ABbstract The last decade has witnessed the emergence of a plethora of approaches for securing financial transactions over the Internet. During the same period, attacks have matured from isolated exploits to an organized e-criminal industry. In the midst of this evolution stood the End User, whose instances have often been neglected under the assumption that refunding financial losses is all that mattered. This paper analyzes the existing deployments of Internet banking services from the perspective of the End User, whose main goal is completing the online transaction. The sole use on the client side of so-called “trusted” hardware devices will be discussed and shown to fall short of the requirements for truly secure Internet banking. Evidence will be provided in support of the need to protect the client components using connected devices and applying software hardening techniques to lower the hacking ROI and help rebalance forces in the fight against cyber criminals. A new metric for gauging the effectiveness of security software will be described and applied to measure the practical security of existing Internet banking systems. Finally, a number of guidelines will be provided for assuring that reasonable care is exercised in the design and deployment of Internet banking systems.
展开▼
