Online banking remains under threat from MitB and Trojan attacks

According to experts from banking and IT security, banks are not really interested in security unless they are forced to be. Some even try to threaten experts who show the loopholes in their systems.

Safety and security of online financial transactions has always been a cause of worry for customers. Be it ATM fraud, online banking or mobile banking, the onus to prove that he was robbed remains on the customer. Several times it is found that banks do not even pay heed to security requirements. It is often said that in a chain, it is the weakest link that is most vulnerable. In the banking sector, unfortunately, the bank itself comes out as the weakest link.

In addition, banks are often found not to pay any heed to warnings about Trojans and malware, and always tell us that their systems are 100% safe and sound, like Fort Knox. While there are several cases of bank Trojans stealing thousands of dollars from customer accounts, especially in the western world, Indian banks are not even ready to pay any heed to these threats.

In fact, many banks 'shut out' security expert Yash KS, who has demonstrated how the sites of several Indian banks are vulnerable. Mr Yash shot a video showing how a Trojan can breach bank sites and uploaded it on a public platform so that the lenders could increase their level of security. All these banks responded immediately by blocking and successfully removing the video from public domains like YouTube, but failed to enhance the security levels of their sites.

Mr Yash says, "Citibank has never responded when I contacted them to talk about malware. But when I posted my videos online, they mitigated the risk to some level within 10 days. It’s a good response. (However) Before fixing it, they blocked my video on YouTube saying it is harmful content."

Recently the British Broadcasting Corp (BBC) published an article on how hackers are outwitting online banking identity security systems. The article says, "Criminal hackers have found a way round the latest generation of online banking security devices given out by banks."

The article, however, says that a test witnessed by its team suggests even those with up-to-date anti-virus software could be at risk, and there is no specific risk to any one individual bank. "Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered," it said.

To reduce the risks involved in online banking transactions, financial institutions introduced two-factor authentication (2FA). But this is also not without problems. In 2005, renowned security technologist and author Bruce Schneier wrote an essay in which he predicted that attackers would get around multi-factor authentication systems with tools that attack the transactions in real time: man-in-the-middle attacks and Trojan attacks against the client endpoint.

This is exactly the issue Mr Yash has been trying to explain to all the banks in India. But there has been no response so far. According to Mr Yash, he met senior officials from ICICI Bank and demonstrated to them how malware can harm their account holders. However, the bank officials claimed that their systems are more secure compared with other banks and that no such thing can happen to their customers.

Mr Yash then demonstrated again that even the ICICI Bank site, claimed by its officials to be more secure, is vulnerable to malware attacks. After waiting for several months for a response from the Bank, he finally put the demo video in the public domain. The Bank then sent Mr Yash a defamation notice through its corporate communications department, saying that he was trying to sell his product to them and that he should immediately remove the video from his website or else they may take legal action.

According to Mr Yash, another lender, HSBC Bank, also tried to remove his videos from the public domain. He claims that the Bank asked the hosting service provider to disable his site and later forced them to remove the video that showed how HSBC’s online accounts can fall prey to malware attacks. Mr Yash also alleged that the lender sent some goons to his residence. He said, “…after failed attempts to bring down content with the help of service provider, HSBC sent goons to my residence. I was not present at that time; they have asked my family members rude questions.”

However, there is no verification for his claims about the goons and whether they were indeed sent by the lender.

Coming back to the security loopholes in online transactions, Financial Fraud Action UK reported that during the first six months of 2011, online banking fraud losses in that country totalled 16.9 million pounds. Banks in the UK usually refund victims of online fraud as a matter of course.

In case you are wondering what the situation is in India, the number of frauds in online transactions is much lower compared with other countries. This is because we Indians (and our bankers) prefer to do most of our transactions by visiting the bank branch in person.

According to the Reserve Bank of India, managing security is more challenging in online and phone banking as compared to other delivery channels, and online threats in the form of phishing attacks, spyware, viruses, Trojans and key loggers are frequent. “Fraudsters are not only tech savvy but have clear understanding of the systems and procedures obtaining in banks,” said G Padmanabhan, executive director of RBI, while speaking at a Secure Banking conference last year.

This leaves all net-savvy bank customers in India wondering if online banking is really safe and secure. The answer is yes and no. Yes, if you are taking all precautions, like regularly updating the anti-virus installed on your computer, using good anti-malware software and following safe browsing practices. No, if you do not follow the above-mentioned practices, or are using a public computer (like one in a cyber café), or your bank does not have enough checks in place to block malware or Trojan attacks.

From July 2011, the RBI has mandated a system of alerts for all card transactions, irrespective of the channel used. However, the central bank made it clear that it is for banks to make this effective by ensuring that the customers are persuaded to register their mobile phone numbers for receiving such alerts.

So far the second-factor authorisation (2FA), introduced by the RBI about three years ago, appears to be working fine. Some banks have also issued small devices that generate authentication codes that can be used only once for secure card transactions. The report from the BBC states, “While these chip and pin devices make the hackers' job more difficult, the hackers themselves have raised their game.”

MitB and Trojan attacks are just examples of what hackers and criminals can do to steal your money. So, how can one protect oneself from online banking frauds? According to Mr Schneier, multi-factor authentication like 2FA does not solve anything. “In case of MitB, the attacker can pass the ever-changing part of the password to the bank along with the never-changing part. And in case of Trojan, the attacker is relying on the user to log in,” he said.

“The solution is not to better authenticate the person, but to authenticate the transaction. Think credit cards. No one checks your signature. They really don't care if you're you. They maintain security by authenticating the transactions,” Mr Schneier says.
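
The difference between authenticating the person and authenticating the transaction can be seen in a short sketch, added here as an illustration and not taken from the article, from Mr Schneier or from any bank's system. It assumes a hypothetical signing device separate from the browser that shares a key with the bank and shows the payee and amount on its own display; all names, account numbers and the key are constructed.

```python
import hashlib
import hmac

# Constructed demo key shared by the bank and the customer's separate
# signing device (an assumption of this example, not a real bank scheme).
DEVICE_KEY = b"constructed-demo-key"

def _digits(key: bytes, fields: list, n: int) -> str:
    # Length-prefix each field so "AB"+"C" and "A"+"BC" cannot collide.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in (s.encode() for s in fields))
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**n).zfill(n)

def login_otp(counter: int) -> str:
    """Authenticates the person: proves only that the device is present."""
    return _digits(DEVICE_KEY, ["login", str(counter)], 6)

def transaction_code(payee: str, amount: int, nonce: str) -> str:
    """Authenticates the transaction: covers the payee and amount that the
    customer reads on the device's own display before approving."""
    return _digits(DEVICE_KEY, ["txn", payee, str(amount), nonce], 8)

def bank_checks_otp(received: dict, otp: str, counter: int) -> bool:
    # The transfer details in `received` play no part in this check.
    return hmac.compare_digest(otp, login_otp(counter))

def bank_checks_txn(received: dict, code: str, nonce: str) -> bool:
    # Recompute the code over what actually arrived at the bank.
    expected = transaction_code(received["payee"], received["amount"], nonce)
    return hmac.compare_digest(code, expected)

def demo() -> dict:
    intended = {"payee": "ACCT-1111", "amount": 50000}  # what the customer typed
    received = {"payee": "ACCT-9999", "amount": 50000}  # constructed: changed in the browser
    nonce = "bank-nonce-0001"                           # constructed per-transfer value
    otp = login_otp(7)
    code = transaction_code(intended["payee"], intended["amount"], nonce)
    return {
        "otp_accepts_altered": bank_checks_otp(received, otp, 7),
        "txn_accepts_altered": bank_checks_txn(received, code, nonce),
        "txn_accepts_intended": bank_checks_txn(intended, code, nonce),
    }

if __name__ == "__main__":
    print(demo())
```

The one-time password verifies even though the payee was changed, because it says nothing about the transfer; the transaction code fails for the altered transfer and passes only for the one the customer approved.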

Are the banks listening, especially when innovative methods of hacking and stealing are coming to the fore regularly?

Andrea Smith
1 decade ago
maybe they can start telesigning people in to further prevent fraud and hacks.