Malware is hardly a new threat in the security landscape. Banking Trojans that specialize in stealing user credentials, hijacking authenticated sessions and manipulating transactions in order to steal funds have been around since the inception of online banking. The threat that malware poses to banks, however, is more serious than ever. According to a 2015 study conducted by the Federal Reserve, 52% of adults with smartphones use mobile banking to conduct at least some of their banking transactions. 81% of people bank online. Those are big numbers that represent lots of points of vulnerability for banks. If even a handful of those customers were to get infected with malware, the consequences to the banks they do business with could be catastrophic, including liability for the losses in retail accounts as well as potentially irreparable damage to their reputations. Take, for example, GozNym, the evil offspring of two particularly virulent strains of malware.
The program stole roughly $4 million dollars from 24 banks in the U.S. and Canada in just a few days. No bandit masks were needed and no note was ever handed to a teller demanding money. Just sneaky, hidden computer code that nested itself into account holders computers when they clicked on infected attachments or links, lying in wait for users to access their bank accounts. Add the severity of GozNym to the fact that in 2015 there were 1.9 million registered notifications about attempted malware infections designed to steal money via online access to bank accounts, and it’s easy to see that malware is a threat vector that needs to be taken seriously. Unfortunately, banks have been limited in their ability to protect themselves against the threat posed by malware, largely because they have little control over what their users do or download. Attempts have been made to push anti-virus software to customers in the hopes that it would limit the risk of infection, but the results have been less than helpful. Customers resist downloading the software for fear of the impact it will have on their system performance, as well as concerns that the software itself might pose an infection risk.
Consequently, less than 50% of users ever even download it. For those that do, the safety effects are short-lived as the software requires frequent updates to keep up with constantly emerging threats. In their search for solutions that are non-invasive to customers yet still provide the robust security they require, banks have investigated a variety of different measures, including behavioral and technical analysis of the communication between the user and the bank. These methods have demonstrated varying degrees of success. Behavioral analysis, which identifies when customer behavior deviates from typical actions, has proven to be relatively successful. Many banks rely on it as the sole method of protection from infections carried by their customers. The premise for this type of protection is simple: if a hacker initiates an online banking session instead of the authorized account holder, they will behave differently than the account holder would. Even a slight deviation in typical behavior would trigger an alert to investigators that an account takeover was potentially in progress. While this type of monitoring often works, it also has its drawbacks.
The biggest issue is that hackers are now sophisticated enough to easily evade this type of detection method by simply doing a better job of mimicking the behavior of the authorized user. Technical analysis, an approach used by some of the most secure banks, delivers an even greater level of security by analyzing the HTTP requests and responses between customers and the online banking portal. This type of analysis detects indicators of compromise that reveal when a customer is logging in with malware on their machine. Despite being significantly more secure than any of the alternatives, however, even technical analysis isn’t a silver bullet against the threat of malware, The key to true protection is to implement a multi-layered approach to security. A single line of defense will only serve as a stop gap. By employing multiple protection methods (such as behavioral analysis in conjunction with technical analysis), banks can dramatically increase the likelihood that their networks will be protected against an attempted malware infection.