Several banks in the U.S. and U.K. are deploying ‘on demand’ desktop protection software to their online banking customers, to help ward off attacks and account raids perpetrated by Zeus and other similar bank-trojans. Traditionally, most financial institutions haven’t wanted to accept any responsibility for user desktops, but the trojan situation has gotten so bad, some recently decided the cost of distributing and managing user desktop security software was lower than the benefits.
Of course the competitors in the anti-malware software business are busy exposing holes in the bank-deployed software, further illustrating the ‘cat-and-mouse’ nature of the business.
But the bigger question is: is ‘on-demand’ software distribution to customer desktops an effective strategy for mitigating fraud?
It depends who you ask. Some say the more security layers the better. Others say, once you get involved in customer desktops you can become liable for anything ‘bad’ that happens there.
No matter which way you come out, my thoughts are:
a) the existing anti-virus/anti-malware software on the customer desktops has failed to stop these vociferous trojans. Why not focus on improving what customers already have deployed and how they keep it up-to-date?
b) there is plenty of good fraud detection software that financial institutions can deploy on the server side that can effectively stop these trojans. See our “Case Study: Bank Defeats Attempted Zeus Malware Raids of Business Accounts” G00174740.
It seems more prudent and effective to tackle the problem using software and computing environments you can control, rather than relying on end-points like customer desktops that you have no control at all over whatsoever.
If a bank wants to help their customers protect their online banking sessions from trojans, it probably is best to go with the FS-ISAC (Financial Services Information Sharing and Analysis Center) advice to use a ‘locked down’ computer. That can be achieved easily and freely by booting a computer from a CD drive loaded with open-source Ubuntu software, and using the browser therein to conduct online banking. Inconvenient perhaps, but a lot safer. And free.
Category: Uncategorized Tags: