August 14, 2012
Safe Money: A Virtual Safe for Virtual Money – that Actually Works.
Apart from petty cash carried on the person, where in general does money mostly get stored?
Sure, gangsters still prefer cash stashed in a grubby cubby hole, while grandma still resorts to the trusty in-a-stocking-under-the-mattress option. But in most other cases the sensible move is to have cash converted into non-cash funds – or virtual money – ASAP, and put in banks and the like, where it can at least earn a bit of interest. And banks tend to keep cash in big safes. With this sensible option today come various useful knick-knacks like online banking, online shopping, and online just about whatever.
Of course, wherever lots of money and the Internet are closely connected there’ll always be plenty of cyber-scoundrels close by trying to get at that money – be it in folks’ current, savings or credit card accounts. And we’re not talking here about an occasional threat posed by a pair of unwashed, long-haired marginals from da cyber-underground either. It’s a real serious problem on a worldwide scale. A well-organized and smoothly running criminal industry with a multi-billion dollar turnover. It’s no wonder then that the security of financial transactions on the Internet has become the No. 1 problem (pdf) in the world for the majority of users.
Now, just like with banks with safes for paper money, this virtual money accessed via the Internet could also do with a safe – a virtual one, but one no less secure than a high-tensile steel armor-plated one. So let me tell you about our new Safe Money technology, which will be appearing in the next version of KIS towards the end of August/the beginning of September (depending on the country).
Before going through the details and advantages of Safe Money, it’s probably best first to look at how the cyber-swine try to get their grubby mitts into your virtual pockets. Or, less figuratively, to get at your user logins and passwords to access your online banking and other ‘monied’ accounts.
So, three ways the cyber-baddies tend to break in:
- Infecting the computer of a victim with a Trojan to thieve data, take screenshots, and log keystrokes. Infection frequently occurs via a vulnerability in popular software;
- Phishing and social engineering: imitating genuine online stores, bank websites, dialog boxes, even telephone calls, etc.; and
- Different high-profile attacks like sniffing, DNS/Proxy server substitution, fraudulent certificate use, etc. to intercept traffic using man-in-the-middle attacks, and also man-in-the-browser threats, wardriving, etc.
And now – another threesome: the three main problems in terms of security against financial cyber-fraud:
- a lack of reliable site identification;
- a lack of trusted connections via the Internet between online services and clients; and
- a lack of guarantees that software installed on a computer doesn’t contain vulnerabilities that could be exploited by malware.
Luckily (for some), many aspects of this problem are comfortably dealt with by the latest Internet Security-class protection products. Only the most slothful of IT Security vendors these days don’t offer built-in protection against phishing; however, the quality of protection is another matter. But this is in no way enough to be safe in real life scenarios (about scenarios – see below). Still, the majority of products don’t have all the necessary features to provide fully comprehensive protection. What’s worse, the features they do have don’t work together harmoniously in solving specific problems, even though what’s really needed here is a multi-faceted, wide-spectrum “medicine”.
And so, if you’ll please now welcome onto the stage… Safe Money technology!
Safe Money resides in the upcoming version of KIS. What you do is enter the address of an online service that uses money and needs to be protected (a bank, store, auction system, payment system, etc.). Or you can choose a site from the built-in database, which includes 1500 different banks and 84 domains. On entering the site you need to choose the “Run the protected browser automatically” option, and from then on all sessions with that site are automatically launched in a special protected browser mode.
So what does this here protected browser mode do then?
First off, it brings the user a whole range of anti-phishing technologies, including site reputation checking with our cloud-based KSN (video, details) plus heuristic analysis of sites. This way, even if a cyber-crook dupes a user with an e-mail supposedly from his bank and has him or her open a fake site, Safe Money recognizes the attack, warns the user thereof, and blocks the threat. And it goes without saying that spoofing (substituting site names) won’t get past Safe Money either.
Second, the new KIS checks the validity of digital certificates (again with the KSN database) to establish genuinely trustworthy, secure connections with sites and prevent the use of fake certificates.
Third, with each launch of a site KIS runs an express scan of the operating system to uncover critical vulnerabilities that can be used by cyber-baddies to attack the computer and bypass standard protection. If a vulnerability is found the user is informed and advised to run the Windows updater to download and install updates and “fix the hole”.
And finally, the protected browser includes enhanced Application Control (HIPS) specially for websites, and protects input characters with the help of (i) our virtual keyboard inherited from earlier versions of our products, plus now (ii) new Secure Keyboard technology, which protects against keyloggers at the driver level of the operating system.
So – as you’ll have gathered, with Safe Money we’ve come up with integrated, multi-layer protection tailored specifically for the fight against financial fraud and specialized malware. What’s important to note is that the protection synchronizes all the components of the product (including [did I forget to mention?] Automatic Exploit Prevention for blocking both known and unknown attacks via vulnerabilities) to enable safe web operations with online money-services. Put simply, under the “management” of Safe Money, various protective technologies don’t work on their own anymore. On the contrary, they work together, jointly, exchanging information among themselves – following a unified strategy, but with each carrying out its own particular task.
There are a number of other advantages that come with Safe Money:
The technology is fully transparent to users. You don’t need to manually switch on a specially protected mode each time – it occurs automatically, while the browser visually signals activation of the protected mode by highlighting the window, just so you can keep track of what’s going on. The technology doesn’t have any settings that need adjusting and doesn’t pester the user with superfluous questions. All the user gets is a warning about attacks being blocked. And yes, of course, Safe Money is compatible with the most popular (thus, most attacked) browsers – Internet Explorer, Chrome and Firefox.
And now for the real life scenarios touched upon above.
We asked authoritative independent Czech laboratory Matousec to conduct a comparative test emulating the most widespread attacks on online money-using services to check the quality of virtual safes in various security products. Matousec tested 15 common scenarios (pdf) and looked at how 14 different products dealt with them:
As you can see the security situation on the whole is pretty dismal. Half of the so-called virtual safes prevented hardly any attacks at all, while at the other end of the spectrum 100% results were returned – by just two products, one of which was Safe Money-powered KIS. The second product, btw, is a highly tailored, narrow-application solution for online banking (the only one of its kind in the testing), which banks give out for free. It contains no – zero! – useful features for complex protection from other types of threats.
It might seem logical at this point, at least to those who’ve a bit of experience of using online banking, to ask what’s the point of all this Safe Money technology, since banks worth their salt use multiple-factor authentication, one-time passwords, SMS notifications and secure connections, run password strength checks, and even sometimes provide virtual keyboards. Maybe Safe Money is redundant?
Well, it’s true that the salt-worthy banks have been doing a good job in improving security with the above-listed measures. Good work! But…
First, like banks, cybercriminals also don’t stay in one place all the time; they are continually learning to get round the methods for confirming online operations. For example, there’s ZeuS-in-the-mobile – bespoke-tailored malware for stealing one-time access codes sent via SMS.
Second, alas, there aren’t that many salty banks around at the mo. And when it comes to online stores – they’re all generally real bad: stores’ main interest is not security but usability; thus security is real lax. One just has to look at Amazon and its 1-Click Ordering for processing an order and paying with a card: all that’s asked of you is to enter a password!
And last but by no means least, while money operations on the Internet are already highly susceptible to attack, the threats to them are among the fastest developing and most unpredictable. Therefore, an extra layer of protection will never go amiss.
So, here’s looking forward to the new KIS launch!