E-banking: A Trojan Horse Assaulting Connection Identifiers
- Considering an increasing number of customer complaints, on 28 September, the Association of Banks in Singapore (ABS) issued a press release on a new threat induced by a Trojan horse named SpyEye. The Trojan targets e banking applications and attempts to add fraudulent third-party beneficiaries for funds transfers. This threat is propagating through infected websites, by e mail or through downloading items from social networks.
- When the user enters his identifiers on the legitimate banking portal, a banner appears stating that the transaction may take one to ten seconds to complete or that verifications are in process. The banking association advises that customers close their browser and contact their bank to let them know.
- The simple use of OTPs (via SMS for instance) might not suffice to remedy this problem: the Trojan waits for the customer to enter the code to take control and perform funds transfers. Some banks propose a second OTP to secure high amounts transactions: these more complex mechanisms could be deployed.
- Trusteer has recently study a version of this Trojan horse designed to get hold of banking credentials in Android; the adaptation of this threat to the e-banking context shows that these very close channels are highly interwoven and permeable.
- These risks add up to the increasing number of fraudulent websites and other phishing attempts; they are further increased by the users’ lack of training when it comes to protecting themselves. A study released by Melbourne IT (focusing on the US) reveals that less than half of the surveyed customers do check on the website’s URL before connecting; 75% of those polled believe they can trust financial institutions to secure their accounts.
- In the UK, the Financial Fraud Action UK reports a 32% decrease of online fraud during H1 2011 (16.6 million pounds). Improved Internet users’ awareness and fraud detection tools may account for this. Nevertheless, while the total amount of fraud losses in the UK decreases 9%, phone scams-related losses have increased 48% over the same period compared to 2010 (see April 2011 Insight).