Malicious software (malware) is currently a serious threat to both commercial and retail online banking. As many as one in four computers in the US is infected by malware. The malware most relevant to online banking fraud is of the Trojan horse variety (Trojans). Trojans install themselves on user machines and may then enable a controller to record data from an infected machine (e.g., key loggers), listen in on conversations (e.g., Man in the Middle or MiTM), or even hijack an HTTP session from within a browser (e.g., Man in the Browser or MiTB).
Trojans, as their name implies, are not perceived by the user. They are able to record keyboard entries at given web sites and thereby steal users' user IDs and passwords. They are also able to change transactions as they occur, so that the user may believe he is performing a legitimate transaction (e.g., paying a bill) when in reality he is sending money to an offshore account. Trojans also allow session hijacking, whereby a remote fraudster performs transactions via the user's infected machine.
This invisible presence allows Trojans to circumvent most current strong authentication models (e.g., one-time passwords and certain out-of-band interactions). In particular, a fraudster may use Trojans both to steal credentials and to clean out accounts. For example, in a MiTB attack, a fraudster may use a key logger to steal the user identifier (and, sometimes, the confidential password) for a bank and hijack the individual's account by secretly altering user transactions while presenting fictitious transaction confirmation data to the user. Furthermore, the fraudster may take over the user's account and clean out his checking account.
In some secure models, users work from a secure virtual environment, taking the form of a disposable virtualized browser environment, which prevents direct interaction between the malware and the online banking site. Such operation protects users from identity theft and misuse of credit information. A user of a bank may download a client interface to the disposable browser environment, using strong authentication methods such as an out-of-band phone call or a one-time password generated by a token to enable the download of the interface. The user may also use a secure login process, which includes an authentication server authenticating users of a banking site. A similar approach is described in pending U.S. patent application Ser. No. 12/854,641 by Asaf Shoval, Orit Yaron, and Yedidya Dotan, filed on Aug. 11, 2010, the teaching and contents of which are fully incorporated herein by this reference.
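One way an authentication server could gate the download of the disposable browser client on a token-generated one-time password, as an added example that is not part of this application or the referenced one. It assumes an RFC 6238 TOTP token with a 30-second step, a one-step clock-skew window, and single-use download tokens valid for 60 seconds; the secret and timestamps are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def totp(secret: bytes, step: int = 30, digits: int = 6, now: Optional[float] = None):
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation). Returns (code, counter)."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}", counter


class DownloadGate:
    """Hypothetical authentication server: releases a short-lived, single-use
    download token for the disposable browser client only after a valid OTP
    that has not been accepted before (each time-step counter is used once)."""

    def __init__(self, secret: bytes, window: int = 1, step: int = 30, ttl: int = 60):
        self.secret, self.window, self.step, self.ttl = secret, window, step, ttl
        self.used_counters = set()   # replay protection for already-accepted OTPs
        self.tokens = {}             # download token -> expiry (unix time)

    def verify_otp(self, code: str, now: Optional[float] = None) -> Optional[str]:
        """Return a download token if `code` is valid and unused, else None."""
        now = time.time() if now is None else now
        base = int(now // self.step)
        for c in range(base - self.window, base + self.window + 1):
            expected, _ = totp(self.secret, self.step, now=c * self.step)
            if hmac.compare_digest(expected, code) and c not in self.used_counters:
                self.used_counters.add(c)          # this OTP can never be replayed
                tok = secrets.token_urlsafe(32)
                self.tokens[tok] = now + self.ttl
                return tok
        return None

    def redeem(self, tok: str, now: Optional[float] = None) -> bool:
        """Consume a download token; valid only once and only before expiry."""
        now = time.time() if now is None else now
        expiry = self.tokens.pop(tok, None)
        return expiry is not None and now <= expiry
```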