SOURCE: PhoneFactor


December 08, 2010 09:30 ET

ZeuS-Style Malware Beats Out Password Phishing as "The Greatest Threat to Online Banking Today"

Survey Indicates That Banks Are Aware of the Shift Toward Malware-Driven Attacks, but Not Fully Educated About What to Do to Protect Their Customers

OVERLAND PARK, KS--(Marketwire - December 8, 2010) - PhoneFactor, the leading global provider of phone-based multi-factor authentication, today released the results of its recent survey on the state of online banking security. The results point to a rapid shift in the prevalence of real-time attacks from online banking trojans, such as ZeuS, which are now more common than password phishing attacks, and to a lack of understanding about what to do to protect against these threats.

The survey, conducted in November 2010, included responses from financial services professionals at more than 70 banks. Key findings in PhoneFactor's study include:

  • Real-time attacks from online banking trojans (ZeuS, Clampi, etc.), also referred to as Man-In-The-Middle attacks, are seen as the greatest threat to online banking today by more than half (51%) of survey respondents, and 69% indicated an increase in the frequency of these attacks over the last 12 months. In fact, 37% of respondents reported that online banking trojans are the most prevalent type of attack at their bank.
  • Password phishing and pharming were a distant second with 24% of respondents believing password attacks to be the greatest threat to online banking. These attacks, however, continue to rage on. 55% of respondents indicated an increased frequency of these attacks over the last 12 months.
  • Online ACH and wire transfers were seen as being most vulnerable to attack with nearly one in three respondents rating these types of transactions as either "extremely" or "very" vulnerable.
  • There is still widespread misunderstanding about whether current security measures, such as one-time-passcodes, protect against today's top threats. Only 37% of respondents recognize that one-time-passcodes do not protect against ZeuS. Of those who recognize the weakness of these methods, 79% either use today or plan to use next-generation methods, such as out-of-band phone calls, transaction verification, and biometrics, to protect against ZeuS.

"Password phishing attacks have plagued online banking for nearly a decade, but have been outpaced in the last year by a surge in real-time attacks from the likes of ZeuS, Clampi, and SpyEye, among countless other malware variants," said Steve Dispensa, Chief Technology Officer at PhoneFactor. "Banks are implementing a number of measures to strengthen the security of their online banking platforms, which is unquestionably good. Unfortunately, many don't understand the vulnerability of methods like one-time-passcodes, which these attacks easily circumvent. As banks become more educated, we expect them to move even more quickly toward methods like out-of-band authentication and transaction verification to protect against these threats."

PhoneFactor defeats online banking trojans like ZeuS by verifying account logins and transactions through an out-of-band channel -- the telephone network. PhoneFactor works by placing an automated voice call or sending a text message to the user's registered phone number to authenticate account logins, ACH transactions, wire transfers, bill payments, and account changes. The account holder simply answers a call or responds to the SMS text message from PhoneFactor to authenticate. Because confirmation is completed through the telephone network, PhoneFactor protects against attacks initiated by malware running on the user's computer as well as less sophisticated password phishing and pharming schemes. Real-time fraud notifications and voice biometric options are also available.

About PhoneFactor
PhoneFactor is a leading provider of multi-factor authentication. The company's award-winning platform uses any phone as a second form of authentication. PhoneFactor's out-of-band architecture and real-time fraud alerts provide strong security for enterprise and consumer applications. It's easy and cost effective to set up and deploy to large numbers of geographically diverse users. In 2010 PhoneFactor was named to the Bank Technology News FutureNow list of the top 10 technology innovators securing the banking industry today and was a finalist in the SC Magazine Reader Trust Awards. Learn more at
