CNET News has an article about a new type of trojan that waits until an infected user logs into their bank account and then activates to transfer money out of the account. Password-stealing trojans used to be the big concern (and probably still are an important threat). However, this new breed of trojan can defeat enhanced authentication schemes (such as two-factor authentication) and similar security measures implemented by banks, since it does not need to capture a password or get access to an offline security token device. It simply waits for the user to do whatever is required to log in, and then it takes over the computer and carries out its dirty business inside the already-authenticated session. Of course, these trojans have to be programmed with the intelligence for specific banking sites.
From InfoWorld: The VeriSign Fraud Detection Service will incorporate Snapcentric’s anomaly detection software, which tracks how a user normally accesses an online banking site and then flags unusual patterns in behavior. If the software detects abnormal online behavior, however, a user may be required to answer a question or respond to an e-mail or phone message with a one-time code.
This service should be another useful tool that US financial institutions can look to in order to comply with the recent FFIEC guidelines (which state that user names and passwords alone are no longer sufficient for high-risk transactions).
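The two items above make one point from opposite sides: the trojan in the first item acts from the user's own machine inside a session that has already passed login, so device- and login-time checks alone cannot see it, while the anomaly-detection approach in the second item looks at how the user normally behaves and steps up authentication (a question, an e-mail or phone one-time code) when a session departs from that baseline. The sketch below is an added illustration of that idea and is not VeriSign's or Snapcentric's code; the user, device and payee names, the constructed history, the signal weights and the threshold are all assumptions. It shows why transaction-level signals (new payee, unusual amount) are needed to catch the post-login case that device and hour signals miss.

```python
"""Behavioural anomaly scoring for online-banking sessions (illustrative, constructed data)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    user: str
    hour: int      # local hour (0-23) at which the action happened
    device: str    # client fingerprint or persistent cookie id
    payee: str     # destination of a transfer; "" for a login or balance view
    amount: float  # transfer amount; 0.0 if no transfer


@dataclass
class Profile:
    hours: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    payees: set = field(default_factory=set)
    amounts: list = field(default_factory=list)


# Constructed sample history for one hypothetical user: evening sessions from
# the home device, a handful of recurring payees, modest amounts.
HISTORY = [
    Event("alice", 19, "dev-home", "landlord", 1200.0),
    Event("alice", 20, "dev-home", "utility", 140.0),
    Event("alice", 21, "dev-home", "", 0.0),
    Event("alice", 19, "dev-home", "landlord", 1200.0),
    Event("alice", 18, "dev-home", "phone-co", 95.0),
    Event("alice", 20, "dev-home", "utility", 140.0),
    Event("alice", 19, "dev-home", "landlord", 1200.0),
    Event("alice", 21, "dev-home", "bookshop", 60.0),
]

# Assumed signal weights: a new device or a new payee is strong on its own;
# an odd hour or an unusually large amount only counts in combination.
WEIGHTS = {"new_device": 2, "new_payee": 2, "unusual_hour": 1, "unusual_amount": 1}
STEP_UP_THRESHOLD = 2


def build_profiles(history):
    """Fold past events into a per-user baseline."""
    profiles = {}
    for e in history:
        p = profiles.setdefault(e.user, Profile())
        p.hours.add(e.hour)
        p.devices.add(e.device)
        if e.payee:
            p.payees.add(e.payee)
            p.amounts.append(e.amount)
    return profiles


def _hour_distance(hour, seen):
    # circular distance on a 24-hour clock to the nearest hour seen before
    return min(min(abs(hour - s), 24 - abs(hour - s)) for s in seen)


def score(profile, event):
    """Return the anomaly signals that `event` raises against `profile`."""
    reasons = []
    if event.device not in profile.devices:
        reasons.append("new_device")
    if _hour_distance(event.hour, profile.hours) > 2:
        reasons.append("unusual_hour")
    if event.payee:
        if event.payee not in profile.payees:
            reasons.append("new_payee")
        if len(profile.amounts) >= 2:
            mu, sigma = mean(profile.amounts), pstdev(profile.amounts)
            # floor the spread so near-constant amounts do not flag trivial variation
            if event.amount > mu + 3 * max(sigma, 0.1 * mu):
                reasons.append("unusual_amount")
    return reasons


def decide(reasons):
    """'allow', or 'step_up' meaning out-of-band confirmation before the action proceeds."""
    total = sum(WEIGHTS[r] for r in reasons)
    return "step_up" if total >= STEP_UP_THRESHOLD else "allow"


def evaluate(profiles, event):
    """Score one live event; users with no baseline are always confirmed."""
    profile = profiles.get(event.user)
    if profile is None:
        return ["unknown_user"], "step_up"
    reasons = score(profile, event)
    return reasons, decide(reasons)


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    for label, ev in [
        ("normal rent payment", Event("alice", 19, "dev-home", "landlord", 1200.0)),
        ("stolen password, new machine", Event("alice", 3, "dev-cafe", "landlord", 1200.0)),
        ("post-login hijack, same machine", Event("alice", 19, "dev-home", "acct-9981", 4900.0)),
    ]:
        print(f"{label}: {evaluate(profiles, ev)}")
```

The third case is the one the first news item describes: the device and the hour look exactly like the user, and only the transaction itself (a payee never used before, an amount far above the user's history) separates it from a legitimate session. A baseline built from logins alone would wave it through; one that includes what the user normally does after logging in can route it to the one-time-code confirmation the second item mentions.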
Yesterday, E*Trade Financial announced the launch of its E*TRADE Complete™ Protection Guarantee, providing complete fraud coverage, as well as complete bill payment protection and complete privacy protection, to all customers. As part of that program, E*Trade will reportedly reimburse any customer who is the victim of fraudulent activity. Hopefully this step will encourage other competitors, or even the banks, to follow. If these financial institutions step up to take on some of the risk of online fraud, then maybe we will see more secure authentication systems implemented.