Is there a solution to the ZeuS problem?
Zeus Trojan has for a while now become almost a synonym for banking malware. Its sneakiness and the ability of its makers to constantly change and adapt it would be admirable, were it not for the fact that it is used for criminal purposes.
SearchFinancialSecurity reports that a panel gathering top security management of financial institutions and companies such as the Bank of America, PayPal, and others, was held at this year’s edition of the RSA Conference in San Francisco, but if you were hoping to find out some unknown details about the Trojan itself and its makers, you would have been disappointed.
If, on the other hand, you wanted to know how these organizations go about preventing the thefts executed with the help of this malware, this was the right place for you to be.
“The customer endpoint has become the number one threat,” said David Shroyer, VP of online security at the Bank of America. The institution has, according to him, made “massive strides in its victim recovery services,” but it is still a very difficult and costly process.
One of the problems is to find a balance between security and ease of use. It is only natural that the customers want for the process to be uncomplicated. Shroyer says that the bank plans to ban the use of Internet Explorer 6 for their customers and, possibly, resort to encryption of the transactions and demand the use of strong passwords that will have an expiration date. He predicts that customers won’t be thrilled by this, but the reality is that some compromises will have to made.
Michael Barrett, CISO at Paypal, addressed the issue of the companies’ fraud detection efforts by saying that most financial institution are taking it very seriously and make a considerable effort to discover it before the damage was done, but that the main problem with it is that malware is designed to “act” as an end user and the transactions often don’t raise suspicion.
“Malware is the Swiss army knife of the criminal underworld,” he said. “There’s no question the technology capability of malware is getting nastier and nastier.” That’s why he thinks that sharing information about the breaches with other companies is an excellent idea. “The criminals have no fear of sharing information.”
Having been reminded by the other panelists that privacy issues are one of the reasons this doesn’t happen, he suggested reporting the incidents to law enforcement agencies or the National Cyber Forensics and Training Alliance.