Friday | 10 July, 2009
CSO
E-commerce in crisis: When SSL isn't safe
Roger A. Grimes (InfoWorld) 17/05/2006 12:24:59

A better solution would be to send the consumer the relevant details -- such as the date, from, to, amount, and so on -- along with the authorization code, thus allowing the consumer to confirm the transaction. Some banks and e-commerce sites do this already using in-band e-mail confirmations. Schneier has his doubts about the out-of-band approach. "These types of authorization schemes would work, but it sounds a little extreme as a solution. Unfortunately, we live in an economic reality where users will not accept extremes. They want convenience."

Bank officials concur. One regulator said, "Most banks, because of their customers, would probably not accept such an extreme form of authentication. How often would the out-of-band device fail or not be available? Requiring users to confirm every banking transaction out-of-band would not be accepted by today's consumers."

The regulator speculated that a better solution might be for the bank to offer out-of-band confirmations as an option and allow the consumer to pick the dollar amount at which the transaction would require additional confirmation measures.

Other bank security officers thought implementing added intelligence on the back end would provide more value. "How about not allowing online transfers to banks and countries with strong ties to crime?" offered one officer. "We could deny any transaction that the bank deemed highly suspicious, like your credit card company does now, and require a second confirmation."

Close observation of consumer behaviour can also help. In one case, nearly 100 customers of one large bank were infected with an SSL-evading Trojan. As usual, the phishing e-mail used mostly legitimate links to the real bank's Web site. After noticing requests from outside for links that were normally referenced only from other internal pages, the bank's IT staff realized a Trojan was to blame.

The solution was to rename one of the requested links. Any user who went to the real bank's Web site now followed the renamed link, which the legitimate site referenced. Only customers who had been phished would request the link's old name, which let the bank tell how many of its customers were compromised.

Yunus Emre Alpozen, a consultant for one of the world's largest banks, says, "Every customer requesting the old Web page link was redirected to a new page that notified them that they were the victims of a phish attack, and how to proceed. We used the phisher's e-mail against them."
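The detection the bank describes above, as an added example that is not code from the article or from the bank: it assumes Apache-style combined access logs, a hypothetical host www.example-bank.invalid, and a constructed rename of /acct/transfer.cgi to /acct/transfer2.cgi. It goes slightly beyond the article by also ignoring requests for the old name whose referer is the bank's own site (a stale cached page rather than a phishing link).

```python
import re
from collections import defaultdict

# Constructed sample log lines (Apache combined format), not from the article.
# The bank renamed /acct/transfer.cgi to /acct/transfer2.cgi; the phishing page
# still links to the old name, so only victims of the phish request it.
SAMPLE_LOG = """\
10.0.0.5 - alice [17/May/2006:12:01:03 +0000] "GET /acct/transfer2.cgi HTTP/1.1" 200 512 "https://www.example-bank.invalid/acct/home" "Mozilla"
198.51.100.7 - bob [17/May/2006:12:01:09 +0000] "GET /acct/transfer.cgi HTTP/1.1" 302 0 "http://login-example-bank.invalid/verify" "Mozilla"
203.0.113.9 - carol [17/May/2006:12:02:11 +0000] "GET /acct/transfer.cgi HTTP/1.1" 302 0 "-" "Mozilla"
10.0.0.8 - dave [17/May/2006:12:02:40 +0000] "GET /acct/home HTTP/1.1" 200 2048 "https://www.example-bank.invalid/" "Mozilla"
198.51.100.7 - bob [17/May/2006:12:03:02 +0000] "GET /acct/transfer.cgi HTTP/1.1" 302 0 "http://login-example-bank.invalid/verify" "Mozilla"
"""

LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')
BANK_HOST = "www.example-bank.invalid"  # assumed legitimate host (hypothetical)
RETIRED_PATH = "/acct/transfer.cgi"     # old name that only the phishing page still links to

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, ts, method, path, status, referer = m.groups()
    return {"ip": ip, "user": user, "ts": ts, "method": method,
            "path": path, "status": int(status), "referer": referer}

def find_phished_users(log_text):
    """Return {user: [referers]} for every request to the retired path that did not
    come from the bank's own site. A referer on the bank host means a stale cached
    page, not a phish; anything else is a customer following the phisher's link."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != RETIRED_PATH:
            continue
        if rec["referer"].startswith(f"https://{BANK_HOST}/"):
            continue
        hits[rec["user"]].append(rec["referer"])
    return dict(hits)

def notice_redirect(path):
    """Serve the retired name from a notice page explaining the phish; all else unchanged."""
    return "/security/phish-notice" if path == RETIRED_PATH else path

if __name__ == "__main__":
    for user, refs in find_phished_users(SAMPLE_LOG).items():
        print(f"{user}: {len(refs)} request(s) for {RETIRED_PATH}, referers {sorted(set(refs))}")
```

Run over real logs, the count of distinct users returned is the number of compromised customers the article says the bank was able to measure.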

Self-defence for consumers

Sadly, infection can't be stopped merely by convincing users not to execute untrusted software. No consumer knowingly installs malicious software, and SSL-evading Trojans can easily go unnoticed by the most careful user.

One of the best defences is simply to convince consumers to check their online balances frequently. Beyond this, consumers need to lobby financial institutions and move their accounts from institutions that keep their head in the sand.

Banks that require stronger authentication and transactional authorization should be rewarded. Those institutions should also encourage customers to report phishing attacks to the site's security reporting e-mail address so they can take down fake Web sites or otherwise minimize risk.

Currently, log-on-stealing Trojans are still the No. 1 threat to the banking industry, but SSL-evading Trojans that can bypass any authentication scheme are emerging as a particularly frightening challenge. They need to be dealt with now before consumer confidence in e-commerce goes into serious decline.
