How do you know whether you are being compromised when accessing your bank online? Are you confident that the content you are seeing and interacting with is genuine and secure? Until now, it has been difficult to tell. Advances in security techniques have been largely successful in protecting the server side from cyber thieves, so attackers are increasingly targeting end users on the client side of applications.
Such methods, Man-in-the-Browser (MITB) attacks for example, are sadly very much underestimated by e-banking organizations. This lack of awareness leads to unsafe web platforms and exploited customers: bad news on both fronts.
What happens in a typical MITB attack? The user is usually completely unaware that their device has been infected with a trojan, typically delivered by a phishing campaign or some other form of social engineering. The trojan sits silently in the background, waiting for the user to visit a target website. Only then does the malware go about its business: injecting content into the page the browser renders and altering the data the user submits, with the ultimate aim of plundering sensitive information or money.
Users remain ignorant of the attack, and the bank remains oblivious, because the user appears to be behaving normally and nothing raised a red flag at the login stage.
Clearly, attacks like these set out to commit financial fraud, whether by stealing credentials or data such as a user’s credit card details, or by diverting payments. Crucially, this still works when additional authentication factors are in play: the malware operates inside the browser, within a session the legitimate user has already authenticated, so every factor has been satisfied by the time the tampering happens. Banks must not underestimate the reputational damage that such incursions can inflict. Trust is a very important factor in the financial services sector, and people need to be confident that they can access e-banking services via safe and secure technology platforms.
Ironically, even though banking trojans have been around for a decade or so, most banks still lack tools that would give them real insight into the frequency and scale of such intrusions. Such tools would at least allow them to act during an incident and limit costly damage.
According to research carried out by IBM, last year trojans accounted for nearly half of all global financial cybercrime. Historically, banking Trojans have been responsible for attacks that have netted cyber-criminals many millions and infected up to 11 million PCs.
As they have matured, trojans have become more evasive and are increasingly able to bypass anti-virus defenses. This is bad news for the growing number of people who manage their financial affairs through online banking. If we consider how much online banking fraud is costing UK consumers, we can begin to understand how important appropriate client-side protection is to financial services organizations that wish to retain their customers.
Taking all of this into account, what are banks doing to protect the browser side of their e-banking services? How can banks protect users who are accessing their online banking sites using their computers?
Fraud monitoring can offer some help. If a bank screens transactions, it might detect that something is awry. However, if the attacker simply waits for the user to initiate a transfer and then changes only the destination account number, the amount, the timing and the payer all look legitimate, so transaction screening will not trigger.
Similarly, bot detection and behavior-based detection yield nothing, because a real person is driving the navigation; everything about the session looks normal. What about device fingerprinting or geo-location? Unfortunately, these cannot be considered viable defenses either, because under such attacks the user is on their own device, in their usual location, using their own credentials.
What about a totally different approach? You could monitor the application in real time, inside the browser, for modifications to the DOM, to native browser APIs, and to events. Legitimate pages mutate the DOM constantly, and any change could in principle be malicious, so a whitelisting approach (an allow-list of the changes the application itself is expected to make) is needed, combined with machine learning to keep false positives under control. Such a system can send real-time notifications to the application backend, carrying enough metadata about the change to drive automated responses.
Real-time application monitoring of this kind provides a solid defense. It detects the changes produced by MITB malware, as well as other injection and tampering attacks: MITM injection, malicious browser extensions, and malicious or compromised third-party modules.
It does not matter how these attacks are implemented, because the approach works by detecting changes made to the web page without the user’s knowledge, rather than by recognizing a particular piece of malware. That also means it can catch zero-day threats, meaning previously unseen trojans or web-inject kits, as long as they modify the page. It allows financial institutions to react in real time through policies that act on the alert metadata: stepping up authentication, holding the transaction, or terminating the session.
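As an added example (not code from the original article), the following sketches the three monitoring points just described: DOM mutations classified against an allow-list, a check that native browser APIs have not been hooked, and an event-based record of what the user actually typed that is compared with what is about to be submitted, which catches the "only the destination account is swapped" case from the fraud-monitoring discussion. The policy names, host names, field IDs, and mutation records are constructed for illustration and mirror the fields a real MutationRecord exposes, so the logic runs under Node without a DOM; `install()` shows the browser wiring but is not executed here.

```javascript
"use strict";

// Policy for a hypothetical e-banking transfer page (names are illustrative).
const POLICY = {
  allowedScriptHosts: new Set(["bank.example", "cdn.bank.example"]),
  protectedFields: new Set(["beneficiary-iban", "amount"]),
};

function hostOf(url) {
  try { return new URL(url).hostname; } catch (e) { return null; }
}

// 1. DOM: classify MutationObserver records against the allow-list.
//    Records are plain objects with the same fields a real MutationRecord
//    exposes (type, target, addedNodes), so a real observer can feed this too.
function classifyMutations(records, policy = POLICY) {
  const alerts = [];
  for (const rec of records) {
    if (rec.type !== "childList") continue;
    for (const node of rec.addedNodes) {
      if (node.tagName === "SCRIPT") {
        const host = node.src ? hostOf(node.src) : null;
        // Inline scripts and scripts from hosts outside the allow-list are flagged.
        if (!host || !policy.allowedScriptHosts.has(host)) {
          alerts.push({ kind: "script-injected", src: node.src || "(inline)", parent: rec.target.id });
        }
      } else if (node.tagName === "IFRAME" || node.tagName === "FORM") {
        // Typical web-inject: an overlay asking for extra "verification" data.
        alerts.push({ kind: "overlay-injected", tag: node.tagName, parent: rec.target.id });
      }
    }
  }
  return alerts;
}

// 2. Events: remember what the user really typed (trusted input events) and
//    compare it with what is about to be submitted. A script setting
//    input.value fires no DOM mutation and no trusted event, so this is how
//    a silently rewritten destination account is caught.
class FieldLedger {
  constructor(protectedFields = POLICY.protectedFields) {
    this.protectedFields = protectedFields;
    this.typed = new Map();
  }
  onInput(fieldId, value, isTrusted) {
    if (isTrusted && this.protectedFields.has(fieldId)) this.typed.set(fieldId, value);
  }
  verifySubmission(fields) {
    const alerts = [];
    for (const [id, submitted] of Object.entries(fields)) {
      if (!this.protectedFields.has(id)) continue;
      const typed = this.typed.get(id);
      if (typed !== undefined && typed !== submitted) {
        alerts.push({ kind: "field-rewritten", field: id, typed, submitted });
      }
    }
    return alerts;
  }
}

// 3. Native APIs: a hooked built-in no longer stringifies to "[native code]".
//    Caveat: malware that also hooks Function.prototype.toString, or wraps the
//    original with bind(), defeats this check; treat it as one signal of several.
const nativeToString = Function.prototype.toString;
function isNativeFunction(fn) {
  return /\{\s*\[native code\]\s*\}\s*$/.test(nativeToString.call(fn));
}

// Browser wiring (not executed under Node): feeds real records and events in
// and reports alerts to the backend via the caller-supplied report() function.
function install(doc, form, ledger, report) {
  if (typeof MutationObserver === "undefined") return null;
  const mo = new MutationObserver((recs) => {
    const a = classifyMutations(recs);
    if (a.length) report(a);
  });
  mo.observe(doc.documentElement, { childList: true, subtree: true });
  form.addEventListener("input", (e) => ledger.onInput(e.target.id, e.target.value, e.isTrusted));
  form.addEventListener("submit", (e) => {
    const fields = {};
    for (const el of form.elements) if (el.id) fields[el.id] = el.value;
    const a = ledger.verifySubmission(fields);
    if (a.length) { e.preventDefault(); report(a); }
  });
  return mo;
}

// Constructed sample data: one allowed CDN script, one script from an unknown
// host, one injected iframe, and an IBAN the user typed that a script rewrote.
const SAMPLE_RECORDS = [
  { type: "childList", target: { id: "head" }, addedNodes: [{ tagName: "SCRIPT", src: "https://cdn.bank.example/app.js" }] },
  { type: "childList", target: { id: "transfer" }, addedNodes: [{ tagName: "SCRIPT", src: "https://203.0.113.7/inj.js" }] },
  { type: "childList", target: { id: "transfer" }, addedNodes: [{ tagName: "IFRAME", src: "about:blank" }] },
];

function runSample() {
  const ledger = new FieldLedger();
  ledger.onInput("beneficiary-iban", "DE89370400440532013000", true);   // user typed this
  ledger.onInput("beneficiary-iban", "DE75512108001245126199", false);  // scripted, ignored
  const domAlerts = classifyMutations(SAMPLE_RECORDS);
  const submitAlerts = ledger.verifySubmission({ "beneficiary-iban": "DE75512108001245126199", amount: "100" });
  return { domAlerts, submitAlerts, jsonParseNative: isNativeFunction(JSON.parse) };
}
```

Running `runSample()` yields two DOM alerts (the unknown-host script and the iframe, while the CDN script passes the allow-list), one field-rewritten alert for the IBAN, and confirms that `JSON.parse` is still native. In production the allow-list would be generated from the application's own build output rather than hand-written, and the alerts would be sent to the backend with session metadata so that policy (step-up authentication, holding the transfer) can act on them.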
These days there should be no excuse for not getting security right across every access point, the browser included. Financial losses stemming from attacks can be severe, and the damage to reputation and brand could prove to be even greater.