ABA Banking Journal - February 2008 - (Page 55)

Webnotes

refining, and massively propagating variations of existing techniques rather than innovating new strategies.

Here are the main differences between phishing and emerging malware:

• Phishing expeditions cast wide global nets. It’s as easy to host multitudes of phishing sites as it is to host one. The new banking trojans attack one or a few banks that they know are rich targets.
• Phishing gets the victim to cooperate in attacking her bank’s server. Banking trojans rely on stealth to steal crucial software code at the browser.
• Anti-phishing strategies first detect new viruses in action worldwide and then devise countermeasures. Strategies against banking trojans constantly probe every site for suspicious behavior and try to disable it before it strikes.

F-Secure, the anti-malware vendor, has dubbed the new behavior-based strategy “Man in the browser.” This is a common scenario: The “man” (i.e., trojan) uses some ploy to create a facsimile of crucial elements of a legitimate online banking system. One way to start this chain of events is to intervene in the sign-on procedure by first rejecting the username and password and then copying the user’s second response onto the imposter system. Then the trojan lies in wait in some cozy corner of the browser, doing nothing but watching for useful coding strings, such as “Welcome to Citibank,” that identify a rich target. Once inside the banking software, it can execute a fake transaction, such as “Transfer $987.00 to the Guesswho account.”

F-Secure’s behavioral counterstrategy is to monitor every action on a user’s browser, looking for suspicious strings of code. The string could be an exact copy of the legitimate code, but its mere appearance and reappearance in unlikely places could be judged suspicious and countered before any malicious event occurs. Encrypted banking sessions occur within the browser, so that’s where antimalware should be, F-Secure advises.
Speed is essential

To protect against attacks by either traditional phishing or stealth trojan strategies, fast reaction time and frequent antimalware updates are essential. In an F-Secure analysis of a typical attack, 200 messages or machines can be infected within ten hours of discovery. That number jumps to 1,000 during the eleventh and twelfth hours.

F-Secure has good credentials for speedy reaction and publishing, according to tests by the independent antivirus testing lab, AV-Test.org. In those tests, F-Secure’s average response time for the twelve major outbreaks in the first half of 2005 was 2 hours, 38 minutes, compared with 9:29 and 10:48 for its main competitors.

F-Secure, a Finnish company, has “hundreds” of banking clients worldwide, among them an undisclosed number of top 20 banks in the U.S. Besides malware as a hosted service through ISPs, F-Secure also offers its platform to enterprises and gateways, along with security services for mobile devices.

A personal case of mal-serendipity

The finished draft of this article lay on my desk, ready to send to my editor. Before doing that, I tried contacting my online banking account on an unrelated matter. I entered my ID and password and got a message that one of those entries was invalid. So I reentered the data. Same message. Suddenly it dawned on me that I might be the victim of the very same “banking trojan” attack I’d just written about.

I called the bank. Their online banking provider went over her list of possible cures, among them too many saved “cookies,” too high a setting on my privacy preference, and too many temp files. I fixed all those and tried again. Same result. The bank’s online provider terminated the discussion with: “There’s nothing wrong on our side.”

Then I did what any intelligent person does. I called on my son for help. After a few minutes of online sleuthing, he told me I hadn’t updated my anti-virus system for seven months. Impossible, I said. I update it every Friday. More sleuthing revealed that I was the victim of a trojan attack that had been detected a month earlier. It even had a name, New Malware.hi. An overview message explained that, “unlike viruses, trojans do not self replicate. They are spread manually, often under the premise that they are beneficial or wanted. The most common installation methods involve system or security exploitation.”

I got online, examined my account history—nothing amiss there, thankfully.

Post mortem: Although I had dutifully updated my anti-virus fixes every week, I had neglected to scan those updates into my hard drive. Once done, that cleared up the problem. So it had all been my fault, as the online banking service provider had so curtly implied. I’m still left with the nagging thought that although my bank wasn’t technically responsible, it ought to be concerned with my exposure to serious losses, even if that exposure was due to my error.

—Bill Orr