Why Banks are Losing the Desktop Security War
This is the perspective of web security expert Jeremiah Grossman, who sees banks and credit unions at a distinct disadvantage in the fight to secure the desktop.
In this interview, Grossman discusses:
- Why he believes financial institutions have actually surrendered the desktop;
- What they can do to get back into the fray;
- Exactly what it will take to win the war against fraudsters.
Grossman is a frequent speaker at industry events including the Black Hat Briefings, RSA Conference, ISACA, CSI, InfoSec World, OWASP, ISSA, and Defcon as well as a number of large universities. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques and is a co-author of XSS Attacks: Cross Site Scripting Exploits and Defense.
He frequently alerts the media community to the latest attacks and is not only able to offer in-depth commentary, but also provide his perspective of what's to come. Grossman was named a "friend of Google" and is also an influential blogger (www.jeremiahgrossman.blogspot.com) who offers insight and encourages open dialogue regarding current research and vulnerability trend information.
Prior to WhiteHat, Grossman was an information security officer at Yahoo! responsible for performing security reviews on the company's hundreds of websites. Before Yahoo!, Mr. Grossman worked for Amgen, Inc.
TOM FIELD: Just for some context for our audience, why don't you tell us a little bit about yourself and your role at WhiteHat please.
JEREMIAH GROSSMAN: Sure. My role at WhiteHat is Chief Technology Officer, and part of that is to focus on what's going on in the area of web security, and that could be the security of the browsers or the security of the website. By day, WhiteHat Security and my role here is about looking for vulnerabilities in websites and helping our customers fix those particular vulnerabilities before they are exploited by the bad guys. But the other half of web security often gets ignored a lot of times and that is the security of the browser, which is also under attack. So I kind of play in both worlds.
FIELD: And it is fair to say you are also a founder of the Web Application Security Consortium?
GROSSMAN: That's correct. The Web Application Security Consortium is a group of web security professionals (some are from vendors, some are from enterprises) that really spend a lot of time focusing on this problem and developing standards for the industry and just to help progress the industry forward.
FIELD: So, Jeremiah, let's talk about the topic at hand, the desktop security war. In your view, what is this war, and why do you believe that financial institutions have thrown up the white flag?
GROSSMAN: Here's the thing: When a bad guy, whether they are interested in money or hacking bank accounts -- one of the easiest ways for them to hack online bank accounts is to infect or to control a desktop PC of an everyday user. That code, that malware will sit in that machine and wait for the person to do online banking, and when they do online banking that malicious code will sit in between that channel and piggyback a lot of times additional requests, additional transactions to liquidate that particular account.
So, really the interface that a customer has with a bank, their online bank, is the browser, and that war is taking place over the desktop. Now what has happened is that the banking organizations -- they don't write operating systems and they don't write browsers, so they have to play in this zone and expect security of this desktop operating system that is largely beyond their control. So what happens is when these malicious or fraudulent requests come across the wire to their banking institution, it is from a logged-in user, it is from their PC, but the transaction is not one that the customer expected, so it is very difficult for them to understand which transactions are fraudulent and which ones are not, and it has gotten so bad to the point that a lot of the institutions just say, we are not going to help anymore, or at least we are not going to focus and spend the resources as we have in the past.
FIELD: So let's talk a little bit about this war. You spoke about sort of the bad guys in general terms, but who are the real combatants here and what is at stake in this war?
GROSSMAN: For the point or aspect of, I would say, banking fraud, the bad guys are monetarily driven, and they are from all over the world. They are going to be from the U.S., they are going to be from abroad, from Europe, from Asia, from South America, from all over the place, and they are finding that at least U.S. institutions are really good targets to monetize, because all you have to do is break into one user's machine, largely on a mass scale, and you can start making a whole lot of money. So that is the general aspect of the bad guys.
Now the bad guys want that desktop footprint, and in a lot of ways the user is in a war for control over their own machine, and they lost. They lost because there is really no good way for a user to force control over their own machine. It's really difficult to fend off attackers who make it their mission in life to attack their machines, and by extension a lot of times the bank ends up being the victim as well in this war.
FIELD: So let's talk about the alternative - surrender. What could financial institutions be doing? What should they be doing?
GROSSMAN: Well, I think a lot of times when they surrender the desktop battle it is probably just, how should I say, practical at this point - they lost a long time ago, and now they are just getting around to realizing it. So now what they are doing today is instead of focusing on identity, two-factor tokens, mobile IDs and things of that nature that have really - in a lot of ways are a lost cause there -- they are going to put their resources into transactional-based security and try to do fraud metrics, so when they see transactions coming across the wire they will look for normal user patterns.
This customer normally takes out money or puts money into their account in these frequencies; they normally don't wire transfer $50,000 dollar increments three times in a row outside of the country, so you flag that for extra checking. So they are going to put a lot more emphasis on transactional security rather than an identity security.
FIELD: So, let's talk about some ways that institutions can get back into this fight and maybe win some battles en route to winning the war. What areas would you recommend they focus on?
GROSSMAN: Well, I can tell you where they are going. The desktop battle is going to be over for quite some time, but where banking and a lot of applications are moving is to the mobile client and the mobile desktop right now, and we are talking iPhones, BlackBerrys, Google's Android. There are going to be financial applications on those devices, and fortunately for the moment those devices are not littered with malware as the desktop PCs are.
So they have an opportunity right now to start placing better controls into those mobile applications, and the handset or the operating system vendors for those particular platforms have a real opportunity now to shore up those [devices]. That is where banking and banking transactions are moving; they are moving to the mobile clients. Hopefully, in the next three to five years, as that footprint expands, we are not going to repeat the same problems that we had on the desktop.
FIELD: Well, what would your advice then be, Jeremiah, to financial institutions that want to make sure that they are protected in the new frontier better than they were in the old one? What do they have to be doing now?
GROSSMAN: So there are three ways to go about it - nothing is going to be perfect, but there are three ways to really help this particular problem. One is the browser; it is more than just recommending antivirus and recommending patching to your users. Recommend a really good modern browser. This could be Internet Explorer 8, it could be Google's Chrome, it could be Firefox, anything except older browsers. No more IE 6, no more IE 7 -- those are like a kid in a candy store for bad guys to infect machines; so that is on the client side, and that is really going to help.
The second one is really transactional-based security. Again, identity is nice and all, tokens are nice if your customers will accept it -- a lot of them won't. But focus on the transactions, the so-called familiar customer. Know their behavior patterns, know what transactions they make, and put fraud metrics into your transactional based systems.
And thirdly, and this is where WhiteHat helps our customers out, is know the vulnerabilities in your websites ahead of time. Bad guys will target banking websites; they have targeted banking websites en masse. So you are going to get a pen test whether you like it or not. Hack yourself first, as the saying goes, so you can understand your website vulnerabilities and get them fixed before the bad guys give you a really bad day.
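The transactional fraud metrics Grossman describes (a customer who normally moves a thousand dollars at a time does not wire $50,000 three times in a row to a country they have never used) are easy to sketch as a per-customer baseline plus a few rules. The following is an added example and is not code from the interview, from WhiteHat or from any bank: the rules, thresholds, account identifiers and transaction history are all constructed for illustration. It builds a profile from past wires, then scores an incoming batch for amount anomalies, unfamiliar destination countries and velocity, which is the pattern of piggybacked requests a compromised desktop produces.

```python
"""Transaction-pattern fraud checks: flag transfers that break a customer's
own baseline instead of trying to re-authenticate a possibly infected PC.
Added illustrative example; thresholds and data are constructed, not real."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed history of normal activity for one hypothetical customer.
HISTORY = [
    # (customer, timestamp, amount_usd, kind, dest_country)
    ("acct-1", "2010-01-04T10:00", 1200.00, "wire", "US"),
    ("acct-1", "2010-01-18T09:30", 950.00, "wire", "US"),
    ("acct-1", "2010-02-01T11:15", 1300.00, "wire", "US"),
    ("acct-1", "2010-02-15T10:05", 1100.00, "wire", "US"),
    ("acct-1", "2010-03-01T10:40", 1250.00, "wire", "US"),
    ("acct-1", "2010-03-15T09:55", 1000.00, "wire", "US"),
]

# Constructed incoming batch: one ordinary transfer followed by the pattern
# from the interview, three $50,000 wires in a row to a never-used country.
INCOMING = [
    ("acct-1", "2010-03-29T10:02", 1150.00, "wire", "US"),
    ("acct-1", "2010-03-29T10:03", 50000.00, "wire", "UA"),
    ("acct-1", "2010-03-29T10:04", 50000.00, "wire", "UA"),
    ("acct-1", "2010-03-29T10:05", 50000.00, "wire", "UA"),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def build_profiles(history):
    """Per-customer baseline: wire amount statistics and destinations seen."""
    amounts = defaultdict(list)
    countries = defaultdict(set)
    for cust, _ts, amount, kind, country in history:
        if kind == "wire":
            amounts[cust].append(amount)
            countries[cust].add(country)
    return {
        cust: {
            "mean": mean(vals),
            "std": pstdev(vals),
            "max": max(vals),
            "countries": countries[cust],
        }
        for cust, vals in amounts.items()
    }


def score(profile, tx, recent, window=timedelta(minutes=10), velocity_limit=2):
    """Return the names of the rules a wire trips; an empty list means normal."""
    _cust, ts, amount, kind, country = tx
    flags = []
    if kind != "wire":
        return flags
    # Amount far outside this customer's own history (3 sigma or 2x their max).
    ceiling = max(profile["mean"] + 3 * profile["std"], 2 * profile["max"])
    if amount > ceiling:
        flags.append("amount_anomaly")
    # Destination country the customer has never wired to before.
    if country not in profile["countries"]:
        flags.append("new_destination_country")
    # Velocity: this is at least the (velocity_limit+1)th wire inside the window.
    t = parse(ts)
    burst = [r for r in recent if t - parse(r[1]) <= window]
    if len(burst) >= velocity_limit:
        flags.append("velocity")
    return flags


def evaluate(history, incoming):
    """Score each incoming transaction against the profile built from history.
    Returns (tx, flags) pairs; anything flagged would be held for out-of-band
    verification with the customer rather than executed."""
    profiles = build_profiles(history)
    recent = defaultdict(list)
    results = []
    for tx in incoming:
        cust = tx[0]
        prof = profiles.get(cust)
        flags = score(prof, tx, recent[cust]) if prof else ["no_baseline"]
        results.append((tx, flags))
        recent[cust].append(tx)  # counts toward velocity even if it was flagged
    return results


if __name__ == "__main__":
    for tx, flags in evaluate(HISTORY, INCOMING):
        print("HOLD" if flags else "ok  ", tx[1], f"{tx[2]:>9.2f}", tx[4], flags)
```

In this run the first $1,150 domestic wire passes, the first $50,000 wire to an unfamiliar country trips the amount and destination rules, and the second and third also trip the velocity rule. Real systems tune the thresholds per segment and combine rule hits into a risk score, but the principle is the one Grossman states: judge the transaction against the customer's established behaviour, since the session itself looks legitimately authenticated.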