2010 Online Banking Security Survey:
ZeuS-Like Malware Rapidly Outpaces All Other Online Banking Threats
PhoneFactor recently surveyed financial services professionals regarding the threats facing online banking today, what banks are doing to protect their customers and perceptions about the role security plays in customer loyalty. The survey, which was conducted in November 2010, included responses from more than 70 financial institutions. The results point to a rapid shift in the prevalence of real-time attacks from online banking trojans, such as ZeuS, which are now more common than password phishing attacks, but a lack of understanding about what to do to protect against these threats.
Survey Demographics
Institutions of all sizes, including more than 20% from banks with $25B+ in assets, participated. More than 60% of respondents were in management roles, including more than 20% who were senior managers (C-Level/VPs). A wide array of disciplines were also represented, including IT, Risk Management, Operations, and Product/Business Unit Managers.
ZeuS-Like Attacks Present the Greatest Threat to Online Banking Today
Real-time attacks from online banking trojans (ZeuS, Clampi, etc.), also referred to as Man-In-The-Middle or man-in-the-browser attacks because the malware operates inside the victim’s own browser session, are seen as the greatest threat to online banking today by more than half (51%) of survey respondents. Password phishing and pharming were a distant second, with 24% of respondents believing password attacks to be the greatest threat to online banking.
The frequency of real-time attacks from online banking trojans (ZeuS, Clampi, etc) has increased significantly over the last 12 months; 69% indicated an increase in these attacks during that period. While online banking trojans have outpaced password phishing/pharming attacks as the “greatest threat today”, password attacks continue to rage on. Fifty-five percent (55%) of respondents indicated an increased frequency of password attacks over the last 12 months.
ZeuS-style online banking trojans have also edged out password phishing and pharming as the most prevalent threat. Thirty-seven percent (37%) of respondents reported that online banking trojans are the most prevalent type of attack at their bank. Password phishing and pharming were close behind, with 35% indicating that this was the most prevalent threat. Given the growth trajectory of online banking trojans, the gap between these two attack vectors will likely widen in the coming year.
Online ACH and wire transfers were seen as being most vulnerable to attack with nearly one in three respondents rating these types of transactions as either “extremely” or “very” vulnerable to attack. Access to view account information was also seen as highly vulnerable.
What Measures Are Banks Taking To Address ZeuS?
Security questions and one-time-passcode methods (such as security tokens) are the most commonly deployed security measures today. Ninety percent (90%) are using security questions, and more than 60% of respondents are currently using some type of one-time-passcode (OTP) method to help prevent online banking fraud.
Banks plan to invest in a variety of security measures over the next twelve months. Phone-based authentication tops the list of planned enhancements. Twenty-three percent (23%) plan to implement out-of-band phone calls and 22% plan to implement SMS authentication.
However, there is still widespread misunderstanding about whether current security measures, such as one-time-passcodes, protect against today’s top threats. Only 37% of respondents recognize that one-time-passcodes do not protect against ZeuS: the trojan operates inside the victim’s already-authenticated browser session, so a valid passcode typed by the user is simply relayed to the bank along with whatever transaction the malware has substituted.
Of those who recognize the weakness of these methods, 79% are either using today or plan to use next generation methods, such as out-of-band phone calls, transaction verification, and biometrics to protect against ZeuS.
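The point made in the preceding two paragraphs is that a one-time passcode proves someone holding the token is at the keyboard; it is not bound to the transaction the bank actually receives, which is exactly what a man-in-the-browser trojan rewrites. The following is an added illustration written for this page, not PhoneFactor’s code: the Transfer, Bank and User classes, the web-inject function and the mule account name are assumptions made for the example, and the HOTP routine follows RFC 4226 (seeded with the RFC’s published test-vector secret). It runs the same transfer three ways: OTP on an infected PC, out-of-band transaction verification on an infected PC, and out-of-band verification on a clean PC.

```python
"""Why an OTP typed into the browser does not stop a man-in-the-browser trojan,
while out-of-band transaction verification does. Simplified model; the account
names, classes and inject function are assumptions for this example."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Transfer:
    from_acct: str
    to_acct: str
    amount_cents: int


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = ((mac[off] & 0x7F) << 24 | mac[off + 1] << 16
            | mac[off + 2] << 8 | mac[off + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def man_in_the_browser(t: Transfer) -> Transfer:
    """ZeuS-style web inject (assumed behaviour): rewrite payee and amount after
    the user clicks Submit. The user's screen still shows what they typed."""
    return replace(t, to_acct="MULE-ACCT-0001", amount_cents=t.amount_cents * 10)


class User:
    def __init__(self, token_secret: bytes, intended: Transfer):
        self.token_secret = token_secret   # seed inside the hardware token
        self.token_counter = 0
        self.intended = intended           # what the user actually meant to send

    def read_token(self) -> str:
        code = hotp(self.token_secret, self.token_counter)
        self.token_counter += 1
        return code

    def confirm_on_phone(self, shown: Transfer) -> bool:
        """Out-of-band step: the phone reads back the bank's view of the
        transfer; the user approves only if it matches their intent."""
        return shown == self.intended


class Bank:
    def __init__(self, token_secret: bytes):
        self.token_secret = token_secret
        self.expected_counter = 0
        self.ledger = []

    def submit_with_otp(self, t: Transfer, otp: str) -> bool:
        """The OTP proves a token holder is present. It is not bound to t, so a
        rewritten t is accepted as readily as the original."""
        if not hmac.compare_digest(otp, hotp(self.token_secret, self.expected_counter)):
            return False
        self.expected_counter += 1
        self.ledger.append(t)
        return True

    def submit_with_oob(self, t: Transfer, user: User) -> bool:
        """Transaction verification: the bank sends the transfer *as received*
        to the registered phone and books it only on approval."""
        if not user.confirm_on_phone(t):
            return False
        self.ledger.append(t)
        return True


SEED = b"12345678901234567890"                          # RFC 4226 test-vector secret
INTENDED = Transfer("CHK-1001", "PAYEE-2002", 10_000)   # $100.00 to the real payee


def run_otp_scenario(infected: bool = True) -> Optional[Transfer]:
    """What the bank booked when the user relied on an OTP alone."""
    user, bank = User(SEED, INTENDED), Bank(SEED)
    submitted = man_in_the_browser(INTENDED) if infected else INTENDED
    ok = bank.submit_with_otp(submitted, user.read_token())
    return bank.ledger[-1] if ok else None


def run_oob_scenario(infected: bool = True) -> Optional[Transfer]:
    """What the bank booked with out-of-band transaction verification."""
    user, bank = User(SEED, INTENDED), Bank(SEED)
    submitted = man_in_the_browser(INTENDED) if infected else INTENDED
    ok = bank.submit_with_oob(submitted, user)
    return bank.ledger[-1] if ok else None


if __name__ == "__main__":
    print("OTP, infected PC :", run_otp_scenario())        # mule transfer booked
    print("OOB, infected PC :", run_oob_scenario())        # None: user declines
    print("OOB, clean PC    :", run_oob_scenario(False))   # intended transfer booked
```

The OTP path accepts the rewritten transfer because the passcode is valid for the counter and nothing ties it to the payee or amount. The out-of-band path succeeds only when the transaction the bank read back over the phone matches what the user intended, which is the property the survey’s "transaction verification" respondents are relying on; an SMS or call that merely says "approve your login?" without the transaction details would not provide it.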
Security Increasingly Seen As A Competitive Differentiator
Investments in online banking security products and services are being driven most by concerns about the potential impact on the institution’s reputation. Eighty-five percent (85%) indicated this was “extremely” or “very” impactful. Fraud losses and regulatory requirements were tied at 76%. Customer demand for better security, while not topping the list, was a material consideration for most, with 53% indicating it was “extremely” or “very” impactful.
Eighty-six percent (86%) of respondents believe their customers are at least moderately concerned about online banking fraud, and 64% believe that the level of concern among customers has increased over the last 12 months.
The relatively new concept of security as a competitive differentiator is really taking root. Nearly 3 out of 4 (72%) believe that security could be leveraged as a benefit to build customer loyalty and/or acquire new customers.
Summary
Password phishing attacks have plagued online banking for nearly a decade, but have been outpaced in the last year by a surge in real-time attacks from the likes of ZeuS, Clampi, and SpyEye, among countless other malware variants. Banks are implementing a number of measures to strengthen the security of their online banking platforms, which is unquestionably good. Unfortunately, they don’t all understand the vulnerability of methods like one-time-passcodes, which these attacks easily circumvent. As banks become more educated, they are expected to move even more quickly toward methods like out-of-band authentication and transaction verification to protect against these threats.
About PhoneFactor
PhoneFactor defeats online banking trojans like ZeuS by verifying account logins and transactions through an out-of-band channel – the telephone network. PhoneFactor works by placing an automated voice call or sending a text message to the user’s registered phone number to authenticate account logins, ACH transactions, wire transfers, bill payments, and account changes. The account holder simply answers a call or responds to the SMS text message from PhoneFactor to authenticate. Because the authentication is confirmed through the telephone network, it protects against attacks initiated by malware running on the user’s computer as well as less sophisticated password phishing and pharming schemes. Real-time fraud notifications and voice biometric options are also available.
The PhoneFactor service was recognized in 2011, 2010, and 2008 as an SC Magazine Awards Finalist for Best Multi- and Second-Factor Solution and as a 2010 Network Products Guide Product Innovation Award winner. The company was also recognized in two 2009 Gartner reports, Cool Vendors in Identity & Access Management and Cool Vendors in Healthcare Providers, and was named to the Bank Technology News FutureNow list of the top 10 technology innovators securing the banking industry today.
PhoneFactor is trusted by thousands of leading organizations to secure millions of logins and online transactions each year.
“Security comes first for us at VirtualBank and we are constantly working to make it better. We feel equally as strong about our client’s on-line experience and the impact that all the security protections have on them. PhoneFactor enables us to both meet today’s security needs while offering a superior user experience.”
- VirtualBank, Money Magazine’s Best Online Bank
“Given today’s threat landscape, we believe getting the right protections in place for our customers today, rather than six months from now, is critical. PhoneFactor’s transaction verification system offers strong out-of-band security, is easy for our customers to use, and provides the tools we needed to expedite deployment.”
- Stillwater National Bank and Trust, A Leading Regional Bank
For more information, contact PhoneFactor at 877.No.Token (877.668.6536) or visit our website at www.phonefactor.com.