In the arms race between malware writers and your bank for control of your online account, the game is akin to Whack-A-Mole, and the criminals have a big advantage — at least for now.
"These guys are well ahead of the security community," said Karim Hijazi, CEO of Unveillance, a Wilmington, Del., company that provides computer security for corporations and specializes in eliminating malware. "They can make mistakes, but we can't. One error on our part is a mess."
Cybercriminals, in other words, can practice all they want, and it doesn't matter if they fail. A bank that fails only once in its defenses, on the other hand, can lose millions of dollars and end up with just as many compromised accounts.
It might sound like the situation is hopeless, but it isn't completely. That's because it's not the bank itself that's the problem. Often, it's the customer.
The preferred route: Banking Trojan botnets
There are several kinds of attacks, but the most popular use variations on botnet-creating, information-stealing Trojans. A botnet Trojan is a small program that first infects a computer and then, acting in concert with others of its kind, sends information from infected computers to remote servers.
Botnet Trojans, whether or not they're programmed to steal banking credentials, often get into computers when a user opens a corrupted email attachment or visits a compromised website.
When thousands of copies of a botnet Trojan have been installed on computers all over the Internet, you get a network of machines under the remote control of a cybercriminal — a botnet. The owners of the infected machines usually aren't even aware that anything wrong is happening.
In some cases, botnets are used to mount distributed denial-of-service (DDoS) attacks, send out spam emails or even crack encrypted data. Banking Trojan botnets, which so far are known to only infect Windows PCs, are used specifically to snag login credentials to PayPal or to online bank accounts.
Banks are constantly refining online account security by coming up with new methods for authenticating users. These methods include having users type in passwords using an onscreen keyboard, sending text messages to users' phones, asking identity-verification secret questions and issuing electronic keyfobs that generate random authentication tokens. Two or more verification methods are often combined for even greater security.
Attacking the user
Facing such obstacles, online criminals have turned instead to hijacking bank clients' computers, which is a lot easier than attacking the bank itself.
"It is incredibly hard to control what computer users come in from," said Josh Daymont, principal of Atlanta-based Securisea.
It's also easier for criminals to attack a client's computer than to try to listen to unencrypted wireless traffic.
Classic "man-in-the-middle" attacks do occur in which a criminal will secretly position himself between a customer and his online account, but listening to data traffic in a coffee shop or airport might snag only a few passwords.
A good banking Trojan, such as Zeus or its rival SpyEye, is much more sophisticated. Thousands of times per day, banking Trojans embed themselves into unsuspecting users' Web browsers, silently wait until they log into banking websites and then send the login credentials to remote servers operated by cybercriminals.
In a matter of days, such "boy in the browser" attacks, if well-distributed, can snag a million sets of account details, which can then be re-sold on the black market. Banking Trojans are inexpensive to buy and run, making such operations much more profitable than staking out airport departure lounges.
"Credential stealing is really the forte of [cybercrime] mafia groups," said Dave Aitel, chief executive officer of Immunity, Inc., in Miami Beach, Fla.
Aitel points out that all users will sooner or later make a mistake and click on the wrong link or open the wrong attachment.
"Ultimately, there's no really good way to stop people from stealing credentials," he said.
Fighting back: Traffic cops
To fight this kind of attack, many security pros are turning to analyzing network traffic in and out of corporate servers. For instance, rather than try to eliminate malware directly, some companies look for the traffic patterns that give away a banking Trojan like Zeus.
"We have these tools that can analyze net traffic to see if there's anything that points to suspicious activity," said Tak Chijiiwa, principal consultant at Toronto-based Security Compass. "It's a way to become a bit more preventative and reduce the window of opportunity [for data thieves]."
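One of the simplest traffic patterns that gives a botnet Trojan away is the regular "check-in" to its control server: the same infected host contacting the same destination at fixed intervals with near-identical payload sizes. The script below, an added illustration rather than code from any of the firms quoted in the article, runs that check over a handful of constructed connection-log lines (the hosts, addresses and timestamps are invented for the example, and the field layout, the 10% timing-jitter threshold and the four-connection minimum are assumptions). It flags source/destination pairs whose inter-connection timing is too regular to be a person browsing.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Fields, in an assumed layout:
# timestamp  source-host  destination:port  bytes-sent
# host-a talks to 198.51.100.7 every 5 minutes with ~410 bytes each time,
# which is what a Trojan polling its control server tends to look like.
SAMPLE_LOG = """\
2011-05-01T09:00:00 host-a 198.51.100.7:443 412
2011-05-01T09:05:00 host-a 198.51.100.7:443 410
2011-05-01T09:10:00 host-a 198.51.100.7:443 415
2011-05-01T09:15:00 host-a 198.51.100.7:443 409
2011-05-01T09:20:00 host-a 198.51.100.7:443 411
2011-05-01T09:01:13 host-a 203.0.113.20:443 8921
2011-05-01T09:07:48 host-a 203.0.113.20:443 1290
2011-05-01T09:22:02 host-a 203.0.113.20:443 40211
2011-05-01T09:02:30 host-b 203.0.113.20:443 2200
2011-05-01T09:03:00 host-b 192.0.2.55:80 130
2011-05-01T09:31:00 host-b 192.0.2.55:80 140
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Group log lines into (src, dst) -> time-sorted list of (timestamp, bytes)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        ts = datetime.fromisoformat(m.group(1))
        flows[(m.group(2), m.group(3))].append((ts, int(m.group(4))))
    for key in flows:
        flows[key].sort()
    return flows


def timing_profile(events):
    """Return (mean interval in seconds, coefficient of variation) or None if too few events."""
    if len(events) < 2:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    return avg, pstdev(gaps) / avg


def find_beacons(text, max_cv=0.1, min_events=4):
    """Flag (src, dst) pairs whose connection timing is regular enough to look like C2 check-ins.

    max_cv is the allowed timing jitter (standard deviation / mean of the gaps);
    min_events keeps a couple of coincidentally spaced visits from triggering an alert.
    """
    flows = parse_log(text)
    # A destination that many hosts use (a CDN, a mail server) is a weaker signal
    # than one only a single machine talks to, so count hosts per destination.
    hosts_per_dst = defaultdict(set)
    for src, dst in flows:
        hosts_per_dst[dst].add(src)

    hits = []
    for (src, dst), events in flows.items():
        if len(events) < min_events:
            continue
        profile = timing_profile(events)
        if profile is None:
            continue
        interval, cv = profile
        if cv <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "count": len(events),
                "interval_s": round(interval),
                "cv": round(cv, 3),
                "mean_bytes": round(mean(b for _, b in events)),
                "hosts_to_dst": len(hosts_per_dst[dst]),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Against the sample, only host-a's five-minute contacts with 198.51.100.7 are reported; its irregular, variably sized sessions with 203.0.113.20 and host-b's two visits to 192.0.2.55 are not. In practice the thresholds need tuning per network, since legitimate software (update checkers, mail clients) also polls on a schedule, and some Trojans add deliberate jitter, which is why the check tolerates a modest spread rather than demanding identical intervals.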
Unveillance's Hijazi noted that in some cases, law enforcement will subpoena the records of the servers hosting the domains to which the botnet Trojans are sending the data. It's not uncommon for the server owners to be completely unaware anything criminal is going on.
Once the records are in hand, the identities of the botnet's masters can be found, although sometimes that doesn't help much if the operators aren't in the United States.
Of course, cybercriminals and the hackers who work for them have come up with ways for malware to avoid detection.
Hijazi said one method is for malware distributors to just send out lots of infectious software at once. Typical anti-virus software will pick up some of it, perhaps even most of it, but the really sophisticated Trojan will be buried somewhere the anti-virus software wasn't told to look — and the user will think his computer is clean.
How to protect yourself
On the bright side, users' computers are actually getting better at resisting banking Trojans. Aitel said Google's inexpensive Chromebooks, for example, are actually quite good at stopping most Trojans and malware — ideal for a small business to dedicate to online banking.
Other security experts recommend using a "live" CD, in which a PC runs Linux from a compact disc, or a Mac to do online banking. (The recent wave of Mac Trojans may make the latter option less appealing.)
Eventually, it may become so difficult to infect a PC with a banking Trojan that the criminals will move on to other ways of making money.
That's a key point the experts make: Digital criminals take the path of least resistance. Making, buying and operating banking Trojans is simply too cheap and easy — at least for now. That will change, just as the situation did for directly attacking banks.
So what's ahead? Once the defense against banking Trojans gets good enough, expect a new round of threats to focus on mobile devices.
Chijiiwa said his firm is being asked to test smartphones and tablets more often, and he expects that will become the focus of criminal activity.
"It keeps the world interesting," he said.