Test of software for online banking protection

18 March 2019

This is our next test from the series of comprehensive tests of various types of products for protection of computers and workstations. In February 2019, we tested dozens of solutions to protect the Windows 10 operating system, paying particular attention to the possibility of blocking malicious software and resisting attacks that are aimed at operations on online banking accounts. Less than half of the tested software has so-called special components for protection of online payments which have various names such as “Safe Money”, “Banking Mode”, or “Banking Protection”.

Most of these modules are directly integrated with security suites, and thus can’t be used as separate software. These components add another layer of security, useful in situations when there is a need for confidential data protection while using online banking. We assume that a user has probably installed an antivirus product, so he entrusts the security of his finances to the developer who doesn’t necessarily provide to software dedicated and specialized modules  for the protection of online purchases. Therefore, we decided to check which of the most popular solutions guarantee an unrivaled level of security, regardless of whether they have such technologies.

The test was designed to simulate over a dozen different scenarios of attacks that had focused on theft of important data entered into a browser or data stored in Windows 10 with a security suite installed.

Step by step procedure

All solutions have been tested on default settings, however, it’s often the case that key protection components are disabled, such as anti-keylogger or anti-ARP poisoning. Probably there will never exist an application that will fully cover and secure all attack vectors, therefore education and effective use of appropriate software is very important. For this reason, all products have been tested on modified settings for the second time. We have enabled some features, changed a protection level to more aggressive or run so-called banking mode to check if modifications in settings have an impact on attacks detection and unknown malware blocking. It’s also a hint for developers who should consider the introduction of additional protection against popular attacks. They should also consider enabling features that aren’t activated by default.

Most of the malicious scripts used in the test were written in the Python programming language and compiled into EXE executable files using the PyInstaller tool. We have used the Bettercap 2+ tool for the man-in-the-middle attacks. The reader can treat samples from the test (on the day of testing) as completely undetectable for antivirus software. Malicious software has been sent to developers and should already be detected.

The tests have been carried out on the basis of several steps listed below:

  1. Installation of the tested solution on previously prepared image of Windows 10.
  2. Sequential launching procedures (malware was downloaded to the system through the Chrome browser from a temporary server).
  3. Repeating the tests on the modified settings.
  4. Writing down the results.

Product tested:

  • Arcabit Internet Security
  • Avast Premier
  • Avira Antivirus Pro
  • Bitdefender Total Security
  • BullGuard Premium Protection
  • Check Point ZoneAlarm Extreme Security
  • Comodo Internet Security
  • Dr.Web Space Security
  • Emsisoft Anti-Malware Home
  • Eset Internet Security
  • F-Secure SAFE
  • G Data Total Protection
  • Kaspersky Internet Security
  • mks_vir Internet Security
  • Norton Security
  • Panda Dome Advanced
  • Quick Heal Total Security
  • Sophos Intercept X
  • Sophos Home Premium
  • SpyShelter Firewall
  • Trend Micro Maximum Security
  • Webroot SecureAnywhere Antivirus
  • Windows Defender

Description of carried out tests

1. Clipboard Hijacking Attack. The test verifies whether it’s possible for malware to capture clipboard content and send it to a server controlled by a hacker.

2. Clipboard Swapping Attack. The test verifies whether it’s possible for malware to change clipboard content, for example, copied a bank account number.

3. Keylogger Attack. The test verifies whether it’s possible for malware to register keystrokes on a keyboard while logging into a bank account and send them to attacker’s Gmail account.

4. Screenshot Attack. The test verifies whether it’s possible for malware to take a screenshot when using online banking.

5. RAM Scraping Attack. The test verifies whether it’s possible for malware to extract confidential information from RAM, e.g. credit card numbers, passwords, logins, or bank account numbers.

6. DLL Injecting Attack. The test verifies whether it’s possible to inject malicious DLLs into so-called safe browser, virtual environment, or antivirus processes. Used methods: CreateRemoteThread, QueueUserAPC, RtlCreateUserThread, SetThreadContext.

7. First Man-In-The-Middle Attack. The test verifies whether it’s possible to insert HTML and JavaScript code into websites.

8. Second Man-In-The-Middle Attack. The test verifies whether it’s possible to capture confidential information from websites that are secured by SSL certificate.

9. Hidden Desktop Attack. The test verifies whether it’s possible for malware to establish remote connection with hacker’s server during active banking session.

10. HOSTS Modifying Attack. The test verifies whether it’s possible for malware to manipulate the contents of Windows HOSTS file.

11. Detecting thirteen banking trojans found in-the-wild in February 2019.

12. Description of unique banking protection components to allow better understanding how technology protects users when banking session is active.


