European Banks:  29
American Banks: Zero
During the course of the past year, I have made a huge effort to point out that online banking (the way it is conducted now) is doomed to failure (see related posts below). I started with a series I called "Online Banking is Weak Week."

Bottom line? Online banking MUST be done "outside" the browser space. We've seen the ZeuS, Clampi, URLZone and BlackEnergy2 banking trojans; we've seen lawsuits filed by customers against banks accusing them of lax authentication procedures; we've seen keylogging, man-in-the-middle and man-in-the-browser attacks; we've seen billions of phishing attempts; we've seen the head of the FBI swear off online banking; we've been told we need a "dedicated" machine for online banking; we've seen Avivah state that nothing in the browser can be trusted. I can go on and on... and I will, because...

OTPs (one-time passwords) will be circumvented by MITB attacks (and real-time keylogging).
American banks go on and on with their belief that they can protect the security of their customers by asking them to type data into boxes in a browser. (European banks are trending towards issuing card readers, and almost 30 percent (see chart above) of European online banking customers use a card reader.)

Either I don't get it or the banks don't. I'm confident enough to say that if you were to go back through the PIN Debit blog over the past 18 months or so and look at everything I've posted regarding online banking, you will see that I'm not the one who doesn't get it. (Type "online banking security" into the custom search box for proof.)

I'm not Nostradamus, but I can tell you this.  Banks would "prophet" from the eradication of all the problems associated with Typing vs. Swiping.

When Kaspersky Labs calls for the mass adoption of peripheral card readers and suggests that banks could be big drivers of this type of hardware, then banks might want to pay more attention. On the horizon is a new dilemma for online banking security.

Avivah Litan, distinguished analyst from Gartner Research, points out that banks rely on "flash cookies" to identify legitimate users, and that's about to change. Again... why not use a common-sense approach to authenticate legitimate users? Take your "bank issued" card out of your purse/wallet, swipe it through a PCI-certified PIN Entry Device designed for online commerce, and securely enter your PIN. What you have (the card) and what you know (the PIN) is entered into what the bank owns (the peripheral PED card reader).


Adobe Flash Player Private Browsing May Force Change in Fraud Fight 


A report from Gartner highlights how the reliance on Flash cookies as an authentication mechanism by online banks may need to change with the release of Adobe Flash Player 10.1. Flash Player's "Private Browsing" feature will make it easier to clear Flash cookies, and e-commerce businesses will need to adjust, some say.


Banks should be big drivers of this kind of hardware. First they need to admit that they're in a losing battle with hackers and must stop with the band-aid responses to the real threats they face.
When the final version of Adobe Flash Player 10.1 hits desktops later this year, it will bring with it new functionality designed to allow users to automatically clear Flash cookies after a Web session. But while the feature may be lauded in the name of privacy, it may also force online banks to change how they fight fraud.

Flash cookies, also known as LSOs (local shared objects), are used by many banks and e-commerce sites to identify legitimate users and block unauthorized or fraudulent access. In a report entitled "Privacy Collides With Fraud Detection and Crumbles Flash Cookies," Gartner analyst Avivah Litan writes that the practice of using HTTP browser cookies for authentication gained steam roughly three years ago due to guidelines imposed by the Federal Financial Institutions Examination Council.

“Most banks responded by implementing stronger authentication that depended in large part on knowing that their online banking customer was logging in from a known PC,” Litan wrote.

“Upon entering a user ID to log into an online banking session, the bank Web server would check for the presence of this cookie…If the bank software could not find the cookie – for example because the user was logging in from a different PC – then the bank software would generally challenge the user with a series of questions that only the legitimate user could presumably answer.”

But a growing desire for privacy led users to delete their browser cookies more often, meaning banks had to find something else to rely on, the report noted. Enter Flash LSOs, which are “basically hidden from casual users who aren’t aware of them and don’t know how to delete them.”

Now that approach could be threatened as well, Litan told eWEEK.
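To make the "known PC" flow in the report concrete, here is an added example (not code from the original post, Gartner's report or any bank): a server-side device-recognition token with the step-up challenge as the fallback. The HMAC key, token format and 90-day lifetime are assumptions; the point it makes is that an absent or altered cookie only downgrades the session to challenge questions, and a valid cookie only proves the browser holds the token, not who is driving that browser.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SERVER_KEY = b"constructed-demo-key-do-not-reuse"  # assumption: server-side secret
MAX_AGE_SECONDS = 90 * 24 * 3600                     # assumption: 90-day token lifetime


def issue_device_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint a device-recognition token after a successful full login.

    A random device id is bound to the user id and issue time under an HMAC,
    so the server can detect tampering without storing per-device state.
    """
    issued = int(now if now is not None else time.time())
    device_id = secrets.token_hex(8)
    payload = f"{user_id}|{device_id}|{issued}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def token_recognizes(token: Optional[str], user_id: str, now: Optional[float] = None) -> bool:
    """True only if the token is well-formed, unmodified, for this user and unexpired."""
    if not token:
        return False  # cookie absent: cleared, private browsing, or a different PC
    try:
        uid, device_id, issued_str, mac = token.split("|")
        issued = int(issued_str)
    except ValueError:
        return False  # malformed cookie
    payload = f"{uid}|{device_id}|{issued}"
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False  # altered or forged cookie
    if uid != user_id:
        return False  # cookie was issued to a different user
    current = now if now is not None else time.time()
    return current - issued <= MAX_AGE_SECONDS


def login_decision(token: Optional[str], user_id: str, now: Optional[float] = None) -> str:
    """Mirror the flow in the report: a recognized PC proceeds, anything else is challenged.

    This check says nothing about the person at the keyboard; malware running
    in the recognized browser passes it just as the legitimate customer does.
    """
    return "proceed" if token_recognizes(token, user_id, now) else "challenge"
```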


Read more: http://pindebit.blogspot.com/2010/06/yet-another-reason-banks-should-call.html#ixzz0rEqSGASJ

Posted by John B. Frank Friday, June 18, 2010



Kaspersky Calls for Mass Adoption of Card Readers