Devices, credentials can help protect online transactions
The old way of robbing a bank meant busting into a branch, brandishing a weapon and ordering a teller to hand over all the money.
Next-gen criminals accomplish their stealing from the comfort of their own homes. Their weapon of choice is malware, and the scene of the crime is often a bank’s website. Although they may have abandoned some of the more violent tactics, today’s thieves are more dangerous when it comes to emptying money out of bank accounts.
“The bad guys used to be in it for fame and agenda,” says Sam Curry, chief technologist for Bedford, Mass.-based RSA, the security division of data storage firm EMC Corp. “But the vast majority now are financially motivated. It’s not just about how to make money; it’s about how to make more money.”
Enter the arena of secure web browsing, a tactic more security firms are deploying to protect commercial banks from online thieves, specifically those who target business bank accounts. It also has the potential to make inroads in securing identity, industry experts say.
The most common secure browsing solutions are those that produce a hardened version of the browser, usually stored in a portable USB device or a smart card that users can plug into a PC. The browser that is stored and secured on the device or credential is used to access the bank’s secure Web site and protect the user from viruses and malware. The USB devices typically use smart card microprocessors to secure the sessions.
Through secure browsing, banks are focusing more of their security on their online presence. Traditionally, banks have spent a lot of time and energy strengthening their physical infrastructure, such as their branches. Yet online banking customers have remained vulnerable. The average customer uses his computer for a number of different things outside of online banking, such as Facebook, email, online shopping and other areas that create opportunities for breaches.
“The frustrating part about this is that an attack is on the banking customer’s computer, so it’s not an attack on the bank itself,” says Kevin Bocek, director of product marketing for IronKey, an online banking security firm based in Sunnyvale, Calif.
For example, a customer may log in to what they believe is their banking site, when in reality their computer has been attacked and they are using a false site that looks identical to the one their bank runs. They perform payment transactions they believe are real, when malware is actually manipulating the transaction.
“And now they’re executing code that’s been inserted by this criminal malware, which then proceeds to steal money,” Bocek says.
In terms of how identity can be matched to secure browsing, observers point to a few areas where these two worlds could coincide. Not only does the user need to authenticate to the system, the system should authenticate itself to the user. “We see the two as ultimately being very related,” Bocek says.
Secure browsing could also come into play in countries that are fostering e-government systems, where there is more digital interaction between the government and citizens. Such is the case in Brazil, which employs an electronic voting system.
In the United States, secure browsing could be used by organizations such as the U.S. Census, which must build up and tear down environments full of data on identities, Curry says.
Secure browsing could also be used for food stamp distribution on the municipal level and, on the federal level, building a better national structure for security and identification, he says.
In the private sector, companies are shifting more to the cloud, which creates a greater need for secure browsing, Curry says.
IronKey employs two-factor authentication on its secure browsing product, IronKey Trusted Access for Banking, when users log on. “Certainly in the future, we see authentication becoming more and more important,” Bocek says.
Last July, when the malware problem was becoming more acute, IronKey began offering IronKey Trusted Access for Banking to enable commercial banks to protect their users and transactions.
With the product, users connect their IronKey portable USB security device to automatically launch a secure, virtualized browsing environment. The Trusted Access Browser starts at the bank’s home page and allows users to navigate only to bank-authorized sites.
“You really are running another computer inside your computer,” Bocek says. “We run that virtual machine from a read-only part of the USB device. You can’t override it, so malware can’t get into it.”
IronKey takes all the browsing traffic for users and channels it through a separate encrypted tunnel that’s connected to the bank’s website to lock out man-in-the-middle attacks. Advanced encrypted keyboard input protects users from keyloggers, which track and log an individual’s keystrokes and are how usernames, passwords and other authentication credentials can get stolen.
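The rule that users may navigate only to bank-authorized sites comes down to a navigation allowlist, and the details of the host comparison decide whether a look-alike address slips through. The sketch below is an added example, not IronKey's code; the hostnames, the sample URLs and the function names `checkNavigation` and `blockedFrom` are assumptions made for illustration.

```javascript
// Added example: navigation allowlist for a locked-down browser.
// Hostnames are constructed placeholders, not any real bank's sites.
const ALLOWED_HOSTS = new Set(["bank.example", "payments.bank.example"]);

function checkNavigation(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl); // WHATWG parser, the same rules browsers apply
  } catch {
    return { allowed: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { allowed: false, reason: "not HTTPS" };
  }
  // "https://bank.example@evil.test/" puts the trusted name in userinfo;
  // the real host is evil.test. Reject any URL carrying credentials.
  if (url.username !== "" || url.password !== "") {
    return { allowed: false, reason: "userinfo in URL" };
  }
  // The default port 443 is normalised to "", so anything left is non-default.
  if (url.port !== "") {
    return { allowed: false, reason: "non-default port" };
  }
  // url.hostname is already lowercased; compare it exactly. Substring or
  // prefix matching would accept "bank.example.evil.test".
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return { allowed: false, reason: "host not on allowlist" };
  }
  return { allowed: true, reason: "ok" };
}

// Returns the refused URLs from a list, each with the reason it was refused.
function blockedFrom(urls) {
  return urls
    .map((u) => ({ url: u, ...checkNavigation(u) }))
    .filter((d) => !d.allowed);
}

// Constructed sample navigations, not captured traffic.
const SAMPLE = [
  "https://bank.example/login",
  "https://BANK.example:443/transfer",
  "http://bank.example/login",
  "https://bank.example@evil.test/login",
  "https://bank.example.evil.test/login",
  "https://bank.example:8443/",
];
console.log(blockedFrom(SAMPLE));
```
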
In developing Trusted Access, IronKey has taken cues from federal regulators and industry experts that have issued guidance on how banks can help customers to protect themselves from browser attacks, Bocek says.
In 2009, the FBI and the Electronic Payments Association–formerly the National Automated Clearinghouse Association, or NACHA–recommended that banking customers use a separate, dedicated computer for online banking that contains all of the latest updates and anti-malware software. Authorities also said the computer should support the latest in two-factor authentication.
“Of course, for each banking customer to have a computer only for online banking is pretty difficult,” Bocek says.
IronKey has also thrown its support behind the Federal Financial Institutions Examination Council’s development of new guidelines containing expectations for banks to strengthen their security controls. One of those mechanisms is the USB device, which separates users and their banking system from the computer.
Since launching Trusted Access, IronKey has acquired more than a dozen customers in the United States and Europe. IronKey markets the product to banks, which then offer it to customers, often bundling it into existing services.
RSA does not have any secure browsing products on the market yet but has been researching the service in recent years. RSA is in the advanced development stage and anticipates bringing secure browsing products to market. “It’s our objective to (provide) thought leadership and prod the industry,” Curry says. “Companies are coming to us consistently for guidance on how they can secure these (services).”
Following a cyber attack in March targeting RSA’s two-factor authentication system, SecurID, RSA said it does not anticipate that the attack will affect its other products.
The attack sent shock waves throughout the industry and has highlighted the need for secure browsing as a way to secure individual account holders, and not just the bank itself, Bocek says. “Banks are seeing it’s not just about the layers they have on their infrastructure,” Bocek says. “They also need to be protecting their clients on their (personal) computers. This attack is only going to accelerate that understanding.”
Malware on the market
In what has become a billion-dollar global underground economy, criminals have set up portals to share experiences and market wares and services.
Attackers can now buy commercial malware, costing anywhere from a few hundred dollars to in excess of $10,000, from online markets. “These attacks are very easy to marshal,” Bocek says.
The criminals fall into a few different categories. There are those who create the malicious code, those who sell it and those who recruit individuals to act as money mules receiving and transferring the stolen money–often without knowing it, Bocek says. Much of the crime originates out of Eastern Europe.
This problem has become far too real for many individuals. “In the morning (a banking customer) will have a certain bank balance and in the afternoon find that hundreds of thousands of dollars have been stolen,” Bocek says. Business banking in particular is affected because of the larger transactions made.
The real criminals directing the scheme are much harder for authorities to track because they rely on mules to transfer the money. Often the mules are unknowingly recruited into the criminal enterprise through what appear to be legitimate businesses, such as work-at-home offers.
“Criminals will set up what look like very real companies with real training programs, and what appears to be real task management, in that you as an employee now have certain tasks to carry out during the day,” Bocek says. “It gives you the feeling that this is a real-life business. Unfortunately, what happens after a certain time is that law enforcement does come.”
The software that now attacks online banking users is rapidly changing, Bocek says.
“It is in almost every case undetectable by traditional virus software because of the way it’s constructed. When they create a new attack, the fingerprint of the software changes,” Bocek says. “So traditional antivirus software can’t keep up with thousands of different attacks.”