Test interpretation

Samples used in the test were in fact 0-day threats. This way we could see how the individual protection modules of each tested solution react to newly developed malware and whether these technologies actually work. It didn’t matter if the solution had a special banking session protection or not. The task of the security suite is to protect user data in every situation which is why we recommend using products from reputable companies. The default settings aren’t always the best. Is it native security built into Windows or external software – configuration needs to be approached with limited trust. It’s worth using additional components that offer one more layer of protection. Users with more technical knowledge realize that the default configuration isn’t always the right one. Sometimes a developer decides for a reason to reduce the level of protection at the expense of better performance or to save customers nerves which are most often caused by too frequent alarms. Internet users who require antivirus to be almost full automatic represent the majority of consumers in relation to computer geeks who are aware of threats and Internet attacks, but aren’t necessarily able to deal with them. If something goes wrong, they blame software for losses caused by, for example, ransomware and publicly give negative opinions. From every failure we should become stronger and wiser, so we need to consider why security software haven’t lived up to its task and what could have been configured better.

If in the test malware wasn’t blocked on the default settings, we tried to retry the test with a banking mode enabled by modifying protection in such a way that an unknown threat (or an attack) caused the alert to be displayed. We were trying to change settings of Internet firewall, IPS/IDS modules, HIPS, and even heuristic scanning to the maximum level. We were also enabling additional application control or protection against poisoning ARP tables.

In the test, we have presented the results for two types of attacks related to the man-in-the-middle technique. These attacks allow to listen transmitted messages between the device and the router in the LAN (not necessarily in the home network), and manipulate the website or steal logins and password. A protection against similar attacks is very important in public networks. In such places, MITM attacks are feasible, so the user device should be properly secured – the Internet traffic should preferably be encrypted using VPN.


General recommendation for online banking

Financial data and funds accumulated on an account can be better protected by following the instructions below. Using the VPN tunnel will eliminate the risk of listening data transmission. Moreover, if a user is robbed, despite measures taken in the form of tools and software, a security suite installed on victim’s computer may be a solid argument for the defense against a bank. That’s what the Supreme Court ruled in 2018 (File reference V CSK 141/17) concerning the theft of over PLN 60 000 from user’s bank account. The court accepted the complaint brought by an injured party to reimburse full stolen amount and court costs. The bank didn’t prove that the victim didn’t do due diligence when using the banking system.

In order to fulfill the obligation… upon receipt of the payment instrument a user takes the necessary measures to prevent violations of the individual safeguards of this instrument, in particular is obliged to store the payment instrument with due diligence and not disclose it to any unauthorized person.


The plaintiff haven’t lost money from the bank account in the circumstances described in the aforementioned provisions, but as a result of an offence committed by an undefined third party, who has benefited from improper security of ISC (Internet Services Centre, ed.).


The defendant haven’t proved that that the plaintiff committed a serious negligence when performing a contract for the provision of online banking services… The burden of proof that the payment transaction was authorized by the user or performed correctly shall lie with the provider.


The provider is obliged to prove other circumstances indicating the payment transaction authorization by the payer, or circumstances indicating the fact that the payer deliberately led to an unauthorized payment transaction, either intentionally or with gross negligence, he has violated at least one of his obligations.


The bank hasn’t demonstrated that the plaintiff deliberately led to an unauthorized payment transaction.

1. If you need to make a quick money transfer, it’s unwise to use public networks. It’s much safer to connect to the Internet through your mobile operator (preferably with installed VPN software). Thanks to progressive miniaturization, fake BTS fit into a small suitcase, and those more advanced are embedded in drones. An additional security for the network layer is VPN installation. An encrypted VPN tunnel protects the device owner against carelessness or indiscretion when logging into Internet services. It will protect, among others, against the KRACK on Wi-Fi vulnerability, and allow to bypass the restrictions on services or websites imposed by government dictatorships.

2. The installation of HTTPS Everywhere extension for the browser ensures that websites will always be loaded with an encrypted protocol (if they have SSL certificate implemented). This mainly concerns the smaller online stores. It’s important to remember that the SSL certificate (green padlock) doesn’t guarantee security.

3. Using the so-called modules for online banking protection is much safer way to make money transfers.

4. It’s a good idea to install a Linux system on a virtual machine or on a pendrive. Separating banking operations from potentially infected Windows system will allow you to learn good habits.

5. NEVER install unnecessary software from Google Play. The official Android repository contains many banking trojans that are hidden in the form of regular applications.

6. Installing a reputable antivirus software is a very good idea. It improves the safety of online banking, but in the event of litigation, a bank will have to prove that a victim of a crime “hasn’t exercise due diligence”.

A user is particularly vulnerable to sensitive information to be intercepted by malicious software when using Internet services. Modules that check the behavior of a suspicious application and monitor the triggered system API functions, aren’t always effective against a well-prepared banking trojan. We recommend using the so-called bank modes which can be found under different names in different products. Individual developers have their own ways of protecting operations on bank accounts. Some of these ways are more effective, and others less. The common denominator connecting all tested solutions isn’t always sufficient default settings. Enabling some features or increasing the protection aggressiveness will allow to achieve better efficacy without affecting performance. Online banking is a boon of the 21st century. Everyone is individually responsible for the safety of their finances, so they should learn how to use technologies to protect them.

Download full report.






Comparison of protection solutions