As we move into 2015, technical consultant and security specialist Desmond Kong of e-Lock Corporation gives his take to Computerworld Malaysia on the impact of the recent Zeus internet banking malware and the steps needed to enhance security in Malaysia's mobile banking scenario.
Photo - Desmond Kong, CISSP, Technical Consultant and Security Specialist, e-Lock Corporation Sdn. Bhd
Could you give your views on the recent security landscape around Internet and mobile banking in Malaysia?
To be fair, the highly regulated banking industry in Malaysia generally has good security posture with fortified network perimeters, strong security controls, regular third party audits, and two-factor authentication in place.
However, all the security put in place is only as strong as its weakest link, the user. Before this, attackers simply had to create fake look-alike bank websites and send phishing emails to lure the victims in. Users have had a hard time discerning a fake site from a real site. Consequently, many users ended up having their passwords stolen. Banks have since stepped up security by introducing two-factor authentication in the form of SMS authentication codes.
Recent news reports of Zeus banking malware affecting local banks' users are a clear sign that attackers have caught up to the game. Zeus is a Trojan horse malware that originally infects Windows PCs to steal user IDs and passwords by intercepting the data submitted by the users via web browsers. Subsequently, new variants of Zeus, also known as Zitmo (Zeus in the mobile), emerged to infect the mobile devices to steal SMS data, targeting the SMS authentication codes sent by the banks to the users' mobile phones. By having Zeus take control of users' web browsers and Zitmo intercepting SMS codes, attackers can effectively compromise any Internet banking session on the user's PC.
What steps should be taken by the banks and regulating/policing agencies in Malaysia to play their part in enhancing security and consumer protection?
Actually most banking websites have implemented some form of two-factor authentication for security and compliance reasons. Banks have also played their role in raising consumer awareness of common phishing schemes by placing regular up-to-date alerts on login or homepages.
However, the case of the Zitmo malware highlights the dire need for continuous security improvement and speed in adopting new countermeasures to keep up with current threats. First detected in late September 2010, Zitmo is not new and has been operating outside Malaysia for some time. The recently reported incident highlighted the inherent security gap. It was only a matter of time before attackers retrofitted and launched a larger-scale attack through malware targeted at our local environments, and this gap will only get narrower.
Bank Negara Malaysia [National Bank of Malaysia] plays a crucial role in spearheading a coordinated effort among the banks while intensifying observation of changing global threats, to further strengthen the readiness of our banking industry against advanced security attacks and enhance consumer protection.
Could you detail how e-Lock's approach is important at this time?
The two most commonly adopted approaches in the banking and financial-related industry for two-factor authentication are SMS authentication codes and hard tokens. Let us not discuss any of their other disadvantages and focus solely on their fundamental security weakness.
Regardless of whether the so-called secure one-time authentication code is sent via SMS or generated by a secure hard token, such an authentication code will eventually need to be entered by the user manually on the web browser to be submitted back to the banking website for verification, and Zeus will be able to easily intercept, steal and even manipulate this authentication code.
Unlike these, e-Lock's GRID Beacon takes a different approach by using a truly independent out-of-band second-factor authentication and it does not use SMS. Hence, GRID Beacon is secure and effective against Zeus attacks.
Out-of-band two-factor authentication means the additional authentication is performed using a separate data delivery and submission channel. So, you may ask, isn't SMS considered out-of-band? The answer is yes, but only partially. Even though the authentication code is delivered out-of-band, the submission of the authentication code back to the originating website is still in-band, via the same channel as the user's web banking session.
For instance, GRID Beacon offers a true out-of-band two-factor authentication whereby both the delivery and the submission of authentication data are performed out-of-band. In addition, the authentication data transmission is fully secured by encryption and is not susceptible to interception by the Zeus malware.
How is your solution superior to those from other service providers - and what has been the response from banks in Malaysia?
The GRID Beacon essentially turns your smartphone into a secure and personalised two-factor authentication device. Users simply install an app on their smartphone and have it securely activated. Besides being truly out-of-band, our solution offers the convenience of not requiring the user to carry an additional device. The app is user-friendly and simple to use. There is no waiting for SMS codes or entering digits into your computer to authorise an Internet banking transaction. A quick tap is all it takes to securely log in to your Internet banking account or to authorise a transaction.
Local market response has been very encouraging, with most users impressed by its simplicity and how it just works. Meanwhile, outside Malaysia, we are pleased to have received the trust of Japan's largest Internet bank, which successfully implemented the GRID BEACON solution to enhance the security of its 1.8 million banking accounts with 3.3 trillion yen of deposits earlier this year, in February 2014.
The solution enables the bank to address its current and future threats of online identity theft more effectively and heightens customer confidence through the new user transaction approval service. The transaction approval service enables the user to be alerted to any transaction request within their account, anytime, anywhere. Users are able to review each transaction request before authorising or rejecting the request via a user-friendly interface. This enhanced, interactive, multi-layered protection ensures that the users' privacy and Internet banking account are always secure and protected from unauthorised access. The GRID BEACON mobile application was launched for two major operating systems, Apple iOS and Google Android.
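To make the distinction drawn in the two answers above concrete (a code delivered out-of-band but submitted in-band, versus details pushed to the app and approval returned on the app's own channel after the user reviews them), here is an added toy model; it is not e-Lock's code and assumes nothing about GRID Beacon's real protocol. The keys, account numbers and session id are constructed, and the browser-side tampering is a one-line stand-in for the browser manipulation the interview attributes to Zeus.

```python
import hashlib, hmac, json, secrets

def canon(txn):
    """Canonical bytes of a transaction so both ends authenticate the same data."""
    return json.dumps(txn, sort_keys=True).encode()

class Bank:
    def __init__(self):
        self.pending, self.otps, self.executed = {}, {}, []
        self.app_keys = {}   # per-user key enrolled when the app was activated (constructed)
    # SMS flow: code delivered out-of-band, but typed back through the browser (in-band)
    def sms_challenge(self, sid, txn):
        self.pending[sid] = txn                       # txn exactly as the browser sent it
        self.otps[sid] = f"{secrets.randbelow(10**6):06d}"
        return self.otps[sid]                         # "SMS" to the phone; carries no details
    def sms_submit(self, sid, otp):                   # arrives with the browser session
        if hmac.compare_digest(otp, self.otps.pop(sid)):
            self.executed.append(self.pending.pop(sid)); return True
        return False
    # Out-of-band flow: details pushed to the app, approval returned on the app's channel
    def oob_challenge(self, sid, txn):
        self.pending[sid] = txn
        return txn                                    # shown to the user in the app
    def oob_submit(self, sid, user, tag):             # never passes through the browser
        want = hmac.new(self.app_keys[user], canon(self.pending[sid]), hashlib.sha256).hexdigest()
        if hmac.compare_digest(tag, want):
            self.executed.append(self.pending.pop(sid)); return True
        return False

class PhoneApp:
    def __init__(self, key): self.key = key
    def approve(self, shown, intended):
        """User reviews the pushed details; approve only what they actually meant to send."""
        if shown != intended:
            return None                               # user rejects the request
        return hmac.new(self.key, canon(shown), hashlib.sha256).hexdigest()

def run(flow, tampered):
    """One transfer by 'alice'; `tampered` stands in for a browser that silently rewrites the payee."""
    intended = {"payee": "ACC-111", "amount": 500}    # constructed sample
    submitted = dict(intended, payee="ACC-999") if tampered else intended
    bank, key = Bank(), b"constructed-app-key"
    bank.app_keys["alice"] = key
    if flow == "sms":
        code = bank.sms_challenge("s1", submitted)    # user reads the code from the SMS
        bank.sms_submit("s1", code)                   # ...and types it into the browser
    else:
        tag = PhoneApp(key).approve(bank.oob_challenge("s1", submitted), intended)
        if tag: bank.oob_submit("s1", "alice", tag)
    return bank.executed                              # what the bank actually executed
```

The tampered SMS run executes the rewritten payee even though the code was correct, because the code binds to nothing the user can check and returns through the same compromised channel; the tampered out-of-band run fails closed because the user saw, and the app authenticated, the details the bank actually holds.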
Moving into 2015, what are the top three takeaways you would emphasise about the Internet and mobile banking security in Malaysia?
In view of the recent slew of reported security threats from malware such as Zeus and Zitmo, we strongly recommend that all Internet banking service providers re-evaluate their security assurance and consumer protection approach. We believe that enhancement in the three key areas below will significantly enable Malaysia's banking industry to deliver a more secure and trustworthy Internet and mobile banking environment.
i. To improve the user verification process during login beyond traditional one-time-password (OTP) or token-based authentication mechanisms. We advocate providing the user with the flexibility and control to personalise access control to their Internet banking account.
ii. To widen the application of transaction notification services to keep the user well-informed of their account activities in real time, while providing a more secure transaction authorisation service with an out-of-band channel between the bank and the user for transaction authorisation requests and the user's approval. Such an approach greatly enables the banks to mitigate their business risks and demonstrate proactive consumer protection from fraudulent transactions.
iii. To work closely with regulating agencies to monitor for new threats while continuously enhancing security. Information security is a moving target. We have to keep up with the advances in new attacks and counter-measures.