A security expert says financial institutions must adopt a strong multi-factor security solution, which can protect them from all kinds of online attacks and do not need to be re-written when a new threat is identified."There is a growing number of attacks that are still able to successfully target banks' authentication when security hasn't been ramped up to a high enough level," says Tim Renshaw, VP at security vendor TriCipher.
His comments follow reports of a new attack against 400 banks by a Trojan program which circumvents two-factor authentication.
The Trojan can intercept transactions and silently change the user-entered destination bank account details to the attacker's details instead. Banks under attack include large U.S. institutions, as well as banks in the UK, Ireland, France, Finland and Spain, among others.
Renshaw warns that additional banks could be attacked by the same Trojan in the coming days. "The Trojan has an update functionality. So it could be a different 400 banks next week," he says.
The Trojan can also escalate its level of complexity to match the level of security of a targeted bank. If a transaction can occur at a bank using just a username and password, or if cookies are required to log-on, then the Trojan will steal this information, Renshaw explains.
In order to prevent attacks like these, banks must build security solutions that can address a broad gamut of attacks, so you're not constantly having to update, he says. Threats include phishing or pharming attacks, which direct a customer to a bogus server that completes the connection to the bank's server - and more recent man-in-the-middle attacks, which can modify customer-generated transactions or generate new transactions.
"There's always the man-in-the-middle attack of the day," Renshaw contends.
"But at the end of the day all these attacks are of the same type. They're no different from someone calling my granny and conning her out of her personal information over the phone."
Tricipher itself provides Armored Transactions, a solution that works by displayingn details of each transaction, which users then verify. Users need only enter passwords and click a mouse, but TriCipher says its PKI-based technology digitally signs the transaction through a separate secure connection, legally proving that the user authorized the transaction.A security expert says financial institutions must improve security and adopt a strong multi-factor security solution, which can protect them from all kinds of online attacks and do not need to be re-written when a new threat is identified... Melanie Rodier has worked as a print and broadcast journalist for over 10 years, covering business and finance, general news, and film trade news. Prior to joining Wall Street & Technology in April 2007, Melanie lived in Paris, where she worked for the International Herald ... View Full Bio