Malicious software (malware) is currently a serious threat to both commercial and retail online banking. As many as one in four computers in the U.S. is infected by malware. The malware most relevant to online banking fraud are of the Trojan horse variety (Trojans). These install themselves on user machines and then may enable a controller to record data from an infected machine (e.g., key loggers), listen in on conversations (e.g., Man in The Middle or MiTM), or even hijack a session from within a browser (e.g., Man in The Browser or MiTB).
Trojans, as their name implies, are not perceived by the user. They are able to record keyboard entries at given web sites, and thereby steal the users' userIDs and passwords. They are also able to change transactions as they occur, thus the user may think he is performing a legitimate transaction (e.g., paying a bill) but in reality he is sending money to an offshore account. Trojans also allow session hijacking, whereby a remote fraudster performs transactions via the user's infected machine.
This invisible presence allows Trojans to circumvent most current strong authentication models (e.g. one time passwords and certain out of band interactions). In particular, it may be possible for a fraudster to use Trojans both to steal credentials and clean out accounts. For example, in a MiTB attack, a fraudster may use a key logger to steal the user identifier (and, sometimes the confidential password) from a bank and hijack the individual's account by secretly altering user transactions while presenting fictitious transaction confirmation data to the user. Furthermore, the fraudster may take over user's account and clean out his checking account.