Skip to content

Staying One Step Ahead of the Cyber Criminals

The latest Symantec report suggests that the number of worldwide malware samples increased by an astonishing 71% in 2009 compared to the previous year. According to the report, this increase stems from the growing popularity of easy to use toolkits that novice cyber criminals are using to turn out their own malware. In our experience, banks and their customers are one of the key targets for this new breed of criminal. While customers need to be more aware of online security risks, banks are also doing their bit to protect their customers. The challenge for banks, however, is to remain one step ahead of the criminals.

The latest technique to be used by fraudsters is to implant a code in the customer’s browser to gain control of their banking session while using the same IP address of the legitimate user. These so-called ‘man-in-the-browser’ attacks are capable of moving funds out of a user’s account without the bank or the customer being aware until transactions have been clocked up on credit cards or the balance on their current account begins to dwindle unexpectedly.

Man-in-the-browser viruses are difficult to detect as often standard security measures do not even reveal the presence of the virus. However, financial institutions can reduce the effectiveness of man-in-the-browser attacks by gaining a better understanding of a customer’s online banking profile and their regular interactions online, so suspicious activity can be recognised more quickly and easily. Banks can also use out-of-band communication, such as a mobile phone, as an additional method of authentication to confirm the transaction details and verify the user. This makes it more difficult for fraudsters to operate, as they have to simultaneously compromise multiple channels.

The findings from Symantec’s latest report, highlight the importance for banks of taking a layered fraud prevention approach - one that analyses the log-in, the transactions, and risky sequences of events – to give banks the best chance of minimising online banking fraud, thwarting attacks and ensuring the industry doesn’t continue to contribute to the rising malware attack figures.

David Divitt

Fraud & Risk Solutions Consultant