House of Hackers

dev0id

Online banking: Controls to be implemented

For those who read my article Cracking access to Bank, this paper may be interesting from the point of view of securing transactions.
As we identified that the main threat while using vulnerable ActiveX components within online banking is exposure of data and, possibly, even unauthorized access to a bank client's account, this paper will address the main controls that may be implemented (some of them already are) to mitigate the risks that arise when a vulnerable bank client is exploited.

Client-side controls

Actually, it does not matter how an intruder is able to get unauthorized remote access to a workstation with the client-bank application installed. If the access was obtained using the vulnerable ActiveX component provided by the bank (we assume that the intruder looked for bank clients that use this vulnerable component), the risk of financial fraud rises. However, the set of controls that needs to be implemented is the same.
First of all, it is the "Segregation of incompatible duties" control. That means that business functions related to online banking should be assigned to different employees of the legal entity. For example, an operator from the Accounting Department may create the payment document, but he/she is unable to send it to the bank without approval from the Chief Accountant. The final approval is needed from the Chief Financial Officer (CFO) or Chief Executive Officer (CEO). Furthermore, these individuals need to work from different workstations. This makes it more likely that a suspicious payment will be detected, since no single person or workstation can create and send a payment on its own.
The second recommendation is to use technical controls for securing the workstation and transactions. For example, the use of a Personal Firewall, Behavior Monitor and Antivirus software allows malicious processes to be prevented from running. However, we need to remember that there are lots of techniques that allow an intruder to make his presence invisible. But these controls, especially the Behavior Monitor, allow us to collect evidence that the payment was performed by someone else.
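The approval chain described above, written as an added example (not code from the original post or from any bank's client software): a payment must pass create, approve and final approval in order, each step by a permitted role, and the control refuses any attempt where the same user or the same workstation appears twice. Role names, user names and workstation identifiers are assumed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical approval chain modelled on the post (role names are assumed):
# operator creates, Chief Accountant approves, CFO or CEO gives final approval.
STEPS = ("create", "approve", "final_approve")
ALLOWED_ROLES = {
    "create": {"operator"},
    "approve": {"chief_accountant"},
    "final_approve": {"cfo", "ceo"},
}

@dataclass
class Action:
    step: str
    user: str
    role: str
    workstation: str

@dataclass
class Payment:
    payment_id: str
    amount: int
    history: list = field(default_factory=list)

    def act(self, step: str, user: str, role: str, workstation: str) -> None:
        """Record one workflow step; refuse anything that would let one person
        or one (possibly compromised) workstation perform two of the steps."""
        expected = None if self.ready_to_send() else STEPS[len(self.history)]
        if step != expected:
            raise PermissionError(f"{self.payment_id}: expected {expected!r}, got {step!r}")
        if role not in ALLOWED_ROLES[step]:
            raise PermissionError(f"{self.payment_id}: role {role!r} may not {step!r}")
        for prior in self.history:
            if prior.user == user:
                raise PermissionError(f"{self.payment_id}: user {user!r} already acted")
            if prior.workstation == workstation:
                raise PermissionError(f"{self.payment_id}: workstation {workstation!r} reused")
        self.history.append(Action(step, user, role, workstation))

    def ready_to_send(self) -> bool:
        return len(self.history) == len(STEPS)

def attempt(payment: Payment, *args) -> bool:
    """Return True if the step was accepted, False if the control rejected it."""
    try:
        payment.act(*args)
        return True
    except PermissionError:
        return False
```

A rejected attempt is exactly the event worth logging and alerting on, since a compromised operator workstation trying to approve its own payment is what this control is meant to expose.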

Bank-side controls

Mmmm. As we can see, the exploitation of this vulnerability is aimed against the bank's clients, not the bank. Since all transactions are encrypted with the bank's public key and signed with the client's one, the bank would do nothing. However, there is one control that is regulated by law, and it may not be present in your country due to local banking regulation.
Some banks have to provide the client with hard copies of all payment documents in a timely manner (monthly, or once every two weeks). This kind of control is manual.

And now, just imagine that someone penetrated your workstation with the online banking application installed. The intruder saw all your transactions and maybe even transferred your money to a foreign account (using the simple concept described in the next paper), and you identified this transfer a month later.

Tags: bank, security

© 2009 Created by pdp on Ning.