E-commerce heads in the sand

Infoworld.com’s security adviser columnist and contributing editor Roger Grimes loves his job. And why not? As senior instructor and consultant at security consultancy Foundstone, he “teaches good hackers how to hack like bad hackers.” Even better, he gets paid by vendors to break into their businesses (electronically, of course), then report back on what holes he found. “It’s usually trivial, a few hours’ work at most,” he says.

Given Grimes’ unusual job description, it’s hard to find a security exploit that can shock him. Yet a recent discovery sent him reeling. “I was consulting for a bank,” he says, “and someone asked me to take a look at a Trojan that had infected 100 bank clients.” The malware was secretly siphoning money out of customers’ accounts, something he’s seen plenty of times before. But there was a kicker: The reassuring SSL lock icon -- that guarantor of a secure e-commerce experience -- appeared intact on these customers’ browser screens.

Turns out, Grimes had stumbled on a sophisticated type of Trojan that sidesteps SSL, avoiding authentication and working in the background to steal money, all the while making it appear as if the session were protected by SSL. The implications, Grimes realized, could be devastating, as consumer confidence in online banking and e-commerce in general rests largely on the assumption that SSL means safety.

Grimes began digging into these nasty SSL-evading Trojans (see "E-Commerce in crisis: When SSL isn’t safe"), and discovered that they had been around for a while, yet almost no one had heard of them. Worse, those who had didn’t seem all that interested in doing anything about them.

The problem, according to Grimes, is that banks and other businesses that support online transactions have bought into two-factor authentication; it’s perceived as the silver bullet for stopping e-commerce fraud. Yet such measures won’t stop this kind of Trojan, which bypasses authentication tunneling mechanisms. The solution is to take a page from the credit card companies’ playbook, aggressively monitoring transactions in real time, and demanding further authorization for moves that look fishy.

Unfortunately, in talking to regulators and many people who form bank security policy, Grimes kept hearing the same story. “They’ve put so much effort into pitching authentication that they simply can’t sell the brand-new idea of transactional authorization to their bosses,” he explains.

The stakes are huge, potentially billions in cash. Then there’s the lost opportunity costs to businesses, which could mount quickly if consumers lose confidence in e-commerce and stop making purchases online. “The attackers are moving faster than the defenders are willing to move,” Grimes says. “But no one will do anything about this until it gets too bad. We’re going to be reactionary sheep as usual.”