A new breed of malware called a Man in the Browser (MitB) attack can successfully bypass a bank's two-step online authentication process. In most cases, the victim isn't even aware their account has been compromised until it's too late.
Once the malicious code finds its way to your computer, it lays dormant until the user navigates to a specific website - a secure bank. During the typical log in process, the malware is activated and acts as a middleman between the user and the bank's website. Most variants will ask the victim to reenter their credentials as part of an "enhanced security measure." If the victim falls for this prompt, the attacker then has full access to the bank account.
Once inside, the attacker can perform a number of dastardly deeds such as spoofing balances, changing payment details and even hiding records of money transfers.
The BBC points out that even if you have the latest anti-virus software and follow your bank's official advice, the malicious code could still find its way to your machine. During their own in-house testing, they found that the majority of web security software on standard settings didn't detect the malware, even when it was activated. Results were much better when products were set to maximum security, but this blocks many legitimate programs as well.
"The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking," said Daniel Brett, of malware testing lab S21sec. "[Although] many products won't pick this up, they've got a much bigger scope; they're having to defend against all the viruses since the beginning of time."
The best defense at this point is to keep your anti-virus up to date and take note of any unusual behavior when logging into your bank account online.