Apr 17th

RSA 2009 Internet Banking Fraud and a boss with no silver bullets

Posted by: Paul Barnes

Banks are sceptical, and the PC security industry is to blame
I meet with a lot of banks, ten in the last 2 months. The subject, unsurprisingly... Internet Banking fraud. The audience in most cases are risk managers, security professionals or those in charge of retail banking - all have seen at least 10 security vendors in the last 2 months. There's always an air of scepticism, and who can blame them? After all, the reason they have an issue is because the PC Security Industry has failed to stop wave after wave of Internet banking Trojans that have cost them, well, literally millions. So, we start from a position of being damned by the failings of our predecessors. But wait, it gets worse than this... our CEO won't let me say I can solve their issues. In fact he often comes with me and starts with something like 'You know this malicious software epidemic you're fighting... well, we can't solve it'. The first time I heard this I thought he must be crazy. After all, nearly every other security vendor talks about 'total protection' or 'all you ever need security'.

Total Protection that isn't
After giving this some thought I remembered a business studies lecture which discussed marketing and, more specifically, advertising. Sadly, the conclusion was that successful adverts often overplayed the strengths of a product through illusion or bare-faced lying. Then the penny dropped: if Banks are suffering because of a failing of the Security Industry offering 'total protection' which patently isn't, maybe, just maybe, this 'we can't solve it' approach won't come as such a shock. It often solicits the response 'So what can you do to help?'

A new ZEUS Banking Trojan will pass right by most PC Security products for hours or days
I am fairly new to the security industry, but it is patently obvious that the industry's credibility is tarnished by its under-performance compared to the talents of Malware Inc. I get access to a lot of data that isn't publicly available which shows beyond doubt that no single PC security product will protect users from more than 70% of today's malware creations. In fact, in tests I have seen myself with ZEUS, just about any new ZEUS Trojan will walk right through most PC security products for hours or even days - more than enough time to do a lot of damage.

In the land of the blind, the one-eyed man is King
Coming back to the bit about my CEO and the answer to the 'So what can you do to help?' point, it seems that the most compelling part of the answer is when he says 'we can help you measure it, understand it and stop quite a lot of it'. That's when the penny dropped for me.

Banks trying to improve Customer Security make Enterprise Security look like 'a walk in the park'
I have worked with our Enterprise customers; their task is tough enough. But compared with the Banks' issues of Internet Fraud, securing an Enterprise is, I reckon, orders of magnitude easier. The enterprise owns the PCs, they employ the PC users, they dictate and control what is run, all PCs have reasonably up-to-date security, users are blocked from surfing dodgy web sites and the latest Microsoft security patches are mostly applied pretty quickly. Banks, on the other hand, have the ultimate in de-perimeterized networks with millions of customers. Banks don't know if their customer's PC has security, if it is up to date, if critical patches have been applied, if the PC is infected. Nevertheless they are about to transact with millions of customers every day with billions of dollars changing hands, not knowing who may be watching, or if any of those users was a cyber criminal just using the customer's credentials, their online session or other...

For a friendly chat about Internet Banking Fraud, drop by Prevx on stand 2732
So if you are going to RSA in SF next week, and you are interested in discussing Internet Banking Fraud, stop by stand 2732, and you can hear me say 'I can't solve your problem... but I may be able to help'.

We really can help you, here's how
And we really can help. We can help identify and remove malware from your customers' PCs, our Secure Browser will help protect against new, unidentified banking Trojans, our DNS triangulation and anti-phishing will really help keep your customers away from fake web sites hosted by criminals, and we can even tell your banking applications and risk engines quite a bit about how to reduce risk and avoid internet banking fraud.

I look forward to seeing you on the stand. If you're not going to RSA then drop me an email at sales@prevx.com. I look forward to chatting with you.
