E-commerce in crisis: When SSL isn't safe

The Great Train Robbery of 1963 netted $69 million in today's dollars. The largest bank heists have scored more than $80 million. But "stick-'em-up" bank robberies offer high risks and low rewards: according to the FBI, the average US bank heist yields just $4200 -- and between 50 and 75 percent of perpetrators get caught

Robbing a brick-and-mortar bank seems like petty theft compared with a new breed of cybercrime that, according to a growing number of security experts, is siphoning untold millions of dollars from banks and their customers using SSL-evading Trojans and ever more refined phishing techniques. Every antivirus and antimalware vendor can report thousands of bank and e-commerce-specific Trojans designed to steal money and identities, often collectively referred to as Bancos/Banker variants. Yet given the vast investment in quelling consumers' fears about conducting business online, it's no surprise that few sources are anxious to provide information that highlights the severity of the problem.

Although the banking officials and security officers contacted for this article refused to be quoted on the record, all of them agreed that online bank fraud is an increasing problem. One banking regulatory security auditor said that in some instances, online bank fraud drains as much as 2 to 5 percent from a bank's overall revenue.

Mark Sunner, CTO of e-mail security provider MessageLabs, thinks it will take "a single, high-value tipping-point event" to wake up the general public, which would then pressure public officials. "I think the world's largest bank heist will soon be committed using malware," he says.

Phishing with a hook

Phishing remains the weapon of choice for online bank theft -- and the sleight of hand that tricks users into visiting a phishing Web site continues to get more sophisticated. Phishing e-mails now show up with the user's address, postcode, or account information already filled in, indicating that professional criminals are using other, previously compromised resources to gain the trust of consumers.

Yet as phishing gets slicker, users are getting smarter. As the average Joe becomes less likely to type in authentication information in response to an e-mail, more and more cybercriminals are turning to SSL-evading Trojans.

These Trojans install themselves on unsuspecting users' PCs and either capture user log-on credentials or manipulate transactions after a successful log-on. In both cases, the SSL connection between PC and bank remains intact. The user may think the confidential online transaction is protected against mischief -- but it is not.

That shift has enormous implications. Ever since Netscape released SSL in 1996, consumers have been told that a confirmed SSL-connection icon indicates that it's safe to conduct online business.

"The problem is," according to one bank regulatory security auditor, "SSL isn't broken. SSL states that the connection between your PC's network card and the bank's network card isn't compromised. This is still true. Nobody is sniffing the transaction off the wire. Instead, this is a 'man-in-the-end-point' attack". In other words, the Trojan is sniffing or manipulating the transaction before it is ever sent across the Internet to the bank.

According to Mitchell Ashley, CTO of network security provider StillSecure, "Traditional phishing attacks have duped end users into clicking on a link, but in the newest evolution, even the most security-savvy can fall victim to attack. Once you're infected, the game is up."

Although the theft of credentials remains the biggest threat to online e-commerce, SSL-evading Trojans are quickly becoming the criminal hacker's favourite tool, mainly because SSL-evading Trojans can bypass any authentication scheme.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about BillCounterpaneCounterpane Internet SecurityFBIFinancial InstitutionsMessageLabsVIA

Show Comments