Australian security firm TrustDefender is expanding into fraud detection with the release of software designed to spot banking Trojans that manipulate web sessions. Variants of the ZeuS Trojan and other strains of malware use tricks such as installing phoney dialogue boxes when users log into online banking sites from malware- …
js-based diff as malfeasance detection tool
Well, as a tool it looks fairly useful. As a workflow enhancement it's that more popups. Dashboards that let you keep an eye on all sorts of things that you really shouldn't need idem dito. They're useful more from an engineer's viewpoint than from a user's viewpoint.
Also likely useful mostly from an engineer's viewpoint would be something that made transparent just what came from where on the page. Including pictures and other content from a wildly different domain is /de rigueur/ these days, but it does little but subvert the notion that what you see on the screen is from where the address bar says it is from, too.
How to translate all that into something truly useful for DAUs, avoiding creating yet more GWF type trouble, is something the various "it security" firms should concentrate on. But they're not doing it, at least not that I can see. It's really quite depressing how unimaginatively the IT security business innovates.
It's a mostly-futile arms race...
As soon as there's something untrustworthy in the channel between the bank and its client, all bets are off. No sort of checking is infallible if the trojan software can modify the input to and/or output from the checks. And since trojan writers aren't constrained by release cycles, beta-testing and customer acceptance procedures, they can usually turn round a response to the latest threat (as they would see it) rather sooner than a legitimate developer.
Banks are desperate for a "magic bullet" to solve the trojan problem because their customers (with their nasty infected insecure PCs) are resistant to the inconvenience of out-of-band verification and banks are resistant to having to issue and support additional PC hardware like smart cards. They're likely to remain desperate unless they start to have some serious conversations with each other and with the browser developers.