It is estimated that the GameOver Zeus botnet is responsible for losses exceeding $100 Million US Dollars.
The problem with a lot of online theft today is that, from the bank’s perspective, the theft occurred as a legitimate transaction: the bank acted on an instruction sent from the customer’s computer to transfer the money out. From the customer’s perspective, it was outright theft, since the instruction came from a compromised computer controlled by a thief.
The root cause of this type of theft, which we’ve witnessed many times (usually after being called in to a client’s premises for the first time), is a lack of authentication. The bank has no way of knowing whose hands (real or virtual) are behind any sequence of keystrokes or mouse clicks.
That is about to change – at least if you and I demand it! Banks, however, are in business to make a profit. Since most losses are not their fault, fraud doesn’t cost them much (except in Western countries where regulation forces them to absorb some of the cost). The proposal below should get their attention, because the CBA (cost/benefit analysis) is now simple.
If you have an iPhone with TouchID, then it is within the banks’ reach to offer an additional factor at no cost to them whatsoever. Here are the pieces of technology needed for it to work:
- SQRL (pronounced “squirrel”) – something your bank’s IT department would add as a secondary authentication system, alongside your current username and password.
- An iOS 8 TouchID-enabled app. Your bank would create an app (or modify its existing one) to use TouchID as a second factor for any financial transaction.
We will bank with the first bank that offers this. Then we’ll know they’re actually interested in protecting us and our little enterprises.
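To show why this closes the authentication gap, here is an added sketch (not code from this post, nor from the SQRL project or any bank app) that follows SQRL’s published design: the phone derives a per-site Ed25519 key as HMAC-SHA256 of a device-held master key over the site’s domain, and proves possession by signing a fresh server nonce. Binding the transaction text into what is signed, the `bank.example` domain and the sample values are assumptions of this example; TouchID’s role is to gate use of the private key on the phone.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// siteKey derives the per-site Ed25519 key pair the way SQRL does:
// seed = HMAC-SHA256(identity master key, site domain). The master key
// never leaves the phone; only the per-site public key is enrolled at the bank.
func siteKey(masterKey []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, masterKey)
	mac.Write([]byte(domain))
	priv := ed25519.NewKeyFromSeed(mac.Sum(nil))
	return priv.Public().(ed25519.PublicKey), priv
}

// challenge is what the bank sends for one transaction: a fresh nonce
// (SQRL calls it a "nut") plus the transaction text the user is approving.
// Including the transaction text is this example's assumption, not SQRL's.
func challenge(nonce []byte, transaction string) []byte {
	return append([]byte(transaction+"|"), nonce...)
}

// approve is the phone side: once TouchID unlocks the key, sign the challenge.
func approve(priv ed25519.PrivateKey, nonce []byte, transaction string) []byte {
	return ed25519.Sign(priv, challenge(nonce, transaction))
}

// verify is the bank side: accept only if the enrolled key signed exactly
// this nonce and this transaction text. A compromised PC that never held
// the key cannot produce such a signature, nor alter the amount or payee.
func verify(pub ed25519.PublicKey, nonce []byte, transaction string, sig []byte) bool {
	return ed25519.Verify(pub, challenge(nonce, transaction), sig)
}

func main() {
	master := make([]byte, 32) // constructed sample master key
	rand.Read(master)
	pub, priv := siteKey(master, "bank.example")
	nonce := make([]byte, 16)
	rand.Read(nonce)
	tx := "transfer 1500.00 to account 12345678"
	sig := approve(priv, nonce, tx)
	fmt.Println("valid:", verify(pub, nonce, tx, sig))
	// A tampered instruction, as malware on the PC would submit, is rejected.
	fmt.Println("tampered:", verify(pub, nonce, "transfer 1500.00 to account 99999999", sig))
}
```

Because the key is derived per domain, the key enrolled at one bank is unrelated to the key any other site would see, so one compromised site does not weaken another.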
I confirmed this with Steve Gibson, the creator of SQRL, on Twitter today:
“Biometric” web app authentication is now within reach with SQRL+inApp TouchID in iOS8, am I right, @SGgrc ?
— David Redekop (@DRtheNerd) June 4, 2014
to which he responded:
@DRtheNerd You’re absolutely right David. I’m not 100% confident in the TouchID anti-spoofing, but ADDING it as another factor… yes!!!
— Steve Gibson (@SGgrc) June 4, 2014