No security software, no E-banking fraud claims for you




Rational, but unrealistic in today's threatscape. According to the Times:

"Customers using their credit or debit cards online have been advised that high street banks are likely to become increasingly reluctant to help victims of internet fraud as new rules added to the Banking Code signal less willingness to cover losses. The updated code, which covers the banks' treatment of customers, came into effect last month and states that victims of online fraud must have up-to-date antivirus and antispyware software installed, plus a personal firewall, to claim redress from their banks. If you fail to have the correct protection in place, the banks are increasingly likely to refuse any claim for a refund."

E-banking users are advised to have a firewall, antivirus software and protection from spam and phishing emails, to visit their software vendors' sites and look for updates, and to check for security certificates on the E-banking pages. There's also a realistic case study describing the real-life situation: having a perimeter defense in place only decreases the risk, it doesn't eliminate it entirely the way it's marketed:

"Andrew Omoshebi, a design engineer from North London, had £1,500 of fraudulent transactions on his credit card recently. The 43-year-old, left, uses his credit card only for online purchases and has all the necessary antivirus, antispyware and firewall protection installed on his computer. Even so, he was alarmed to discover three consecutive transactions on his statement that were not his."

Surprisingly, Apacs, the UK payments authority, isn't saying anything about blocking vulnerable browsers from taking part in any form of transaction, perhaps among the most strategic moves courtesy of PayPal, compared to PayPal's Security Key, which is marketable but totally bypassed in real-life situations. Why does having antivirus software and a firewall mean nothing from a malicious attacker's perspective?

  • Cross-site scripting vulnerabilities within banking sites are nothing new; in fact, in the past there were initiatives tracking down such vulnerabilities and how long it took the bank to fix them. Barclays is an example, with XSS vulnerabilities unfixed for over a year despite notification. Why aren't they taking XSS seriously in the first place? Because the people responsible for their anti-fraud activities aren't aware of the potential to abuse the vulnerabilities and use the bank's site as a redirector to malicious software, or to a phishing page with a decent SSL certificate in place. Phishers are indeed using XSS vulnerabilities to scam a bank's customers, thanks to the bank's vulnerable web applications; here's the most recent incident
  • A lot of spam and phishing emails make it through antispam and antiphishing filters. What a lot of customers aren't being educated about is that spam and phishing emails can sometimes become a blended threat and include drive-by downloads that automatically install on a vulnerable machine upon visiting the pages. From a psychological perspective, a lot of users are naturally interested in calculating the ROI of their antispam/antiphishing product, and therefore may visit scam pages just to see whether or not their solution will pick them up, a practice which leaves a lot of opportunities for the bad guys to take advantage of
  • In 2007 and early 2008, client-side vulnerabilities continued to dominate as the infection vector of choice, not only because of their integration within popular web malware exploitation kits, but because diversifying the set of exploits used increases the chances of a successful penetration from a malicious attacker's perspective. Whereas the article suggests that users update their Microsoft software, it ignores the fact that the software used on an average PC is far more diverse than IE and Microsoft Office alone; consequently, the rest of the software would remain unpatched
  • Keylogging for E-banking data is so dead that I cannot believe customers are still being educated about the trojan horse that would record their random number, valid for a single session only. In reality, there's a specific segment of malware defined as banker malware, whose features, sophistication and targeted nature, in the sense of having researched the web applications of all the major banks, go way beyond simple keylogging
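The first point in the list, a bank's own site being usable as a redirector to a phishing page because of a reflected XSS or open-redirect flaw, is easier to see with the defective handler next to its hardened form. The following Python is an added illustration written for this page; it is not code from the original post, nor from any bank, Apacs or PayPal. The hostname online.example-bank.test, the function names and the `?q=` / `?next=` parameters are all constructed for the example.

```python
import html
from urllib.parse import urlparse

# Constructed allow-list of hosts a post-login redirect may point to.
# Hypothetical hostname: not a real bank.
ALLOWED_REDIRECT_HOSTS = {"online.example-bank.test"}


def render_search_vulnerable(query: str) -> str:
    """Reflects the ?q= value straight into the page: reflected XSS.
    Whatever markup arrives in the parameter is served from the bank's
    origin, under the bank's own SSL certificate."""
    return f"<p>Results for: {query}</p>"


def render_search_hardened(query: str) -> str:
    """Same page, with the user-controlled value HTML-escaped so it can
    only ever be displayed as text."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def resolve_redirect_vulnerable(target: str) -> str:
    """Open redirect: trusts ?next= completely. A link that begins on the
    bank's domain can therefore bounce the customer anywhere."""
    return target


def is_safe_redirect(target: str) -> bool:
    """Accept only local absolute paths, or https URLs whose host is on
    the allow-list. Everything else is refused."""
    # Browsers treat a backslash like a slash, so "/\evil" would be read
    # as the protocol-relative "//evil"; refuse backslashes outright.
    if "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # A path on this site, but not a protocol-relative "//host/..."
        return target.startswith("/") and not target.startswith("//")
    # urlparse().hostname already strips any "user@" prefix, so
    # "https://online.example-bank.test@evil.test/" resolves to evil.test.
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_REDIRECT_HOSTS


def resolve_redirect_hardened(target: str, fallback: str = "/account") -> str:
    """Use ?next= only when it passes the allow-list; otherwise land the
    customer on a known-safe page."""
    return target if is_safe_redirect(target) else fallback


if __name__ == "__main__":
    # Constructed sample parameter values, as they might arrive in a request.
    for q in ["savings", '<script>alert(1)</script>']:
        print("vulnerable:", render_search_vulnerable(q))
        print("hardened:  ", render_search_hardened(q))
    for nxt in ["/account/statements",
                "https://online.example-bank.test/login",
                "//evil.test/phish",
                "https://online.example-bank.test@evil.test/",
                "javascript:alert(1)"]:
        print(f"{nxt!r:50} -> {resolve_redirect_hardened(nxt)}")
```

The two hardened functions are deliberately boring: output encoding for anything reflected into HTML, and an allow-list rather than a deny-list for redirect targets. The tricky inputs handled in `is_safe_redirect` (protocol-relative `//host`, credentials before `@`, backslashes, `javascript:` schemes) are the usual ways a naive "does it start with a slash?" check gets bypassed.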

Perimeter defense is marketable, yet irrelevant from an attacker's perspective, an attacker who would, for instance, make sure his malware releases get past the most popular firewalls before releasing them. Would you be so naive as to do E-banking from the local Internet cafe? Just as you wouldn't do that, you also wouldn't want your PC to turn into an Internet cafe one, where everyone does pretty much whatever they want to and then leaves. Emphasize protecting against client-side vulnerabilities by using handy tools such as Secunia's Personal Software Inspector, and sacrifice some of your E-banking mobility by not doing it whenever you see a PC with an Internet connection on it; otherwise you'll be crying to claim fraudulent activities on your bank account.

Topics: Banking, Malware, Networking, Security, PCs

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.


Talkback

14 comments
  • Note from your insurance company...

    "Thank you for purchasing your auto insurance from Dewie, Cheatum & Howe.

    Please refer to stipulation #137 in your policy which clearly indicates your coverage is not applicable if you ever actually start your car and drive it."

    About the same thing.

    These people are insane.
    BitTwiddler
    • Re: Note from your insurance company...

      The devil's in the last couple of pages. Try this as well:

      "Dear customer, to ensure your satisfaction with our quality services we're notifying you that our inability to protect your sensitive data has resulted in its leakage on the World Wide Web thus, stay tuned for possible identity theft and spending the next couple of years explaining how it wasn't you who bought that luxurious yacht your bank wants you to pay for. By the time our stolen laptops get connected to the Internet -- which we doubt anyway -- they will phone back helping us locate them which doesn't mean we didn't breach the confidentiality of your personal information, and are just trying to be socially responsible in the time of notification.

      Sincerely,
      Your favorite and customer-friendly breached retailer"
      ddanchev
    • Hard to Read Article FAILS to Make Its Point

      I am really disappointed with the writing in this article.

      First of all, even the very opening sentence shows a lack of thought on the part of the author. Why, it starts reading like a spoof of "in media res"! What on earth was the author thinking, starting out with
      "Rational, but unrealistic in today's threatscape."??

      WHAT is "rational, but unrealistic"?

      But it gets worse, the decline in quality does NOT encourage the reader to believe the author knows what he is talking about.

      But before it does, the quote from the Times takes us shooting back up to an acceptable level of quality for journalistic writing. But then we are brought crashing back down with:

      "The E-banking users are advised to have firewalls, antivirus software and protection from spam and phishing emails, to visit the sites of
      their software vendors and look for updates, and check for security certificates at the E-banking pages."

      This sentence SCREAMS out for rewrite! Why, for example, is the main verb in the passive voice? How could the reader POSSIBLY gain from this? He does not.

      But this is not all. Although it doesn't quite meet the dictionary definition, it really does read like a run-on sentence.

      But this is a small problem. Bigger problems loom ahead. Such as:

      Surprisingly, Apacs, the UK payments authority isn't mentioning anything about blocking vulnerable browsers from participating in any form of transaction with them, perhaps among the most strategic moves courtesy of PayPal compared to the marketable, but totally bypassed in real-life situations PayPal's Security Key.

      My God! What WAS he thinking? This screams out even louder for rewrite! "totally bypassed in real-life situations PayPal's Security Key."??? Give me a break!

      But now on to my main point, that the poor writing diminishes the author's credibility. When an author screws up like this, forgetting Cato's advice (rem tene, verba sequentur), we should NOT believe that he knows what he is talking about (that is the "rem tene" part). Yet he is talking about a very important issue, and if he is right we NEED to know.

      So, for example, he says something VERY hard to believe, even counter-intuitive, when he says:

      Would you be so naive to do E-banking from the local Internet cafe?

      This is NOT naive. If the bank has implemented a site that switches to using SSL exclusively before allowing any private data entry or display, then HOW can even a "blended threat" break security to get at this data? As long as the browser is itself also secure, this is impossible. This is WHY SSL has become so popular.

      To put it more clearly: it is not 'naive' to believe that SSL does what it is designed to do, that it works as advertised, providing a secure end-to-end connection between two hosts. Especially not when its claims to do this have stood essentially unchallenged for so long.

      But the author does not even attempt to explain this important point.
      mejohnsn
  • RE: No security software, no E-banking fraud claims for you

    Linux users don't have anti-spyware software. They also don't have anti-Linux-virus software (ClamAV, a popular Linux antivirus application, is anti-WINDOWS-virus antivirus software, designed for your mail server).

    However, Linux does come with IPTables, the built-in firewall. Does that combination of "no antivirus/no antispyware but we've got a firewall" fit, or will Linux users be forever forbidden from making a claim?
    lordshipmayhem
  • Thinking the same thing.

    The upside, I still don't know of any Linux users who are malware infected, however, even though I use Linux, I do my critical banking inside a VM from my Linux machine.

    Here are a couple:
    http://www.vmware.com/appliances/directory/browserapp.html
    "The Browser Appliance can be configured to automatically reset itself after each use so personal information is never stored permanently"
    http://www.vmware.com/appliances/directory/380
    FreeBSD BSDL
    Firefox MPL

    I use the second version. It takes about 30 seconds for VMPlayer to start and the image to be available.

    NOTE to Windows Users, why not do the same? Guaranteed that malware writers neither know how to nor can infect FF on FreeBSD in Xfce inside VMware Player.

    TripleII
  • Tempting Fate

    Users may visit "scam pages just to see whether or not their solution will pick it up?" If people really are doing that, no wonder the banks want those kinds of rules (well thought out or not). Isn't that something like intentionally crashing your car to see if the air bags really will deploy?
    MichP
    • so how does one test security software?

      i don't visit these types of site. i'm not that willing to risk something bad happening. other than buying software from a company that has a good reputation in the security product market, how can you test how good it is? i have used GRC's site for port scans, etc. but they aren't all inclusive. the tests within most internet security suites are just a click and wait operation. there's no real way to see what's being tested and how thoroughly. so what does one do other than hope the worst doesn't happen? recommendations anyone?
      jhand47201
      • Some recommendations.

        I have some easy & very practical suggestions. (XP)

        1. Install Mcafee Site Advisor. This hi-lights search
        results to identify questionable or bad sites (yellow or
        red), unknown sites (gray) and green (good). This will help
        keep you off sites that install malware, send phishing or spam
        emails and install key-loggers & root-kits.
        The download link is:
        http://www.download.com/McAfee-SiteAdvisor-for-Internet-Explorer/3000-2144_4-10508464.html?cdlPid=10784842

        2. I would recommend using Firefox for greater security since
        it does not utilize Active-X controls.
        The download link is:
        http://www.mozilla.com/en-US/firefox/

        3. The best way to check your existing security is to use
        alternate programs and see what they find. Usually,
        there will be differences. In my case an alternate
        AV program found 2 key loggers and 2 trojans installed on the computer
        for 21 days. This is a perfect example of checking my Corporate
        AV program which did not detect them.

        4. Also, an excellent and very popular (free) AV program is AVG.
        The download link is:
        http://free.grisoft.com/ww.download-avg-anti-virus-free-edition

        5. Another useful resource allows actively scanning your computer from using
        the Internet Explorer. This method generally finds and removes many
        viruses not detected by other methods. A weekly newsletter is also
        available detailing the latest Windows threats.

        6. For additional security, I use Linux, which has provided excellent
        security for over 4 years with no additional AV, Firewall or malware
        programs. It uses Firefox and works with the Mcafee Site Advisor.
        Beyond a certain point of infection, it's better to format the hard drive and re-install the OS. A relative dropped off her Dell Dimension last week with problems (XP). I was able to online scan and found 231 infected files, but the virus programs prevented me from doing any kind of removal, the browser hijackers would just take me to undesired web sites. I called her and recommended that she change her pin numbers and re-issued her credit cards.
        Joe.Smetona
      • Also,

        Rootkits are generally undetectable by conventional virus scanners because they reside beyond the normal API (Application Program Interface, <<Files that your Windows Explorer sees and handles>>). If you visit the AVG site, they have a rootkit scanner.

        Sometimes these free programs are integrated into the paid versions. This may be the case with AVG now, so you may want to verify before installing.
        Joe.Smetona
        • thanks!

          i run PC-cillin by Trend Micro at home. I just tired of Symantec's resource hogging. Tried another AV/IS program - forget which one right now, but after working OK a few weeks it would start to cause the computer to take as long as 22 minutes to boot up from a cold start and web pages would take 2 to 6 minutes to open. If you opened a web page and Outlook was open and downloading mail, forget doing anything. The company tech support recommended resetting all the parameters to default, rebooting and then resetting everything. After the second time I had enough of it. I hear things about Linux but I don't care to learn to put together an OS. I am just too busy to ride another learning curve. Same with Firefox. I do several of the other things you suggested. Thanks for the input!
          jhand47201
  • RE: No security software, no E-banking fraud claims for you

    Hi, I had a similar problem in my office email account and I realized that the efficiency of present spam filters has gone down significantly. I read an article about a new technology called ReceiverNet from Abaca. ReceiverNet technology characterizes each protected user based on the percentage of spam they receive and then uses those reputations to rate the incoming message flow. I changed my spam filtering system to Abaca's Email Protection Gateway and it blocked Replica watches spam mails, Subpoena Phishing mails and many more. I found that Abaca's ReceiverNet service has 99% efficiency in blocking spam mails and they guarantee their results. For more information, log on to http://abaca.com/.
    victor louis
  • RE: No security software, no E-banking fraud claims for you

    There should be a minimum of security apps and devices one should have on their system before one can be "safe" on the internet. Again there is no absolute security since the user can be duped to install security bypass software or devices thinking they are "protective".
    Another analogy is no matter how many airbags you have in your vehicle, if you have a set of bad tires you can still die in a vehicle accident.
    phatkat
  • RE: No security software, no E-banking fraud claims for you

    The question here is not really about the security of the user's system used to access the bank's online systems, but rather how secure the bank's system is. We all know that no operating system is fully secure (although some are more secure than others), that not all AV products will detect all threats and malware, that your system could be packed to the gunwales with security products and updated and still be open to potential infection.

    So why do the majority of banks still rely on username and password even when the technologies and systems exist to make this type of access redundant? The answer is... I don't really know, I can speculate that it may be to do with the cost of implementation, or that the Banks and corporates and government, in their infinite stupidity to rush on to the Web with another money saving (making) idea never really gave a second thought to future proofing their systems against these types of threats. Or maybe it is more to do with the fact that there is no legislation with any teeth whatsoever to 'punish' these institutions for running a simple system that can be breached by using an acquired username and password from a user that has been duped into handing it over by whatever means.

    Should we now have a requirement whereby any institution or corporate body or government agency that holds personal information be subject to regular system security audits. If there are any 'issues' found in their system they are notified and given a reasonable time frame to put these 'issues' right plus they must inform all their clients that the issue exists. Failing to do so would result in draconian measures, for example, the site could be blacklisted or taken down or maybe massive costs levied.

    The system could be funded by a levy and managed by an independent organisation free from political or corporate interference. Okay, perhaps I am moving to la la land, but why is the onus and the cost and the burden of security foisted upon the consumer? Perhaps it is because it is far easier for these institutions to either lobby government to pass legislation, or change their terms and conditions to suit, that pushes the burden of responsibility back onto the people rather than those responsible for creating, maintaining and managing the system.

    The post by ddanchev effectively sums it up: their system is compromised, your data is stolen and it is up to you to prove that you are not guilty of whatever you are being accused of.

    Yes, as users we should all take responsibility for securing our systems against threat, it is in our interest to do so, but these institutions should also take responsibility for securing their systems and employing the available technologies to make it exceedingly more difficult for their systems to be compromised.

    The system is geared in favour of these institutions, the time for this imbalance to be addressed is surely overdue.
    Anthony M
  • Wrong Direction

    The banks are taking this in the wrong direction. Yes, users absolutely should protect themselves with the best tools they can get. However, (and I've said this before, over and over) security is a moving target and no matter how great a security tool is, somebody will make a new hack tool to get around it. Darwinian evolution as applied to programming, security, and hacking. What the banks, the government (who spends tax dollars supporting banks in some of these cases), and bank insurers need to be focusing on is a two-pronged approach of educating the users and educating the developers. The users need to be taught 'best practices' for avoiding making themselves vulnerable (don't click on the email from Uncle Ted if you don't have an Uncle Ted) and the developers need to be taught best practices for more secure programming (cross-site scripting is just one of the practices that flies in the face of secure programming).

    My personal methods of self-preservation include a single, dedicated credit card that is only used for web purchases and it is the only one I use for this. If a web purchase shows up on another card: not mine! If a non-web purchase shows up on the web-card: not mine! I have a dedicated email account that all web purchases go to. No email receipt, probably not my purchase (not all sellers email a receipt; harass them into doing so). I print all web orders. I do this before finalizing the deal in case they don't provide a printable 'receipt' web page at the end. No receipt: not my purchase. I do business with trusted sites. OK, this one is really tough. Best Buy could be hacked and I wouldn't know it; same is true for the bank. Also, sometimes you just have to have that one item that is only available from thief.com and they seem to have good reviews. Do your due diligence; Google is your friend in this.

    I know this seems like a lot of work, but it's your information, so it's entirely up to you to protect it. Just as the information about you that the bank holds (or seller) is their information (you don't actually believe it's yours, do you??) and it is entirely up to them to protect it. Shop with those who demonstrate an awareness of the problems in this area by consistently utilizing development 'best practices' and exhibiting the best customer services. Totally shun those who do not. (This, too, is difficult since we frequently don't know, so, again, Google their reputations to find out.) Let your money, the stuff you're trying so hard to protect, vote and the Darwinian selection process will eventually weed out some of the worst offenders. (I'm not so naive as to believe failure won't be somehow awarded; cost-benefit analysis will sometimes indicate that a certain amount of loss is better than security.)
    hnkelley