Once criminals have succeeded in infecting a home computer with
malicious software (malware) such as the banking Trojan Silentbanker,
even two-factor authentication becomes useless in protecting
banking customers from online fraud.
This warning comes from, among others, US security software
developer Symantec, which first detected Silentbanker in December
2007.
US technology developer IBM believes it has the answer to the
threat in the form of its Zone Trusted Information Channel (ZTIC),
a device for securing online banking transactions that is now
available to banks for trials.
In essence, malware such as Silentbanker lets a criminal
manipulate the messages the user sees and sends. The attacker can
redirect communications and alter the data the internet browser
displays during the user's online banking session, without the user
noticing anything.
Symantec researcher Liam OMurchu, who first detected
Silentbanker, commented at the time: “The ability of this Trojan to
perform man-in-the-middle attacks on valid transactions is what is
most worrying. The Trojan can intercept transactions that require
two-factor authentication. It can then silently change the
user-entered destination bank account details to the attacker’s
account details instead.”
This view is supported by the Swiss Reporting and Analysis
Centre for Information Assurance which has warned that currently
established two-factor authentication systems do not afford
protection against malware.

“In the presence of an ever more professionally operating
e-crime scene, it became obvious that PC-software based
authentication solutions were potentially vulnerable and we needed
to innovate to stay ahead,” said Peter Buhler, computer science
manager at IBM’s Zurich Research Laboratory where the ZTIC device
was developed.
In essence the ZTIC device, which plugs into the USB port of any
computer, bypasses the computer's software, which could be infected
by malware or open to hacker attack, by moving all cryptographic
and critical user-interface processes off the computer and onto
the device. This creates a direct, secure channel to a bank's online
transaction server, which can be further strengthened by means of a
smartcard inserted into the device.
“What the user sees on the ZTIC display is identical to what the
server ‘sees’, no matter what malicious intervention may occur on
the PC or anywhere in the internet,” said Buhler.
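The two passages above describe the same weakness and its fix: a one-time code that is not tied to the transaction is forwarded unchanged by the Trojan along with a rewritten payee, whereas a confirmation computed over the details the server actually received (the ZTIC model, and equally the mTAN model discussed below) is either rejected by the user on the trusted display or fails the server's check. The following Python simulation is an added example written for this page; it is not IBM's or Symantec's code, the shared secret, account numbers and the six-character MAC truncation are constructed assumptions, and the man-in-the-browser function only models the destination-swap behaviour the article attributes to Silentbanker.

```python
import hmac
import hashlib

# Constructed shared secret (assumption for this demo). In a real deployment it
# lives in the USB device, or at the bank's SMS gateway for mTAN, never on the PC.
DEVICE_SECRET = b"demo-shared-secret"
ATTACKER_ACCOUNT = "CH00 0000 0000 ATTACKER"   # constructed sample value


def tx_message(tx: dict) -> bytes:
    """Canonical byte string of the details a user is asked to confirm."""
    return f"{tx['dest']}|{tx['amount']}|{tx['currency']}".encode()


def unbound_otp(counter: int) -> str:
    """Token-style one-time code: a MAC over the secret and a counter only.
    Nothing in it says WHICH transaction it authorises."""
    mac = hmac.new(DEVICE_SECRET, counter.to_bytes(8, "big"), hashlib.sha256)
    return mac.hexdigest()[:6]


def bound_confirmation(tx: dict) -> str:
    """ZTIC/mTAN-style code: a MAC over the exact details the server holds,
    so it is valid for that one transaction and no other."""
    return hmac.new(DEVICE_SECRET, tx_message(tx), hashlib.sha256).hexdigest()[:6]


def man_in_the_browser(tx: dict) -> dict:
    """Silentbanker behaviour as described in the article: the destination the
    user typed is swapped for the attacker's before the request leaves the PC."""
    tampered = dict(tx)
    tampered["dest"] = ATTACKER_ACCOUNT
    return tampered


def session_unbound_2fa(user_tx: dict, infected: bool):
    """Legacy two-factor flow. Returns (executed_tx or None, outcome)."""
    counter = 1
    submitted = man_in_the_browser(user_tx) if infected else user_tx
    code = unbound_otp(counter)          # produced on the user's token
    # The malware forwards the perfectly valid code with the tampered request.
    if hmac.compare_digest(code, unbound_otp(counter)):
        return submitted, "accepted"
    return None, "rejected: bad code"


def session_bound_confirmation(user_tx: dict, infected: bool, forge_code: bool = False):
    """ZTIC-style flow: the server echoes the details it received over a channel
    the PC cannot modify; the device shows them, and only after the user approves
    does it compute the confirmation over that echoed data.
    Returns (executed_tx or None, outcome)."""
    submitted = man_in_the_browser(user_tx) if infected else user_tx
    displayed = submitted                 # what the server 'sees', shown on the device
    if tx_message(displayed) != tx_message(user_tx):
        return None, "rejected: user saw a different destination on the device"
    code = bound_confirmation(displayed)
    if forge_code:
        # Second attack path: the malware lets the honest details reach the
        # device, then rewrites the request after the user has approved it.
        submitted = man_in_the_browser(submitted)
    if hmac.compare_digest(code, bound_confirmation(submitted)):
        return submitted, "accepted"
    return None, "rejected: confirmation does not match received transaction"


# Constructed sample transaction the user intends to make.
USER_TX = {"dest": "CH12 3456 7890 LANDLORD", "amount": "1200.00", "currency": "CHF"}

if __name__ == "__main__":
    print(session_unbound_2fa(USER_TX, infected=True))          # money goes to attacker
    print(session_bound_confirmation(USER_TX, infected=True))   # user rejects on display
    print(session_bound_confirmation(USER_TX, infected=False, forge_code=True))  # server rejects
    print(session_bound_confirmation(USER_TX, infected=False))  # honest transfer accepted
```

The point the simulation makes is structural rather than cryptographic: the first flow fails not because the OTP is weak but because it authorises a session, not a payee and an amount. Binding the confirmation to the server's copy of the details, and showing that copy on hardware the malware cannot reach, closes both the swap-before-display and the swap-after-approval paths.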
IBM believes only one alternative to its ZTIC device provides
the same level of security: using the mobile phone short message
service (SMS) to convey transaction confirmation details between
server and user. This approach is generally referred to as the mobile
transaction number, or mTAN.
“Until more mobile phone malware appears, such solutions are
comparable to the ZTIC with regard to the degree of security they
provide,” noted IBM.
However, IBM added that once issued, the ZTIC device incurs no
further cost per transaction, whereas an mTAN solution incurs the
cost of an SMS for every transaction.
mTAN solutions also have potential convenience drawbacks, such as
requiring the user to copy each mTAN manually from the phone into the
browser.