During the past 12 months, many community banks have expanded their online banking services, such as personal financial management tools, and introduced mobile banking. This is an exciting development, but one that raises the fraud threat level as well.
“I expect that smaller banks will be targeted,” said Sean Sullivan, a security advisor with F-Secure, which provides security and backup services to consumers and corporate clients. “For many reasons, consumers have been turning to community banks and credit unions, and criminals see this as a new opportunity. If I want to target The Bank of Smallville, I only need to visit Facebook in order to try and guess whom to target. Smaller banks that have not yet been targeted should not take that for granted in the future.”
So what is a bank to do when it comes to security? “I think banks generally do very well with their online and mobile offerings,” said Sullivan. “But they need to do more to provide practical tips to customers. The security advice offered by banks today is very general and bland to the point that people don’t act on it.” Providing customers with a security checklist for potential threats to online banking transactions should be a top priority. The checklist should not only include guidelines for changing passwords and security questions, but also descriptions of online/mobile security threats with tips on identifying and avoiding these threats.
One of the most effective schemes used by fraudsters, for example, is the man-in-the-middle banking trojan. The trojan, running on the customer’s infected computer, waits until the customer initiates his or her banking session, then manipulates that session. Typically, the customer sees a “please wait” message while the attackers redirect the transaction to an account they control.
Sullivan emphasizes that man-in-the-middle attacks are difficult to combat because many people still run Windows XP, the world’s most popular operating system, on their personal computers. “Many Windows XP computers are poorly maintained and not up-to-date,” said Sullivan. “Windows XP isn’t necessarily weak if properly configured, but it certainly has the greatest attack surface by default among operating systems still in use. It is also highly pirated and, therefore, often not properly secured. Folks with pirated copies of Windows still need to bank, however, and so they end up being at risk.”
Man-in-the-middle attacks depend on infected PCs to manipulate the Web browser banking session. Smartphones and tablets offer more security, as long as the consumer uses double password protection (one password for the phone, another for mobile banking access) and verifies that the mobile banking app is secure. No banking trojans currently target iPad or Android-based tablets, according to Sullivan, who points out that Web browser-based banking on a tablet is the least likely to be compromised or infected.
Yet more Americans, today and predictably for the next few years, will still conduct some or all their banking via personal computers rather than via a mobile device. A research study released last month by Chase Card Services, in fact, found that 49 percent of respondents will conduct online banking this year, while estimates place the number of Americans doing mobile banking at less than 20 percent.
Sullivan makes a good point that despite a bank’s internal level of security, a consumer might still be at risk. For this reason, banks need to educate their customers on specific steps customers should take to guard against potential attacks, such as man-in-the-middle trojans.
Michael Scheibach is executive editor of BankNews.
Copyright (c) February 2012 by BankNews Media