Thursday, March 23, 2006

Bank trojans - it's just beginning

There has been a lot of news in the last few days about trojans targeting bank customers. Although they are making noise because of their ability to capture authentication data, I still think this is nothing very different from what has been predicted for a long time.

My main concern is with code that still has not appeared. Last year I made a presentation with a PoC of code that installs itself as a BHO (Browser Helper Object). It is not a trojan that steals information; it changes information. A user can access his Internet Banking website with two-factor authentication (like a SecurID) and authenticate again when doing a transaction, but the trojan will not save any information. It just changes the target account. It does not need to be able to send information back to its creator; it fulfills the fraud alone, while being authenticated by the user.

Internet Banking won’t be safe until the endpoint security problem is solved. You can build fraud detection and prevention processes to live with the risk, but if you want to solve the problem you will need to provide endpoint security.