Online banking remains under threat to MitB and Trojan attacks

According to experts from banking and IT-Security, banks are not really interested in security unless they forced to. Some even try to threaten experts who show the loopholes in their systems

Safety and security for online financial transactions has always remained a cause of worry for all customers. Be it ATM frauds or online banking or mobile banking, the onus to prove that he was robbed remains on the customer. Several times it is found that banks do not even pay heed to security requirements. It is often said that in a chain, it is the weakest link that is most vulnerable. In banking sector, unfortunately, the bank itself comes out as the weakest link.

In addition, banks are often found not to pay any heed on any warnings on Trojans and malware and always tell us that their systems are 100% safe and sound like a forte-Knox. While, there are several cases on bank Trojans stealing thousands of dollars from customer accounts, especially from western world, Indian banks are even not ready to pay any heed to these threats.

In fact, many banks 'shut out' security expert, Yash KS, who has demonstrated how sites of several Indian banks are vulnerable. Mr Yash shot the video showing how Trojan can breach bank sites and uploaded it on public platform so that the lenders can increase the level of security. All these banks responded immediately by blocking and successfully removing the video from public domain like YouTube but failed to enhance security levels of their sites.

Mr Yash says, "Citibank has never responded when I contacted them to talk about malware. But when I posted my videos online, they mitigated the risk to some level within 10 days. It’s a good response. (However) Before fixing it, they blocked my video in YouTube saying it is harmful content."   

Recently British Broadcasting Corp (BBC) published an article on how hackers are outwitting online banking identity security systems (http://www.bbc.co.uk/news/technology-16812064). The article says, "Criminal hackers have found a way round the latest generation of online banking security devices given out by banks."

The article, however, says that a test witnessed by its team suggests even those with up-to-date anti-virus software could be at risk, and there is no specific risk to any on individual bank. "Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered," it said.

To get rid of the risks involved in online banking transactions, financial institutions brought two-factor authentication (2FA). But this is also not without problems. In 2005, renowned security technologist and author, Bruce Schneier, wrote an essay where he predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint.

This exactly was the issue Mr Yash has been trying to explain to all the banks in India. But there is no response so far. According to Mr Yash, he met senior officials from ICICI Bank and demonstrated to them that how a malware can harm their account holders. However, the bank officials claimed that their systems are more secured compared with other banks and no such can happen to their customers.

When Mr Yash again demonstrated that even more secure site of ICICI Bank as claimed by its officials is vulnerable to malware attacks. After waiting for several months for a response from the Bank, he finally put the demo video in public domain. The Bank then sent Mr Yash a defamation notice through its corporate communications department saying that he trying to sell his product to them and that he should immediately remove the video from his website else they may take the legal action.

According to Mr Yash, another lender, HSBC Bank, also tried to remove his videos from public domain. He claims that the Bank asked the hosting services provide to disable his site and later forced them to remove the video that showed how HSBC’s online accounts can fall prey to malware attacks. Mr Yash also alleged that the lender sent some goons to his residence. He said,”…after failure attempts to bring down content with the help of service provider, HSBC sent goons to my residence. I was not present at that time; they have asked my family members rude questions.”

However, there is no verification for his claims about the goons and whether they were indeed sent by the lender.

Coming back to the security loopholes in online transactions, the Financial Fraud Action UK reported that during the first six months of 2011, online banking fraud losses in that country totalled 16.9 million pounds. Banks in UK usually refund victims of online fraud as a matter of course.

In case, you are wondering what is the situation in India, well, the numbers of frauds in online transactions are much less compared with other countries. This is because we Indians (and our bankers) prefer to do most of our transactions by visiting the bank branch in person.

According to Reserve Bank of India, managing security is more challenging in online and phone banking as compared to other delivery channels and online threats in the form of phishing attacks, spyware, viruses, Trojans, key loggers are frequent. “Fraudsters are not only tech savvy but have clear understanding of the systems and procedures obtaining in banks,” said G Padmanabhan, executive director of RBI while speaking at a Secure Banking conference last year.

This leaves all net-savvy bank customers from India wondering if online banking is really safe and secure. The answer is yes and no. Yes, if you are taking all precautions like regularly updating the anti-virus installed on your computer and using good anti-malware software and practising safe browsing practices. No, if you do not follow the above mentioned practices or using public computer (like a cyber café) or your bank do not have enough checks in place to block malware or Trojan attacks.

From July 2011, the RBI has mandated a system of alerts for all card transactions, irrespective of the channel used. However, the central bank made it clear that it is for banks to make this effective by ensuring that the customers are persuaded to register their mobile phone numbers for receiving such alerts.

So far the second-factor authorisation (2FA), introduced by RBI about three years ago, appears to be working fine. Some banks have also issued small devices that generate authentication codes that can be used only for one time for secure card transactions. The report from BBC states, “While these chip and pin devices make the hackers' job more difficult, the hackers themselves have raised their game.”

MitB and Trojan attacks are just examples of what hackers and criminals can do to steal your money. So, how one can protect oneself from online banking frauds? According to Mr Schneier, multi-factor authentication like the 2FA does not solve anything. “In case of MitB, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in case of Trojan, the attacker is relying on the user to log in,” he said.

