Online banking remains under threat from MitB and Trojan attacks

According to experts from banking and IT security, banks are not really interested in security unless they are forced to be. Some even try to threaten experts who show the loopholes in their systems.

Safety and security of online financial transactions have always been a cause of worry for customers. Be it ATM fraud, online banking or mobile banking, the onus of proving that he was robbed remains on the customer. Several times it is found that banks do not even pay heed to security requirements. It is often said that in a chain, it is the weakest link that is most vulnerable. In the banking sector, unfortunately, the bank itself comes out as the weakest link.

In addition, banks are often found not to pay any heed to warnings about Trojans and malware, and always tell us that their systems are 100% safe and as sound as Fort Knox. While there are several cases of bank Trojans stealing thousands of dollars from customer accounts, especially in the western world, Indian banks are not even ready to pay any heed to these threats.

In fact, many banks 'shut out' security expert Yash KS, who has demonstrated how the sites of several Indian banks are vulnerable. Mr Yash shot a video showing how a Trojan can breach bank sites and uploaded it to a public platform so that the lenders could increase the level of security. All these banks responded immediately by blocking and successfully removing the video from public platforms like YouTube, but failed to enhance the security levels of their sites.

Mr Yash says, "Citibank has never responded when I contacted them to talk about malware. But when I posted my videos online, they mitigated the risk to some level within 10 days. It’s a good response. (However) Before fixing it, they blocked my video in YouTube saying it is harmful content."   

Recently, the British Broadcasting Corp (BBC) published an article on how hackers are outwitting online banking identity security systems. The article says, "Criminal hackers have found a way round the latest generation of online banking security devices given out by banks."

The article, however, says that a test witnessed by its team suggests even those with up-to-date anti-virus software could be at risk, and that there is no specific risk to any one individual bank. "Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered," it said.

To reduce the risks involved in online banking transactions, financial institutions introduced two-factor authentication (2FA). But this is also not without problems. In 2005, renowned security technologist and author Bruce Schneier wrote an essay in which he predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint.

This is exactly the issue Mr Yash has been trying to explain to all the banks in India. But there has been no response so far. According to Mr Yash, he met senior officials from ICICI Bank and demonstrated to them how malware can harm their account holders. However, the bank officials claimed that their systems are more secure compared with other banks and that no such thing can happen to their customers.

Mr Yash then demonstrated again that even the ICICI Bank site, claimed by its officials to be more secure, is vulnerable to malware attacks. After waiting for several months for a response from the Bank, he finally put the demo video in the public domain. The Bank then sent Mr Yash a defamation notice through its corporate communications department, saying that he was trying to sell his product to them and that he should immediately remove the video from his website or else they might take legal action.

According to Mr Yash, another lender, HSBC Bank, also tried to remove his videos from the public domain. He claims that the Bank asked the hosting services provider to disable his site and later forced them to remove the video that showed how HSBC’s online accounts can fall prey to malware attacks. Mr Yash also alleged that the lender sent some goons to his residence. He said, “…after failed attempts to bring down content with the help of service provider, HSBC sent goons to my residence. I was not present at that time; they have asked my family members rude questions.”

However, there is no verification for his claims about the goons and whether they were indeed sent by the lender.

Coming back to the security loopholes in online transactions, Financial Fraud Action UK reported that during the first six months of 2011, online banking fraud losses in that country totalled 16.9 million pounds. Banks in the UK usually refund victims of online fraud as a matter of course.

In case you are wondering what the situation is in India, the number of frauds in online transactions is much lower compared with other countries. This is because we Indians (and our bankers) prefer to do most of our transactions by visiting the bank branch in person.

According to the Reserve Bank of India (RBI), managing security is more challenging in online and phone banking than in other delivery channels, and online threats in the form of phishing attacks, spyware, viruses, Trojans and key loggers are frequent. “Fraudsters are not only tech savvy but have clear understanding of the systems and procedures obtaining in banks,” said G Padmanabhan, executive director of RBI, while speaking at a Secure Banking conference last year.

This leaves all net-savvy bank customers in India wondering if online banking is really safe and secure. The answer is yes and no. Yes, if you are taking all precautions, like regularly updating the anti-virus installed on your computer, using good anti-malware software and following safe browsing practices. No, if you do not follow the above-mentioned practices, or use a public computer (like a cyber café), or if your bank does not have enough checks in place to block malware or Trojan attacks.

From July 2011, the RBI has mandated a system of alerts for all card transactions, irrespective of the channel used. However, the central bank made it clear that it is for banks to make this effective by ensuring that the customers are persuaded to register their mobile phone numbers for receiving such alerts.

So far, the two-factor authentication (2FA) introduced by RBI about three years ago appears to be working fine. Some banks have also issued small devices that generate authentication codes that can be used only once for secure card transactions. The report from BBC states, “While these chip and pin devices make the hackers' job more difficult, the hackers themselves have raised their game.”

MitB and Trojan attacks are just examples of what hackers and criminals can do to steal your money. So, how can one protect oneself from online banking fraud? According to Mr Schneier, multi-factor authentication like 2FA does not solve anything. “In case of MitB, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in case of Trojan, the attacker is relying on the user to log in,” he said.

“The solution is not to better authenticate the person, but to authenticate the transaction. Think credit cards. No one checks your signature. They really don't care if you're you. They maintain security by authenticating the transactions,” Mr Schneier says.

Are the banks listening, especially when innovative methods of hacking and stealing are coming to the fore regularly?
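Mr Schneier's distinction between authenticating the person and authenticating the transaction, as an added example that is not from the article or from any bank's system. It assumes a hardware token that shares a key with the bank and shows the payee and amount on its own display; the key, account numbers, nonce and function names are constructed for illustration.

```python
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-demo-key"  # constructed secret shared by bank and token


def _digits(key: bytes, message: bytes) -> str:
    """Truncate an HMAC-SHA256 tag to an 8-digit code a person can type."""
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 10**8:08d}"


def login_otp(key: bytes, counter: int) -> str:
    """Person authentication: the code covers only a counter, not the payment."""
    return _digits(key, f"login:{counter}".encode())


def txn_code(key: bytes, payee: str, amount: int, nonce: str) -> str:
    """Transaction authentication: the code covers the payee and amount that
    the customer reads on the token's own display before approving."""
    return _digits(key, json.dumps(["txn", payee, amount, nonce]).encode())


def bank_checks_person(key, counter, otp, request) -> bool:
    # The request body plays no part in the check, so edits to it go unseen.
    return hmac.compare_digest(otp, login_otp(key, counter))


def bank_checks_transaction(key, nonce, code, request) -> bool:
    # The bank recomputes the code over the request it actually received.
    expected = txn_code(key, request["payee"], request["amount"], nonce)
    return hmac.compare_digest(code, expected)


def demo() -> dict:
    intended = {"payee": "ACC-1111", "amount": 5000}    # what the customer typed
    received = {"payee": "ACC-9999", "amount": 500000}  # altered in the browser
    otp = login_otp(DEVICE_KEY, 7)
    code = txn_code(DEVICE_KEY, intended["payee"], intended["amount"], "n-42")
    return {
        "otp_accepts_altered": bank_checks_person(DEVICE_KEY, 7, otp, received),
        "txn_accepts_intended": bank_checks_transaction(DEVICE_KEY, "n-42", code, intended),
        "txn_accepts_altered": bank_checks_transaction(DEVICE_KEY, "n-42", code, received),
    }


if __name__ == "__main__":
    print(demo())
```

The one-time code is accepted alongside the altered payment, while the transaction code verifies only for the payee and amount the customer approved on the token.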



Andrea Smith

5 years ago

maybe they can start telesigning people in to further prevent fraud and hacks.

Bharat Forge Q3 FY12 revenues up 21%

Bharat Forge’s standalone net profit grew by 24.8% on a YoY basis to Rs103.1 crore.

Bharat Forge Ltd. announced its Q3 FY12 results with standalone revenue reaching Rs941.1 crore, a growth of 21.1% over the corresponding period previous year.

EBITDA for Q3 before exchange loss reached Rs239.1 crore, a YoY (year-on-year) growth of 26.4%. Standalone EBITDA margins for the quarter expanded by 100 bps to 25.4% from 24.4% in the corresponding quarter previous year.

PBT before exchange loss in Q3 FY12 grew by 36.9% to Rs163.5 crore compared to corresponding period previous year. Exchange loss in the quarter of Rs16.2 crore was on account of significant currency volatility. Standalone Net Profit grew by 24.8% on a YoY basis to Rs103.1 crore.

During the quarter, exports grew by 29.3% on a YoY basis to Rs464.4 crore. The growth in exports is attributable to strong market growth and its increasing penetration with customers globally.

B N Kalyani, chairman and managing director, said, “The contribution from export market continues to grow on the back of increasing penetration with global customers, buoyant non-automotive business and strong demand environment overseas. It is also a clear indicator of our strong and growing relationship with all major global OEMs across automotive and non-automotive application.”

In the late afternoon, Bharat Forge was trading at around Rs306.75 per share on the Bombay Stock Exchange, 1.05% up from the previous close.


Omnitech Q3 Revenues up by 48.75% to Rs130.89 crore

Omnitech has a Q3 FY 2011-12 profit after tax of Rs12.75 crore.

Omnitech InfoSolutions Ltd has registered 48.75% growth in revenues on a consolidated basis for the third quarter ended 31 December 2011 (Q3) compared to the same period last year. The total revenue for Q3 FY11-12 stood at Rs130.89 crore compared to Rs87.99 crore for the corresponding period of last year. The Q3 FY 2011-12 profit after tax is Rs12.75 crore compared to Rs15.09 crore for the same period during the previous year, witnessing a reduction of 15.53%.

EPS stands at Rs8.66 for the quarter. EBITDA on a consolidated basis for Q3 FY 2010-11 stood at Rs33.99 crore as compared to Rs28.82 crore reported in corresponding period of last year.

Atul Hemani, managing director and CEO, Omnitech InfoSolutions said, “The strong revenue growth is on account of breaking new accounts and completion of the transition of few major contracts. We continue to expand organically in Asia-Pacific and Europe. We continue to expand our team across the globe in line with our growth strategy. This is continuously putting pressure on our margins but we are glad that we have created the base, and now, we will leverage on this in the coming fiscal."

In the late afternoon, Omnitech InfoSolutions was trading at around Rs133 per share on the Bombay Stock Exchange, 2.88% down from the previous close.

