The biggest security threat banks face — malware that pervades their online and mobile banking users' devices — is being met by an increasingly sophisticated class of software called clientless malware detection.
Mobile malware increased more than 600% in the past year, according to a recent survey from Juniper Networks — the number of malicious mobile apps has grown to 276,000.
One common type of malware, the Zeus Trojan, has affected more than 3.6 million PCs in the U.S.
Malicious programs are becoming more specialized. One type of Trojan can intercept the text messages banks send their customers for purposes of dual-factor authentication and for SMS banking (this is sometimes called an SMS grabber).
Another variant targets Facebook users — It embeds itself in a link that appears in Facebook messages and fan pages. If clicked on, the link sends users to a fake bank website that captures the victim's Social Security number and other sensitive information that is later sold on the black market.
The idea that a bank can get its customers to download security software to protect their own mobile devices and computers is simply unrealistic, observers say.
"Consumers use a lot of tablets, iPads, mobile devices, TVs," says Eyal Gruner, who heads technical sales at Versafe. "You can't store something on the consumer's machine … You can't trust the end user. Our goal is to protect the financial institution from malicious activity in online banking."
A newish crop of malware detection software looks for signs of phishing, URL redirects, SQL and HTML injections, logins from unknown machines, anomalous behavior and other signs of online and mobile banking foul play — all without requiring any software to be downloaded onto the customer's computer or mobile device.
"The bank can see if the session coming in is infected with malware, without having to have anything on the client's desktop," says Avivah Litan, vice president and distinguished analyst at Gartner. We've taken a closer look at some of these technologies.
ThreatMetrix's basic software is not bent on detecting malware but on examining attributes of a transaction for anomalies. "If someone is using a credit card from an IP address in New York, we can see if he's using a proxy and is really in Eastern Europe," says Andreas Baumhof, chief technology officer of the software company. ThreatMetrix provides real-time feedback and a risk assessment to the financial institution. The company has 1,500 customers around the world, he says. "All this information is shared across our customer base — if we see a device that's been used for fraudulent transactions at a number of merchants and a user of that device tries to log into a financial institution protected by ThreatMetrix, we issue a warning."
But forensic examination of transactions only detects certain types of crime, Baumhof acknowledges. If a fraudster completely hijacks an internet banking session to steal personal information or conducts automated wire transfers in the background, ThreatMetrix software can't see it.
In January, ThreatMetrix acquired TrustDefender, a malware detection company Baumhof founded. TrustDefender makes two kinds of malware detection software: one that requires nothing to be deployed to the end points, and another that requires a download and is typically used in corporate banking and within large enterprises.
The clientless version can inspect an online banking transaction for signs of tampering caused by Trojans and targeted attacks. For instance, the software will compare the code in a login page used in a transaction against the bank's actual login page.
"A lot of 'man in the browser' Trojans try to change the login page and add a field that asks you for your phone number," Baumhof says. Evidence of altered code on the page triggers an alert to the bank.
What if the hacker has not changed the login page? Some hackers inject code into a banking site that causes a window to pop up after login, and tells the customer there's been unauthorized access to his account and asks for a new piece of data such as a credit card number.
In such cases, when the software detects the suspicious behavior, it gives the bank a real-time alert.
The financial institution then decides whether to block the user or to continue observing the behavior to understand the scheme, if there is one. "Often if there's a fraudulent transaction on an account, then the bank can go into the system and find out which device was used for it," Baumhof relates. "Then they look at all the other accounts the same device has accessed. If you know the first account was fraudulent, there's a high risk that all the other transactions were fraudulent as well."