Gartner advises banks to shore up online channels

By Marcia Savage, Features Editor, Information Security magazine
17 Dec 2008 | SearchSecurity.com

Gartner recently warned that banks should tighten up their online security in light of a new password-stealing Trojan targeting online bank sites.

Researchers at BitDefender, a security software company with a U.S. office in Fort Lauderdale, Fla., reported on Dec. 3 that they had detected the malware in the wild. Disguised as a Mozilla Firefox plug-in, the Trojan is activated each time a user opens Firefox and filters data sent by the user to more than 100 online banking sites, including bankofamerica.com and chase.com. Login credentials are sent to a Web address whose domain and hosting server are located in Russia.

A BitDefender spokesman said the company sent samples to Mozilla, which addressed the problem. But Gartner analysts last week said they believe criminals will copy and improve on this new type of Trojan as they continue to innovate in order to access financial accounts. The attack "should spur banks to immediately implement tougher security at their online channels," the analysts, Stessa Cohen and Avivah Litan, wrote in a Dec. 9 report.

"Most banks use security methods that are easily compromised, such as software-based user authentication via PC recognition," they wrote. "Many banks aren't employing a layered security approach that consists of stronger user authentication, fraud detection (and user behavior modeling) and out-of-band transaction verification. Layered security would prevent criminals from using harvested data to compromise accounts."

Banks also rely on consumers to install security software and have been reluctant to impose more effective banking measures out of fear of consumer backlash, they added.

In addition to implementing a layered security approach, Gartner recommends that bank CIOs and security officers notify consumers about any new threats via email and text alerts instead of simply putting notices on their websites. Security and risk executives at banks should also familiarize themselves with the potential benefits and limitations of voice biometrics for user authentication and transaction verification, according to Gartner.

All Rights Reserved, Copyright 2008 - 2009, TechTarget