Can You Bank on IE Security? - a BOL Team Special Report
- New Threat Targets 50 Financial Institutions
- Targeted FIs Identified
- Security Precautions
- CERT recommends not using Internet Explorer!
- Implications of the CERT Warning
- If Your Internal Users Switch Browsers
- If Your Customers Start Using Other Browsers
- Disclaimers for Web Linking
New Threat Targets 50 Financial Institutions
Fifty large institutions have been targeted.
Is yours next?
You've heard it all before, but in "tech talk", so read on because this is from bankers, to bankers.
A file named "img1big.gif" is actually an executable file that divides into two parts. One of those parts looks for logon information for Internet banking. Before the logon information is encrypted, a keylogger forwards that information to a designated location. Yes, your customers and employees may be at risk.
This time, the list seems to contain mostly large, foreign institutions. But the expectation is that this malicious code will be adapted and redistributed with other financial institution targets. This alteration would be simple to accomplish and the major security organizations are warning financial institutions to expect more of this in the future. The list below contains the names of the institutions currently targeted. But be careful. And be prepared. Your organization could be next.
How Do the Threats Work?
These latest threats exploit vulnerabilities with Microsoft's Internet Explorer and can automatically supply account and password information (through keystroke logging) to the perpetrator of the attack. This is not an email threat. This intrusion can happen unwittingly when a user visits an infected Web site and the offending file is downloaded and installed. All outward appearances lead the user to believe they are dealing with nothing more than an image - a harmless .gif file.
CERT recommends not using Internet Explorer!
Although these warnings are based upon specific threats, the level of danger has reached the point where the basic advice has changed. No longer are the major organizations suggesting that users merely download the latest patches, check their security settings, and scan their systems for viruses. This time the advice is: CHANGE TO A DIFFERENT BROWSER!
And the advice is not coming from any lightweight organization with a bias. This is coming from the most respected international security watchdog organizations. (See links below.)
The following advice is contained in this bulletin from CERT, the U.S. Government's Emergency Readiness Team. Examine the following list of action items.
- Disable Active scripting and ActiveX
- Apply the Outlook Email Security Update
- Read and send email in plain text format
- Maintain updated anti-virus software
- Do not follow unsolicited links
- Use a different web browser
Use a different browser?!
At BankersOnline.com, more than 95% of our users visit the site with some version of IE. That percentage may be in line with your experience on your financial institution Web site. What will it mean if your visitors begin using a different browser? This is not idle speculation. Major organizations and educational institutions have begun acting on the CERT warning. Strongly worded 'suggestions' are appearing in Intranet notices urging users to change browsers. Major media outlets are changing the tone of the advice from 'update your virus checking software' to 'consider using a different browser'. Have we reached the point where people will make a switch? And how many? No one knows for certain, but the recommendations are changing.
Security experts contacted by BankersOnline.com had this to say:
Lawrence T. Levine, managing director of SecurePipe, Inc. (a provider of managed network security for financial institutions) said, "You have to assume that in this interconnected world that the dangerous parts and the safe parts are virtually indistinguishable. This is absolute validation that financial institutions are absolutely a target of real cyber criminal activity. The smart bad guys do not wave guns around. Smart technology driven criminals do not break into your vault (because that is not where the money is). Even worse, smart technology driven criminals can steal your assets and damage your reputation without ever setting foot in your lobby. Right now these attacks target the top 50 banks. It is inevitable that the remaining financial institutions will eventually be targets. The criminals really don't care which banks and bank customers they steal from. They are more interested in finding easy targets. Unfortunately, many banks are easy targets. There are still broad gaps in the way that many banks manage their information security and even broader gaps in the way their end-users (customers) manage their security."
Kryptec.net's Lawrence A. Rowell says, "Organizations in today's environment must be prepared to deal with any form of security breach, whether it be through a virus, Trojan horse, worm or unauthorized access. How do you do this? Here are some suggestions:
- Have a thorough security assessment done on your company's critical infrastructure. This will determine if your organization is at risk to known vulnerabilities, ensure that your systems are patched properly, and determine if adequate access controls are in place.
- Assess and update your incident response plan frequently. When there is an emergency, you must know what to do and be ready to move.
- Ensure that your organization has the necessary resources in place to carry out your plan.
- After it is all over there should be time for a 'Lessons Learned'. Your IT staff should look at what can be done better and integrate these fixes into your incident response plan."
What Does This Mean for your Institution?
Customers: You'll need to think very carefully about the implications. Transactions committed in your Internet banking program may be unauthorized even when a valid username and password were used. Reg. E claims could skyrocket, and you face several risks here: reputational, as the customer blames you, and financial, as you may have losses to pay out.
You need to reassure employees and customers of your bank that your site is safe and secure, but that you have no control over other sites they visit. You need to ensure there is no malicious code embedded on your servers. You do need to address any concerns immediately and through informed staff. This means you need to have this information disseminated immediately. It should also be prominently posted on your Web site. Sometimes the best defense is a good offense. Don't assume it can't happen to your Web site or to your customers. Proactively tell them what is recommended: virus protection, updated programs and operating systems, spyware/adware detectors, and not allowing executable files to be installed (this may mean not running in administrator mode in XP). This is how this Trojan was caught in the first place.
Microsoft is releasing a configuration change for Windows XP, Windows 2000, and Windows Server 2003, to address some of these recent malicious attacks against Internet Explorer, also known as Download.Ject. More information is available at www.microsoft.com/presspass. Proactively, if your site was designed to work primarily with IE because that is what you recommend and what the majority of your customers use, you may want to rethink that strategy for the longer term. Attacks like this may well move users from one browser to another. But a first step is required.
Refer to the "Customers" section above, as employees are customers too. In addition, get the straight information and your bank's position on this disseminated to your employees immediately. They have to answer customer concerns and do so confidently without promising call backs. Changing your browser deployment enterprise wide may be more time consuming. In the interim you may want to consider limiting where your employees are allowed to surf, and execute your patch management procedures to ensure all the computers are up to date. This also relates to virus prevention mentioned in a prior Tech Alert and information security procedures you already have in place. As copycats duplicate these types of programs, you can't guess which passwords they'll be looking at next; perhaps VPN information? Your internal users may need to switch browsers. Some of the options available include:
There are two issues most users face when switching between browsers. The first is making sure that their favorite bookmarks are available to them when surfing the Web with a new browser. Bookmarks can be easily exported from IE and saved temporarily on your hard drive for later import into your new browser. If switching from IE to the Firebird browser this step is unnecessary, since Firebird automatically imports your IE favorites and stores them in a folder, not surprisingly, called Imported IE Favorites.
To export your favorites follow these steps:
- From the File menu, select Import and Export and follow the Wizard.
- You can export your list of Favorites as well as your Cookies, which are small files that web pages will leave on your computer so that the next time you visit a site it will remember you.
- You will be asked to specify the folders you wish to export, select the ones you wish to export.
- Select export to File or Address. You may browse your hard drive to select the appropriate folder for exporting. Name the file so you will be able to locate it for later importing into your new browser.
To import your favorites to Netscape perform the following steps:
- Open the Bookmarks menu and choose Manage Bookmarks.
- In your Bookmarks window, click a bookmark.
- Click Properties.
- In the bookmark Properties dialog box, click the Schedule tab.
- Use the pull down lists to specify how frequently you want Netscape to check the bookmarked page for changes.
- If you want to be notified when the bookmarked page changes, click the Notify tab and choose a notification option.
References for Importing Favorites from IE
Import Your Favorites from IE
Download Mozilla and Import your Favorites from IE
Download Opera and Import your Favorites from IE
If Your Customers Start Using Other Browsers
If your customers begin using a browser other than Internet Explorer, you will need to make sure your site will load correctly for them and all the functionality will remain intact. There are steps that you can take both in the short term and in the longer term. Consider the following:
Is your Web site compatible with other browsers? Your site may work fine with the latest versions of IE and Netscape, but have you tested all your pages with Mozilla and its different flavors such as the popular Firefox? You may have some work to do to ensure compatibility.
Do you remind your users when they leave your secure site? If your site has links to other Web sites, you want to make it clear to your users that they are leaving your secure site. You may also point out that when "https" is present or they see a "lock" icon in the lower right of their browser, they are in a secure site. Even setting this Trojan aside, they should always look for those signs when entering confidential information. If you use some other means you consider secure and those common signs do not appear, explain what you are doing to promote confidence in your procedures and the safety of their information. See the advice on disclaimers below.
Do you have any software that requires a specific browser? If your software requires IE, and the public decides to begin to use alternative browsers, you'll want to be ready with a solution. Investigate alternatives that do not require the use of a specific browser for compatibility. Reduce your dependence on IE-specific functions like ActiveX controls.
Help Your Customers
And what can you do for your customers and visitors to help them? Well, it would be nice if, once your site is tested for browser compatibility, you helped them with some of the issues that they will face. For example, how can they transfer their address book information and their favorite bookmarked sites? What security settings should be in place in those new browsers? The more information you can provide, the easier the transition will be for a customer who has heard repeatedly from national news sources that there are recommendations that they switch browsers. You can reassure them about your site's security, but you also have to adopt common alternatives your customers will now want. Provide information and links on browsers and browser add-ins that increase functionality as well, especially if it is required for optimal use. Employees may need video conferencing capabilities or spell checkers. These may require additional downloads to work properly. Your customers may face the same issues. Simply recommending they swim upstream and ignore recommendations they are hearing may not be the course you want to follow. Determine internally what your strategy will be, and get the word out to your customer contact employees and your Web site.
Resources and Links
We've provided an extensive list of resources to help both your institution and your users. Use these to help formulate a policy in the event that your institution decides to make a move away from IE, or, with equal importance, that your customers and visitors make that decision.
These sites offer tools that can aid you with browser compatibility checks
Browser Compatibility Testing Online - A simple, reliable, straightforward way to test your browser compatibility across the whole spectrum of possibilities.
Browser Compatibility Tutorial - Test your pages with HTML Toolbox and review its Browser Compatibility report.
Browser Compatibility Checker - The Browser Compatibility Checker is currently configured to test certain Microsoft Windows-based browsers.
The Template Store - Web Site Cross Browser Compatibility - How can I be sure my website is cross-browser compatible?
Netscape Gecko Compatibility Handbook - Netscape Gecko is a cross-platform browser engine, compatible with a number of Windows versions including Windows XP, as well as Mac.
Test Your Browser
etest associates - Web Browser Compatibility Testing Services - Experts in functional & browser compatibility testing for Internet & Intranet development projects.
Browser Compatibility Testing - a part of the functional testing phase of a digital media service.
Disclaimers Are More Important Than Ever
browser! It's difficult enough to police the pages on your own server, looking for any malicious code that may have been appended to them. It is virtually impossible, however, to guard against problems on a third-party's Web site. With the increasing sophistication of Trojans and worms, if your institution provides links to external Web sites, it is more important than ever for you to effectively warn your customer about the possible dangers of clicking.
This is an example of a pop-up box used in a Web site to indicate to the user that he is about to leave one Web site and go to another.
This particular pop-up box is taken from the Federal Reserve's Web site. When you click on the link on their Web site for the GPO version of the Federal Reserve regulations, this pop-up box appears.
Note that it requires the user to click "OK" to eliminate the box. This helps ensure the user's attention is captured.
Also note that the HTML coding was done in such a way that the "title tag" for the box reflects and reinforces the "leaving the Federal Reserve Web site" message.
Why is this type of disclaimer important? Because you don't want your bank's reputation to be harmed by poor server performance, malicious scripting, or inappropriate content on a site you link to.
You Might Not Want to Use a Pop-Up
In light of the fact that many individuals are employing pop-up blockers to ward off spyware and adware, using a pop-up box to deliver your disclaimer may not be the most prudent course of action. Instead, it may be desirable to build an intermediary Web page from each link. Clicking the link would take the customer to a Web page containing the disclosure. On that intermediary Web page, following the disclaimer, would be a button to signify the reader understands the warning. Clicking the button would then take them to the external site.
The Interagency Guidance on Weblinking has this to say:
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy policies do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. The conspicuous display of the disclosure, including its placement on the appropriate webpage, by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.
In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.
A "pop up" is a screen generated by mobile code, for example Java or ActiveX, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser. Frequently, those programs cause unsolicited messages to appear automatically on a user's screen. At times, the programs may be malicious, enabling harmful viruses or allowing unauthorized access to a user's personal information. Consequently, customers may reconfigure their browsers or install software to block disclosures delivered via mobile code.
In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, use of a speedbump avoids the problems of pop-up technology, because the speedbump is not generated externally using mobile code, but is created within the institution's operating system, and cannot be disabled by the customer. -- Interagency Guidance
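The "speedbump" design described above (the intermediary page from the earlier section and the Interagency Guidance just quoted) in working form, as an added example that is not code from BankersOnline.com or from any regulator. The page is plain server-generated HTML, so neither a pop-up blocker nor disabled scripting can suppress it, and the link id, allow-list, disclaimer wording and destination URLs are constructed for illustration. The one check worth copying is that the destination is looked up by id, never taken from the request, so the leaving-page cannot be turned into an open redirect that lends the bank's domain to a phishing link.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed allow-list of external links the institution has chosen to publish.
# The request carries only the short id; the URL itself never comes from the user.
APPROVED_LINKS = {
    "gpo-regs": "https://www.example.gov/regulations",
    "vendor-help": "https://help.example.com/",
}

# Constructed wording modelled on the guidance: limited role, no responsibility
# for the third party, and the bank's privacy policy does not apply there.
DISCLAIMER = (
    "You are leaving the Bank's website. The Bank does not provide, and is not "
    "responsible for, the products, services or content of the linked site, and "
    "the Bank's privacy policy does not apply to it."
)


class UnknownLinkError(ValueError):
    """Raised when the requested link id is not on the approved list."""


def resolve_link(link_id: str) -> str:
    """Map a link id from the request to its approved destination.

    Unknown ids (including anyone who passes a raw URL in the id slot) are
    rejected, which is what keeps the speedbump from being an open redirector.
    """
    try:
        target = APPROVED_LINKS[link_id]
    except KeyError:
        raise UnknownLinkError(link_id) from None
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise UnknownLinkError(link_id)   # defence against a bad allow-list entry
    return target


def render_speedbump(link_id: str) -> str:
    """Return the intermediate page: the disclaimer, then a continue control.

    Everything is static HTML; no script, Java or ActiveX is involved, so the
    notice shows even when the customer has blocked mobile code. The <title>
    repeats the leaving message, as the Federal Reserve example above does.
    """
    target = resolve_link(link_id)
    host = urlsplit(target).netloc
    return (
        "<!DOCTYPE html><html><head>"
        "<title>You are leaving the Bank's website</title></head><body>"
        "<h1>You are leaving the Bank's website</h1>"
        f"<p>{escape(DISCLAIMER)}</p>"
        f"<p>Destination: <code>{escape(host)}</code></p>"
        f'<p><a href="{escape(target, quote=True)}" role="button">'
        "I understand, continue</a></p>"
        '<p><a href="/">Return to the Bank</a></p>'
        "</body></html>"
    )
```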
In the Longer Term
As banks try to avoid these issues in the future, additional security considerations will be made so there is less reliance on only password authentication. Certain Web sites may require a biometric authentication such as a thumbprint first. Readers for this are becoming more affordable and could be incorporated with today's technology. You may also consider dual factor authorizations. Some foreign companies now send a scratch-off card to their customers. That card has codes on it that may only be used once. The bank is able to use this code in conjunction with the user's information to verify authenticity of the user. When the user is near the end of the card, they request another card to be mailed to them. No electronic virus or Trojan can access the scratch-off card in the user's physical possession. But this is futuristic and there are other problems to address today. Deal with today, and then plan for the future.
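The scratch-off card scheme just described, as an added example (not code from any bank or from BankersOnline.com), showing the server side of a one-time code card: the bank stores only salted hashes of the printed codes, picks which panel to ask for, accepts each code once, locks the card after repeated wrong guesses, and flags when the customer is near the end and should request a new card. Card size, reorder threshold, failure limit and the PBKDF2 work factor are assumed values.

```python
import hashlib
import hmac
import secrets

CARD_SIZE = 50       # codes printed on one card (assumed)
REORDER_AT = 5       # remaining codes at which the customer is told to request a new card (assumed)
MAX_FAILURES = 5     # wrong guesses before the card is locked and must be reissued (assumed)
ITERATIONS = 20_000  # PBKDF2 work factor (assumed)


def _hash_code(salt: bytes, code: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)


def issue_card(card_size: int = CARD_SIZE):
    """Create a card for one customer.

    Returns (codes, record): `codes` is what is printed under the scratch-off
    panels and mailed; `record` is what the bank stores. Only salted hashes and
    a used-flag per position are kept, so a copy of the database yields no codes.
    """
    salt = secrets.token_bytes(16)
    codes = [f"{secrets.randbelow(10**8):08d}" for _ in range(card_size)]
    record = {
        "salt": salt,
        "hashes": [_hash_code(salt, c) for c in codes],
        "used": [False] * card_size,
        "failures": 0,
        "locked": False,
    }
    return codes, record


def remaining(record) -> int:
    return record["used"].count(False)


def next_position(record):
    """The bank, not the customer, chooses the panel to ask for, so a code
    captured by a keylogger during one session cannot be replayed in the next."""
    for i, used in enumerate(record["used"]):
        if not used:
            return i
    return None


def verify_code(record, position: int, code: str) -> bool:
    """Accept the code at `position` once; after that it is spent.

    Runs after username/password have already been checked: this is the second
    factor layered on top of the login that a keylogging Trojan can steal.
    """
    if record["locked"] or not 0 <= position < len(record["hashes"]):
        return False
    if record["used"][position]:
        return False                       # replay of a code already spent
    ok = hmac.compare_digest(record["hashes"][position],
                             _hash_code(record["salt"], code))
    if not ok:
        record["failures"] += 1
        if record["failures"] >= MAX_FAILURES:
            record["locked"] = True        # card must be reissued by mail
        return False
    record["failures"] = 0
    record["used"][position] = True
    return True


def needs_new_card(record) -> bool:
    """True when the customer should request the next card."""
    return record["locked"] or remaining(record) <= REORDER_AT
```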
First published on BankersOnline.com 7/2/04