It seems that a "trojan" named Zeus is being sold by hackers to criminal organizations that want to use it to empty business bank accounts. Zeus makes it easy for the criminals to record online banking passwords, then use them to transfer funds from the account through the standard, legitimate online banking system. The FT story claims that new versions of the trojan also allow criminals to bypass some of the additional physical security that banks are employing, such as tokens with rotating passkeys and SMS confirmation messages. If this really is the case, it is a worrying development, although I can't technically understand how the hack could do that unless these security systems are incredibly poorly implemented.
If the additional security measures that banks employ are being bypassed by hackers, it seems that banks may eventually have to act. If the losses start to approach those of other fraudulent transactions, and banks continue to push responsibility to the customers, the large base of small and mid-sized businesses may just mutiny, finding a way to protect their money without feeding the coffers of the worst offending banks. How long will it be before we see a league table of banks and percentage of losses due to fraudulent transactions? At least with this type of information, companies could pick the most reliable bank, reducing their risk.
When banks finally decide to act, and they find that they are unable to secure online accounts and transactions through a web browser, some may just decide that it is time to develop full, installable, self-validating applications as the only access mechanism to online banking facilities. If "there is an app for that", the flexibility for accessing accounts from anywhere is lost, but it may be the only way security can be maintained.
A post from the Improving It blog