Banks’ own systems have to be rock-solid — but banks’ customers’ computers are a different story.
In an era where more customers connect to banks digitally every day, a secure connection between the two systems is essential, but this can be difficult since customer devices are outside the banks’ control. Problems experienced while attempting to connect to banks’ systems may be blamed on the banks, even if the customer’s own infected machine is the cause.
An Israeli firm called Namogoo notes that as many as 30% of customers could be vulnerable to invisible client-side malware attacks due to infected systems. Namogoo’s solution offers a “session firewall” to ensure a secure connection between client and server — the customer and the bank.
Bad actors “will use you [the customer] as a vector to attack the bank,” said Chemi Katz, co-founder and CEO of Namogoo. “They attack the server through the client side and inject malicious code to compromise the session. This could take the form of invisible toolbars or the like that the user never sees, and may be invisible to the bank as well.”
Client systems could be compromised for many reasons, but common ones are malicious files they have downloaded and insecure WiFi sessions, Katz said. The malware may inject itself into bank pages containing forms, for example, to present extra fields for harvesting card numbers and expiration dates. Compromised sessions, no matter the cause, damage trust with the bank, Katz said.
Malware follows user patterns and is growing on mobile devices, including iPhones, Katz noted. Apps are a different story, but browser-based mobile sessions are no more secure than online sessions, and are more likely to take place over public WiFi networks.
Namogoo counters this threat by adding JavaScript to bank webpages. The code calls out to software that knows which behavior is expected and which is not, and can halt sessions where malicious activity is taking place, or alert system administrators. “Some software we block in realtime, and sometimes we alert in realtime,” Katz said. Namogoo uses machine learning to understand what is legitimate and what may be malware, and its protection improves over time. This is crucial, as hackers are improving and innovating over time too.
“The software we decided to develop requires no installation,” Katz said. “Customers don’t need to do anything. It is deployed on the session itself. No install or uninstall is needed for the customer.” Integration on the bank side is likewise quite lightweight and simple.
Namogoo has been live in other industries, such as online retail, for two years and is now beginning to serve banks with a product called CyberKnight.
As banks’ means of connecting with customers proliferates, hackers will follow, and so must cybersecurity firms. “Our focus is on detecting code on browser pages that is not served by banks,” Katz said. Even in external channels such as Skype, Namogoo could check for code injections, but for now it is focused on browsers.