Gartner recently warned that banks should tighten up their online security in light of a new password-stealing Trojan targeting online bank sites.
Researchers at BitDefender, a security software company with a U.S. office in Fort Lauderdale, Fla., reported on Dec. 3 that they had detected the malware in the wild. Disguised as a Mozilla Firefox plug-in, the Trojan is activated each time a user opens Firefox and filters data sent by the user to more than 100 online banking sites, including bankofamerica.com and chase.com. Login credentials are sent to a Web address in which the domain and hosting server are located in Russia.
A BitDefender spokesman said the company sent samples to Mozilla, which addressed the problem. But Gartner analysts last week said they believe criminals will copy and improve on this new type of Trojan as they continue to innovate in order to access financial accounts. The attack "should spur banks to immediately implement tougher security at their online channels," the analysts, Stessa Cohen and Avivah Litan, wrote in a Dec. 9 report.
"Most banks use security methods that are easily compromised, such as software-based user authentication via PC recognition," they wrote. "Many banks aren't employing a layered security approach that consists of stronger user authentication, fraud detection (and user behavior modeling) and out-of-band transaction verification. Layered security would prevent criminals from using harvested data to compromise accounts."
Banks also rely on consumers to install security software, and have been reluctant to impose more effective banking measures out of fear of consumer backlash, they added.
In addition to implementing a layered security approach, Gartner recommends that bank CIOs and security officers notify consumers about any new threats via email and text alerts instead of simply putting notices on their websites. Security and risk executives at banks should also familiarize themselves with the potential benefits and limitations of voice biometrics for user authentication and transaction verification, according to Gartner.
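As an added illustration (not from the article, BitDefender or Gartner) of why out-of-band transaction verification blunts harvested credentials: the bank derives the one-time code from the exact payee and amount, delivers it on a separate channel, and recomputes it over whatever the browser actually submitted, so a Trojan that steals the login or rewrites the transfer still cannot produce a matching code. The user, payee, key and amounts are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Constructed demo key; a real deployment keeps this in an HSM or key vault.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
# Nonces already redeemed, so a captured code cannot be replayed.
CONSUMED_NONCES = set()


def _derive_code(user_id, payee, amount_cents, nonce, key=SERVER_KEY):
    # The code is an HMAC over the transaction details, truncated to six digits.
    msg = f"{user_id}|{payee}|{amount_cents}|{nonce}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def issue_transaction_code(user_id, payee, amount_cents, key=SERVER_KEY):
    """Create the out-of-band code for one specific transfer.

    Returns (code, challenge): the code goes to the customer by SMS or voice
    together with the payee and amount, the challenge is stored server-side.
    """
    nonce = secrets.token_hex(8)
    code = _derive_code(user_id, payee, amount_cents, nonce, key)
    challenge = {"user_id": user_id, "payee": payee,
                 "amount_cents": amount_cents, "nonce": nonce}
    return code, challenge


def verify_transaction(submitted, code, challenge, key=SERVER_KEY):
    """Recompute the code from the details the server actually received.

    Any change to payee or amount (e.g. by malware in the browser) yields a
    different code; a reused nonce is rejected even with the right code.
    """
    nonce = challenge["nonce"]
    if nonce in CONSUMED_NONCES:
        return False
    expected = _derive_code(submitted["user_id"], submitted["payee"],
                            submitted["amount_cents"], nonce, key)
    if not hmac.compare_digest(expected, code):
        return False
    CONSUMED_NONCES.add(nonce)
    return True
```

Fraud detection would sit in front of this step, but even without it the code is useless to anyone who does not control the customer's phone and cannot alter what the customer was read.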