MGR Effitas - Online Banking / Browser SecurityCertification Q3 2019

[harlan4096]

Introduction

MRG Effitas is a world-leader in independent IT security efficacy testing, research and expertise.

In the drive to protect businesses and home users from ever more advanced malicious threats, malware and viruses, our innovative research and testing helps IT security vendors to be the best they can be.

Our technical competence and insight into future trends and challenges is trusted by IT security vendors across the world.

About our Online Banking test

MRG Effitas published an Online Banking Browser Security Report every year. Since 2013, a single report has been replaced by quarterly assessments. This report is the assessment for Q32019.

While similar to our previous reports, it employs more sophisticated assessments that result in an extremely accurate level of efficacy assessments, so much so that we now award quarterly certifications to products that meet specific assessment criteria.

We provide two levels of testing: Level 1, where we test a vendor’s product and provide a report for that quarter’s assessment, and Level 2 (which incorporates Level 1), where we liaise with vendors during testing, alerting them to any issues found with their technology and providing the engineering and technical support required for them to counter these issues. Level 2 participation serves as an external QA service for vendors, helping them improve the efficacy of their product. Level 1and 2 reports are published separately. This is a Level 1 report.

Early in our online banking work we recognised that although many vendors protect their clients’ browsers from data exfiltration, the techniques employed were not effective against financial malware. Since then we have been at the forefront of online banking testing and are the only testing house in the world whose tests map 100% against in-the-wild threats.

In this test we focus on in-the-wild financial malware, using cloud-based testing systems to create botnets that map identically to those we find in the real world. It is a criminal offence to test in-the-wild botnets in the UK, so we use IBM technology to host malware in a safe environment. We can create our own financial malware from scratch by reverse-engineering existing threats and modifying them slightly.

Our tests comprise existing malware and real botnets. We can assess whether protective software detects existing malware and whether data exfiltration occurs against the browsers. We can anticipate future threats and advise our clients accordingly.

In 2010 we began reverse engineering financial malware to create simulators that employ the same “Man in the Browser” attacks as the in-the-wild code, and for the first time were able to determine whether secure browsers were capable of preventing data exfiltration.

Simulators are used in industries including aerospace, automotive, law enforcement, the military and finance. There are two major types of simulators: those used to teach students (e.g. pilots) and those used to simulate attacks (e.g. military). This is why we decided to start creating simulators: by developing test tools, we simulate attacks that may not be prevalent now, but could become more so in the future.

Simulators can point out potential weaknesses in products and even use new types of attacks that can be useful for developers as they can learn about these from a testing lab, rather than from their users when an attack of this type occurs in the wild.
...

Full PDF Report