How well does your antivirus program recognize and block the tens of thousands of banking trojans infesting the Internet?
"Most antivirus suites have only modest detection of these variants," says Jose Nazario, senior researcher at Arbor Networks.
The boom in banking trojans is one more offshoot of the spike in cybercrime triggered by the economic slowdown. Meanwhile, cyber thieves who specialize in cracking online bank accounts have a strong financial incentive to step up their activities, says Nazario. And they have a plethora of sophisticated technologies at their fingertips.
Stronger defenses are available. But the U.S. banking industry is not promoting them. Doug Johnson, vice president of risk management policy for the American Bankers Association, says that financial institutions are required by federal mandate to have "additional levels of security."
When I asked Johnson for specific examples, he cited a couple of behind-the-scenes ways banks ensure that customers are logging on from their usual PC. However, he was unable to cite any specific protections banks are using to prevent man-in-the-middle attacks.
"I would say the majority of institutions use a form of security that is transparent to the user," says Johnson. "And that’s because the user really demands that. The user wants that convenience. They want to be able to just put in their password and ID, but also have additional layers of transparent security."
Security experts say the assumption that U.S. online banking patrons demand convenience above all else makes things easy for the crooks. Major banks in Brazil, Europe and Asia require customers to supply a user ID, a password, and a unique code generated by a key fob token or smart card, or sent via text message to the account holder's cell phone. So-called "multiple factor authentication" systems are available -- but not widely promoted -- in the U.S.
"Username and password still rule the earth. It's not that there aren't better methods for authentication; there are, but stronger authentication schemes still come at the cost of added complexity, added cost, or both," says Brian Chess, chief scientist at Fortify Software. "Since many users don't understand the risks they face, more complex authentication schemes can come off as an inconvenience."
Chess would like to see wider adoption of token-based authentication schemes such as PayPal's Security Key. But for that to happen, "the cost has to be lower and the benefits have to be better understood by the public," he says.
Trusteer may have something that could help. The Tel Aviv-based software company has powerful anti-theft technology, called Rapport, that works in the browser to directly prevent man-in-the-middle attacks. It currently supplies Rapport to ING Direct and several other banks that make it available to their online customers.
You can actually try a free, basic version of Rapport here. The free version will let you set up in-the-browser protection for several online banking and shopping websites that you patronize regularly. "Basically what it does is to block specific types of attempts to access information and tamper with information in the browser," says Mickey Boodaei, CEO of Trusteer.
By Byron Acohido
Photo: Brian Chess, Fortify Software