Reading this piece of research earlier in the week served as a reminder of the primary vulnerability that banking malware exploits, human trust. It’s valuable, stuck deep down in the digital trenches, to occasionally pull your head up for the big picture.
The research demonstrated how over a third of people surveyed could not tell a scam banking app from the real thing, making them very susceptible to having bank account data stolen. And this was in a manufactured scenario when people knew they were looking for a fake.
Now imagine how much higher the criminal hit rate is when an online bank user is logging on to his/her account on a trusted PC running anti-virus software to pay a friend or family member, as they have done a thousand times. However, this time an extra form field pops up below the Username and Password fields, asking for the secure Personal Identification Number (PIN) – this malware technique is called a web inject. This PIN field rings a distant alarm bell in the user’s head, but upon re-reading the web page the user is told this is all part of a new security process and that he/she shouldn’t worry. And after all, it is on the official website with the padlock in the address bar. Satisfied, they enter the required details. Unfortunately, both the new form field and the updated website copy are Zeus web injects and all information is broadcast immediately to a malware command and control (C&C) server.
It is exactly this trusted environment that banking malware abuses countless times every day worldwide to siphon money from individuals’ bank accounts.
An interesting body of psychological research has been carried out related to why this is. Broadly, it has found that people tend to approach technological transactions of all kinds from a starting point of trust – innately believing systems to be built securely. Even nascent technologies are often trusted as much as mature systems that have demonstrated they’re stable. This generic blanket trust is the result of two factors, the increasing embedding of technology in every facet of life, coupled with an inability to understand what differentiates ‘good’ technology from ‘bad.’ Ultimately, people just want to achieve an end goal with their transactions and typically don’t have the ability or desire to critically question the environment in which it takes place.
Combine this psychological state of non-questioning ignorant bliss with the brand of a big global bank website, and people will pretty much do whatever they are told by the web injects. Goodbye savings.
Banks can do one of two things in this situation. First, they can try to fix the direct source of the vulnerability, the humans themselves, teaching them to question everything they are asked to do online, even on the bank’s own website. Changing preordained behaviors in this way is a worthy goal, but is ultimately very costly and near impossible to measure.
Second, they can rely on technology as a solution. This brings scale and some degree of measurability. However, up until now, it has been technically implausible and has even emphasized the misplacement of trust – relying on an outdated approach to endpoint protection developed in the late 1980’s and bolted onto ever since.
A new approach is starting to challenge this issue for banks. By deploying full transaction stack protection (FTSP), as opposed to fighting an unwinnable battle on consumer devices, banks can stop malware from being able to exploit customer trust. It does this by stopping its ability to web inject the type of form fields and malicious copy onto websites previously mentioned. It also stops any data being exfiltrated from the user session by wrapping each transaction in an invisible layer of protection. The best thing? The user knows nothing about it, there are downloads to install, no buttons to press – so trust is never even a factor.