ING Lets You Bank Safely On Unsafe Computers
Online banking giant ING will begin providing software to its customers in the hope that they will be able to bank online without having their accounts hacked on compromised machines.
...The software works by assuming control over the application programming interfaces or APIs in Windows…A more advanced type of malware – known as a “form grabber” – hijacks the “WinInet” API – which sets up the SSL (think https://) transaction between the user’s browser and the encrypted Web site. By hijacking this API, a form grabber can rip out usernames and passwords even when the user is submitting them into a site that encrypts the data during transmission because it grabs that information at the lower level of the operating system, before it is encrypted.
Trusteer’s software examines these and other vital Windows APIs to see if any other process is trying to intercept sensitive data. It then blocks those that do.
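The check described above (looking at whether an API entry point has been patched by another process) can be illustrated with a small inline-hook detector. This is an added example, not Trusteer's or ING's code; the API name and the prologue bytes are constructed samples, and on a real system the in-memory and on-disk bytes would have to be read from the loaded module and the PE file on disk.

```python
"""Detect in-memory patches (inline hooks) on an API entry point by comparing
the function's current prologue bytes with its pristine on-disk bytes, then
recognising the trampoline shapes that userland API hooks commonly install."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Trampoline shapes left at a hooked function's entry (x86/x64).
HOOK_PATTERNS: Dict[str, Callable[[bytes], bool]] = {
    "jmp rel32":              lambda b: b[0] == 0xE9,
    "jmp [rip+disp32]":       lambda b: b[:2] == b"\xff\x25",
    "push imm32; ret":        lambda b: b[0] == 0x68 and b[5] == 0xC3,
    "mov rax,imm64; jmp rax": lambda b: b[:2] == b"\x48\xb8" and b[10:12] == b"\xff\xe0",
}

@dataclass
class HookReport:
    api: str
    patched: bool              # in-memory prologue differs from the on-disk one
    pattern: Optional[str]     # recognised trampoline shape, if any

def inspect_prologue(api: str, disk_bytes: bytes, mem_bytes: bytes, n: int = 12) -> HookReport:
    """Compare the first n bytes of an exported function as loaded in memory
    with the same bytes from the module on disk. A mismatch means something
    patched the entry point; it does not by itself say who (security products
    and accessibility tools hook legitimately), so treat it as a signal."""
    patched = mem_bytes[:n] != disk_bytes[:n]
    pattern = None
    if patched:
        for name, test in HOOK_PATTERNS.items():
            try:
                if test(mem_bytes):
                    pattern = name
                    break
            except IndexError:      # sample shorter than the pattern needs
                continue
    return HookReport(api, patched, pattern)

# Constructed samples (hypothetical x64 prologue: mov [rsp+8],rbx; push rdi;
# sub rsp,20h; mov rbx,rcx; mov rdi,rdx), and the same bytes after a hook
# overwrote the first five with a relative jump to the hook's code.
CLEAN_PROLOGUE = bytes.fromhex("48895c2408574883ec20488bd9488bfa")
HOOKED_PROLOGUE = b"\xe9\x10\x20\x30\x40" + CLEAN_PROLOGUE[5:]

def demo() -> HookReport:
    """Scan the constructed hooked copy of a hypothetical WinInet export."""
    return inspect_prologue("HttpSendRequestW", CLEAN_PROLOGUE, HOOKED_PROLOGUE)
```

A real scanner would resolve each export's address via the PE export table and read the bytes with the process-memory APIs; functions with hot-patch padding (`mov edi,edi`) need the same comparison, since that padding is exactly where a patcher writes.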
I think this is a bad move – end-user computer security, while very relevant to ING’s online banking structure, isn’t within their control enough for them to make a beneficial change.
ING can only make real changes on their own side, to servers, Web pages, etc. Brian Krebs has pointed out three good reasons this venture will fail:
1- Customers who install the tool flood ING with support calls and questions.
2- Nobody adopts it.
3- Malware writers figure out a way around it to steal lots of money from customers.
It will be virtually impossible to avoid any of these pitfalls – besides, some tricks never get old.
