The thought of a bank that does not have an online presence that allows its customers to manage their accounts, carry out transactions and similar over the Internet is unthinkable.
Online banking is becoming increasingly popular, but unfortunately this popularity is drawing the attention of cyber crooks who are continually inventing new ways of accessing victims' financial information.
Vladimir Zapolansky, deputy director of Kaspersky Lab's Global Research and Analysis Team, and head of Technology Positioning, said that according to the company's research, 59% of people worry that they could fall victim to online financial fraud, and 45% believe that in that eventuality, they will be reimbursed by their bank.
He cited several scenarios in which cyber criminals are exploiting online banking to commit cyber crime. For example, a user enters his details on an online banking page, and finds shortly after, that money is missing from his account, and moreover, that it was stolen using his legitimate credentials.
This could happen through malware built into the user's browser that makes the PC display fake data entry fields. The legitimate credentials are gathered and sent to cyber criminals who then use the credentials to steal from the user's account. Zapolansky said this type of feature is built into the infamous Zeus Trojan that has been used to steal millions from people around the world.
He said a solution to this sort of problem would be a server-based security solution that works on the bank's IT infrastructure, as it analyses transaction and flags any that are anomalous or suspicious, and also protects users from several sorts of attacks should they not have dedicated software installed.
Another example, said Zapolansky, are the online protection measures employed by many financial institutions, such as two-factor authentication, which confirms a transaction via a one-time password, text message or token. "ChipTAN technology, for example, is considered to be effective against attacks. The user receives a device that generates a one-time password by reading an image on the banks Web site."
Unfortunately, he said, even this measure is not enough, and can be bypassed. The customer receives a notification that purports to have been sent by his bank saying that money has erroneously transferred to his account and needs to be given back. Upon checking his account, the users would see that money has in fact been put in his account, and transfers back to the sender, using his ChipTAN device.
However, in reality there was no transfer and the user ends up transferring money out of his account to a cyber crook. The page was not real, and was created by a banking Trojan that infected his machine, such as the notorious SpyEye Trojan.
"The answer in this case is a dedicated security solution that protects online payments, by switching the user's browser to safe mode when conducting online transactions and blocking any third-party activity on the Website. It should also protect against keyloggers."
The final example he cited was the use of mobile devices being used for online payments. This could include a user, having conducted an online transaction from his mobile device, discovering that money has been transferred from his account to an offshore account. Vulnerabilities in mobile platforms are rife, added Zapolansky, particularly for the Android platform, which accounts for about 98% of malware written for the mobile platform.
"To avoid this, users should have a good mobile security solution installed on their mobile devices, that for example, randomly changes the layout of symbols in the virtual keyboard each time, rendering the interception of screen touches useless."
Share