Account take over (ATO) fraud against online banks and their customers could be about to get considerably worse and defences need to be strengthened as soon as possible, a security expert has warned.
In a blog last month, bank security maven Ken Baylor suggested that the June leaking of the source code for the Carberp Trojan represented a dangerous development that would almost certainly follow a pattern set down when previous malware such as Zeus and Citadel were released.
The most likely outcome was that Carberp would be picked over, added to, and improved by enterprising malware developers, before being wielded against banks still struggling to cope with previous attacks, he said at the time.
“Over the next few months, it will be tweaked, optimized, and likely merged with other kits (Citadel, Zeus, SpyEye etc)," Baylor told Techworld of Carberp’s escape into the criminals domain after assessing a range of anti-fraud tools for a forthcoming NSS Labs brief, Online Banking Fraud 3 – Facing Antifraud Solutions.
“The updated web-injects especially will be studied, as they are key to fooling bank users into parting with their credentials for both online bank fraud and cross-channel fraud (that special feeling when you receive a genuine email from your bank stating your home loan has been approved, though you didn’t apply for one),“ he said.
His belief is that modified Carberp will cause a spike in ATO attacks by early 2014, making the need to boost take-up of anti-fraud software tools a pressing issue.
The report will look at tools from Quarri, Wontok, ThreatMetrix, Trusteer (being acquired by IBM), Webroot and Versafe.
These defences are all software tools designed to create an extra security layer on the consumer’s computer, usually by hooking into the browser. The problem, as ever, is that even consumers offered these tools don’t always use them. When they do, support can become an issue.
An alternative – ideally a compliment - is to hand out token and authentication systems that query every transaction above a given level. These also generate a separate class of support issues.
What is clear is that banks need such systems to aid account and fraud detection systems that involve expensive manual control which usually involve staff phoning up customers to query transactions or transfers.
Ironically, the takeup-up of anti-fraud tools in countries such as the US is now partly being driven by legal cases over fraud liability; Federal Financial Institutions Examination Council (FFIEC) advice recommends layered security as a starting point.