The benefits of assuming the worst

From Technology Review. What should banks and other ‘secure’ services do when dealing with customers who are incapable of keeping their machines free of malware?

“Our premise,” Ledingham says, “is that, rather than trying to clean up the machines, assume the machine is already infected and focus on protecting the transaction that goes on between the consumer and the enterprise website.”

The problem of malware on users’ computers is “the number-one problem that the financial institutions are wrestling with today,” says Forrester Research senior analyst Geoffrey Turner, an expert on online fraud. Financial institutions can take steps to secure the connections between their servers and their customers’ PCs, Turner says; they can even ensure the security of the customer’s Web browser. But they’re stumped, he says, when it comes to the customer’s operating system. Most successful attempts to steal computer users’ identities, Turner says, involve using malware to capture their credentials or conduct transactions behind the scenes without their knowledge. “The challenge is, how do you secure the end-user computer?” he says. “Should you even, as a bank, be trying to do that?”

Needless to say, his answer is “yes”. But then, he runs SiteTrust, a tool recently released by the data-security company Verdasys, which aims to protect users from fraud even when their computers have already been compromised.