Wall Street & Technology: Blog: Banks Must Heighten Security Following New Round of Attacks

Banks Must Heighten Security Following New Round of Attacks

A security expert says financial institutions must adopt a strong multi-factor security solution, which can protect them from all kinds of online attacks and do not need to be re-written when a new threat is identified.

"There is a growing number of attacks that are still able to successfully target banks' authentication when security hasn't been ramped up to a high enough level," says Tim Renshaw, VP at security vendor TriCipher.

His comments follow reports of a new attack against 400 banks by a Trojan program which circumvents two-factor authentication.

The Trojan can intercept transactions and silently change the user-entered destination bank account details to the attacker's details instead. Banks under attack include large U.S. institutions, as well as banks in the UK, Ireland, France, Finland and Spain, among others.

Renshaw warns that additional banks could be attacked by the same Trojan in the coming days. "The Trojan has an update functionality. So it could be a different 400 banks next week," he says.

The Trojan can also escalate its level of complexity to match the level of security of a targeted bank. If a transaction can occur at a bank using just a username and password, or if cookies are required to log-on, then the Trojan will steal this information, Renshaw explains.

In order to prevent attacks like these, banks must build security solutions that can address a broad gamut of attacks, so you're not constantly having to update, he says. Threats include phishing or pharming attacks, which direct a customer to a bogus server that completes the connection to the bank's server – and more recent man-in-the-middle attacks, which can modify customer-generated transactions or generate new transactions.

"There's always the man-in-the-middle attack of the day," Renshaw contends.

"But at the end of the day all these attacks are of the same type. They're no different from someone calling my granny and conning her out of her personal information over the phone."

Tricipher itself provides Armored Transactions, a solution that works by displayingn details of each transaction, which users then verify. Users need only enter passwords and click a mouse, but TriCipher says its PKI-based technology digitally signs the transaction through a separate secure connection, legally proving that the user authorized the transaction.

Posted by Melanie Rodier at 01:50 PM

This is a public forum. CMP Media and its affiliates are not responsible for and do not control what is posted herein. CMP Media makes no warranties or guarantees concerning any advice dispensed by its staff members or readers.

Community standards in this comment area do not permit hate language, excessive profanity, or other patently offensive language. Please be aware that all information posted to this comment area becomes the property of CMP Media LLC and may be edited and republished in print or electronic format as outlined in CMP Media's Terms of Service.

Important Note: This comment area is NOT intended for commercial messages or solicitations of business.