Banking's BIG Dilemma: How to Stop Cyberheists

Friday, June 18, 2010

John Frank


There's a great article at Network World written by Ellen Messmer. Here's a sampling, along with my thoughts about the article (which I shared with Ms. Messmer) about providing online bank customers with security software, an imperfect answer to cybercrime.

In online banking and payments, customers' PCs have become the Achilles' heel of the financial industry as cyber-crooks remotely take control of the computers to make unauthorized funds transfers, often to faraway places.

The dilemma for banks boils down to this: How far can they go to help protect customer desktops that function like part of their shared network but aren't owned by the bank?

Suggested Answer: Provide "something that IS owned by the bank" (and uses existing bank rails), i.e. issue bank-owned PCI Certified PIN Entry Devices so that customers have a dedicated machine for online banking (they wouldn't have to purchase another PC).

Banks are faced with the prospect that "customers own PCs that have been in the hands of Russian crime syndicates," says Jeff Theiler, senior vice president at Hancock Bank, which primarily operates along the Gulf Coast region. Like many other banks, Hancock finds itself getting more involved in helping customers defend their machines.

Here's my response to Ellen's story...

Good morning Ellen:

After reading your article today on Network World I thought you might be interested in learning that there is indeed a simple solution to the online banking problem to which you refer: The dilemma for banks boils down to this: How far can they go to help protect customer desktops that function like part of their shared network but aren't owned by the bank?

Question: If you are 2,000 miles from your bank at 2:00 AM and need $200.00, what process is trusted to authenticate you and disburse the $200?

Answer: You insert/swipe your "bank issued card," then enter your "bank issued PIN" into a "bank owned ATM," and voilà. In seconds, you get your $200. That same trusted process is what should be used to authenticate online banking sessions. In Europe, almost 30% of consumers use a card reader for online banking (see graphic below). In America that number is ZERO.

HomeATM manufactures the world's "only" PCI 2.1 Certified PIN Entry Device designed specifically for online banking authentication and eCommerce. It also provides for "real-time" P2P payments.

Cost? Less than what banks are already dishing out for "useless giveaways." (When I say "useless" I am simply implying that the promotions they run don't "solve the problem.")

Our device plugs into the USB port or a smartphone and encrypts the cardholder data (including the Track 2 data) at the magnetic head using 3DES encryption. It then DUKPT-encrypts the PIN, for the only genuine end-to-end encryption.
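To make the DUKPT step above concrete, here is an added, stand-alone Go example (not HomeATM's code, which is not shown on this page) of what "DUKPT-encrypts the PIN" means on the wire: the device derives a fresh per-transaction key from an injected Initial PIN Encryption Key (IPEK) and a Key Serial Number (KSN), encrypts an ISO 9564 format 0 PIN block under it, and the bank host re-derives the same key from its Base Derivation Key (BDK) and the KSN that travels with the message. The BDK, KSN, PIN and PAN are the published ANSI X9.24 test values, not values from this page; the use of format 0 PIN blocks and a double-length 3DES BDK is an assumption, since the page does not state them. The point for a defender is the one-way key ladder: extracting the current key from a tampered device yields neither the BDK nor earlier transactions' keys.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Constants from ANSI X9.24-1 (DUKPT).
var (
	keyMask = mustHex("C0C0C0C000000000C0C0C0C000000000") // key-register mask used during derivation
	pinMask = mustHex("00FF00000000000000FF000000000000") // variant that turns a derived key into a PIN key
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// desBlock runs single DES on one 8-byte block.
func desBlock(key8, in []byte) []byte {
	c, err := des.NewCipher(key8)
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	c.Encrypt(out, in)
	return out
}

// tdesBlock runs double-length 3DES (K1,K2,K1) on one block; decrypt=true reverses it.
func tdesBlock(key16, in []byte, decrypt bool) []byte {
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
	if err != nil {
		panic(err)
	}
	out := make([]byte, 8)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// deriveIPEK computes the Initial PIN Encryption Key injected into a device
// from the BDK and the device's 10-byte KSN with its counter bits cleared.
func deriveIPEK(bdk, ksn []byte) []byte {
	base := append([]byte{}, ksn[:8]...)
	base[7] &= 0xE0 // the 21-bit transaction counter occupies the low 21 bits of the KSN
	left := tdesBlock(bdk, base, false)
	right := tdesBlock(xorBytes(bdk, keyMask), base, false)
	return append(left, right...)
}

// nrkgp is the non-reversible key generation process: a child key cannot be
// turned back into its parent, which limits what a compromised device reveals.
func nrkgp(key, reg []byte) []byte {
	cr1 := xorBytes(desBlock(key[:8], xorBytes(key[8:], reg)), key[8:])
	masked := xorBytes(key, keyMask)
	cr2 := xorBytes(desBlock(masked[:8], xorBytes(masked[8:], reg)), masked[8:])
	return append(cr1, cr2...)
}

// derivePINKey walks the set bits of the KSN counter from the IPEK down to the
// transaction key, then applies the PIN variant.
func derivePINKey(ipek, ksn []byte) []byte {
	reg := append([]byte{}, ksn[2:]...) // rightmost 8 bytes of the KSN
	counter := uint32(reg[5]&0x1F)<<16 | uint32(reg[6])<<8 | uint32(reg[7])
	reg[5] &= 0xE0
	reg[6], reg[7] = 0, 0
	key := append([]byte{}, ipek...)
	for bit := uint32(1) << 20; bit > 0; bit >>= 1 {
		if counter&bit == 0 {
			continue
		}
		reg[5] |= byte(bit >> 16)
		reg[6] |= byte(bit >> 8)
		reg[7] |= byte(bit)
		key = nrkgp(key, reg)
	}
	return xorBytes(key, pinMask)
}

// pinBlockFormat0 builds an ISO 9564-1 format 0 PIN block (PIN field XOR PAN field).
func pinBlockFormat0(pin, pan string) []byte {
	pinField := fmt.Sprintf("0%d%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	digits := pan[:len(pan)-1]       // drop the Luhn check digit
	digits = digits[len(digits)-12:] // rightmost 12 remaining digits
	return xorBytes(mustHex(pinField), mustHex("0000"+digits))
}

// encryptPIN is the device side. decryptPINBlock is the host side, which
// re-derives the same key from the BDK and the KSN sent with the message.
func encryptPIN(ipek, ksn []byte, pin, pan string) []byte {
	return tdesBlock(derivePINKey(ipek, ksn), pinBlockFormat0(pin, pan), false)
}

func decryptPINBlock(bdk, ksn, encrypted []byte) []byte {
	return tdesBlock(derivePINKey(deriveIPEK(bdk, ksn), ksn), encrypted, true)
}

func main() {
	bdk := mustHex("0123456789ABCDEFFEDCBA9876543210") // X9.24 published test BDK (not from this page)
	ksn := mustHex("FFFF9876543210E00001")             // X9.24 published test KSN, counter = 1
	ipek := deriveIPEK(bdk, ksn)
	enc := encryptPIN(ipek, ksn, "1234", "4012345678909") // X9.24 test PIN and PAN
	fmt.Printf("IPEK       %X\nencrypted  %X\nhost sees  %X\n", ipek, enc, decryptPINBlock(bdk, ksn, enc))
}
```

Each transaction increments the counter in the KSN, so the same PIN and PAN produce a different ciphertext every time; the host never stores per-device keys, only the BDK in an HSM. The Track 2 encryption the paragraph also mentions uses the data-key variant of the same derived key rather than the PIN variant, which this example omits.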

The most important thing our device does is that it "eliminates" typing "login" data into a box in a browser. That's the inherent problem. That's why (as you mention in your article) the Russians get/got control of the PCs (malware/phishing).

Our PED eliminates the usage of the inadequate and way obsolete "username/password" login...thus it eliminates phishing. What do phishers phish phor? "Online Banking Credentials" AND "credit/debit card numbers." How do they get them? They fool people into thinking they are "typing" their card numbers/online banking authentication into a legitimate site when in fact it is not. That problem would be "eradicated" with our device.

Thus, if all a bank's customers securely log in by doing what they do at an ATM (swipe their bank issued card, enter their bank issued PIN, and do it on a bank issued PCI certified PIN Entry Device), the problem created by "typing" would be eliminated by "swiping."

I'd be happy to provide further insight as to why this is a "no-brainer" for banks to deploy.

Kaspersky Labs (which provides software security) knows that hardware is required as their recent proclamation calling for "mass adoption of card readers" professes.  Software helps but at the end of the day it is simply a band-aid.

The internet was NOT designed to conduct financial transactions. It's called a "browser" for a reason, and between malware, keylogging and phishing, the only solution to the problem is to replicate what we do at ATMs and/or brick and mortar retailers. Swipe vs. Type. As I like to say on the company blog: "If someone is going to 'Swipe' your card information online, shouldn't it be you?"

Question: Why would banks want to fork out $18 to give their customer a PCI Certified PED?
Answer: Well besides the obvious (they would save the millions of dollars lost to phishing) banks have a big problem.

Most everyone is aware that fraud is running at epidemic levels and that what banks report is only a fraction of the real losses.

Other benefits: In addition to providing "True Two-Factor Authentication" (username and password is NOT 2FA), our device also completely eliminates the threats and fraud losses/costs created by typing...AND there is a return on investment in the form of Interchange revenue every time the device is used for online shopping or P2P payments.

If interested, feel free to holler back.  I'd love to hear your thoughts.

Thanks Ellen.

Cross-posted from PinDebit Blogspot

Anup Shetty Good stuff...So true is the fact that no matter how "supposedly" advanced an authentication mechanism is, if online banking continues to be conducted "inside the browser" it will be eventually defeated by attacks. Online banking authentication, and for that matter, ALL financial transactions, MUST be conducted OUTSIDE the browser.

Although PIN-entry devices (PEDs) have been vulnerable to tampering and skimming attacks, it would be interesting to watch the impact these attacks have on personal PEDs as compared to the publicly accessible ATM machines...I would need to carry my PED all the time.. just be sure I don't end up borrowing and using a tampered one ;)