While much of the banking industry is distracted by the
In this scheme, crooks are creating virtual machines that are clones of customers' real computers or mobile devices, including their IP addresses. Then many of the methods banks use to authenticate a customer can be compromised without the bank or consumer being aware. "This is an 'in browser' attack that uses an existing device … The device is identified as legitimate. So if that bank is relying on [device identification], the attack will work," says Avivah Litan, a vice president and security specialist from Gartner.
RSA (EMC) reported it found a malware variant called Prinimalka-Gozi that reportedly will soon be used in a massive attack on banks. RSA, which has not identified targeted banks publicly and did not return requests for comment by Thursday, said that criminals will use the attack method to bypass device fingerprinting, or information such as web browser configuration, that's used to identify a user's computing device.
According to a
These programs can identify a device by tagging browsers; using HTML, JavaScript or other methods to profile based on screen resolution, browser type, time zone, language and media supported; deploying HTTP fingerprinting that extracts types of compression supported and language; profiling connection information to determine the operating system used to connect to the Internet; and accumulating information on the type of connection services.
In an attempt to get around device fingerprinting, crooks will install malware on a device to steal online banking credentials and clone the user's computer using a virtual machine synching module. That allows cybercriminals to target accounts based on information such as balances, and a faux web banking session started via the cloned computer and proxied through the victim's machine will be able to use the victim's real IP address when authenticating to online banking.
Security firm Trusteer contends the new attack is a relative of a
Among the firms active in device identification, malware detection and navigation detection are Silver Tail Systems, Digital Resolve, Trusteer, SAS and NICE Actimize.
Litan suggests deploying software that searches for malware while the user is in session, and using navigation and fraud detection software to determine if a session is moving or behaving abnormally based on that user's profile. "You want to look for linkages between certain transactions and other transactions to identify possible fraud. You can never rely on one measure like device identification. It's a good measure to start with, but it can be beaten by good crooks, so you need a layered approach," Litan says. "Use a layered approach because each layer can be broken."
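The layered approach described above, as an added example (not code from the article or from any vendor it names): a cloned device reproduces the fingerprint attributes and the IP address, so those two layers pass, while the navigation and transaction layers still flag the session. Field names, thresholds and sample data are assumptions constructed for illustration.

```python
import hashlib

# Attributes the article lists as fingerprinting inputs (field names are assumed).
FP_FIELDS = ("screen", "browser", "timezone", "language", "compression", "os")

def device_fingerprint(attrs):
    """Collapse the profiled attributes into one device identifier."""
    canon = "|".join(f"{k}={attrs.get(k, '')}" for k in FP_FIELDS)
    return hashlib.sha256(canon.encode()).hexdigest()

def assess_session(session, profile):
    """Evaluate each layer independently; return (decision, failed_layers)."""
    failed = []
    if device_fingerprint(session["device"]) != profile["fingerprint"]:
        failed.append("device")
    if session["ip"] not in profile["known_ips"]:
        failed.append("ip")
    # Navigation layer (assumed thresholds): unusual pages or an inhuman pace.
    pages = session["pages"]
    unseen = sum(p not in profile["usual_pages"] for p in pages)
    if pages and (unseen / len(pages) > 0.5
                  or session["seconds_per_page"] < profile["min_seconds_per_page"]):
        failed.append("navigation")
    # Transaction layer (assumed threshold): new payee plus an outsized amount.
    tx = session.get("transfer")
    if tx and tx["payee"] not in profile["known_payees"] \
            and tx["amount"] > 3 * profile["typical_amount"]:
        failed.append("transaction")
    # No failed layer allows; one asks for step-up authentication; more holds.
    decision = {0: "allow", 1: "step_up"}.get(len(failed), "hold")
    return decision, failed

# Constructed sample data, not taken from any real bank or incident.
DEVICE = {"screen": "1920x1080", "browser": "Firefox/15.0", "timezone": "UTC-5",
          "language": "en-US", "compression": "gzip,deflate", "os": "Windows 7"}
PROFILE = {"fingerprint": device_fingerprint(DEVICE), "known_ips": {"203.0.113.7"},
           "usual_pages": {"/login", "/accounts", "/statements", "/billpay"},
           "min_seconds_per_page": 3.0, "known_payees": {"utility-co"},
           "typical_amount": 250.0}
USUAL = {"device": DEVICE, "ip": "203.0.113.7", "seconds_per_page": 12.0,
         "pages": ["/login", "/accounts", "/billpay"],
         "transfer": {"payee": "utility-co", "amount": 180.0}}
# Cloned device proxied through the victim's machine: same attributes, same IP.
CLONED = {"device": dict(DEVICE), "ip": "203.0.113.7", "seconds_per_page": 0.8,
          "pages": ["/login", "/transfer/new-payee", "/transfer/confirm"],
          "transfer": {"payee": "acct-unknown", "amount": 4800.0}}

if __name__ == "__main__":
    print(assess_session(USUAL, PROFILE), assess_session(CLONED, PROFILE))
```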