
March 07, 2006

Greetings: and thanks for giving us all your money

We didn't see this until Paul H. drew it to our attention. You've got to admit it's efficient. Rather than going to all the trouble of logging your keystrokes, the latest trojans just wait until you log in to your online bank account, and then transfer the money into the hacker's account.

Coincidentally, just yesterday we took delivery of one of those little devices that HSBC issues to its customers which generates random passwords. We were feeling just that little more secure until we read the comments of Alex Shipp, a senior anti-virus technologist at MessageLabs: "All of the authentication, little keys you have to have in your hand, biometrical things, it doesn't matter. The bad guy just waits until you're there and then takes the money out," Shipp said.

These little pests are likely to dampen enthusiasm for those on-line greeting cards. According to Shipp, the malicious software typically arrives in an e-mail with an apparently innocent Web link, for example, to an online greeting card. "If you click on it, you will download an executable that installs itself into your browser and then just waits until you go to your bank site."

Posted by cw at March 7, 2006 05:37 PM

Comments

It was an interesting discussion last night at the Microsoft Security Seminar 'discussion' session. 'Individual Transaction Verification' is the only way to stop online fraud, and there has already been a case overseas of fingerprint identity theft: they took the entire finger. Currently, the information being asked for is the card number and PIN number. People need to make a conscious decision to enter their own PIN number into some device or form. As soon as you remove this human function in the transaction process and give it to a computation device, the nasty information thief no longer needs the human at all. So fingerprint, smartcard and biometric are useless because they take out the human reason of choice, which no computer can accurately compute. So to monitor your credit card and make sure no one is stealing from you, you have to implement a human check every x amount of transactions, or transactions above x cost, or every x amount of time. The only safe option here is that each time you make a transaction you are already making a human mind-based decision, so the likely option is to then verify the transaction with your provider, verifying the integrity of the data transaction.

Posted by: Stephen at March 8, 2006 12:48 AM

The easiest way to overcome this threat is to use a simple verification system - just as you do to prevent comment bot spam.

To fix the entire system, you need to use Transaction Numbers, as a number of banks already do. This requires the bank to send you a sequence of numbers. Each time you make a transaction you enter the next TN in the sequence. Then it doesn't matter if someone else has your login details; they can only read the data.

cheers, Paul

Posted by: Paul at March 8, 2006 03:03 AM

It sounds like the biggest risk in internet banking is the 'pay anyone' function, whereby funds can be transferred to any bank account.

I think my compromise on the internet banking convenience vs. security issue may be to disable this facility, as most banks let you do. That way my biggest risk is someone BPAYing something without authorisation, and this should be less of a risk.

Posted by: brendonhh at March 8, 2006 10:45 AM

NAB has recently added a one-time authorisation code to their online banking. When you start a transaction you receive a transaction summary & transaction authorisation code via SMS, which you have to enter into the web page to complete the transaction.

Posted by: brad at March 8, 2006 09:01 PM
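A small model of the two controls the comments above describe, added here as an illustration and not code from this post or from any bank: a sequential TAN list (Paul's comment) is checked without reference to the transfer details, so a transfer altered inside the browser still passes, whereas a code bound to the transaction summary (Brad's NAB description) lets the bank reject a transfer that no longer matches what the customer approved. The account numbers, key and HMAC construction are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    to_account: str    # destination account, constructed "BSB account" string
    amount_cents: int


# --- Scheme 1: printed list of sequential TANs (Paul's comment) ---
def issue_tan_list(count: int) -> list:
    """Bank generates the one-time numbers it posts to the customer."""
    return [f"{secrets.randbelow(10**6):06d}" for _ in range(count)]


def verify_sequential_tan(tan_list: list, index: int, entered: str) -> bool:
    """A TAN is tied only to its position in the list, not to any transfer."""
    return index < len(tan_list) and hmac.compare_digest(tan_list[index], entered)


# --- Scheme 2: code bound to the transaction summary (Brad's NAB description) ---
def transaction_code(key: bytes, t: Transfer) -> str:
    """6-digit code the bank sends by SMS together with the summary of `t`.
    Assumed construction: truncated HMAC-SHA256 over the transfer details."""
    msg = f"{t.to_account}|{t.amount_cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


def verify_transaction_code(key: bytes, received: Transfer, entered: str) -> bool:
    """Bank recomputes the code over the transfer it actually received."""
    return hmac.compare_digest(transaction_code(key, received), entered)


def demo() -> dict:
    intended = Transfer("062-000 12345678", 25_000)  # constructed: what the customer typed
    swapped = Transfer("999-999 00000001", 25_000)   # constructed: what a browser trojan submits instead

    tans = issue_tan_list(10)
    entered_tan = tans[0]  # customer reads TAN #1 off the paper list
    # The bank has no way to tell the submitted transfer differs from the intended one.
    tan_accepts_swap = verify_sequential_tan(tans, 0, entered_tan)

    key = secrets.token_bytes(32)  # per-customer key held only by the bank
    sms_code = transaction_code(key, intended)  # SMS: "Pay $250.00 to 062-000 12345678, code NNNNNN"
    return {
        "tan_accepts_swapped_transfer": tan_accepts_swap,
        "bound_code_accepts_intended": verify_transaction_code(key, intended, sms_code),
        "bound_code_accepts_swapped_transfer": verify_transaction_code(key, swapped, sms_code),
    }
```

If the trojan alters the transfer before the bank ever sees it, the SMS summary itself shows the wrong account and amount, so the control then depends on the customer reading the summary, which is the human check Stephen's comment argues for.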
