How to counter online banking browser attacks

The weakest link in your computer's security isn't hardware or software - it's you. With the rise in popularity of social networks like Facebook, cybercriminals are increasingly employing social engineering techniques to trick users into installing malicious programs that can steal ID information, bank details and other valuable data from their computers.

The recent ZeuS banking Trojan, which stole an estimated £6 million from bank accounts world wide in the last three months, is an example of exactly the kind of threat that's spread by duping users into downloading and installing unsafe software, with more than 1.5 million malicious 'phishing' messages sent out to Facebook users.

ZeuS, and other Trojan programs like it, are known as 'Man-in-the-browser' (MITB) attacks, and work by infecting the user's own browser software, either to carry out tasks behind the scenes of which the user is unaware, or running key-logger scripts that can be used to capture banking and other login information useful to criminals.

MITB attacks can secretly log into a user's banking site and transfer money - all without the user knowing, and without the bank being able to tell if the transaction was carried out by the real users, or by a malicious bot.

Often the Trojans used to launch these MITB attacks are difficult to detect, as they are often customised to appeal to users in a particular country, or customers of a specific bank - so are not readily identified by antivirus software designed to look for generic virus types.

Security experts SafeNet argue that because traditional authentication and anti-fraud techniques can't tell who's behind a particular transaction. The answer is to use authentication systems that operate over more than one platform, such as requiring a pass key that is sent by SMS.

Another alternative is to use a secure browser that's securely stored on a removable device such as a USB key.

To learn about these and other security solutions for financial services, download the white paper from our sister site ITWhitePapers.co.uk here.