Avivah Litan

A member of the Gartner Blog Network

VP Distinguished Analyst
12 years at Gartner
30 years IT industry

Avivah Litan is a Vice President and Distinguished Analyst in Gartner Research. Her area of expertise includes financial fraud, authentication, access management, identity proofing, identity theft, fraud detection and prevention applications…


Is bank distribution of anti-malware software a good idea?

by Avivah Litan  |  April 29, 2010  |  Comments Off

Several banks in the U.S. and U.K. are deploying ‘on demand’ desktop protection software to their online banking customers, to help ward off attacks and account raids perpetrated by Zeus and other similar bank-trojans. Traditionally, most financial institutions haven’t wanted to accept any responsibility for user desktops, but the trojan situation has gotten so bad that some recently decided the cost of distributing and managing user desktop security software was lower than the benefits.

Of course the competitors in the anti-malware software business are busy exposing holes in the bank-deployed software, further illustrating the ‘cat-and-mouse’ nature of the business.

But the bigger question is:  is ‘on-demand’ software distribution to customer desktops an effective strategy for mitigating fraud?

It depends who you ask.  Some say the more security layers the better. Others say, once you get involved in customer desktops you can become liable for anything ‘bad’ that happens there.

No matter which way you come out, my thoughts are:

a) the existing anti-virus/anti-malware software on the customer desktops has failed to stop these vociferous trojans.   Why not focus on improving what customers already have deployed and how they keep it up-to-date?

b) there is plenty of good fraud detection software that financial institutions can deploy on the server side that can effectively stop these trojans.   See our “Case Study:  Bank Defeats Attempted Zeus Malware Raids of Business Accounts” G00174740.    

It seems more prudent and effective to tackle the problem using software and computing environments you can control, rather than relying on end-points like customer desktops that you have no control over whatsoever.

If a bank wants to help its customers protect their online banking sessions from trojans, it probably is best to go with the FS-ISAC (Financial Services Information Sharing and Analysis Center) advice to use a ‘locked down’ computer. That can be achieved easily and freely by booting a computer from a CD drive loaded with open-source Ubuntu software, and using the browser therein to conduct online banking. Inconvenient perhaps, but a lot safer. And free.
