Page d'accueil // SnT // Distinguishe... // Banks versus Trojans: a tour of the battlegrounds - October 1, 2009

Banks versus Trojans: a tour of the battlegrounds - October 1, 2009

It is our pleasure to host this distinguished Lecture by Dr. Jan Joris Vereijken, Global Security Architect for ING Direct. The lecture will be followed by a reception. Please feel free to forward this invitation.

Abstract: As man-in-the-browser Trojan attacks evolved over the past few years, they become increasingly effective, and are now able to circumvent every "first generation" security measure banks developed in their classic crypto-driven internet-banking security-architectures. As e.g. SSL and token authentification have lost most of their efectiveness, a whole new arms-race has developed between Trojan writers and banks. In this new " second generation" arms race, the focus has shifted away from crypto, towards control over the Windows API's, use and abuse of out-of-band channels, and developing and disrupting fraud detection heuristics and forensic capabilities.

In this talk, we examine the various gory details of these banking Trojan wars. We look at security enhancements banks made, and how Trojans evolved to counter those measures. Some of these battles have been squarely lost by the banks, while others are still raging on. We visit a number of them, count the casualties, and speculate on the outcome. Our focus will be on deeply technical aspects, but surprisingly, the conclusions will turn out to revolve around economics and social engineering, rather than technical solutions.

Dr. Vereijken did his Ph.D. work on timed process algebra at the Eindhoven University of Technology. After a brief stint at Bell Laboratories to work on Software Engineering, he moved to ING Group, the Dutch financial services conglomerate. Today, he is the Global Security Architect for ING Direct, which is, with 22 million customers in 9 countries, the largest internet bank worldwide.