The BBC recently highlighted so-called man-in-the-browser (MitB) attacks that enable cyber criminals to get around the latest generation of calculator-style two-factor online banking security devices, but this form of attack is really nothing new.
Criminal hackers have been wreaking havoc with the ZeuS Trojan for around ten years, attacking everything from bank accounts to government networks, according to security firm ActivIdentity.
Because the malware lives in the web browser and can get between the user and the website, it is able to alter what is seen and change details of what is being entered without the user or standard anti-malware products detecting that anything is wrong.
Security experts have recognised for some time that traditional online defences “fall short” because MitB attacks are constantly evolving. In effect, an MitB attack can succeed irrespective of the authentication method in place, because the malware controls the application used to transact online (the browser) rather than attacking the authentication method itself.
What is new, however, the security firm says, is the sheer magnitude and ingenuity of MitB attacks threatening online banking, having advanced from occasional exploits to a global multi-million-dollar cyber-crime industry.
The problem is that standard web browsers are not architected to keep pace with the continuous stream of new malware, and firewall and antivirus products are inadequate to protect against the massive number of attacks on the end-user PC.
“To counter online bank fraud, the focus needs to be in preventing the scalability of malware attacks,” says Christy Serrato, solutions marketing, financial services at ActivIdentity.
Banks acknowledge that online banking can be an efficient customer channel, yet it comes with a security price because customers do not always follow prescribed security procedures and most will not accept higher security at the cost of poor usability, she says.
“Thus, banks need to provide an effective, layered protection that can be active without requiring any user participation and/or special procedures,” says Serrato.
The key, she says, is real-time device profiling and mobile location services together with versatile strong authentication and out-of-band verification to improve security in a way that is transparent to online banking customers.
“Combined with an endpoint security layer of a hardened application, such as a secure browser, that can communicate with the authentication device’s firmware and connect only to bank web sites on its ‘white list’, criminal hackers can be forced to work even harder for any successful attack,” she says.
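The out-of-band verification Serrato describes, shown as an added example (not code from the article or from ActivIdentity): a hypothetical bank back end binds a confirmation code to the payee and amount it actually received and pushes both to the customer's phone, so a detail altered inside the browser is visible on the second channel before the customer releases the code. The names BankServer, run_flow and the message wording are assumptions made for this demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Added example, not from the article: out-of-band transaction verification.
# The browser channel is treated as untrusted; the phone channel is separate.
@dataclass(frozen=True)
class Transaction:
    payee: str
    amount_cents: int

def canonical(tx: Transaction, nonce: bytes) -> bytes:
    """Unambiguous encoding of the fields the code is bound to (length-prefixed payee)."""
    payee = tx.payee.encode("utf-8")
    return nonce + len(payee).to_bytes(2, "big") + payee + tx.amount_cents.to_bytes(8, "big")

def confirmation_code(server_key: bytes, tx: Transaction, nonce: bytes) -> str:
    """8-digit code derived from the transaction the server actually received."""
    mac = hmac.new(server_key, canonical(tx, nonce), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

def oob_text(tx: Transaction, code: str) -> str:
    return f"Confirm payment of {tx.amount_cents / 100:.2f} to {tx.payee}. Code: {code}"

class BankServer:
    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.pending = {}  # nonce -> Transaction as submitted by the browser

    def receive(self, tx: Transaction):
        """Record the transaction as submitted and build the message sent to the phone."""
        nonce = secrets.token_bytes(8)
        self.pending[nonce] = tx
        return nonce, oob_text(tx, confirmation_code(self.key, tx, nonce))

    def finalise(self, nonce: bytes, code_from_browser: str) -> bool:
        """Execute only if the code typed back matches the stored server-side transaction."""
        tx = self.pending.pop(nonce, None)
        if tx is None:
            return False
        return hmac.compare_digest(confirmation_code(self.key, tx, nonce), code_from_browser)

def customer_approves(intended: Transaction, oob_message: str):
    """On the phone: release the code only if the displayed details match what the customer meant."""
    prefix = oob_text(intended, "")
    return oob_message[len(prefix):] if oob_message.startswith(prefix) else None

def run_flow(intended: Transaction, as_submitted: Transaction) -> bool:
    # as_submitted is what the server sees; it differs from intended if the browser altered it
    bank = BankServer()
    nonce, message = bank.receive(as_submitted)
    code = customer_approves(intended, message)
    return code is not None and bank.finalise(nonce, code)
```

A browser-side change to the payee or amount surfaces in the phone message, so the customer declines and no valid code is ever produced for the altered transaction.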