Multi-factor authentication, properly implemented, would solve most of online banking's security problems, a Kaspersky Lab researcher has claimed.
In a blog posting on the threatpost website, Roel Schouwenberg, a senior anti-virus researcher in Kaspersky Lab's global research and analysis team, claimed that banking Trojans reached a form of maximum sophistication in 2007. This specific subset of banker Trojans was, and still is, extremely sophisticated, and exploits weaknesses specific to each bank's implementation of two-factor authentication.
He said that many banks do not employ two-factor authentication at all, and that those that do often use a very weak form of it.
He said: “Such protection is no match for most of the banker Trojans/spyware out there. Static responses - passwords, answers - should have been abandoned no later than 2007. What frustrates me most is that there's an ultimate solution that will solve the online banking security problem to the greatest extent.
“In short: online banking requires multi-factor authentication. The authentication code needs to be received or generated on a device, which is not connected to the device that is doing the transaction.
“Ideally, not only the transaction authorisation code is generated dynamically but also the password for logging onto the banking site. One thing to keep in mind here is that the cryptographic response algorithm needs to be different for logging on and approving transactions.”
Building on this, Schouwenberg suggested making the receiving bank account number part of the authentication process, either by sending it along with the SMS code or by using it as an additional challenge when a token is used.
He said: “We need online systems in place that are resilient to such powerful malware. Using any method other than the recipient's bank account number, there's no way even the best security expert in the world can say with full confidence that the transaction displayed on screen is actually going where it's supposed to go.
“So, let's start fixing the online banking problem. I think it's not nearly as hard as people may think it is. The necessary solution is out there and published. All it takes is for a number of clients to start speaking up and demanding better security. Surely one bank will see the competitive advantage of offering better security.
“From there on other banks will follow. Losing significant amounts of money or a little added inconvenience, which can be minimised? I know which one I'd pick.”
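The scheme Schouwenberg describes, as an added worked example that is not his code nor any bank's: a per-customer secret shared between the bank and a separate token, a dynamic logon code and a transaction code computed over the recipient account and amount the token shows the user, with different domain tags for the two so one can never be passed off as the other. The HMAC-SHA256 with HOTP-style truncation, the eight-digit codes, the look-ahead window and the example IBAN strings are assumptions made for this illustration.

```python
"""Out-of-band transaction signing with recipient/amount binding (added example).

Assumes a token (or phone) sharing a per-customer secret with the bank,
HMAC-SHA256 truncated to 8 digits HOTP-style (RFC 4226 dynamic truncation),
and that the user reads recipient and amount off the token's own display.
"""
import hashlib
import hmac
import secrets
import struct


def _truncate(mac: bytes, digits: int = 8) -> str:
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_code(key: bytes, counter: int) -> str:
    """Dynamic logon password. The 'LOGIN' tag keeps it distinct from transaction codes."""
    msg = b"LOGIN|" + struct.pack(">Q", counter)
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


def transaction_code(key: bytes, challenge: str, recipient: str, amount_cents: int) -> str:
    """Authorisation code bound to the recipient account and amount.

    The token computes this over what it displays to the user, so a Trojan that
    rewrites the recipient in the browser yields a code the bank will not accept."""
    msg = (b"TXN|" + challenge.encode() + b"|" + recipient.encode()
           + b"|" + struct.pack(">Q", amount_cents))
    return _truncate(hmac.new(key, msg, hashlib.sha256).digest())


class BankServer:
    LOOKAHEAD = 5  # tolerate a few unused login codes (assumed window)

    def __init__(self, key: bytes):
        self._key = key
        self._login_counter = 0
        self._pending = {}  # challenge -> (recipient, amount) as received from the browser

    def verify_login(self, code: str) -> bool:
        for c in range(self._login_counter, self._login_counter + self.LOOKAHEAD):
            if hmac.compare_digest(login_code(self._key, c), code):
                self._login_counter = c + 1  # never accept the same counter twice
                return True
        return False

    def start_transaction(self, recipient: str, amount_cents: int) -> str:
        """Record what the (possibly Trojan-modified) browser submitted; issue a fresh challenge."""
        challenge = secrets.token_hex(8)
        self._pending[challenge] = (recipient, amount_cents)
        return challenge

    def authorise(self, challenge: str, code: str) -> bool:
        txn = self._pending.pop(challenge, None)  # unknown or already used: reject
        if txn is None:
            return False
        expected = transaction_code(self._key, challenge, *txn)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Constructed scenario: the user wants to pay 100.00 to INTENDED; a browser
    Trojan silently swaps in ATTACKER. Returns which requests the bank accepts."""
    key = secrets.token_bytes(32)
    bank = BankServer(key)
    token_counter = 0  # the token's own HOTP counter
    intended, attacker, amount = "GB29NWBK60161331926819", "DE89370400440532013000", 10000

    ok_login = bank.verify_login(login_code(key, token_counter))

    # Honest path: the browser submits exactly what the user typed.
    ch = bank.start_transaction(intended, amount)
    ok_honest = bank.authorise(ch, transaction_code(key, ch, intended, amount))

    # Trojan path: the browser sends the attacker's account; the token still signs what it shows.
    ch = bank.start_transaction(attacker, amount)
    ok_tampered = bank.authorise(ch, transaction_code(key, ch, intended, amount))

    # Domain separation: a valid login code is useless as a transaction code.
    ch = bank.start_transaction(intended, amount)
    ok_login_as_txn = bank.authorise(ch, login_code(key, token_counter + 1))

    # Replay: the same challenge/code pair cannot authorise a second time.
    ch = bank.start_transaction(intended, amount)
    code = transaction_code(key, ch, intended, amount)
    ok_replay = bank.authorise(ch, code) and bank.authorise(ch, code)

    return {"login": ok_login, "honest": ok_honest, "tampered_recipient": ok_tampered,
            "login_code_as_txn": ok_login_as_txn, "replay": ok_replay}


if __name__ == "__main__":
    print(demo())
```

The point of binding the recipient into the code is visible in the tampered path: the bank stored the attacker's account with the challenge, the token signed the account the user saw, and the two codes disagree. This only helps if the token's display, not the browser, is what the user checks; an SMS that merely carries a bare code gives the user nothing to compare.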
Various responses were posted to the article, mostly agreeing with Schouwenberg's claims. One suggested using PKI, as ‘if banks maintained a key for each account then wire transfers could include a challenge-response portion to ensure that the recipient of the money is who they say they are'.
Another response, from 'Dave', said that two-factor authentication will not solve the problem, but shifting the risk will. He said: “As banks accept risk for individual accounts and risk for business accounts lies with the business, in the US, credit card laws require this for credit card accounts and banks are extending the same ‘protection' to most individual accounts and debit cards. Brokerages are a whole other segment of the financial services industry where no one can easily and accurately predict who is at risk from a breach.”
Commenting, blogger 'the IT security guy' said: “While I think multi-factor authentication would go a long way in preventing attacks against banks, it's still just another technology, and the issue isn't its use, but its implementation. Even the strongest authentication system is still vulnerable to human abuse, misuse and social engineering.
“Such authentication systems should also be combined with other systems, in a multi-layered defence, like fraud monitoring programs. Such programs, like FraudAction from RSA, allow or block transactions based on patterns of usage and behaviour. Multi-factor authentication might not stop a suspicious transaction, such as a lone transaction in Eastern Europe against a bank account in the US owned by someone who has never left the country.
“But fraud monitoring operating behind the scenes and transparent to the user would be a good tool to augment multi-factor authentication. It might not stop bank attacks once and for all, but it would definitely help.”
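The behind-the-scenes fraud monitoring the commenter describes, as an added example rather than RSA FraudAction or any vendor's product: each new transaction is scored against the account's own history (session country, payee, amount, time of day) and held for review above a threshold, even when the authentication code was correct. The signals, weights, threshold and the transaction history are assumptions constructed for this illustration.

```python
"""Behavioural fraud scoring layered behind multi-factor authentication (added example).

Assumes the bank keeps each account's past transactions and scores a new one
against them before it is released. Weights and threshold are assumptions.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class Txn:
    account: str
    payee: str
    amount: float
    country: str  # where the online session originated
    hour: int     # local hour of the login, 0-23


def score_transaction(history: list, txn: Txn) -> tuple:
    """Return (risk score, reasons). Higher means more suspicious."""
    reasons, score = [], 0
    prior = [t for t in history if t.account == txn.account]
    if not prior:
        return 0, ["no history"]  # nothing to compare against; defer to other controls
    if txn.country not in {t.country for t in prior}:
        score += 3
        reasons.append(f"session from {txn.country}, never seen for this account")
    if txn.payee not in {t.payee for t in prior}:
        score += 1
        reasons.append("first payment to this payee")
    typical = median(t.amount for t in prior)
    if txn.amount > 3 * typical:
        score += 2
        reasons.append(f"amount {txn.amount:.2f} is more than 3x the median {typical:.2f}")
    if txn.hour < 6 and all(t.hour >= 6 for t in prior):
        score += 1
        reasons.append("login outside the account's usual hours")
    return score, reasons


BLOCK_AT = 4  # assumed threshold: at or above, hold for review even if the OTP was correct


def decide(history: list, txn: Txn) -> tuple:
    """Return ('allow' | 'block', score, reasons) for a transaction that passed authentication."""
    score, reasons = score_transaction(history, txn)
    return ("block" if score >= BLOCK_AT else "allow"), score, reasons


# Constructed history for a US customer who has never transacted from abroad.
HISTORY = [
    Txn("acct-1", "utility-co", 120.00, "US", 19),
    Txn("acct-1", "landlord", 1400.00, "US", 9),
    Txn("acct-1", "grocer", 85.50, "US", 18),
    Txn("acct-1", "utility-co", 118.00, "US", 20),
    Txn("acct-1", "landlord", 1400.00, "US", 9),
]

if __name__ == "__main__":
    # Usual rent payment: allowed despite being large for this account.
    print(decide(HISTORY, Txn("acct-1", "landlord", 1400.00, "US", 9)))
    # Lone early-morning transfer from Eastern Europe to a new payee: held.
    print(decide(HISTORY, Txn("acct-1", "unknown-mule", 4800.00, "RO", 3)))
```

Note that the rent payment still picks up the amount signal; a score, not a single rule, decides, which is what keeps a baseline-driven monitor transparent to honest customers while the Eastern European transaction in the comment's scenario accumulates enough signals to be held.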
For more information on Trojans, and how not to fall victim to them, listen to the SC webcast with Stephan Freeman, information security manager at the London School of Economics and Martin Lee, senior malware analyst at Symantec Hosted Services.