Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

RSA Upgrades Malware Defenses For Bank Transactions

Latest adaptive authentication technology adds new Trojan and man-in-the-middle defenses, plus risk assessment for ATM machine transactions.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
RSA, a division of EMC, Tuesday announced the release of the latest version of its adaptive authentication technology, which is used by banks to help spot and block unauthorized transactions or account takeovers.

The new version of adaptive authentication is already available for users of the on-premises version, while the new cloud-based version is due out Jan. 20. According to Amy Blackshaw, senior product marketing manager for RSA's identity verification and protection products, RSA counts about 70 out of top 100 U.S. banks as adaptive authentication customers.

The goal of most financial malware is to take over a target's bank account, allowing the attackers to transfer the money it holds into an account they control. "Account takeover is currently the single most important issue for our customers," said Manoj Nair, general manager for RSA's identity and data protection group, in a statement.

[ Read Fast Flux Botnet Nets Fraudsters $78 Million. ]

That's because the quantity of account-takeover attacks -- meaning an attacker has cloned an ATM card or stolen related details, perhaps including account access codes and PINs -- continues to increase. According to a survey of 100 financial service institutions released by the Financial Services Information Sharing and Analysis Center (FSISAC) earlier this year, and conducted by the American Bankers Association, account takeover more than tripled between 2009 and 2011. Respondents said they've helped address account-takeover fraud by pursuing customer education (for 92% of respondents), changing their multi-factor authentication system (67%), freezing a customer's account whenever anomalous activity is detected (59%), and modifying an existing multifactor authentication system to make it work better (50%).

To help businesses better spot account takeover attempts, the RSA adaptive authentication revamp includes better Trojan-detection features -- for example, to detect proxy attacks in which an attacker logs onto a bank site from a proxy IP address, rather than a verified IP address for the customer. The updated software also has new techniques for detecting HTML injection attacks, which attempt to make surreptitious transactions when a user is logged onto a banking site, as well as attempt to harvest additional user credentials, such as social security numbers and website PIN codes.

The updated software also includes "man versus machine" technology to guard against attack scripts that can be used to automatically add payees to accounts and automatically disperse money to outside, attacker-owned accounts. The software detects this in part by literally assessing whether mouse movements and keystrokes are being used to enter data, or whether the information is being entered by a script.

Finally, the software also can watch for man-in-the-middle attacks, which involve eavesdropping or substituting communications; as well as man-in-the-browser exploits, in which a Trojan application is used to infect a browser and intercept application calls between the browser and its security mechanisms or libraries.

One of the new adaptive authentication features involves risk assessment for ATMs themselves, in part to help spot and block money mule operations. These involve teams of criminals who apply stolen account credentials to faked ATM or credit cards, and then attempt to withdraw lots of money at once, sometimes covering multiple states in a single day.

"Something we've heard loud and clear, specifically from a lot of developing countries, is that fraud has migrated into the ATM channel," said Blackshaw, speaking by phone.

RSA's product can watch for geographical anomalies -- for example, a user is attempting to withdraw money from an ATM in a location never before visited -- as well as odd withdrawal amounts and frequency, or unusual date and time access patterns. "The way we're getting that data is through the batch files of the ATM, so we'd be doing a risk analysis on the card, the account, and the user behavior," she said. This type of analysis is designed in part to stop attempts by a criminal gang that attempts to withdraw money from many different locations in a short period of time. "In many cases, fraudsters use mules to transfer the money into a mule's account, and then in many cases the mules will go to an ATM to withdraw those funds," Blackshaw said.

For now, the ATM security tools only offer monitoring. "There's no inline blocking mechanism at this point," said Blackshaw -- unlike when adaptive authentication is used to assess website, portal, or mobile transactions.

On the mobile front, finally, Blackshaw said financial services firms can use an adaptive authentication API to send transaction information from the mobile app to an adaptive authentication server, which analyzes the proposed transaction using RSA's risk analysis tools, and then can either approve the transaction, request additional authentication from the user, or block the transaction entirely.

Looking for anomalous types of transactions also now can be done via mobile applications, and using Wi-Fi hotspot, cell tower, as well as GPS data to identify the rough geographic location of a user. Interestingly, RSA said it can also watch for whether multiple transactions involving the same account are being made from geographic locations that a user wouldn't have been able to traverse in the intervening time.

Faster networks are coming, but security and monitoring systems aren't necessarily keeping up. Also in the new, all-digital Data Security At Full Speed special issue of InformationWeek: A look at what lawmakers around the world are doing to add to companies' security worries. (Free registration required.)

Comment  | 
Print  | 
More Insights
//Comments
Oldest First  |  Newest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-40942
PUBLISHED: 2022-09-28
Tenda TX3 US_TX3V1.0br_V16.03.13.11 is vulnerable to stack overflow via compare_parentcontrol_time.
CVE-2022-40912
PUBLISHED: 2022-09-28
ETAP Lighting International NV ETAP Safety Manager 1.0.0.32 is vulnerable to Cross Site Scripting (XSS). Input passed to the GET parameter 'action' is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in cont...
CVE-2022-22523
PUBLISHED: 2022-09-28
An improper authentication vulnerability exists in the Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 Web-App which allows an authentication bypass to the context of an unauthorised user if free-access is disabled.
CVE-2022-22524
PUBLISHED: 2022-09-28
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an unauthenticated remote attacker could utilize a SQL-Injection vulnerability to gain full database access, modify users and stop services .
CVE-2022-22525
PUBLISHED: 2022-09-28
In Carlo Gavazzi UWP3.0 in multiple versions and CPY Car Park Server in Version 2.8.3 an remote attacker with admin rights could execute arbitrary commands due to missing input sanitization in the backup restore function