Five people were recently charged with stealing $450,000 from the bank accounts of the city of Carson, Calif., according to published reports. In 2007, they compromised the city treasurer's laptop with a variant of the Talex bank Trojan, which intercepted credentials and accessed account information. Unfortunately, this is not an isolated incident. Many small businesses and municipalities are being infected with sophisticated malware that targets bank accounts and banking credentials, such as the Zeus, Clampi and Silon Trojans. Many of these bank Trojans run inside the user's browser, going further than a traditional man-in-the-middle attack: because they operate after the SSL session has been decrypted, they can modify webpages, insert new form fields and manipulate cookies without producing a certificate warning or anything else the user would notice. To combat these threats, a variety of commercial and free tools help systems connect securely to bank accounts online. Let's explore some of these online bank security tools and the pros and cons of each.
New York-based Trusteer Inc.'s Rapport software is likely the best-known commercial product for securing online banking today. Each participating financial institution installs Rapport components at its own site, and its customers can then download and install client software that protects the browser and the browser's interaction with the bank's site. The software runs on both Windows and Mac, and monitors application programming interfaces (APIs) to determine whether other programs are attempting to monitor or manipulate them. For example, the WinInet API on Windows handles HTTP and SSL communication for Internet Explorer, and banking malware routinely hooks its functions in order to read and alter traffic before it is encrypted or after it is decrypted. By preventing malware from hijacking and modifying the browser itself, Rapport can potentially protect against the man-in-the-browser attacks that bank Trojans like Zeus implement. In addition, Rapport is updated regularly, much like antivirus software, so it can recognize the latest malware variants.
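The check below shows, in miniature, what "monitoring an API for manipulation" means. It is an added example, not code from the article or from Trusteer. A Trojan that hooks a WinInet export such as HttpSendRequestA typically overwrites the first bytes of the function with a detour (a relative jmp, an indirect jmp, or a push/ret), so a protection agent can compare the prologue it sees in memory with the on-disk image and resolve where any jump at the entry point leads. The module address range, the function address, the malware stub address and all byte strings are constructed for the illustration; on a real system they would be read from the loaded DLL and from the file on disk, and the patterns here cover 32-bit x86 only.

```python
import struct

# Standard hot-patchable prologue Microsoft uses on many 32-bit Win32 exports:
# mov edi,edi ; push ebp ; mov ebp,esp
HOTPATCH_PROLOGUE = bytes.fromhex("8bff558bec")


def classify_prologue(code: bytes) -> str:
    """Classify the first bytes of a function (32-bit x86 patterns only)."""
    if len(code) < 5:
        return "too_short"
    if code[0] == 0xE9:                                          # jmp rel32
        return "jmp_rel32"
    if code[:2] == b"\xff\x25":                                  # jmp dword ptr [addr]
        return "jmp_indirect"
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:   # push imm32 ; ret
        return "push_ret"
    if code.startswith(HOTPATCH_PROLOGUE):
        return "hotpatch_prologue"
    return "other"


def jmp_rel32_target(func_addr: int, code: bytes) -> int:
    """Resolve the destination of an E9 jump that sits at func_addr."""
    rel = struct.unpack_from("<i", code, 1)[0]      # signed 32-bit displacement
    return (func_addr + 5 + rel) & 0xFFFFFFFF        # relative to the next instruction


def inspect_export(name, func_addr, in_memory, on_disk, module_range):
    """Compare the live prologue with the on-disk image and look for detours."""
    lo, hi = module_range
    kind = classify_prologue(in_memory)
    findings = []
    if in_memory[:5] != on_disk[:5]:
        findings.append("first bytes differ from the on-disk image")
    if kind == "jmp_rel32":
        target = jmp_rel32_target(func_addr, in_memory)
        if not lo <= target < hi:
            findings.append(f"entry jumps to 0x{target:08x}, outside the module")
    elif kind in ("jmp_indirect", "push_ret"):
        findings.append(f"{kind} sequence at function entry")
    return {"export": name, "prologue": kind, "findings": findings,
            "hooked": bool(findings)}


# Constructed data (assumptions for this example): a pretend wininet.dll mapped
# at 0x76000000 with size 0x100000, and a malware stub living in another module.
WININET_RANGE = (0x76000000, 0x76100000)
HTTPSENDREQUEST_ADDR = 0x76012340
MALWARE_STUB_ADDR = 0x00401000

ON_DISK = HOTPATCH_PROLOGUE + b"\x53"                 # prologue followed by push ebx
HOOKED = (b"\xe9"                                      # jmp rel32 written by the Trojan
          + struct.pack("<i", MALWARE_STUB_ADDR - (HTTPSENDREQUEST_ADDR + 5))
          + b"\x53")


def demo():
    """Inspect the same export once clean and once after an inline hook."""
    clean = inspect_export("HttpSendRequestA", HTTPSENDREQUEST_ADDR,
                           ON_DISK, ON_DISK, WININET_RANGE)
    hooked = inspect_export("HttpSendRequestA", HTTPSENDREQUEST_ADDR,
                            HOOKED, ON_DISK, WININET_RANGE)
    return clean, hooked


if __name__ == "__main__":
    for report in demo():
        print(report)
```

A detour at a WinInet entry point is evidence of tampering, not proof of malware: antivirus products, sandboxes and Rapport itself hook the same functions, which is one reason such agents conflict with each other. A real agent therefore has to whitelist its own hooks and those of known software, and on 64-bit Windows it has to recognize different detour sequences than the three shown here.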
The benefits of software like Rapport, as well as similar solutions for securing online banking like U.K.-based Prevx Ltd.'s SafeOnline, are general protection of browsers and endpoints, minimal impact on most endpoint systems, and monitoring capabilities for banks. However, many banks do not want to make this software mandatory, as users will feel that security is being "forced" on them. In addition, the software requires an agent to be installed, and may require local administrator access and privileged use of the browser, neither of which is desirable from a security best-practices standpoint. The attackers are not idle, either: newer versions of the Zeus Trojan and other malware have demonstrated functions that can detect and potentially disable certain versions of Rapport and other protective software. Finally, because these agents hook the same browser and system functions that other security tools do, they may conflict with other programs and solutions, including a popular shareware program called Sandboxie.
Sandboxie, and systems like it, create a protected and isolated space on a system (a "sandbox") in which designated programs run. If the browser is designated as a sandboxed program, the sandbox keeps any malware that executes inside it from affecting the rest of the system. Note that this protects the host from the browser, not the banking session from malware that is already running inside the same sandbox. Other products apply the same idea in hardware, namely USB devices that carry a self-contained browsing environment. IronKey Inc., a company well known for its encrypted portable drives, now offers a product called Trusted Virtual Computing, which provides a virtual operating system and browser that run directly from the USB drive. In addition to the isolated OS and browser, these devices offer built-in antimalware scanning, multifactor RSA authentication and online updates for the latest threats. The benefits of this tool include not having to install software on the host system, as well as stronger isolation between the browsing environment and the host system during financial site access.
Another hardware-based solution is IBM Corp.'s Zone Trusted Information Channel (ZTIC), which establishes a secure (SSL/TLS) session with pre-configured banking sites and then lets the host's browser connect to it as a sort of banking proxy. When a user accesses the banking site and enters transaction details, the device shows the details it is about to send on its own small display, and passes them on to the bank only if the user manually presses a button on the device. Because the display is driven by the data actually leaving the device rather than by what the browser renders, a man-in-the-browser attack cannot modify a transaction on the host without the change being visible. Unfortunately, all of these hardware-based solutions still require the user to type at the host's physical keyboard, so a keystroke logger on the host can still capture what is typed: a trusted display stops an attacker from silently changing a transaction, but not from learning the password used to start it.
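The difference between "what the browser shows" and "what leaves the device" is the whole point of the ZTIC design, and the simulation below makes it concrete. It is an added example, not code from the article or from IBM: the transfer form, the request format, the payee names and the way the man-in-the-browser rewrites the form are all constructed for the illustration. The browser-side tampering rewrites the form after the user has seen the page; the device parses the request it is actually going to transmit and only forwards it when what it displays matches what the user intended.

```python
from urllib.parse import parse_qs, urlencode


def build_transfer_request(payee: str, amount: str) -> str:
    """The transfer form as the user filled it in (constructed HTTP format)."""
    body = urlencode({"payee": payee, "amount": amount})
    return ("POST /transfer HTTP/1.1\r\nHost: bank.example\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")


def man_in_the_browser(request: str, payee: str, amount: str) -> str:
    """Zeus-style tampering inside the browser: the form is rewritten after the
    user has reviewed it. Because the hook sits below the rendering layer, the
    page the user is looking at still shows the original payee and amount."""
    head, body = request.split("\r\n\r\n", 1)
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    fields.update(payee=payee, amount=amount)
    new_body = urlencode(fields)
    head = head.replace(f"Content-Length: {len(body)}",
                        f"Content-Length: {len(new_body)}")
    return f"{head}\r\n\r\n{new_body}"


def device_display(request: str) -> dict:
    """What a ZTIC-like device shows: it parses the request it is about to put
    on its own TLS session, never what the browser claims it is sending."""
    _, body = request.split("\r\n\r\n", 1)
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return {"payee": fields["payee"], "amount": fields["amount"]}


def device_forwards(request: str, intended: dict) -> bool:
    """The device forwards the request only if the user, comparing the display
    with what they meant to send, presses the confirm button."""
    return device_display(request) == intended


def scenario(tampered: bool) -> bool:
    """Run one banking session; return whether the transfer reached the bank."""
    intended = {"payee": "ACME Utilities", "amount": "120.00"}   # constructed
    request = build_transfer_request(**intended)
    if tampered:
        request = man_in_the_browser(request, "Mule Account 7731", "4900.00")
    return device_forwards(request, intended)


if __name__ == "__main__":
    print("clean session forwarded:   ", scenario(False))
    print("tampered session forwarded:", scenario(True))
```

In the tampered run the browser still renders "ACME Utilities, 120.00" while the device display reads "Mule Account 7731, 4900.00", so an attentive user declines. This is also where the caveat in the text bites: anything typed at the host keyboard (the login password, for instance) passes through the host before the device ever sees it, so a keylogger captures it regardless; the display guarantees only that what reaches the bank is what the user approved.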
A simple and free option for online bank security is to use a bootable CD/DVD distribution that runs a read-only operating system loaded into memory. Sometimes called "Live CDs," a variety of these exist (common distributions include Knoppix, SLAX and Webconverger). The benefit of a Live CD is total isolation from the host operating system, since the user boots from the disc into the read-only environment instead of running anything on the installed OS. Because the media is read-only and the system runs from memory, nothing that happens during a session persists: a compromise of the running environment lasts only until the next reboot, and no sensitive data is left behind once the session is complete. The downsides are the need to reboot into the environment for each session, the need to train users, and the need to keep the disc image current, since a Live CD's browser is only as patched as the day the image was built.
As more banking customers experience financial fraud caused by sophisticated malware, interest in tools like these will undoubtedly grow. Each has distinct pros and cons, ranging from software installation issues to whether it provides true isolation, and cost is always a factor for both banks and end users.
About the author:
Dave Shackleford is director of risk and compliance and director of security assessments at Sword and Shield Enterprise Security Inc., and a certified SANS instructor. He was formerly CSO at Configuresoft Inc. and CTO at the Center for Internet Security, and has worked as a security architect, analyst, and manager for several Fortune 500 companies. In addition to these roles, he has consulted with hundreds of organizations for regulatory compliance, as well as security and network architecture and engineering.