MiTB brings new threat to online banking
Online banking brings great convenience to customers and tremendous business opportunities for financial institutions. With the growing popularity of online banking, more malware and attacks are also being found targeting financial services companies, observes Rana Gupta, Business Head, India and SAARC, SafeNet.
One dangerous piece of malware that has been active recently is the Man-in-the-browser (MiTB) attack. It launches its attack through the browser when users initiate online transactions. Since MiTB malware gains access to the bank as the user through the browser, traditional security technologies are not able to detect the attack or protect users from it. Nevertheless, Asian banks are adopting new technologies to protect their business and valuable customers.
Online banking is bringing great convenience to customers and tremendous business opportunities for banks. Providing 24×7 banking services means banks are virtually open for business constantly and serving customers around the clock. To bring more customer-centric services, more Asian banks are also extending Internet banking to mobile banking.
I am also a big fan of online banking. Being constantly on the road with a packed schedule and bank accounts in multiple currencies and locations, nothing seems easier than managing my own finances with online banking. Paying credit card bills at the airport terminal or transferring funds in my hotel room in the middle of the night has become a regular practice.
But recently a few incidents led me to reconsider my confidence in and appreciation of online banking. In July, a Zeus banking Trojan attack was reported targeting the credit card systems of 15 US banks. The security company that discovered the attack, Trusteer, noted that the attack was launched through injection of Zeus into the browser in the familiar Verified by Visa and MasterCard SecureCode environment, altering information during the verification process.
In less than a month, another Zeus attack was launched in Eastern Europe to infect 100,000 PCs in the UK. The criminals were harvesting all revenue-producing credentials, such as online account IDs, login information, credit and debit card numbers and account balances.
While all types of malware targeting financial fraud have been on the rise, the most dangerous and sophisticated type of malware for online banking is the Man-in-the-browser (MiTB) attack. Similar to the attacks mentioned, MiTB attacks through the browser of an infected PC, gaining access to users’ credentials and altering transaction details.
How does MiTB attack?
When users initiate an online banking transaction, the MiTB malware can quietly manipulate the request. For example, when a customer is making a fund transfer, MiTB could change the requested instructions, such as the destination account number or the transfer amount. The bank will receive the MiTB instructions as if they came from the customer. Meanwhile, the MiTB will produce bogus transaction confirmation details that match what the customer requested, as if they were sent from the bank. Thus, neither the bank nor the customer is aware of the altered transaction until it is too late.
Since MiTB attackers gain access to banking systems as the users themselves through a browser, traditional security technologies, like multi-factor authentication, are not able to protect users from the attack. The traditional risk-based anti-fraud tools, which require users to answer a set of pre-determined security questions or analyze user behavior and patterns, are also unable to detect it.
The damage from cybercrime attacks is significant and predictable, especially for financial institutions. The loss of reputation and customer churn could also have a devastating impact on revenue. A study early this year provides an alarming figure that quantifies the damage. The report indicated that the US financial services industry collectively suffered losses of US$54 billion in 2009.
In fact, cyber attacks are not limited to the financial sector. Another recent study, conducted by the Ponemon Institute and covering 45 US organizations across different industries, indicated that cybercrime costs each organization US$3.8 million per year on average. The study, released in July, stated that the cost represents the amount spent to cope with attacks, the disruption to business operations, revenue loss and destruction of property and equipment, on top of the annual routine spending on security. While the financial services sector was the primary target, the study noted that other verticals, like government departments and the energy sector, also suffer a higher-than-average cost when dealing with cybercrime.
Taking one step ahead
Though MiTB attacks have not been discovered in Asia, it is only a matter of time before similar attacks arrive in the region. To ensure customer trust and to build the integrity of their online banking services, some Asian financial institutions are already staying ahead of MiTB attacks through different technologies.
The most commonly used technology to protect customers from MiTB is an out-of-band (OOB) transaction verification process. Banks can overcome MiTB by verifying the transaction details through communication channels other than PCs or browsers. SafeNet provides OOB through MobilePASS, which verifies transactions using automated telephone calls or short text messages (SMS). When an online transaction is initiated, the bank can send an SMS containing the password and transaction details to the customer’s mobile. The transaction goes through only after the customer verifies the transaction details by entering a one-time password into the banking portal. Although OOB does not protect customers from downloading MiTB malware, it uses a secure channel of communication to notify the customer and approve the transaction.
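The OOB check described above can be sketched on the bank side as follows. This is an added example, not SafeNet's or MobilePASS's code: the class and function names and the account IDs are hypothetical, SMS delivery is modelled as a returned string, and expiry of pending transfers is left out.

```python
import hmac
import secrets

class OOBVerifier:
    """Bank-side record of transfers waiting for out-of-band approval."""

    def __init__(self):
        self._pending = {}  # txn_id -> (details tuple, one-time password)

    def initiate(self, dest_account, amount_cents):
        """Register the transfer exactly as the bank received it.

        Returns (txn_id, sms_text); the SMS repeats the received details so
        the customer can compare them with what they meant to send.
        """
        txn_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = ((dest_account, amount_cents), otp)
        sms = (f"Transfer {amount_cents / 100:.2f} to account {dest_account}. "
               f"Approve with code {otp}")
        return txn_id, sms

    def confirm(self, txn_id, otp):
        """Release the transfer only for the right one-time password.

        The entry is removed on the first attempt, so a code can be neither
        guessed repeatedly nor replayed. Returns the approved details or None.
        """
        entry = self._pending.pop(txn_id, None)
        if entry is None:
            return None
        details, expected = entry
        return details if hmac.compare_digest(otp, expected) else None


def customer_reads_sms(sms_text, intended_account, intended_cents):
    """Model of the customer's check on the phone: hand over the code only
    if the SMS shows the account and amount they actually intended."""
    wanted = f"Transfer {intended_cents / 100:.2f} to account {intended_account}."
    if not sms_text.startswith(wanted):
        return None  # details differ from what was typed: do not approve
    return sms_text.rsplit(" ", 1)[-1]


def run_transfer(bank, intended, received):
    """intended = what the customer typed; received = what reached the bank."""
    txn_id, sms = bank.initiate(*received)
    otp = customer_reads_sms(sms, *intended)
    return bank.confirm(txn_id, otp) if otp else None
```

The protection depends on the SMS repeating the details the bank received and on the code being valid for that one transfer only; a code sent without the details would give the customer nothing to compare.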
Another way to protect against MiTB is to use certificate-based authentication together with a secure browsing environment. Combining multi-factor authentication with a secured browser within a USB token, this solution offers secure access wherever the customers are. When users conduct an online transaction, they are first required to authenticate their identity using multiple authentication factors; they can then access a secured browser from the token to conduct the transaction.
These are just some of the technologies designed specifically to combat MiTB. With the rapidly growing number and variety of malware, Asian banks need to constantly stay ahead to protect their business and customers. A comprehensive security strategy requires not only investment in technologies but also security policies for response and education to prevent malware infection.