Until recently, "phishing" attacks simply used stolen access credentials (i.e. passwords, PINs, etc.) to fraudulently remove money from customers' accounts. Banks strengthened their access security to defend against this type of attack.
Criminals have now developed this attack by tampering with the customer's connection to the bank. There is no need to "phish" for the bank account details, as they can steal the customer's money while he is legitimately connected to the bank. The customer will never know the attack has occurred until their money has been removed.
These new types of attack are known as "Man in the Middle" and "Man in the Browser". They are highly sophisticated frauds and can be used to systematically attack thousands of customers. Kits to perform these types of attack are being manufactured by the criminal community.
With a "Man in the Middle" attack the criminal creates a copy of a bank's web site which he then tricks the customer into visiting. The criminal passes all information through to the bank's real web site, so the customer is unaware of the attack, but the criminal has the opportunity to modify the conversation and remove funds from the customer's account. If the customer is vigilant he might spot the fake address of the attacking site, but this type of fraud has already proved dangerously effective.
"Man in the Browser" is even more destructive than "Man in the Middle". In this case the criminal downloads a Trojan into the customer's browser. A Trojan is a sophisticated piece of software that can control the customer's PC, including the browser. This attack works in the same way as "Man in the Middle", with the Trojan modifying the customer's conversation with their bank during a legitimate session. Neither the customer nor the bank will be aware of this type of attack.
A recent "Man in the Browser" Trojan was programmed to attack over 400 banks and, once in the customer's computer, could even be automatically updated by the criminal to add new banks' details. This Trojan was designed to be downloaded into hundreds of thousands of PCs and attack every customer's bank account.
Sophisticated systematic attacks like these are far more threatening to the security of web banking services than simple "phishing". Banks are now developing new defences against this type of attack.
The only way to completely defend against "Man in the Middle" and "Man in the Browser" attacks is to authenticate every important instruction the customer sends to the bank. The security effectively moves down from protecting the "front door" at login to protecting each individual instruction. The problem has always been finding an effective means of doing this without making the system unusable for the customer. Fiddly hand-held authenticators, already introduced by some banks, are not the right solution.
Cronto has developed a unique solution based on its innovative visual cryptogram, which secures transactions without requiring codes to be entered into fiddly authenticators. The customer, for example, can use the camera in his mobile phone to authenticate important instructions to his bank.
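To make the principle concrete, here is an added Python sketch (not Cronto's scheme or code) of what authenticating each instruction on an independent device achieves: the phone displays and signs the details the bank actually received, so an instruction altered in the browser is exposed to the customer, and a code replayed from an earlier instruction fails the nonce binding. The shared key, the field names and the 8-character response code are constructed assumptions for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key shared between the bank and the customer's phone (hypothetical).
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def canonical(fields: dict) -> bytes:
    """Serialise in a fixed field order so bank and device hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def bank_issue_challenge(received_tx: dict) -> dict:
    """The bank binds a fresh nonce to the instruction it actually received
    (which, under Man in the Browser, may already have been tampered with)."""
    return {"nonce": secrets.token_hex(8), **received_tx}


def device_respond(challenge: dict, device_key: bytes):
    """The out-of-band device shows the details it is about to sign and
    returns (displayed_details, response_code)."""
    shown = {k: v for k, v in challenge.items() if k != "nonce"}
    code = hmac.new(device_key, canonical(challenge), hashlib.sha256).hexdigest()[:8]
    return shown, code


def bank_verify(challenge: dict, code: str, device_key: bytes) -> bool:
    """Accept only a code computed over this exact challenge (details + nonce)."""
    expected = hmac.new(device_key, canonical(challenge), hashlib.sha256).hexdigest()[:8]
    return hmac.compare_digest(expected, code)


def run_session(intended_tx: dict, submitted_tx: dict, device_key: bytes = DEVICE_KEY) -> str:
    """intended_tx is what the customer typed; submitted_tx is what the bank
    received after the browser or connection possibly altered it."""
    challenge = bank_issue_challenge(submitted_tx)
    shown, code = device_respond(challenge, device_key)
    if shown != intended_tx:  # customer compares the phone display with their intent
        return "rejected_by_customer"
    if not bank_verify(challenge, code, device_key):
        return "rejected_by_bank"
    return "approved"


if __name__ == "__main__":
    intended = {"payee": "GB00 CONSTRUCTED 0001", "amount": "50.00"}  # constructed
    tampered = {"payee": "GB00 CONSTRUCTED 9999", "amount": "4500.00"}  # constructed
    print(run_session(intended, intended))  # approved
    print(run_session(intended, tampered))  # rejected_by_customer
```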
What is clear is that the criminal world has turned its attention to web banking, and banks cannot delay any longer the introduction of transaction authentication of individual instructions.
Cronto's guide "Beyond Phishing – De-mystifying the growing threat of Internet banking fraud" can be downloaded free of charge from the Cronto website.