I’ve been working in the authentication and fraud detection space for close to ten years now and I find it both fascinating and scary. And the more knowledgeable I get, or maybe just the more I read about it, the scarier it gets. At our recent sales conference we had a number of speakers who talked about the State of the Union in cyber security and online fraud – among them Avivah Litan from Gartner, and two folks from one of our customers, a major North American bank, which has deployed our fraud detection solution.
In Avivah’s session she walked through some of the ways that fraudsters are hijacking banking sessions today. One in particular stuck in my mind – a piece of malware froze the individual’s browser, and before they noticed it was frozen they had entered 2 or 3 One Time Passwords – each of which was stolen by the Trojan. The fraudster then started doing transactions in that account.
Our customer then stood up and described how Zeus malware on a user’s computer woke up when the user logged in to a particular site, prompted them for information that would otherwise not be required for what they were doing, and then used that information to perform a much different transaction.
For someone like me, not down in the weeds of fraud detection, this was pretty heady stuff. These are things I could easily see myself doing. I’m a marketing person and probably typical of many online banking customers. I know enough not to respond to emails that solicit my login information – but I’m not likely to notice if my banking site suddenly prompts me for a little more information when I sign on; particularly if I generally use that information for some other type of transaction. And I get super frustrated when my computer doesn’t do what I want it to – but before I shut the thing down in frustration and reboot I generally try doing the same thing 2 or 3 times.
But I just do my household banking online – I’m not a corporate banking user. And for now they’re the ones being hit the hardest. But even as a consumer I get distinctly uncomfortable when I hear that things could “wake up” on my computer and start doing something I’m not aware of. Now, my bank’s idea of stronger security is to prompt me with an additional security question after I enter my user name and password... you know, “what colour is the brick on your house” or “what’s your favorite topping on a Dairy Queen sundae”... that sort of thing. But in today’s world this sort of incremental security is laughable – even to marketing people like me. I would expect my bank to have a little more respect for me. Today’s threats, like Man-in-the-Browser, occur after the user authenticates; so stronger authentication on its own is not enough.
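To make the last point concrete, here is an added illustration (not code from this post or from our product) of why a login-time One Time Password does nothing for the transaction that follows, and what a layered control looks like: a code bound to the payee and amount the user actually approved. The key, payee names and amounts are constructed for the demo.

```python
import hmac
import hashlib

# Constructed demo key standing in for the secret shared between the bank and
# the user's OTP device. Real deployments provision a per-user key on a token
# or phone app; this one is a placeholder, not a real secret.
DEVICE_KEY = b"constructed-demo-key-not-a-real-secret"


def login_otp(key: bytes, counter: int) -> str:
    """Event-based login OTP: depends only on the shared key and a counter.
    It says nothing about what the session does afterwards, so anything that
    captures it (a Trojan behind a 'frozen' page) can relay and reuse it."""
    mac = hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:12]  # a real device would show a short digit form


def transaction_code(key: bytes, payee: str, amount_cents: int) -> str:
    """Transaction-bound code: the MAC covers the payee and amount shown on the
    user's own device, so a transfer altered in the browser yields a mismatch."""
    msg = f"{payee}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:12]


def verify_login_otp(key: bytes, counter: int, submitted: str) -> bool:
    return hmac.compare_digest(login_otp(key, counter), submitted)


def verify_transaction(key: bytes, payee: str, amount_cents: int, submitted: str) -> bool:
    return hmac.compare_digest(transaction_code(key, payee, amount_cents), submitted)


def scenario_login_otp_only() -> bool:
    """The case from the conference: the user types an OTP into a frozen page,
    the malware relays it, and the bank's check passes because the OTP is not
    tied to any particular transaction. Returns whether the bank accepts it."""
    stolen = login_otp(DEVICE_KEY, counter=42)
    return verify_login_otp(DEVICE_KEY, 42, stolen)


def scenario_transaction_bound() -> tuple:
    """Same user, but the approval code is computed over the transfer the user
    sees on their device. Returns (genuine_accepted, tampered_accepted)."""
    user_code = transaction_code(DEVICE_KEY, "Electric Co", 12_000)
    genuine_ok = verify_transaction(DEVICE_KEY, "Electric Co", 12_000, user_code)
    # The Man-in-the-Browser swaps payee and amount; the user's code no longer matches.
    tampered_ok = verify_transaction(DEVICE_KEY, "Mule Account", 950_000, user_code)
    return genuine_ok, tampered_ok
```

The second scenario is one "layer" a bank can add on top of login authentication; it catches the altered transfer even though the session itself is authenticated.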
I applaud those banks that are taking that extra step to layer solutions on to their current fraud detection measures to deal with the latest threats; but I fear there aren’t enough of them.