Security measures such as the use of one-time passwords and phone-based user authentication -- considered among the most robust forms of IT defences - are no longer enough to protect online banking systems against fraud, a Gartner report warns.
Cybercriminals are using increasingly sophisticated tactics to outmanoeuvre security systems so they can steal customers' log-in credentials and pillage their bank accounts , according to Gartner analyst Avivah Litan , who wrote the report.
Trojan horse programs lurking inside a customer's web browser can steal one-time passwords and immediately transfer funds, or intercept a transaction between a bank and a customer and make changes unbeknownst to the user or the bank, Litan said.
In cases where a bank uses a phone-based, "out of band" authentication system, criminals use call forwarding so that the fraudster, not the legitimate customer, gets the call from the financial institution, Litan said.
Banks need to quickly implement additional layers of security, she advised.
Because any authentication method that relies on a browser can be attacked and defeated, banks should start using server-based fraud detection to monitor transactions for suspicious patterns, Litan said. The goal is to monitor log-in, navigation and transaction activity to spot any abnormalities that suggest an automated program is accessing an application, she said.
For example, a European bank using that kind of monitoring technology discovered that a Trojan completes transactions much faster than a human would; a Trojan can take as little as one second to enter a money transfer amount and press OK, whereas a human would take 20 to 30 seconds.
Litan recommended that fraud monitoring tools be used to check for significant differences between online banking transaction patterns and a customer's usual behaviour.
The FBI's Internet Crime Complaint Center reports that each week, the FBI sees several new cases opened involving complaints of cyberfraud.
In most instances, the crooks used sophisticated keystroke logging Trojan horse programs to steal login credentials from company employees authorised to initiate funds transfers on behalf of the business, the FBI noted.