“The solution is not to better authenticate the person, but to authenticate the transaction. Think credit cards. No one checks your signature. They really don't care if you're you. They maintain security by authenticating the transactions,” Mr Schneier says.

Are the banks listening, especially when innovative methods of hacking and stealing are coming to the fore regularly?

  • Like this story? Get our top stories by email.

    User

    COMMENTS

    Andrea Smith

    8 years ago

    maybe they can start telesigning people in to further prevent fraud and hacks.

    Dhanlaxmi Bank MD & CEO Amitabh Chaturvedi resigns

    According to sources, the Bank's MD & CEO has resigned due to serious differences with other Board members

    Dhanalaxmi Bank Ltd's managing director and chief executive, Amitabh Chaturvedi has resigned from the bank. The Bank’s board of directors are meeting today at 4pm and may declare financial losses of about Rs30 crore. However, we learned that this has nothing to do with the resignation of Mr Chaturvedi and he may have resigned due to serious differences with some of the Board members.

    According to the sources, the bank is facing liquidity problems and may report financial losses of about Rs30 crore. However, the lender is not in serious trouble, the sources added.

    Last year in November, the RBI conducted an inspection and issued a 15-point Monitorable Action Plan (MAP) to Dhanlaxmi Bank. This was followed by the furore caused due to a memorandum sent by the All India Bank Officers’ Confederation to the RBI stating the weak financials and certain wrongdoings by the bank.

    As per the MAP, Dhanlaxmi Bank should moderate its loan growth, year-on-year, to 25% for 2011-12, should not be dependent on portfolio buyouts and should focus on increasing its direct advances. It has asked the bank to improve its earnings ratio and cash-income (efficiency) ratio to 70% by March 2012 from its current 83.73% during 2010-11. (Read more...RBI directs Dhanlaxmi Bank to adhere to its action plan)

    The AIBOC alleged that the bank has manipulated accounts and provisioning, has a mismatch in asset-liability resources, maintains poor capital adequacy ratio and has huge dependence on call money borrowing. It has also accused the bank for ignoring social banking and financial inclusion. After, Moneylife broke the story, the share price of Dhanlaxmi Bank tanked by more than 20%, touching its 52-week low of Rs54.40.  ( read more.. )

    Mr Charurvedi was appointed as MD and CEO on 13 October 2008, as per the bank's website.

    Dhanalaxmi Bank shares closed 2% down at Rs56.30 on the Bombay Stock Exchange, while the BSE Sensex ended the day 102 points or 0.38% higher at 17,707.31.

  • Like this story? Get our top stories by email.

    User

    COMMENTS

    govind shanbhag

    8 years ago

    MDT - three decades ago similar fate had happened to one of the oldest kerala catholic managed bank which was placed under moratorium - BANK OF COCHIN LTD. BOC in short had 205 branches,197 in Kerala and ultimately SBI took over the bank with all assets and liabilities. There were more liabilities than assets but no depositor was inconvinced and entire credit balance was fully paid to depositors. It was bonanza for the staff especially officers who were absorbed in SBI with State Bank scale. I have seen the quality of advance in Mumbai, how can any bank lend such loan . In Private it is a proxy war.

    Melvin Joseph

    8 years ago

    Such things can be happen when there is an appointment of a typical private sector CEO in an old generation bank like Dhanlaksmi Bank.It is like changing the Engine alone and not repairing the other parts of a problematic train.
    New Generation CEOs with short term agenda and mandate may not suit the old generation institutions. If you analyse, his past assignments, it will be more clear!

    S Prabhu

    8 years ago

    Manipulation of accounts and provisioning is common scenario among private banks and every MD & CEO shows glossy picture to the investors and the depositors. More banks too come out with huge losses and the top management has no accountability role.

    Government Securities: IDBI Bank launches India’s first online retail G-Sec portal

    Government-owned IDBI Bank Ltd has launched India’s first online retail G-Sec portal. The portal provides an opportunity for retail investors to buy and sell government securities (G-Secs). G-Secs are bonds issued by Central and state governments. The portal became operational on 17 January 2012.

    IDBI Bank organised a function to launch the portal which has been christened IDBI Samriddhi...

    Premium Content
    Monthly Digital Access

    Subscribe

    Already A Subscriber?
    Login
    Yearly Digital Access

    Subscribe

    Moneylife Magazine Subscriber or MAS member?
    Login

    Yearly Subscriber Login

    Enter the mail id that you want to use & click on Go. We will send you a link to your email for verficiation
  • We are listening!

    Solve the equation and enter in the Captcha field.
      Loading...
    Close

    To continue


    Please
    Sign Up or Sign In
    with

    Email
    Close

    To continue


    Please
    Sign Up or Sign In
    with

    Email

    BUY NOW

    online financial advisory
    Pathbreakers
    Pathbreakers 1 & Pathbreakers 2 contain deep insights, unknown facts and captivating events in the life of 51 top achievers, in their own words.
    online financia advisory
    The Scam
    24 Year Of The Scam: The Perennial Bestseller, reads like a Thriller!
    Moneylife Online Magazine
    Fiercely independent and pro-consumer information on personal finance
    financial magazines online
    Stockletters in 3 Flavours
    Outstanding research that beats mutual funds year after year
    financial magazines in india
    MAS: Complete Online Financial Advisory
    (Includes Moneylife Online Magazine)