Banking malware is a hot topic these days, with Account Takeover being of particular concern for major banking and retail institutions. In a recent post, Avivah Litan emphasized what she calls the “Invisibility of Banking Malware,” claiming that about “half the malware attacking global banks is not visible to banks.” The concern is that because malware uses attacks like Man-in-the-Browser (MITB) to “redirect bank customers to their own spoof sites and social engineering processes as soon as the customer tries to log in to their bank,” anti-malware tools within the banks’ systems are ineffective.
While two-factor authentication and device identification would seem to reduce the effectiveness of attacks that redirect compromised users, we think the discussion should focus on what is being protected, how to identify when something suspicious is taking place, and how to handle it, and less on the malware and the tools used to compromise users.
Avivah talks about the layered approach Gartner recommends for eliminating the malware threat; that is also our approach. While identifying malware may to some degree make it harder for hackers to cause damage, it is only one aspect of the attack vector, and you have little to no control over malware installed on your customers’ computers. There are various solutions available with different degrees of success in stopping malware and protecting data assets, but most of them have little visibility into what is actually taking place where it counts: in the heart of transactions. They lack the level of granularity needed to determine whether a transaction is valid or risky, which pretty much guarantees that any solution addressing malware alone will only be partially effective.
To have a fighting chance at preventing the costs resulting from these attacks, you need to:
- See and analyze every transaction taking place with your web applications
- Understand if it is humans or bots conducting these transactions
- Identify if logins are being fed as part of other methods such as brute force or dictionary attacks
- Determine if the source of logins is obfuscated, for example originating from anonymous proxies or TOR networks
- Parse the credentials and try to identify if they were stolen as a result of other breaches
- Identify specific devices and user agents on those devices (device fingerprinting), or alternatively
- See if multiple devices are trying to use a single login in a short period of time
A good engine that can conduct all of these activities can be used to mitigate different types of attacks, whether aimed directly at data or at the business logic used by your company’s website, and most importantly, protect your data and reduce costs by only allowing valid transactions to take place. No doubt, identifying and protecting against any of these types of attacks is challenging, but not impossible. With real-time threat intelligence, together with the capability of looking at and understanding various factors of each and every transaction, you can protect your business and your customers, malware or otherwise.
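To make the checklist above concrete, here is a toy transaction-risk engine written as an added example for this post; it is not the author's product or code. It scores a batch of login events against the signals listed (bot-like clients, brute force, credential feeding from one source, anonymous-proxy origin, breached credentials, and one login used from several devices in a short window). The sample events, the proxy address list, the breached-password hashes, the point values and the time window are all constructed for the example; a real engine would take the lists from a threat-intelligence feed and tune the weights against its own traffic.

```python
"""Toy login-risk engine illustrating the post's checklist (added example, not the author's code)."""
from collections import defaultdict
from dataclasses import dataclass, field
import hashlib

# Constructed "threat intelligence": anonymous proxy / Tor exit addresses (RFC 5737
# documentation ranges) and SHA-256 hashes of passwords seen in earlier breaches.
ANON_PROXIES = {"203.0.113.9", "198.51.100.77"}
BREACHED_HASHES = {hashlib.sha256(p.encode()).hexdigest() for p in ("Password1", "letmein")}
BOT_UA_MARKERS = ("python-requests", "curl/", "headless")  # constructed markers
WINDOW = 300  # seconds; constructed tuning value


@dataclass
class LoginEvent:
    ts: int            # seconds since epoch (constructed)
    user: str
    password: str      # plaintext only because this toy checks it against a breach list
    src_ip: str
    device_id: str     # from device fingerprinting
    user_agent: str
    success: bool


@dataclass
class Verdict:
    user: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def flag(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def assess(events, window=WINDOW):
    """Return a Verdict per account, scoring the account's most recent login."""
    events = sorted(events, key=lambda e: e.ts)
    by_user, by_ip = defaultdict(list), defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
        by_ip[e.src_ip].append(e)

    # Credential feeding: one source cycling through many accounts inside the window.
    stuffing_ips = set()
    for ip, evs in by_ip.items():
        for e in evs:
            recent = [x for x in evs if e.ts - window <= x.ts <= e.ts]
            if len({x.user for x in recent}) >= 5:
                stuffing_ips.add(ip)
                break

    verdicts = {}
    for user, evs in by_user.items():
        v = Verdict(user)
        latest = evs[-1]
        recent = [x for x in evs if latest.ts - window <= x.ts <= latest.ts]
        if any(m in latest.user_agent.lower() for m in BOT_UA_MARKERS):
            v.flag(3, "bot-like user agent")
        failures = sum(1 for x in recent if not x.success)
        if failures >= 5:
            v.flag(4, f"{failures} failed logins in {window}s (brute force / dictionary)")
        if any(x.src_ip in stuffing_ips for x in recent):
            v.flag(4, "source is cycling through many accounts (credential stuffing)")
        if latest.src_ip in ANON_PROXIES:
            v.flag(2, "login from anonymous proxy / Tor exit")
        if hashlib.sha256(latest.password.encode()).hexdigest() in BREACHED_HASHES:
            v.flag(3, "credential appears in a breach list")
        devices = {x.device_id for x in recent}
        if len(devices) >= 3:
            v.flag(4, f"{len(devices)} distinct devices used this login in {window}s")
        verdicts[user] = v
    return verdicts


def risky_accounts(events, threshold=4):
    """Accounts whose score reaches the (constructed) threshold, sorted by name."""
    return sorted(u for u, v in assess(events).items() if v.score >= threshold)


# Constructed sample batch covering one clean customer and three attack patterns.
SAMPLE_EVENTS = [
    LoginEvent(1000, "alice", "correct-horse", "192.0.2.10", "dev-A",
               "Mozilla/5.0 (Windows NT 10.0) Firefox/45.0", True),
    # Brute force against bob from a Tor exit, using a scripted client.
    *[LoginEvent(1000 + i, "bob", f"guess{i}", "203.0.113.9", "dev-B",
                 "python-requests/2.9", False) for i in range(6)],
    # Credential stuffing: one IP feeding a breached password to many accounts.
    *[LoginEvent(2000 + i, f"user{i}", "Password1", "198.51.100.5", f"dev-C{i}",
                 "curl/7.47", False) for i in range(5)],
    # Account-takeover pattern: carol's credential used from three devices in minutes.
    LoginEvent(3000, "carol", "s3cret", "192.0.2.20", "dev-D1", "Mozilla/5.0 (iPhone) Safari", True),
    LoginEvent(3060, "carol", "s3cret", "192.0.2.21", "dev-D2", "Mozilla/5.0 (Android) Chrome", True),
    LoginEvent(3120, "carol", "s3cret", "192.0.2.22", "dev-D3", "Mozilla/5.0 (Windows NT 6.1) Chrome", True),
]

if __name__ == "__main__":
    for v in assess(SAMPLE_EVENTS).values():
        print(f"{v.user:8} score={v.score:2} {'; '.join(v.reasons)}")
```

Each `Verdict` carries the reasons behind its score, which is what an analyst needs when deciding whether to step up authentication, hold a transaction, or let it through; a bare score alone would hide which signal fired. Note that the signals are computed over the whole batch, so a single clean-looking login can still be flagged because of what the same source or credential did a few minutes earlier.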