Posted by Kevin on February 16, 2015.
We’re talking financial fraud – malware-instigated theft from your bank account…
This will be sacrilege to many, but I’m no fan of two-factor authentication (2FA). In fact, I think it can be positively dangerous. There are two primary reasons:
So the danger is that 2FA doesn’t protect you, but lulls you into taking less care than you would without it. My own view is that a seriously strong password policy is probably better than any 2FA.
The problem remains, however, that a keylogger can steal your password and bank details and send them to the bad guys. But this is tricky, because the banks’ own anti-fraud system will see that you have suddenly demanded a withdrawal via a strange computer in South America and will flag it.
That leaves the man-in-the-browser (web-inject) malware as the most dangerous threat to your banking security. This malware effectively sits inside your browser and interferes with what you send to the bank and what the bank sends to you. It allows you to log into your bank account, but changes your instructions to those of its own. So you might instigate and see a transfer from your active account to your savings account; but your bank sees an instruction to send money to a new bad guy’s account that will probably only be there very briefly.
Man-in-the-browser attacks are one of the biggest causes of banking fraud. And the best-known defence against that is probably Trusteer's Rapport (Trusteer is now a part of IBM). But Trusteer had best look to its laurels, because it has a new rival: Minded Security's AMT. The biggest difference between the two is, to my mind, friction. Rapport has it while AMT does not.
Friction is the force that powers inertia. Inertia is the force that stops us doing anything. One of the things we don’t do is install security software on our own devices – even when it’s free. Many of us simply do not wish – or cannot be bothered – to install Rapport. That’s friction. Rapport could be forced upon us, of course, if the banks made it a condition of us doing business with them – but the banks don’t like telling their customers what to do in case it drives them somewhere else. More friction.
And then there’s the biggest friction of all: paragraph #2 of the Rapport EULA. It reads:
2. In addition, You authorize personnel of IBM, as Your Sponsoring Enterprise’s data processor, to use the Program remotely to collect any files or other information from your computer that IBM security experts suspect may be related to malware or other malicious activity, or that may be associated with general Program malfunction. IBM does not use the Program to target collection of Your personal information. Nevertheless, the information collected could contain personally identifiable information that has been obtained by the malware without Your permission or is relevant to identifying malicious activity or addressing general Program malfunction. IBM will delete any collected information, including personal information of which we become aware, that is not relevant for the purposes described above and will retain other information only for the duration of the relevant analysis. To avoid accidentally retaining data longer than necessary, IBM reviews all retained files for relevance once every three months.
[emphasis is mine]
Now I may be paranoid, but I simply do not want some third party big conglomerate collecting information from my computer. You can be certain that if IBM has it, then the NSA can have it; and if the NSA can have it, then GCHQ can get it.
Nor do I accept the pathetic arguments of government that if I don’t do anything wrong, then I have nothing to fear about government surveillance. Who defines ‘wrong’ in these circumstances? I quite openly believe that David Cameron is the most dangerous politician in my living memory (goes back to Harold Wilson) because of the way he is selling our liberty to big business and cementing a police state to enforce it. With every new business protection that fucks the people (fracking, Big Pharma, businesses avoiding and evading taxes, benefit reductions to pay for lower taxes for the higher paid) I am getting more and more angry. Does that make me subversive? Am I a potential terrorist because that anger might tip over into some form of political activity? Do I deserve closer scrutiny as a potential terrorist?
So, to put it bluntly, Rapport comes with so much friction that I simply will not install it on my computer.
Minded Security’s AMT has no friction. The customer is the bank – and nothing is installed on the user’s computer. AMT takes a completely different approach. When the user logs into his or her bank account, AMT script is sent to the user’s browser. Having also just delivered the web page, the script knows what the browser should look like. The script examines the browser and compares what it finds to what it should find. It can see if there is something happening that should not be happening – if malware has injected something new. If it sees anything untoward, it communicates details to the AMT cloud infrastructure – which the bank can watch continuously. The bank sees the risk, and acts in accordance with its own policies.
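To make the web-inject problem and the page-side check concrete, here is an added example (my own illustration, not AMT's code). It assumes the bank's server embeds a constructed manifest, EXPECTED, describing its own login page; the script fingerprints what the browser actually rendered and reports anything extra or altered rather than trusting it.

```javascript
// Added example, not Minded Security's or any bank's code. EXPECTED is an
// assumed, constructed manifest the server would ship alongside its page.
const EXPECTED = {
  formAction: "https://bank.example/login",
  fields: ["username", "password"],
  scripts: ["https://bank.example/static/app.js"],
};

// Take a fingerprint of the live page. Only the properties a web-inject
// typically alters are collected: form target, input names, script sources.
function collectFingerprint(doc) {
  const form = doc.querySelector("form#login");
  return {
    formAction: form ? form.getAttribute("action") : null,
    fields: form ? Array.from(form.querySelectorAll("input")).map(i => i.name) : [],
    scripts: Array.from(doc.querySelectorAll("script[src]")).map(s => s.getAttribute("src")),
  };
}

// Compare manifest and fingerprint; returns a list of findings (empty = clean).
function diffFingerprint(expected, observed) {
  const findings = [];
  if (observed.formAction !== expected.formAction) {
    findings.push({ kind: "form-action", value: observed.formAction });
  }
  for (const f of observed.fields) {
    if (!expected.fields.includes(f)) findings.push({ kind: "injected-field", value: f });
  }
  for (const f of expected.fields) {
    if (!observed.fields.includes(f)) findings.push({ kind: "missing-field", value: f });
  }
  for (const s of observed.scripts) {
    if (!expected.scripts.includes(s)) findings.push({ kind: "foreign-script", value: s });
  }
  return findings;
}

// In a real deployment the findings would be sent to the bank's monitoring
// backend, as the post describes; here they are only returned. The live
// check runs only where a DOM exists, so the file also loads under Node.
if (typeof document !== "undefined") {
  console.log(diffFingerprint(EXPECTED, collectFingerprint(document)));
}
```

Note that malware already running inside the browser can in principle tamper with the checking script too, which is why the reporting goes to infrastructure the bank watches rather than to the user's own screen.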
The effect of this approach is threefold:
A side effect of checking the browser is that AMT can also detect other malware. “Every time a user logs on to the protected online service,” such as a bank, Marco Morana, Managing Director of Minded Security UK, told me, “AMT understands if the PC is infected. The technology looks inside the browser to find adware, spyware and web inject malware.” In fact, the statistical returns to the AMT cloud infrastructure show that 5% of all of its bank customers’ users are infected with one or other of these threats.
(Just as an aside, if you get an email purporting to come from Minded Security and claiming that you have an infection, do not respond to it. Minded Security will not notify you. Its client is the bank, not you. So if you do get such an email, you can be sure that someone is phishing you.)
Don’t get me wrong – Rapport is pretty good; but comes with baggage. AMT is also pretty good – but comes with less baggage. The bottom line is that the incumbent Rapport now has a serious competitor in Minded Security’s AMT in fighting web-inject financial fraud.