Hackers Outwit Security Systems
Thanks to “Man in the Browser”, even up-to-date anti-virus software combined with the latest generation of online banking security doesn’t protect those using online banking.
A test witnessed as part of a BBC Click investigation suggests even those with up-to-date anti-virus software could be at risk.
There is no specific risk to any one individual bank.
In the test the majority of web security software on standard settings did not spot that a previously unseen piece of malware created in the software testing lab was behaving suspiciously.
The threat does not strike until the user visits particular websites.
Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered.
Some versions of the MitB will change payment details and amounts and also change on-screen balances to hide its activities.
With the additional security devices, the risk of fraud is only present for one transaction, and only if the customer falls for the “training exercise”.
“The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking,” said Daniel Brett, of malware testing lab S21sec.
“[Although] many products won’t pick this up, they’ve got a much bigger scope, they’re having to defend against all the viruses since the beginning of time.”
Every time a new update to the malware is released, it takes the security companies a number of weeks to learn how to spot it – to learn its common features.
But one security company did privately concede that if this threat had come from a source not known to be bad, and had started communicating with a web address also not on the blacklist of “bad” sites, it probably would have beaten their protection until they had discovered and analysed it.
The key in this cat-and-mouse game continues to be the user and how high they want to set their security settings on anti-virus software. But even then NOTHING is 100% secure when it comes to data.
Posted on February 9, 2012.