Malware threats continue to advance in online banking - what is the legal position on this?
by Svenja Koch
Online banking Trojans - what is the danger posed by this threat?
Phishing and Trojans themselves are not a new phenomenon. Cybercriminals have been trying to steal user data using these methods for many years. The focus on online banking, on the other hand, has increased significantly in recent years. Nokia's Threat Intelligence Report 2021 speaks of an 80 percent increase in the first half of 2021 compared to the same period last year. The attackers are concentrating on South America and Europe, so online banking users in this country are also under threat. In this context, new and highly sophisticated malware has also emerged. These online banking Trojans are targeted at the banks' special login procedures, apps, and websites. This makes the current situation even more threatening.
One reason for this is the increasing prevalence of online banking. While it used to be mainly young, tech-savvy users who did their banking online, online banking users now come from all age groups. The Corona pandemic has also contributed to an increase in online banking. Older people, in particular, are vulnerable to phishing or fail to recognize online fraud attempts.
What methods do online banking Trojans use to steal credentials?
There are various techniques that cybercriminals use to target online banking users. One of the oldest methods is phishing. Here, the attackers try to get the victim to voluntarily enter the online banking access data on a fake website. For this purpose, the attackers mainly use e-mails and SMS. These messages contain links to websites, some of which perfectly imitate online banking sites. If the victim tries to log on to the fake website, the access data ends up with the cybercriminals. They then use the data to log in to the actual bank and use it to confirm transfers.
Pharming is a further development of phishing. Here, the hackers manipulate the browser or the hosts file in the victim's operating system. The target is the DNS system. DNS is responsible for resolving web addresses entered in the browser to the correct destination. If the attackers succeed in redirecting these DNS requests, the user does not get to his bank's website but to a fake version set up by the hackers. Pharming is dangerous because the victim does not make a mistake at that moment. Even if he types the bank's Internet address into the browser by hand, he will get to the fake website. Moreover, the attackers do not need to know the bank where the victim is a customer. It is possible to redirect the DNS queries for a large number of the known banks and thus increase the chance of hits.
To infect a system for pharming, it is necessary to compromise the computer with malware beforehand. This gets onto the victim's computer either via attachments in e-mails, via drive-by download on infected websites, or via messages with links to appropriately manipulated downloads.
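The hosts-file manipulation described above can be checked for directly. The following is an added example, not part of the original article: it scans hosts-file text for entries that pin a watched banking domain (or a subdomain) to a fixed address. The domain names and addresses are constructed placeholders; on a real system the input would be the contents of the operating system's hosts file (typically /etc/hosts on Linux and macOS).

```python
import ipaddress

# Assumption: placeholder bank domains; replace with the domains you actually use.
WATCHED_DOMAINS = {"bank.example", "onlinebanking.example"}

# Constructed sample hosts file using documentation-range addresses.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.corp.example   # unrelated entry
203.0.113.66    www.bank.example login.bank.example
203.0.113.66    ONLINEBANKING.EXAMPLE.
0.0.0.0         ads.tracker.example
not-an-ip       bank.example
"""


def is_watched(hostname, watched):
    """True if hostname is a watched domain or a subdomain of one."""
    host = hostname.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in watched)


def find_hosts_overrides(hosts_text, watched=WATCHED_DOMAINS):
    """Return (line_number, address, hostname) for every hosts entry that
    overrides DNS resolution of a watched domain."""
    findings = []
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) < 2:
            continue                            # blank, comment-only or no hostname
        try:
            address = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first column is not an IP address
        for hostname in fields[1:]:             # one line may carry several names
            if is_watched(hostname, watched):
                findings.append((lineno, str(address), hostname.rstrip(".").lower()))
    return findings


if __name__ == "__main__":
    for lineno, address, hostname in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"line {lineno}: {hostname} is pinned to {address}")
```

A bank's domain has no reason to appear in a hosts file on a normal client, so any finding deserves investigation before the machine is used for online banking again.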
Particularly treacherous are the different variants of banking malware that hackers use. The cybercriminals also initially place these on the victims' systems via manipulated messages with links. It is this form of online banking Trojans that has proven to be very successful recently. Primarily smartphones with the Android operating system are affected. Android is open source, and the store through which apps can be downloaded and installed is less controlled than that of the competitor, Apple's iOS. Thus, online banking Trojans potentially hide in apps that users download from the official store as well.
This banking malware uses different techniques to obtain online banking credentials. It can often redirect users to fake websites when they visit their bank's page. Another option is invisible overlays. The banking malware places them directly above the input fields in online or mobile banking. The user enters his credentials in good faith, but the login fails. The malware intercepts the input and sends it to the hackers. Banking malware that captures keystrokes works the same way: it records all keyboard inputs and transmits them to the hackers. This way, the attackers obtain the login details for online banking.
How do attacks with online banking Trojans work?
Banks use a few different techniques to authenticate users. The goal is to implement login procedures that are as secure as possible and cannot be hacked. That is why, for example, simple systems with a password are not in use because they do not provide enough protection.
Instead, banks generally use login procedures with one-time keys. Here, transmission takes place in real-time to confirm transactions. In practice, this is implemented with a combination of PIN and TAN. The PIN is a fixed identity that is unique to the respective user. If login to the bank takes place with the PIN, online banking verifies the user's identity via two-factor authentication. For this purpose, the customer's account is connected to his smartphone. Here, the bank requires confirmation from the user that it is indeed him and that a login has just occurred. Only after confirmation by the user does online banking grant access.
For example, if the user makes a bank transfer, the bank sends a TAN to the smartphone. The user must then enter this TAN in online banking to confirm the transfer. Other methods, especially in mobile banking, run entirely in the app. The app then also requires confirmation of every action by the personal PIN or a TAN.
In theory, these login methods are very secure. As long as an online banking Trojan does not compromise the smartphone or PC, this is true. However, suppose the criminals have infected the computer or cell phone through phishing or other methods. In that case, the attackers will also outsmart the secure two-factor authentication, for example, with the help of online banking Trojans that place an overlay over the app. The victim then believes that he is entering the mTAN he has just received and confirming a transfer. The entry ends up with the criminals. They now have the PIN and TAN. Even if the mTAN is time-limited, the criminals have such professional structures that the victim's account is plundered within a few minutes.
Online banking case law - why aggrieved parties often do not receive compensation
In principle, injured parties are entitled to compensation because they are victims of fraud. In practice, however, the case law in online banking looks different. There have already been several court decisions in the past when banks have refused compensation. The case law in online banking often went in favor of the banks.
One example from 2012: in the case heard by the Federal Court of Justice, a victim sued for 5,000 euros that had been stolen from his account. The criminals had stolen several TANs that are required to confirm transactions. With these TANs, the cybercriminals had made transfers from the victim's account. It turned out that the victim had entered these TANs on a fake website that the cybercriminals had set up. First, the bank had placed a warning against phishing on its website. Second, the Federal Court of Justice ruled that there had been a negligent breach of due diligence by the bank customer in this case. The decision states that it was evident to the customer that this was not a typical transaction. The criminals' website prompted him to enter ten TANs as well as his PIN and account number. It is never necessary to enter ten TANs to carry out a transfer.
Since 2009, the case law in online banking has been based on the fact that consumers are liable themselves in the event of grossly negligent behavior. However, the Act on the Provision and Use of Payment Services (sections 675j - 676c of the German Civil Code) is silent on exactly when grossly negligent behavior exists. Thus, in the case of online banking, case law must decide on a case-by-case basis whether a bank customer acted negligently or whether it was not apparent to him that his bank data had fallen into the hands of criminals.
What measures offer protection in online banking?
Attachments in e-mails are dangerous because this is the way attackers start phishing attempts. As long as the sender and the attachment are not 100 percent trustworthy, opening them is not advisable. Links in messages that supposedly come from your bank are also a clear sign of phishing. It is crucial always to enter the address of your bank in the browser yourself and check it each time before interacting with the website. Anyone who does not do this is acting negligently according to online banking case law.
It is equally important to make sure that the system is up to date. This includes, in particular, the operating system, the browser, and anti-virus software. If there are signs of infection, the use of the computer or smartphone for online banking is ruled out. Before that, the system must be free of malware and viruses. In case of doubt, only a complete reinstallation of the operating system offers absolute security.
Online banking has always been at risk from cybercrime. Even the comparatively high security of the systems does not deter the hackers. For one thing, attackers have refined their phishing methods. Nowadays, fake messages and websites are much harder to distinguish from the real ones than they were a few years ago. For another, the hackers know the most significant security hole in the system - the user. The case law in online banking also invokes this source of error. Since banks have consistently implemented very strong security measures to verify the user's identity, the blame usually lies with the customer. In practice, it is almost always the customer's compromised system that has allowed the cybercriminals to access the bank account. Thus, a claim for damages is futile in many cases. For this reason, only absolute caution and up-to-date security techniques protect users in online banking.