First published: 18th December 2009
A recent Gartner report by analyst Avivah Litan notes the surge in online banking fraud, and details some of the methods criminals are using to defeat strong authentication methods. It correctly identifies the insecure browser as the flaw to be addressed, but advocates server-based fraud detection, monitoring transactions for suspicious behaviour, as the solution.
Criminals attack strong authentication methods in a variety of ways. Authentication using one-time passwords or a token generating an authentication code might be compromised by a trojan in the browser that captures the user-id, password and code, and uses them immediately to make a fraudulent transfer, returning an error message to the victim. Or the trojan might silently change the destination and amount of the transfer. If the authentication uses out-of-band communications by phone, criminals might use call forwarding to intercept the validation call.
Server-based fraud detection monitors transactions for suspicious behaviour that might indicate that the transaction is automated. The speed of "typing", the navigation from login to the transaction page, or other clues might give away that a bot, and therefore fraud, is involved.
Could a trojan that captures keystrokes also note the cadence of the strokes, and use that when communicating with the bank's server? Criminals are likely to develop ways to make their transactions look more "normal", especially now there is a Gartner report instructing banks to look for the "abnormal". The benefits of a server-based fraud detection monitor are likely to be short-lived.
Our Chief Consultant suggested a solution to untrustworthy computers in an article for the IMIS Journal in 2004:
Perhaps trusted readers would be a solution. We could have a device with a screen, about the size of a PDA, with a built-in smartcard reader that probably plugs into a USB port. Its function would be simple: accept a text-only document through the USB connection, display it on the screen, and sign it using the inserted smartcard, returning the signature by the USB. Make the case tamper-evident, and publish the software for review. The Government would certify units; they would definitely not be updateable. This would make them immune to viruses, because they would have limited functionality: they can sign documents; they cannot change their own software. The primary design objective would be to make the functionality as simple as possible, so there will be fewer programming errors, and so the code will be easier to audit.
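The signing step of the device proposed above, as an added example written here and not code from the article or from the consultant's design: a Go model in which the device refuses anything its screen could not show unambiguously, signs the text with an Ed25519 key standing in for the smartcard, and the bank verifies the signature over exactly the text it received, so a browser trojan that alters the amount or destination after signing produces a transfer the bank rejects. The Ed25519 choice, the transfer wording and the account numbers are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"unicode"
)

// TrustedReader models the signing device: it holds the card key and
// signs only a document it has shown on its own screen.
type TrustedReader struct {
	key ed25519.PrivateKey // stand-in for the inserted smartcard
}

// AcceptableText enforces the "text-only document" rule: printable ASCII
// and newlines only, so backspaces, carriage returns or other control
// characters cannot hide or overwrite text the user is shown.
func AcceptableText(doc []byte) error {
	for _, c := range string(doc) { // invalid UTF-8 becomes U+FFFD and is refused
		if c != '\n' && (c > unicode.MaxASCII || !unicode.IsPrint(c)) {
			return fmt.Errorf("document contains non-displayable character %U", c)
		}
	}
	return nil
}

// Sign displays the document (Printf stands in for the device screen) and
// returns the smartcard signature over the displayed bytes.
func (r *TrustedReader) Sign(doc []byte) ([]byte, error) {
	if err := AcceptableText(doc); err != nil {
		return nil, err
	}
	fmt.Printf("--- device screen ---\n%s---------------------\n", doc)
	return ed25519.Sign(r.key, doc), nil
}

// BankVerify is the server side: the transfer is executed only if the
// signature covers exactly the text the bank received from the browser.
func BankVerify(pub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(pub, doc, sig)
}

// NewTrustedReader issues a device and the public key the bank registers for it.
func NewTrustedReader() (*TrustedReader, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &TrustedReader{key: priv}, pub, nil
}
```

Sign a constructed transfer such as "Transfer GBP 120.00 to account 12-34-56 87654321\n", then call BankVerify with the same bytes and with the amount changed to 9120.00: the genuine text verifies and the altered one does not, and a document carrying a control character is refused before any signature is made.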