Phishing moves on to present a bigger threat

02 May, 2008
A Cronto white paper explains how phishing has developed into more sophisticated attacks that require increasingly sophisticated defences.
Cronto's "Beyond phishing" white paper sets out to inform online banking users of the perils that lie in wait for them. Given the recent changes to the UK Banking Code, it is a timely reminder of the vulnerabilities of online transactions, vulnerabilities for which the banks are now keen to shift liability onto corporate customers who do not have adequate protection in place.

What the bank regards as adequate protection is not spelled out, but it is taken to mean regularly updated anti-virus software and, where the bank has issued one, a card reader. According to Cronto, however, even these may not be sufficient to ward off the changing threats that banking customers now face.

Phishing has moved on and now incorporates "man in the middle" and "man in the browser" attacks. In a man in the middle attack, a fake website is set up to mirror the bank's and sits between the bank and the customer, relaying the session in both directions and changing the transaction details en route. Although some serious frauds have taken place using this technique, the banks are becoming savvy to it and are implementing origin verification technology to check that a transaction really comes from the customer rather than from a third party.

Man in the browser attacks are performed by malicious software installed on the customer's own computer. As the customer enters the transaction details, the malware silently changes them before they are sent to the bank. It then rewrites everything the browser displays, including the confirmation details returned by the bank, so the customer sees the account numbers and amounts they intended rather than the ones the bank actually received.

This latest development is the worst kind for the banks, since the transaction genuinely originates from the customer's computer and the attack is immune to two factor authentication, including card readers, whenever the code the customer enters depends only on the login or a challenge and not on the transaction details the bank receives: a correct code simply authorises whatever the malware submitted. For this kind of attack it would be hard for a bank to claim that the customer had inadequate protection, because it could easily be argued that no adequate protection exists.

For more information on these kinds of attack, take a look at Cronto's white paper "Beyond phishing – de-mystifying the growing threat of internet banking fraud", which gives detailed explanations accompanied by clear illustrations and offers an alternative solution.