New Application Keeps Out Trojan Horses, Viruses

By Maria Trombly | Securities Industry News | February 23, 2004

February 23, 2004 - Raymond James & Associates has a problem. Employees, independent advisers and customers are all logging in from insecure machines at home, so when family members download free content off the Internet, hidden nasty software may be attached. these Trojan horses run in the background, watching everything the user types, everywhere the user goes. That includes their brokerage account activity.

Fortunately, Raymond James may have found a solution. A tiny application--taking just a few seconds to download--checks to see whether anything is secretly monitoring keystrokes on a user's machine.

"It's already caught a couple of keystroke loggers, some malware [malicious software], a couple of viruses," said Gene Fredriksen, VP of information security at Raymond James, who's already rolled it out to a few hundred employees. "In the case of an infection with a keystroke logger, that's of great concern to us because those are corporate credentials to log into Raymond James' system. It's proved itself very well."
The tool is called Confidence Online, from Austin, Texas-based WholeSecurity. The portal version, suitable for protecting customers, was just released last week. An enterprise version, for protecting access through virtual private networks (VPNs), has been available since April. Other companies using the product include Deutsche Bank and Comerica.

Within three months, Fredriksen said, he expects to have all 6,000 employees using the tool. Then it will be extended to independent financial advisers and retail customers--somewhere in the neighborhood of 200,000 people. "Anyone connecting to us with a computer that we cannot control or cannot monitor, we want that person to go through a process that's going to give them some confidence that they're not infected with a Trojan or keystroke logger."

The way Confidence Online works is the first time an employee logs onto the company's VPN, or a customer visits the online portal, a small application is downloaded. The process takes 10 to 15 seconds, and is even faster on subsequent logins, when the application only needs to check for updates, said Fredriksen, who added that he hasn't received any complaints from users about download times.

It's not an anti-virus program, said WholeSecurity spokesman Scott Olson.

"That is why we can be downloaded in a matter of seconds rather than 10 to 20 minutes," he said.

It's also significantly cheaper than an anti-virus program. According to Olson, an annual license costs $5 per user, and volume discounts and perpetual licenses are also available.

Today, the program only works on Windows computers, not Macintoshes or PCs running other operating systems. Most computers run Microsoft's operating system, Olson said, and the majority of attacks target those computers as well.

"But down the road this will be extended to other operating systems like the Macintosh and other devices like handhelds," he added.

Confidence Online doesn't check for all possible viruses based on comparing them to a library of virus signatures. Instead, it looks for suspicious behavior. By focusing on a very small subset of worms and viruses, namely those that can do the most damage to financial services firms, the application can be very effective. "We've got some independent testing where an agency collected a number of new threats that we've never seen before, and we caught 100 percent of them," Olson said. "We were catching things like Blaster and SoBig and MyDoom at zero hour, with no signature updates. It's been tremendously effective and our customers are very happy with it."

According to Olson, traditional antivirus programs only catch threats that have been identified and catalogued, which is why anti-virus programs always need to be kept up to date. And Trojan horses, which users voluntarily download and install, can bypass traditional antivirus systems, he added.

According to IDC analyst Christian Christiansen, the Confidence Online product offers complete transparency to the user while ensuring that every remote computer is safe from eavesdropping and remote control.

WholeSecurity isn't the only vendor helping financial services companies ensure their customers' security. PostX is testing a product that helps customers make sure that e-mails looked as if they came from a trusted brokerage actually originated there, blocking would-be "phishing" attacks (Securities Industry News, Feb. 2).

Phishing is a scam in which consumers receive e-mail letters purporting to come from their banks and brokerages directing them to a Web site that asks for login information. Both the letters and Web sites can look very realistic, sometimes using the actual graphics and other content from the financial firm. In addition to stealing customers' login information, phishing attacks can also fool recipients into downloading keyloggers and other Trojan programs.

According to a recent report from the Anti-Phishing Working Group, phishing attacks were up 50 percent in January-and the financial services industry was the most targeted sector. The Web sites can even show real-looking URLs--according to the report, eight percent of phishing attacks now take advantage of a Microsoft Explorer flaw that allows hackers to disguise Web addresses.

But Damon Kovelsky, an analyst at Framingham, Mass.-based Financial Insights, warned that brokerages could cause problems for themselves by extending keylogging protection to their customers. "In some ways it's good, but it could create a false sense of security," he said. He explained that an anti-keylogging application won't have the same protections as a fully-featured and up-to-date anti-virus program and may make financial firms, employees or customers more complacent about other security precautions.

But Larry Tabb, CEO of Westborough, Mass.-based The Tabb Group, argues, "That's a possibility, but I'm certain that keylogging and other distributed security software will come with a certain number of warnings, caveats and user agreements."

He added that even if a security breach is from a customer's customer, the brokerage is still likely to pay for any losses that result. "And it's much cheaper to fix problems on the front end than go back and figure out what happened, how much money was taken," he said. "In this day and age, you can't just shut down all your remote access. Whatever firms can do to protect their employees, their infrastructure, and their clients, it will become the cost of doing business."

Raymond James' Fredriksen said he wants the Confidence Online product to do even more than it does now--at least for the employee-focused applications. For example, the product could check to see how insecure the employee's home machine is.

"We're talking to them about our desire to be able to check for specific versions of systems, specific patch levels, check for certain registry settings," he said. "But we're not looking to do anything on the customer side except increase the customers' confidence and the integrity of their connection to us."