Man in the browser is new security threat to online banking
Posted by Steven Parker on 27 November 2007 - 10:00 · 3 comments & 2362 views
About the Author
Full name: Steven Parker
Forum name: Neobond
Contact: via forum PM
Submissions: Normal · Headline
Full name: Steven Parker
Forum name: Neobond
Contact: via forum PM
Submissions: Normal · Headline
Slashdot It!
Submit to reddit
Submit to blinklist
Bookmark on del.icio.us
Add to furl
Share on Facebook
Add to Windows Live
Add to Google- Advertisement
-
-
(1 reply)
#1 Posted by rich.bradshaw on 27 Nov 2007 - 10:21
- I'm surprised that banks don't offer their own applications to use for online banking - for instance, a virtual machine that saves it's state running something like damn small linux + a web browser. This could be packaged with qemu.
You'd boot the virtual machine, use your banking, then when you closed it off, the virtual machine wouldn't save changes, so it would always be the same.
This could be distributed on read only flash memory, or even plain old CDs to avoid modifying the image.
Good idea?
Tutorial on how to do this on my blog.
Last edited by rich.bradshaw on 27 Nov 2007 - 10:42 -
#1.1 Posted by lunamonkey on 27 Nov 2007 - 10:34
- In theory. But people don't like security. People don't like change. People don't know how to boot from a disk.
With 13 million potential banking customers from one organisation alone (Nationwide), they would be swamped with support requests and complaints for months to come. Let alone the logistics and legal reasons why distributing software could be a bad idea. And hardware support?
Also, you can never guarentee the quality of preloaded software. (Mp3 players with viruses preloaded)
Also, you can't stop people giving out fake disks either. It would unlease new spam-snail-mail with "Your new banking CD".
-
#2 Posted by tiagosilva29 on 27 Nov 2007 - 10:29
- I'm the man in the browser
Buried in my ****
Won't you come and save me, save me...
Once a user's PC is infected, the malicious code is only triggered when the user visits an online bank. The 'man in the browser' attack then retrieves information, such as logins and passwords, entered on a legitimate bank site. This personal data is sent directly to an FTP site to be stored, where it is sold to the highest bidder.
Security products using behavioural analysis were the best solution against such attacks, because the malware was only distributed to the users of specific banking sites, said Mikko Hypponen, chief research officer at F-Secure. This meant anti-malware software vendors were unlikely to be able to quickly release codes to tackle all the new threats. Following the enhancements that banks have made to authentication on their websites, “phishing attacks are becoming less and less effective and attacks of the 'Man in the Browser' are set to increase", he warned.