MaldivianDigital® :: Forum

Old 26-05-2008, 08:15 PM
AhmedVisham®
 
ING Introduces Tool for Safe E-Banking on Infected PCs

ING Direct, the nation's largest online-only bank, said this week that it was giving away a software tool that would allow customers to bank online safely at ING, even if the user's PC was already infected with data-stealing malicious software.

ING made the somewhat bold claim in partnering with an Israeli company named Trusteer, which offers an installable program called Rapport. Trusteer's main investor is a man named Shlomo Kramer, co-founder of Check Point Software, the company that makes and markets the ZoneAlarm firewall products. Kramer is now CEO of Imperva, an application data protection company, which he co-founded with Mickey Boodaei, who is CEO of Trusteer.

Boodaei said Rapport creates a "secure pipe" within the user's computer that encapsulates data as it flows to the ING Direct Web site. Boodaei said the software works by assuming control over the application programming interfaces or APIs in Windows, the set of tools which allow software developers to create programs that interact with key Windows functionalities.

Some of today's nastiest data-stealing malware works by hijacking these Windows APIs. For example, keyloggers simply hijack or "hook" the Windows API that handles the transmission of data from user interfaces, such as the keyboard and mouse. A more advanced type of malware - known as a "form grabber" - hijacks the "WinInet" API - which sets up the SSL transaction between the user's browser and the encrypted Web site. By hijacking this API, a form grabber can rip out usernames and passwords even when the user is submitting them into a site that encrypts the data during transmission because it grabs that information at the lower level of the operating system, before it is encrypted.

Trusteer's software examines these and other vital Windows APIs to see if any other process is trying to intercept sensitive data. It then blocks those that do.

"We analyzed all of the different channels and methods in which attackers can grab credentials from the computer or tamper with communications, and we built a technology that addresses all these threats the same way using the same techniques," Boodaei said.

To log into their accounts, ING customers must enter a customer ID, and then use their mouse to click their password using a PIN pad displayed on their screen. Boodaei said Rapport uses the combination of customer ID and PIN to compute a "hash" value or unique fingerprint tied to those credentials. The software then looks to see if any data matching that hash value is entered in at any site other than ING's. If so, it throws up a warning to the user that they might be trying to enter their ING credentials at a phishing site, and blocks the transmission of that data.

What struck me most about this offering was that it's the first time in a long while that a U.S. bank has publicly raised the idea of installing software on customer systems as a means of combating fraud. ING says it will cover losses for unauthorized activity -- whether or not customers use Rapport -- provided that the customer notifies ING of the compromise within 60 days of receiving a statement listing the activity.

Online trading firm Ameritrade tried something similar a few years back with a product from WholeSecurity (since purchased by Symantec), but the offering was never really publicized that well and the program seemed to fade away after a while.

ING keeps its costs low mainly by not having any physical branch locations. Avivah Litan, a fraud analyst with Gartner Inc., said ING's partnership with Trusteer will suffer the same fate as the Ameritrade-WholeSecurity program if one or more of the following things happen:

1- Customers who install the tool flood ING with support calls and questions
2- Nobody adopts it
3- Malware writers figure out a way around it to steal lots of money from customers

Litan said if the offering fails, most banks believe it will be as a result of reason #1.

"The banks are really afraid of getting involved in consumer desktops," Litan said. "Every bank I've talked to about this just doesn't want to go there because they think it means a lot of customer service calls and troubleshooting."
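The credential-fingerprint check described in the post, sketched as an added example; it is not part of the original post and not Trusteer's code. The host `bank.example`, the function names, the KDF parameters and the sample credentials are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from itertools import permutations
from urllib.parse import urlsplit

PROTECTED_HOST = "bank.example"  # assumption: placeholder for the bank's real host


def fingerprint(customer_id: str, pin: str, salt: bytes) -> bytes:
    # Salted, slow KDF: a short PIN is cheap to brute-force from a plain hash.
    # Length-prefix the ID so ("12", "345") and ("123", "45") cannot collide.
    material = f"{len(customer_id)}:{customer_id}{pin}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 50_000)


def is_protected_origin(url: str) -> bool:
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Exact host or a true subdomain, HTTPS only; "bank.example.evil.test"
    # and "notbank.example" must not pass.
    trusted = host == PROTECTED_HOST or host.endswith("." + PROTECTED_HOST)
    return parts.scheme == "https" and trusted


def should_block(url: str, fields: dict, salt: bytes, enrolled: bytes) -> bool:
    """True when the enrolled ID/PIN pair is about to go to a foreign site."""
    if is_protected_origin(url):
        return False
    values = [v for v in fields.values() if v]
    # The phishing form may use any field names, so test every ordered pair.
    for cid, pin in permutations(values, 2):
        if hmac.compare_digest(fingerprint(cid, pin, salt), enrolled):
            return True
    return False


# Constructed sample data: the credentials and URLs used here are invented.
SALT = os.urandom(16)
ENROLLED = fingerprint("48210077", "9135", SALT)  # only this digest is stored
```

Only the salted digest is kept on disk, so the guard can recognise the credentials without storing them; the origin check is the part most worth testing, since a suffix match without the dot boundary would wave a lookalike host through.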