Online Banks Need Stronger Security, Analyst Says

Security measures such as the use of one-time passwords and phone-based user authentication -- considered among the most robust forms of IT defenses -- are no longer enough to protect online banking systems against fraud, a Gartner Inc. report warns.

Cybercriminals are using increasingly sophisticated tactics to outmaneuver security systems so they can steal cu

stomers' log-in credentials and pillage their bank accounts, according to Gartner analyst Avivah Litan, who wrote the report.

Trojan horse programs lurking inside a customer's Web browser can steal one-time passwords and immediately transfer funds, or intercept a transaction between a bank and a customer and make changes unbeknownst to the user or the bank, Litan said.

In cases where a bank uses a phone-based, "out of band" authentication system, criminals use call forwarding so that the fraudster, not the legitimate customer, gets the call from the financial institution, Litan said.

Banks need to quickly implement additional layers of security, she advised.

Because any authentication method that relies on a browser can be attacked and defeated, banks should start using server-based fraud detection to monitor transactions for suspicious patterns, Litan said. The goal is to monitor log-in, navigation and transaction activity to spot any abnormalities that suggest an automated program is accessing an application, she said.

For example, a European bank using that kind of monitoring technology discovered that a Trojan completes transactions much faster than a human would; a Trojan can take as little as one second to enter a money transfer amount and press OK, whereas a human would take 20 to 30 seconds.

Litan recommended that fraud monitoring tools be used to check for significant differences between online banking transaction patterns and a customer's usual behavior.

The FBI's Internet Crime Complaint Center reports that each week, the FBI sees several new cases opened involving complaints of cyberfraud.

This version of this story originally appeared in Computerworld's print edition. It's a shorter version of an article that first ran on Computerworld.com.

Subscribe to the Security Watch Newsletter

Comments