Waiting for Zbot: Online Banking Grows in China
Aggregated Source: Catching Mice in China
People’s Daily reports:
About one-third of both individual and corporate banking clients in China’s 10 major cities used online services this year, an increase of 4.2 and 1.7 percent from 2006, the China Financial Certification Authority (CFCA) report said.
Security was a key concern:
The report said that over half of the individual online banking customers surveyed saw security as the priority when they chose an online banking service this year. Those who chose not to use online banking services were put off for security reasons.
More than 53.5 percent of the individual respondents used digital certificates to accept online banking services to ensure transaction security, compared to 46 percent in 2006.
The certificates are for the user. China Tech News (2005):
Twenty-five Chinese banks this past week signed the “Digital Certificate Cooperation Agreement” with the China Financial Certification Authority (CFCA), a third-party certification organization, agreeing to adopt the latter’s digital certificate for their online banking services.
From now on, users can apply for such a digital certificate from any of the 25 banks, and the certificate will not only ensure their online transaction security, but also allow unlimited sums for their online payments.
In addition, CFCA will compensate users if their account funds have been stolen. According to Li Xiaofeng, general manager of CFCA, CFCA will compensate enterprise users as much as RMB800000 and individual users a maximum of RMB20000 in such cases.
The client certificates can be installed either on an external device such as a USB drive or in the browser.
Certificates are meant to ensure identity. Using them in conjunction with a password provides “dual-factor authentication” and is meant to minimize the risk of a thief logging in as someone else and stealing information (or in this case, money).
Before we start rhapsodizing about how wonderful this whole interweb is, consider this from Network World:
A new variant on the “Prg Banking Trojan” malware discovered in June is stealing funds from commercial accounts in the United States, United Kingdom, Spain and Italy with a botnet called Zbot, says Atlanta-based SecureWorks.
…If the attacker succeeds in getting the Trojan malware onto the victim’s computer, he can piggyback on a session of online banking without even having to use the victim’s name and password. The infected computer communicates back to the Trojan’s command-and-controller exactly which bank the victim has an account with. It then automatically feeds code that tells the Trojan how to mimic actual online transactions with a particular bank to do wire transfers or bill payments.
It’s a very sophisticated attack, with specific series of commands designed for each bank’s website. It’s not only designed to steal and re-use credentials (including the much-ballyhooed digital certificates), it can control the victim’s PC remotely. It’s quite convenient, and clever, to use the victims’ PCs to rob them.
At this point, Zbot is being used to attack specific banking customers in four Western countries. But it is a commercial product in the underground economy, and there are beginning to be many more inviting targets for Chinese hackers than online gaming accounts.
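As an added illustration (not from the original post or any of the reports it cites) of why the attack above defeats login-time authentication: a toy Python model in which a client certificate and password authenticate the session, after which malware on the same PC submits a transfer on that session. It goes beyond the post by also showing the control a practitioner would reach for, per-transaction signing by a key held only on an external device that shows the payee and amount on its own screen; the bank, customer, key and signing scheme are all constructed here.

```python
import hashlib
import hmac
import secrets


def sign_txn(token_key: bytes, sid: str, payee: str, amount: int) -> str:
    """Signature the external token computes after displaying payee and amount
    on its own screen; the PC never holds token_key (hypothetical scheme)."""
    msg = f"{sid}|{payee}|{amount}".encode()
    return hmac.new(token_key, msg, hashlib.sha256).hexdigest()


class Bank:
    """Toy bank: certificate + password at login, optional per-transaction signing."""

    def __init__(self, cert_ids, passwords, token_keys, require_txn_signature):
        self.cert_ids, self.passwords, self.token_keys = cert_ids, passwords, token_keys
        self.require_txn_signature = require_txn_signature
        self.sessions, self.ledger = {}, []

    def login(self, customer, cert_id, password):
        """Two factors are checked here, but only the *session* is authenticated."""
        if self.cert_ids.get(customer) != cert_id or self.passwords.get(customer) != password:
            return None
        sid = secrets.token_hex(8)
        self.sessions[sid] = customer
        return sid

    def transfer(self, sid, payee, amount, signature=None):
        customer = self.sessions.get(sid)
        if customer is None:
            return "rejected: no session"
        if self.require_txn_signature:
            # Binds this exact payee/amount to a key that never touched the PC.
            expected = sign_txn(self.token_keys[customer], sid, payee, amount)
            if signature is None or not hmac.compare_digest(expected, signature):
                return "rejected: transaction not signed by token"
        self.ledger.append((customer, payee, amount))
        return "ok"


def run_scenario(require_txn_signature):
    """Victim logs in normally; malware on the same PC then reuses the live
    session to submit its own transfer, as the post describes."""
    key = secrets.token_bytes(32)  # constructed token key, lives on the USB device only
    bank = Bank({"alice": "cert-0001"}, {"alice": "pw"}, {"alice": key}, require_txn_signature)
    sid = bank.login("alice", "cert-0001", "pw")
    sig = sign_txn(key, sid, "landlord", 500) if require_txn_signature else None
    legit = bank.transfer(sid, "landlord", 500, sig)  # user confirmed details on the token
    theft = bank.transfer(sid, "mule", 9000)          # malware has sid, not the key
    return legit, theft, bank.ledger
```

With login-only checks both transfers succeed; with per-transaction signing the session-riding transfer is rejected because the malware cannot produce a signature over its own payee and amount.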
Further reading
SecureWorks has all the details on the trojan.
Kaspersky Lab’s Viruslist has an interesting analysis on the commercialization of the trojan.
Copyright Catching Mice in China