Just over a year ago, Alex Shipp witnessed something in the IT security world that could have big implications for the future of online banking and retail.
The MessageLabs futurologist found a malicious program that would wait for people to log into their online payment accounts and then start transferring money automatically to hackers. The tactic is very different from other Trojan horses, which steal passwords and user names, reporting them back to hackers for use at a later date.
“It’s a fairly old piece of malware, which waited until you logged on to transfer money from your account to the other guy’s account,” says Mr Shipp. “The only reason we haven’t seen more of that so far is because stealing user names and passwords is working jolly well.”
A variation of the more common type of theft occurred recently when hackers seized money from Citibank’s ATM network by breaking into a retailer’s server, stealing customer card data and duplicating the cards. Although the bank claims only several hundred US customers were affected, it is sure to have made the company question the security of its card system.
To guard against this type of crime, several countries – but not the US – have implemented chip and Pin technology. It seems to be working, although the figures suggest that fraud is migrating to other areas.
“Card-not-present” fraud over the telephone and internet (where the Pin is not required) is rising fast, as are online “phishing” scams, which dupe people into giving away bank details.
As further protection for customers from these more “traditional” attacks, banks are looking at “two-factor authentication” – a form of additional security, such as a key-ring token that generates a password every few seconds. This means when logging into an account, users type a username, password and the additional password generated by the token, which is synchronised with the bank’s server, to gain access.
Clive Longbottom, head of research for analyst Quocirca, says: “Bringing in two-factor will make it harder to commit fraud.”
But as two-factor authentication deters password-stealing Trojan horses and straightforward data theft, it is feared hackers will switch to methods such as the Trojan which actuates a cash transfer, as witnessed by Mr Shipp.
Other security experts, however, are unconvinced this sophisticated type of attack would bring the same rewards as current data theft methods. Graham Cluley, senior technology consultant at antivirus firm Sophos, says only one cash-grabbing Trojan has been identified so far: “Writing malware like that takes an awful lot more effort for not very much discernible additional gain.
“Even if two-factor authentication becomes more widespread with online banking, spyware Trojans can still steal confidential information by screen-grabbing,” Mr Cluley adds.
“The drawbacks of getting the Trojan to do the cash transfer is that they would have to be written to be bank-specific, integrate closely with the web browser, and [include] details of the bank account to which the money is to be transferred.
“This sounds like it would provide less flexibility for the criminal hacker than the methods they are presently using.”
Existing methods certainly seem to remain popular with criminals: the number of identity-stealing Trojans has grown from 74 per cent to 80 per cent of all malicious programs over the last year, according to research from security firm Symantec.