Using the web to access online banking? Who is protecting the browser side?
To date, there hasn’t been a way to understand if online users are being compromised or to be sure precisely what they are seeing whilst visiting and interacting with a web page. We know that endpoint security and anti-virus products fail and online users can be infected even with all the precautions that they may take. Server-side security is now very mature and excellent progress has been made in that particular field.
In light of this, hackers now target the end-user through the client-side of applications using methods such as Man-in-the-Browser (MITB) attacks, as one example. These types of attacks are still very much underestimated by the e-banking sector. Organisations in this sector are not aware of the importance of such threats due to the lack of visibility. They don’t fully recognise the attack vectors and scenarios that make their web platforms vulnerable, allowing their users to be exploited.
According to the Open Web Application Security Project (OWASP), an authority dedicated to application security, a MITB attack starts with the user’s device getting infected with a Trojan, usually via a phishing campaign or some sort of social engineering attack. Next, it sits quietly in the background until the user visits one of its target websites. As the user then navigates the website the Trojan, which is hooked into the browser, is able to freely sniff or modify requests and responses, stealing sensitive information. The user won’t know what has happened because the information displayed back to him matched his intended transaction. The bank is equally in the dark because there was nothing fishy about the specific login or the behaviour of the user.
The most common objective of this attack is financial fraud or to steal personal data that can include credentials, private information or credit card details – this can happen even when other authentication factors are in use. Reputational damage can be severe, especially so in a sector such as financial services where trust is a significant part of the business. Users need the reassurance that their e-banking platform will always be available, speedy to use and, very importantly, secure.
Banking Trojans have been around for ten years now. Even though they have evolved in terms of features, they haven’t changed that much. What has increased is the frequency of attacks, the diversity of bots and the propagation methods and overall damage that they are doing. Conversely, what hasn’t increased is the visibility on the problem. Most banks lack the tools that would allow them to see just how much they are being targeted by such attacks and to act in the face of critical incidents, thus preventing losses.
In 2011, Citadel was hit by a bank-account-raiding Trojan that surfaced and infected 11 million PCs, helping crooks to make off with $500 million. Trojans have evolved, becoming ever more sophisticated forms of malware focused on stealing banking credentials and with the ability to evade anti-virus. Dridex appeared in 2014 and was responsible for netting cybercriminals somewhere in the region of $40 million. These types of malware exploit systems to send out spam/phishing emails with infected attachments that in turn infect more systems. According to research carried out by IBM, 2016 saw Zeus and Neverquest responsible for nearly half of all global financial cybercrime.
Today, online banking is perhaps the most popular way for people to manage their money. Banks ensure internet banking security for customers by using encryption technology — for example, secure sockets layer — verifying internet banking account activity, incorporating account safety features, and warning customers of ways to avoid threats such as identity theft.
Furthermore, figures quoted by the Daily Mail show that online banking fraud cost UK consumers £29.3 million in 2014 – a 71% rise from the year before. These figures prove that cyber-security is a pressing issue for every bank throughout the UK – and one that financial institutions can’t ignore if they want to retain customers.
Aside from any financial penalty that might accrue from customer data being hacked, why else should financial institutions take every precaution necessary to protect themselves from attack? Reputational damage or erosion of the brand following on from any such cyber breach has the potential to be much more financially damaging. The Edelman Trust Barometer 2015 indicated that 83% of respondents see it as important for banks to protect customer data. If a bank allows information to be hacked it will lose trust; 63% said that they had refused to purchase a product/service because they distrusted the firm behind it.
The Perceptions of Business Transparency report showed that half of British adults believed that the conduct of banks linked to the financial crisis has damaged their trust in all businesses. In last year’s Global Consumer Banking Survey 11% of respondents said they’d gained more trust in the banking sector over the previous year; 15% of British consumers still said they had minimal or no trust in banks.
Users may well be using banking apps (mobile apps on their phones), and this way of accessing bank accounts is not without security challenges either, as a test on 40 home banking apps found.
But what about the browser side? What are financial services organisations doing to protect their clients who choose to access online banking services using their computer?
Let us consider some of the approaches:
- Device fingerprinting and geo-location cannot be considered viable solutions. In these attacks, the user is using their own device in its usual location.
- Fraud monitoring can yield some results. For instance, if you are screening transactions then you may detect that something is off. However, using an online banking example, an attacker may wait for the user to carry out a transaction, modifying only the destination account number. This will potentially not trigger anything. False negatives will occur.
- Bot detection or behaviour-based detection will not spot anything unusual because the user is commanding the navigation. Everything will seem normal.
A totally different approach could be to monitor the application in real-time for modifications to the DOM, to Native APIs, and to events. Since anything can be potentially malicious, a whitelisting approach is needed, combined with machine learning to tackle false positives. The resulting system can generate real-time notifications to the backend of the application, with useful data that can drive automated responses.
Application real-time monitoring is here to stay. It can detect changes produced by MITB (as well as other injection/tampering attacks such as MITM, malicious extensions, and malicious or compromised third-party modules). Regardless of how these attacks are implemented, this approach works by detecting changes made to the webpage without the knowledge of the user. This type of solution allows financial institutions to react in real-time by having policies in place that act on the alert metadata. It can also detect zero-day threats.
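The whitelisting idea above, as an added illustration that is not Jscrambler's code: a login form is compared against a declared policy of expected fields and submit target, and a handful of browser built-ins are checked for having been replaced by script-defined wrappers. The policy values and the `bank.example` URL are constructed for the example; the functions are pure so they also run outside a browser.

```javascript
// Added example (not the original page's or Jscrambler's code).
// Constructed whitelist: what the bank's login form is expected to contain.
const LOGIN_FORM_POLICY = {
  action: "https://bank.example/login", // hypothetical URL
  fields: new Set(["username", "password", "otp"]),
};

// Compare an observed form snapshot ({action, fields: [...]}) against the
// policy. Returns a list of findings; an empty list means the form looks
// untouched. Injected fields (e.g. an extra card-PIN box) and a redirected
// submit target are the classic MITB tampering patterns.
function auditForm(snapshot, policy) {
  const findings = [];
  if (snapshot.action !== policy.action) {
    findings.push({ kind: "form-action-changed", value: snapshot.action });
  }
  for (const name of snapshot.fields) {
    if (!policy.fields.has(name)) {
      findings.push({ kind: "unexpected-field", value: name });
    }
  }
  for (const name of policy.fields) {
    if (!snapshot.fields.includes(name)) {
      findings.push({ kind: "missing-field", value: name });
    }
  }
  return findings;
}

// Native browser functions stringify to "... { [native code] }"; a script-
// defined replacement (a hook around fetch or XMLHttpRequest.prototype.send)
// does not. Bound functions also report native code, so this is one signal,
// not a proof, and Function.prototype.toString can itself be tampered with.
function isNativeFunction(fn) {
  return typeof fn === "function" &&
    /\{\s*\[native code\]\s*\}\s*$/.test(Function.prototype.toString.call(fn));
}

// Audit a map of {name: function} and report the ones that look hooked.
function auditNativeApis(apis) {
  return Object.entries(apis)
    .filter(([, fn]) => !isNativeFunction(fn))
    .map(([name]) => ({ kind: "api-hooked", value: name }));
}

// In a browser the snapshot comes from the live DOM, typically from a
// MutationObserver callback on the form, and findings are posted to the backend.
function snapshotForm(form) {
  const fields = [...form.elements].map((el) => el.name).filter(Boolean);
  return { action: form.action, fields };
}
```

Findings from `auditForm` and `auditNativeApis` are the "useful data" the text mentions: they can be sent to the backend and matched against response policies rather than acted on in the page itself.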
There can be no excuses for not getting security right, across all access points. The impact to the bottom line from monetary losses can be severe, quite apart from the potentially incalculable damage to both reputation and brand.
By Pedro Fortuna, co-founder and CTO, Jscrambler