Community
‘State-sponsored banking virus found in Middle East’ ran the recent headline, referencing the latest cunning plan to fleece banking customers of their access credentials, but the article’s conclusions struck me as flawed for a number of reasons.
First and foremost there is nothing new about malware stealing banking access credentials - as my last blog pointed out, ENISA guidance now states that banks should assume that such malware is present.
But the real red herring here was that this was being ‘state-sponsored’ – if a state wants to take money from a bank, it has far more straightforward methods of achieving it – just ask Standard Chartered, HSBC or Barclays over the past few weeks! In reality, ‘state-sponsored’ viruses are more likely to be aimed at damaging centrifuges for uranium enrichment, or disrupting the effective automation of oil production facilities, for two obvious Middle East examples. These are ‘clear and present dangers’, to coin the US term, for these industries, who surely ought to be investing heavily in preventing such attacks from proliferating. But, this being a blog on Finextra rather than CNI weekly, my concern is that for banking to use comparisons with Stuxnet and Flame in the same breath as ‘state-sponsored’ strikes me as being an attempt to reclassify simple online bank fraud as more akin to Force Majeure.
This brings me back to where I had left off on the last blog, following which a number of people contacted me with queries along the lines of ‘how do I ensure my customers keep their anti-virus (AV) up to date?’, ‘I provide them with free AV, isn’t that enough?’, or more simply ‘Help – what should I do?’ – for today, I’ll look at the first two.
ENISA didn’t specifically go into the issue, but the underlying premise is that you should assume your customer’s machine is infected not because they’re careless or don’t have security on their computer, but because the current generation of AV solutions have fundamental weaknesses.
The most obvious flaw is in the very nature of the way they operate, looking for a ‘signature’ to detect what is or is not known to be malicious. This means that they essentially rely on someone becoming infected before they can identify what infected them, hence the basis of zero-day attacks, where a new strain of malware passes through undetected by its very nature. Then the virus can lie hidden until such a time as the attacker unleashes the payload, whether it’s a criminal after your bank credentials or a foreign power interfering with the smooth operation of that nuclear centrifuge you keep in your garage (what, just me?).
Enex test labs, the UK Government’s CESG approved security test lab carry out monthly analysis on the major AV solutions providers, and over the last year (to August 2012) they have caught an average of just under 93% of viruses, falling as low as 63% in one month’s test. And in a separate analysis in August 2010 Cyveillance found that even after a virus had been out in the wild for a full month, only 61% of solution providers could identify the threat. More contentiously a report by another research group, Carbon Black, reported in the Register (http://www.theregister.co.uk/2012/08/23/anti_virus_detection_study/) suggests that where an AV solution doesn’t identify a new strain within 6 days it never will – I won’t wade into that debate on these pages, as that is far too much detail, but the underlying point is clear.
So if we can’t rely on signatures, what should we be looking for? White listing (only allowing known good) is logistically too restrictive to deploy, and as customers will have online relations with multiple banks, retailers, public sector bodies, etcetera, there’re far too many applications to keep track of. A number of universities are researching novel approaches towards the next generation of AV solutions, and some techniques are now beginning to emerge commercially, but they have yet to reach the mainstream.
Little wonder then that ENISA conclude that banks and other organisations should assume their customers’ machines are infected, given the constant barrage of attacks. But let’s not blame the Government – ours or anyone else – if the AV providers use a flawed methodology and the banks (or other bodies) don’t adopt measures to counteract interception of access credentials, we should look to blame them, rather than spooking the market with the actions of some sinister foreign power.
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Ellison Anne Williams CEO at Enveil
30 October
Damien Dugauquier Co-Founder & CEO at iPiD
Kyrylo Reitor Chief Marketing Officer at International Fintech Business
Prashant Bhardwaj Innovation Manager at Crif
Welcome to Finextra. We use cookies to help us to deliver our services. You may change your preferences at our Cookie Centre.
Please read our Privacy Policy.