According to Eurostat, 36 percent of people in Europe used online banking for transactions last year. In Norway the figure was a staggering 83 percent. But, just as with any other service that involves large sums of money, criminals attempt to make off with as much of the loot as possible. In the Internet age, bank robbers no longer need cutting torches to get to customers' money.
Bank robbery 2.0: Attacks in the browser
Banks have invested heavily in the security of their systems and effectively encrypted the communication channels from the customer to the bank. They have also continued to improve the TAN procedure, having recently done away with printed TAN lists and introduced new procedures such as mobile TAN and flicker TAN. But, in reality, cyber criminals can circumvent all these protection mechanisms by attacking the customer's PC.
In the world of bank robbery 2.0, perpetrators do not attack the banks. They infect online banking customers' computers with intelligent computer malware called banking Trojans. Visiting an infected website is all it takes to infect the computer with this specialised malware. Once it has stolen the access data, this malware can actively intervene in the payment process and divert legitimate transactions to other accounts without being detected.
How does the fraud work?
If the browser has been manipulated by a banking Trojan, data is still transferred from the computer to the bank in an encrypted form, but it is not the data that the user actually entered in the browser. If the bank customer tries to pay his rent from his infected PC, for example, the data he enters is visible in the Internet browser, but once the TAN is entered the money is unnoticeably directed to the criminal's account.
Most antivirus solutions do not detect new banking Trojans until it is too late, since they require a corresponding signature for protection. In one test, conventional protection programs only detected 12 percent of the malware strains immediately and 27 percent after 24 hours. This means that traditional security technologies found it almost impossible to protect computers fully against current banking Trojans.
The biggest issue with this, is that the consumer is unaware of this fact. Nobody likes to talk about the threats of banking Trojans, because they are unable to offer a solution to the problem. Being aware, alert and working from an AV-protected pc within a safe network does not do the trick in this case. Even the best educated IT security expert can fall victim to this malware, as it operates completely invisible and requires no user involvement at all.
Due to the lack of communication about banking Trojans, users remain blissfully unaware of the risk, even though the average damages per case are around £4,000. Consumers assume they are safe when they install security software on their computer. And no one, banks nor AV vendors will tell them otherwise.