Wanted - An Electronic Achilles
ICSTIS, the body that regulates premium rate phone numbers in the UK, recently received about 50,000 complaints from PC users who claimed that secret Trojan software had changed their internet dial-up settings to connect automatically to premium rate phone numbers.
ICSTIS concedes this was only the tip of an iceberg. Anyone who fell victim to that infestation and who banks online could also be vulnerable to Trojans that take control of their machines to conduct rogue banking transactions.
"Our view is that Trojans are potentially a much more insidious and damaging threat than phishing," says Sandra Quinn, spokeswoman of the Association for Payment Clearing Services, which leads the industry fight against online fraud.
"Absolutely," agrees George Thompson, director of security services at business service providers KPMG. "They could be worse than phishing simply because users are not aware that these things are on their machines."
What lurks within?
But while most commentators still talk of Trojans and spyware as a potential threat, there is evidence of damage. A survey published last year by Earthlink and Webroot concluded that about 90% of PCs host spyware, with on average 26 pieces of spyware installed on each computer. In many cases the aim is some form of identity theft, for example by capturing personal information through logging keystrokes used during online banking.
Spyware authors collate information collected from 'client' machines and sell it on to organised crime gangs who then use it to make fraudulent transactions.
In recent months audit firm Ernst & Young has tackled "half a dozen" assignments to advise financial institutions how to respond to these attacks. "The buyer can validate the information, see what works and then collect several (sets of account details and passwords) to make a co-ordinated attack," explains Antony Smyth, a partner in information services advice and assurance at E&Y. "Suddenly it can turn into a nasty problem."
And there are signs that the fraudsters are busy. Thompson says "I know of one bank that suspects most of its losses [from online fraud] come from details obtained from Trojans rather than phishing."
"Spyware is a large threat to the industry," agrees Phil Robinson, managing consultant of the penetration testing team at Information Risk Management. "It's an escalation of phishing attacks, rather than a different type of attack. But it is difficult to quantify the level of losses. I would certainly say some of the banks have suffered unauthorised access, but you can't easily determine what success Trojans have had."
There are now signs that the retail banks are tackling the threat with urgency. Mark Hemingway, spokesman for HBOS, confirms that his bank has written to all its online customers warning of the risks from Trojans and spyware. "Yes, it's a weak link," he says. "Fraudsters will always target the weakest links. Banks and building societies are very secure, but customers who may not have the most up-to-date anti-virus software pose our greatest challenge."
In an effort to improve security, HBOS has arranged a discount on Trend Micro's anti-virus software for its online banking customers.
But there is little agreement about how effective anti-virus software is against spyware in particular. This is because a user may inadvertently download it when closing a pop-up, obtaining freeware, opening an email attachment, through instant messaging, or visiting a website that spoofs that of a legitimate company.
HBOS and APACS say that strong firewalls as well as anti-virus protection may be needed against spyware. And APACS accepts that some firewall settings that protect against spyware can cause problems for home users just to access the Net.
"Most home computers don't have the software to safeguard them [against spyware], even if they have anti-virus software installed," says Peter Yapp, deputy director for IT security at the Control Risks Group. "They will need specialist software, but for most individuals this is just another piece of software they are told they need."
Austin Dunn, a senior manager at business service provider Deloitte & Touche, agrees. "Although regular anti-virus updates are important, they do not necessarily alert or protect users against spyware. This may allow third parties to capture their personal details surreptitiously," he says.
"Although some ISPs now offer home users spyware detection in addition to anti-virus and personal firewall software, users remain vulnerable as they are often naive about the risks of not taking precautions against malware or of the symptoms associated with infection. Furthermore, the risks associated with malware infection are compounded with the increasing uptake of 'always on' broadband connections."
Dunn wrote Countering financial crime risks in information security, which was commissioned by the Financial Services Authority and published by the FSA last November. In it he argued that one of the biggest threats to banks was from organised criminals who infiltrated "agents" to steal from within or to compromise security. This view, which the banks dispute, may yet be vindicated once details emerge from the £22m pre-Christmas heist of Belfast's Northern Bank.
Ian Grigg, director of e-payments advisers Systemics, only partially accepts this assessment. "Insider fraud is still by far the biggest concern of the City banks," he says. "Whether IT security is included in that bailiwick is open to question; no virus has brought down a bank, whereas insider frauds have."
Grigg adds "I would challenge (the FSA) to elucidate and present its evidence (of organised crime placing agents inside banks). In contrast to that, there is evidence that identity theft crimes are becoming organised. And there is some evidence, although not conclusive, that traditional organised crime players are involved.
"There is also substantial evidence that much identity theft comes from insider breaches, whereby insiders are 'turned' and sell (individuals' personal details). In this sense, the FSA could be pointing in the right direction, as there is definitely a high risk wherever identity is stored in mass databases."
Grigg argues that as UK lenders rely more heavily on customers' electronic identities to transact business, and the government offers more services based on digital proofs of identity, then their vulnerability to identity fraud must rise. "The scope for security defences is limited, as the identity thief only needs to succeed once to steal an entire database," he says. "It's an asymmetric power struggle which the banks won't be well placed to win."
And, says Control Risks' Yapp, the move to chip and PIN could actually make that situation worse. "The pressure to learn PIN numbers means that people will use one PIN number for all their cards, online access and even their burglar alarm," says Yapp. "When someone guesses one of these they've unlocked the whole lot." Deloitte's Dunn also warns about the impact of chip and PIN: success in countering credit card fraud is likely to push fraudsters to concentrate on online fraud.
Many observers believe that if banks are to protect online transactions the only solution is to improve the payment authentication process. Yapp says banks will simply have to be more imaginative than to ask for a user's mother's maiden name.
In what looks like a mighty shove towards digitally-stored biometric data, Yapp says the banks' challenge is to validate transactions using information that both parties have easy access to without anyone having to write it down somewhere, and preferably not information that a third party could guess or obtain by research.
Phil Robinson, from Information Risk Management, believes that banks must first concentrate on consumer education. "I haven't seen (them publish) a huge amount about Trojans and spyware, the nature of risk posed by some of the websites you may visit and what others can do to your computer," he says. "Banks should also be advising customers to increase browser security and perhaps use a different browser because a lot of these things target Internet Explorer. I haven't seen any banks do this."
Ernst & Young's Smyth suggests banks should focus on two-factor authentication. This might include a transaction being confirmed through text messaging to a mobile, or through a smart card reader attached to a PC. In some countries, online banking can be done using only PCs that store an agreed identification code.
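The detail that decides whether the text-message confirmation Smyth describes actually defeats a Trojan is what the code is bound to. A code that merely proves the phone is present can be typed in by a customer whose browser has silently swapped the payee; a code that is computed over the payee and amount, and whose SMS repeats those details, gives the customer an out-of-band view the Trojan cannot edit. The following Python is an added illustration written for this page, not the scheme of any bank or vendor named above; the bank, the customer key, the payee names and the six-digit HMAC truncation are all constructed assumptions, and the scenario models a Trojan that rewrites the payee in the browser before the request reaches the bank.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Constructed example: the long-term secret shared between the bank and the
# customer's registered device (in practice held in an HSM on the bank side
# and on the smart card or SIM on the customer side). Hypothetical value.
CUSTOMER_KEY = hashlib.sha256(b"demo customer key - not a real secret").digest()


def transaction_code(key: bytes, payee: str, amount_pence: int, nonce: str) -> str:
    """Six-digit confirmation code bound to payee, amount and a per-request nonce.

    A code issued for one (payee, amount) pair is useless for any other, so a
    Trojan cannot reuse a code the customer typed for a different transfer.
    """
    msg = f"{payee}|{amount_pence}|{nonce}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Bank side of the confirmation step (constructed).

    bound=True  : the SMS carries the payee and amount, and the code covers them.
    bound=False : the weak variant; the code covers only the nonce, so the SMS
                  can say nothing about what is being authorised.
    """

    def __init__(self, key: bytes, bound: bool):
        self.key = key
        self.bound = bound
        self.pending = {}   # nonce -> (payee, amount_pence) as received from the PC
        self.executed: List[Tuple[str, int]] = []

    def _code(self, payee: str, amount_pence: int, nonce: str) -> str:
        if self.bound:
            return transaction_code(self.key, payee, amount_pence, nonce)
        return transaction_code(self.key, "", 0, nonce)   # phone-presence only

    def request_transfer(self, payee: str, amount_pence: int) -> Tuple[str, str]:
        """Record the transfer exactly as the (possibly Trojaned) PC sent it and
        return the nonce plus the SMS that goes to the customer's phone."""
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (payee, amount_pence)
        code = self._code(payee, amount_pence, nonce)
        if self.bound:
            sms = f"Pay {amount_pence / 100:.2f} to {payee}? Code {code}"
        else:
            sms = f"Your one-time code is {code}"
        return nonce, sms

    def confirm(self, nonce: str, code: str) -> bool:
        payee, amount_pence = self.pending.pop(nonce)
        expected = self._code(payee, amount_pence, nonce)
        if not hmac.compare_digest(expected, code):
            return False
        self.executed.append((payee, amount_pence))
        return True


def customer_approves(sms: str, intended_payee: str, intended_pence: int) -> Optional[str]:
    """The customer reads the SMS on the phone, which the PC Trojan cannot alter.

    They type the code back only if the message matches the transfer they meant
    to make. If the message shows no details at all (the unbound scheme) there
    is nothing to check, so they type it in regardless.
    """
    code = sms.rsplit(" ", 1)[-1]
    if intended_payee in sms and f"{intended_pence / 100:.2f}" in sms:
        return code
    if " to " not in sms:        # no transaction details present to compare
        return code
    return None                  # details shown do not match: refuse


def run_scenario(bound: bool, hijack: bool) -> List[Tuple[str, int]]:
    """Return the transfers the bank executed. With hijack=True the Trojan in
    the browser rewrites the payee before the request leaves the PC."""
    bank = Bank(CUSTOMER_KEY, bound)
    intended_payee, intended_pence = "Alice Smith", 5000      # constructed
    sent_payee = "Money Mule Ltd" if hijack else intended_payee
    nonce, sms = bank.request_transfer(sent_payee, intended_pence)
    code = customer_approves(sms, intended_payee, intended_pence)
    if code is not None:
        bank.confirm(nonce, code)
    return bank.executed


if __name__ == "__main__":
    print("bound, hijacked  :", run_scenario(bound=True, hijack=True))    # []
    print("unbound, hijacked:", run_scenario(bound=False, hijack=True))   # mule paid
    print("bound, honest    :", run_scenario(bound=True, hijack=False))   # Alice paid
```

The point the simulation makes is that the second factor on its own changes nothing: in the unbound run the phone is present, the code is valid and the mule still gets paid. What stops the hijacked transfer is that the bound SMS shows the payee the bank actually received, so the Trojan's substitution becomes visible on a device it does not control. The same reasoning applies to the smart card reader variant, which should display (or sign over) the payee and amount rather than merely prove the card is inserted.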
Who benefits, really?
Such moves are unpopular with the banks because of the cost; at present this outstrips losses from online fraud. But, says Smyth, the main deterrent is probably bankers' worry that stricter controls could discourage customers from banking via the internet. They want to encourage this trend because the costs are negligible compared to teller-mediated transactions.
But customers' awareness of the rising threat could also stem the tide. The banks must hope not too many consumers share the views of Peter Yapp, who argues that we should restrict electronic banking to private networks. "The internet is not secure enough for online banking," he says.
This article has been provided exclusively to Bankinfosecurity.com by Infosecurity Today Magazine. To sign up to receive Infosecurity Today free of charge, visit www.subscription.co.uk/cc/ist_d.