Behavior Based Transaction Verification – More of the Same

Wednesday, November 17, 2010

Eli Talmor


Malware, such as the Zeus Trojan, is widespread. Nearly half of computers are infested.

As a result: “Security measures such as one-time passwords, smart-cards, biometrics and phone-based user authentication, considered among the most robust forms of security, are no longer enough to protect online banking transactions against fraud,” a report from research firm Gartner Inc. warns.

Consequently, a US FS ISAC alert urged business bank customers to “carry out all online banking activity from a stand-alone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.”

Therefore, Gartner continues to recommend fraud detection that monitors user access behavior. This method captures and analyzes all of the user’s Web traffic (assuming the targeted application is Web-based), including login, navigation and transactions, and can spot abnormal access patterns that indicate that an automated program is accessing the application rather than a human being.

The rationale for that: the authentication methods described above fail to operate in a malware-infested environment. Therefore we should add behavior-based methods, which have one obvious advantage – they are transparent to the user.

But do they make a difference in preventing Identity Fraud???

Indeed, behavior-based methods may utilize the web-site visit sequence, which may be specific to a user. For example, one user usually logs in, checks his balance, then goes to transfer funds; another user usually checks his balance, then checks his stock portfolio, and only then goes to transfer funds.

Therefore we may differentiate users by monitoring this sequence. In other words, we can use it as user-transparent “authentication”. But does it provide the malware resistance we are looking for? Obviously not.

Malware is not a human – it does not need to generate its own sequence. All it needs is to change the funds transfer destination. That has nothing to do with user behavior. Oops…
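The blind spot described above, as an added example that is not part of the original post: a toy navigation-sequence scorer (a smoothed first-order transition model, which is an assumption about how such monitoring could work, not any vendor's product). Page names, payee names, the vocabulary size and the threshold are all constructed.

```python
import math
from collections import Counter

# Constructed navigation history for one hypothetical user (page names assumed).
HISTORY = [
    ["login", "balance", "transfer", "logout"],
    ["login", "balance", "transfer", "logout"],
    ["login", "balance", "statements", "transfer", "logout"],
]
VOCAB = 10        # assumed number of distinct pages, used for smoothing
THRESHOLD = 2.0   # constructed alert threshold for this toy model

def train(sessions):
    """Count page-to-page transitions in the user's past sessions."""
    pairs = Counter()
    for pages in sessions:
        pairs.update(zip(pages, pages[1:]))
    return pairs

def anomaly_score(pairs, session):
    """Mean negative log-likelihood of the session's navigation path.
    Only the 'page' field is read: the model never sees transaction data."""
    pages = [event["page"] for event in session]
    steps = list(zip(pages, pages[1:]))
    total = 0.0
    for a, b in steps:
        seen_from_a = sum(n for (src, _), n in pairs.items() if src == a)
        total -= math.log((pairs[(a, b)] + 1) / (seen_from_a + VOCAB))
    return total / max(len(steps), 1)

def flagged(pairs, session):
    """True when the navigation path looks unlike the user's history."""
    return anomaly_score(pairs, session) > THRESHOLD

def make_session(pages, payee):
    """Build events; only the transfer step carries a payee."""
    return [{"page": p, "payee": payee if p == "transfer" else None} for p in pages]

MODEL = train(HISTORY)
USUAL = ["login", "balance", "transfer", "logout"]
genuine = make_session(USUAL, "KNOWN-PAYEE")      # constructed values
tampered = make_session(USUAL, "ALTERED-PAYEE")   # same path, different destination
scripted = make_session(["login", "transfer", "transfer", "transfer", "logout"], "KNOWN-PAYEE")

if __name__ == "__main__":
    for name, s in [("genuine", genuine), ("tampered", tampered), ("scripted", scripted)]:
        print(f"{name:9s} score={anomaly_score(MODEL, s):.3f} flagged={flagged(MODEL, s)}")
```

The session with the altered destination scores identically to the genuine one because the payee is not an input to the model; only the session with an unusual page sequence is flagged.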

As we all know, malware can even play games with behavior-based systems by using key-logging and screen capture to record the web-site visit sequence, so that next time the malware can initiate its own visit sequence without bothering the user to log in.

How “inconvenient” user transparency may evolve!

Behavior based transaction verification does not solve the problem of malware attack on third-party fund transfer.

Gartner, and others, should look elsewhere to protect users’ accounts. Meanwhile – the picture is not rosy. See for yourself: http://www.batchgeo.com/map/483cd995e217a9dc46d4386db15413c5

Cross-posted from http://sentry-com.net/blog
