Friday, February 26, 2010

Defeating Online Bank Fraud Once and For All

Is it possible to really defeat online banking fraud once and for all? Roel Schouwenberg thinks so in an interesting guest editorial on Kaspersky's Threat Post. Schouwenberg says the solution is already out there, and it's pretty simple: multi-factor authentication.

In an outstanding and detailed analysis of bank attacks that he did back in 2008, he noted that what he calls Man-in-the-Endpoint Banker Trojans, or Browser Trojans, have not improved much since 2007. The reason: they haven't had to.

Basically, what many banks are using for two-factor authentication -- secret questions next to passwords -- is neither true two-factor authentication nor secure. The Trojans of the past three years were just as adept at breaking such systems yesterday as they are today.

Many banks, particularly in the US, believe asking customers to use tokens, for example, would be a nuisance that would drive away business.

While I think multi-factor authentication would go a long way in preventing attacks against banks, it's still just another technology, and the issue isn't its use, but its implementation. Even the strongest authentication system is still vulnerable to human abuse, misuse, and social engineering.

Such authentication systems should also be combined with other systems, in a multi-layered defense, like fraud monitoring programs. Such programs, like FraudAction from RSA, allow or block transactions based on patterns of usage and behavior. Multi-factor authentication might not stop a suspicious transaction, such as a lone transaction in Eastern Europe against a bank account in the US owned by someone who has never left the country.

But fraud monitoring operating behind the scenes and transparent to the user would be a good tool to augment multi-factor authentication. It might not stop bank attacks once and for all, but it would definitely help.
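To make the layering concrete, here is an added sketch (not from the original post, and not how FraudAction or any other product works) of a behavioral check that runs after authentication and can still hold a transaction that passed MFA. The account names, country codes, thresholds and scoring weights are all assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample history: (account, country, amount_usd). Not real data.
HISTORY = [
    ("acct-1", "US", 120.0), ("acct-1", "US", 80.0), ("acct-1", "US", 95.0),
    ("acct-1", "US", 150.0), ("acct-1", "US", 60.0),
    ("acct-2", "US", 500.0), ("acct-2", "DE", 450.0), ("acct-2", "US", 520.0),
]

def build_profiles(history):
    """Summarise each account's past behaviour: countries seen and amounts."""
    profiles = defaultdict(lambda: {"countries": set(), "amounts": []})
    for account, country, amount in history:
        profiles[account]["countries"].add(country)
        profiles[account]["amounts"].append(amount)
    return profiles

def score(profile, country, amount):
    """Return (risk_points, reasons) for one transaction against a profile."""
    if not profile["amounts"]:
        # Nothing to compare against: send to manual review (assumed policy).
        return 2, ["no history for account"]
    points, reasons = 0, []
    if country not in profile["countries"]:
        points += 2
        reasons.append(f"first transaction from {country}")
    mu, sigma = mean(profile["amounts"]), pstdev(profile["amounts"])
    # Flag amounts more than 3 standard deviations above the account's mean;
    # the floor of 1.0 covers accounts whose past amounts are all identical.
    if amount > mu + 3 * max(sigma, 1.0):
        points += 2
        reasons.append(f"amount {amount:.2f} far above mean {mu:.2f}")
    return points, reasons

def decide(profiles, account, country, amount, mfa_passed):
    """Combine the MFA result with the behavioural score (assumed cut-offs)."""
    if not mfa_passed:
        return "block", ["MFA failed"]
    points, reasons = score(profiles[account], country, amount)
    if points >= 4:
        return "block", reasons
    if points >= 2:
        return "review", reasons
    return "allow", reasons
```

With this history, a 2500.00 transfer from "RO" on acct-1 is blocked even though MFA succeeded, while the same account's usual US activity is allowed without any extra prompt to the user.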

Wednesday, February 10, 2010

Dueling Botnets Fight Turf War in Cyberspace

A new Russian botnet is on the loose, spreading a Trojan horse that not only steals data -- like any good Trojan -- but then deletes a rival Trojan from infected machines.

That's really sweet, but I wouldn't exactly call it the Good Samaritan Trojan either. The new Spy Eye toolkit, discovered by Ben Greenbaum, a senior security researcher at Symantec, began showing up on cybercrime sites in December.

Spy Eye is battling Zeus, a similar crimeware Trojan that steals online banking credentials, according to Symantec. Spy Eye has a feature, "kill Zeus," which is meant to disarm its close rival.

This sort of cyberspace equivalent of gangs slugging it out for territory isn't new, according to The Register, which has reported Trojan battles among Srizbi, Beagle, Netsky and Mydoom dating back to 2007.