Tuesday, March 23, 2010

Online corporate banking channels are under threat from sophisticated and sustained attacks by malicious sources

Online corporate banking channels are under threat from sophisticated and sustained attacks by malicious sources. According to annual figures released by the UK Cards Association, 'phishing' attacks in the UK rose by 16% in 2009, resulting in the total amount of online banking losses hitting £59.7m, up 14% year-on-year.

One particularly prevalent type of fraud that will be boosting these numbers is the so-called 'man-in-the-browser' attack. Following on from basic Trojan viruses that existed for many years, online banking became susceptible to 'man-in-the-middle' attacks, where the hacker would place themselves between the corporate and its bank, intercepting and modifying online instructions from the corporate for their own ends. Banks were able to tackle this fraud, however, as the messages from the hacker came from a different IP address to the corporate, making the fraud detectable. Unfortunately this is not the case with man-in-the-browser attacks - here the Trojan embeds itself in an internet browser application on a user's computer. When a user logs on to specific online banking sites, the Trojan is activated and intercepts and manipulates data as it is being communicated from the legitimate user's PC to an online banking system. All the while, this appears to be coming from the user's legitimate IP address.

So how can banks guard against this type of fraud? One method is to engage in profiling a user's account, keeping a record of the typical funds that flow in and out, and comparing any suspicious activity to these regular trends. Authentication could also be enhanced to confirm that the user transferring funds is the genuine bank client, as opposed to a malicious source - banks in the future may look to use 'multiband' authentication, requiring use of a secondary device (such as a smartphone) to confirm online banking transactions. As with all fraud, the perpetrators are inventive and cunning. Banks and their clients have to be able to respond to these challenges in a similar way, while ensuring they are not adversely affecting the online banking experience.

Source: Ben Poole, Editor GTNews
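The account-profiling check described above, as an added example that is not part of the original article: it shows why a source-IP check alone passes a man-in-the-browser transfer while a comparison against the account's payment profile escalates it to confirmation on a second device. The account history, payee names, IP addresses, function names and the 3-sigma threshold are all constructed assumptions.

```python
from statistics import mean, stdev

# Constructed history for one corporate account: (payee, amount in GBP).
HISTORY = [
    ("ACME-SUPPLIES", 1200.0), ("ACME-SUPPLIES", 1150.0),
    ("ACME-SUPPLIES", 1300.0), ("ACME-SUPPLIES", 1250.0),
    ("PAYROLL-BUREAU", 9800.0), ("PAYROLL-BUREAU", 10100.0),
    ("PAYROLL-BUREAU", 9900.0),
]
KNOWN_IP = "203.0.113.10"  # constructed: the client's usual address


def build_profile(history):
    """Group past payment amounts by payee."""
    profile = {}
    for payee, amount in history:
        profile.setdefault(payee, []).append(amount)
    return profile


def assess(profile, known_ip, tx, z_limit=3.0):
    """Return the reasons a payment deviates from the account's profile."""
    reasons = []
    if tx["ip"] != known_ip:
        reasons.append("unfamiliar_ip")
    amounts = profile.get(tx["payee"], [])
    if not amounts:
        reasons.append("new_payee")
    if len(amounts) < 2:
        # Too little history for this payee: compare to the whole account.
        amounts = [a for per_payee in profile.values() for a in per_payee]
    if len(amounts) >= 2:
        sigma = stdev(amounts)
        if sigma > 0 and abs(tx["amount"] - mean(amounts)) / sigma > z_limit:
            reasons.append("unusual_amount")
    return reasons


def decide(reasons):
    """Escalate deviating payments to confirmation on a second device."""
    return "confirm_on_second_device" if reasons else "allow"


PROFILE = build_profile(HISTORY)
# Man-in-the-browser case: usual IP, but payee and amount were altered.
MITB_TX = {"ip": KNOWN_IP, "payee": "UNKNOWN-BENEFICIARY", "amount": 48000.0}
ROUTINE_TX = {"ip": KNOWN_IP, "payee": "ACME-SUPPLIES", "amount": 1225.0}
if __name__ == "__main__":
    for tx in (ROUTINE_TX, MITB_TX):
        found = assess(PROFILE, KNOWN_IP, tx)
        print(tx["payee"], found, decide(found))
```

A production profile would also weigh timing, frequency and destination details; this sketch covers only payee and amount.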
