Banking malware families and variants are constantly evolving, bank transaction authentication methods are also evolving. It is a cat and mouse game where the user expects convenience and with an ease of use.
As malware flavors continue to chart new territory from the days of Spyeye, Zeus & Citadel to the likes of Prime,Dridex, Gozi, Tinba, and Shifu—these are stealthy Trojans and that have been associated with fraud across the global banking industry.
When a financial institution deploys a new banking online or mobile service, security is no longer a mere add-on but a core and critical component to the service. The bank must integrate technologies to guard against the new malware types. These malware – Man-in-the-Browser (MITB) Trojans, silently infect the victim end user’s device – laptop, mobile device, tablet and unbeknownst to the victim, secretly plague end users who are trying to complete a simple payment transaction, by manipulating the transaction data in the background and sending the credentials or funds to a mule account.
Previously we have seen such things as large scale deployments of authentication tokens to the customer base to help guard against these rogue transactions. But where the malware is downstream of this authentication we are seeing such methodologies fail. This is something akin to branch bank teller authenticating the customer via passport and signature – only for the transferred money to be stolen out in the bank room of the bank – straight into the getaway car. It is one thing to authenticate the User – we also need to authenticate the transaction.
The way forward…
So to mitigate the risks and threats precipitated by such banking Trojans, banks have adopted a range of transaction authentication methods such as transparent multi-factor, risk-based authentication and transaction integrity through the validation of transaction details paired with cryptographic signatures and more.
With the deployment of mobile apps the bank has the opportunity to integrate or bake such security into the app – so instead of relying on third party tokens or devices, or using the SMS network the security feature is all within the App – when a user makes a payment transaction, a push notification arrives on their mobile phone, and requests the user to validate the payee and payment details. With a simple tap of approve, the transaction is signed cryptographically – here we are also now relying on the security of the actual phone.
As always – the bank must guard the User from malware fraud – whilst providing a convenient and ease of use bank solution, plus meet the emerging trends in technology and service uptake and deployments – authentication via SNAPCHAT?
Whatever the present and future holds for banking security against these malware, we do know that a banks should adopt a layered approach in malware security.