authentication.
So where are all these very sophisticated Banker Trojans? Well, they’re very limited in number. Why? Because sophisticated malware is not needed to successfully attack the majority of banks. A lot of banks still don’t employ two-factor authentication for making transactions. Or, when they do, it’s a very weak form of two-factor authentication. Having some secret questions next to a password is not real two-factor authentication. Such protection is no match for most of the Banker Trojans/Spyware out there. Static responses – passwords, answers – should have been abandoned no later than 2007.
What frustrates me most is that there’s an ultimate solution that will solve the online banking security problem to the greatest extent.
In short: Online banking requires multi-factor authentication. The authentication code needs to be received or generated on a device which is not connected to the device that’s doing the transaction.
Ideally, not only the transaction authorization code is generated dynamically but also the password for logging onto the banking site. One thing to keep in mind here is that the cryptographic response algorithm needs to be different for logging on and approving transactions.
We should also realize that Trojans can (potentially) manipulate everything on your screen and in your traffic. The solution to this huge problem is actually quite simple. Make the receiving bank account number a part of the authentication process. Either send along the number with the SMS or use it as an (additional) challenge when using a token. The user knows where the money is supposed to go.
Some people argue that using the recipient’s bank account number as a challenge, or any other code that will uniquely identify the recipient, doesn’t solve the problem as people may not pay attention. Well, when dealing with money, people should be paying attention. It’s a silly excuse and does not take away that this is the only real solution to this problem.
Those banks that opted not to adopt my suggestions listed inconvenience as the main reason. This certainly seemed a much bigger thing with banks in America rather than Europe. For reasons unknown, American banks seem much more hesitant to potentially inconvenience their clients than those in Europe. Yet the clients I speak to in Europe are thrilled with the added security.
What we also need to keep in mind is that since 2006/2007, a lot has changed. The average sophistication of malware has gone up. Form grabbers, for example, are pretty much standard. In fact, we live in a day and age where Microsoft decided to pull a patch because of problems which turned out to be caused by the extremely advanced TDSS rootkit.
What does this mean? This means that we need online systems in place that are resilient to such powerful malware. Using any other method other than using the recipient’s bank account number there’s no way even the best security expert in the world can say with full confidence that the transaction displayed on screen is actually going where it’s supposed to go.
The state of online banking in some ways resembles that of the internet. For many banks, online banking was not directly designed with proper safety in mind. Convenience is the major driver. The internet was built on very much the same principles. I’d argue that solving the online banking problem is an indefinitely easier task than fixing the fundamental weaknesses in the internet infrastructure.
So, let’s start fixing the online banking problem. I think it’s not nearly as hard as people may think it is. The necessary solution is out there and published. All it takes is for a number of clients to start speaking up and demand better security. Surely one bank will see the competitive advantage of offering better security. From there on other banks will follow. Losing significant amounts of money or a little added inconvenience which can be minimized? I know which one I’d pick.
* Roel Schouwenberg is a senior anti-virus researcher in Kaspersky Lab’s Global Research & Analysis Team.