Warning Over Dangerous New Viruses That Look 'Identical' To Online Banking Pages

[Boater]

Criminals are using sneaky new viruses that imitate internet banking pages to trick customers into leaking sensitive details, security experts warn.

A dangerous hacker scam busted in Spain is one of a nasty new breed of viruses set to invade the UK, software firm Trusteer says.

Britain's 25million internet banking users are at risk despite huge improvements in online security at big banks.

Fraud risk: Dangerous new viruses masquerade as internet banking pages, luring customers into entering their details

The roll-out of card readers at the likes of Lloyds, Barclays, and NatWest, one-time mobile phone passcodes at Santander, and a new 'Secure Key' by HSBC have helped drastically reduce online fraud in recent years.

Total cash stolen from bank accounts online fell by 32 per cent over the last twelve months, thanks to new technology.

But experts are now warning that these high-tech safeguards are being cracked by old-school con artists using new and supremely camouflaged viruses.

And, worryingly, a leading software tester has told This is Money that even internet banking users with top-level security software like McAfee, Norton or Trusteer's own Rapport download – used by 7million bank account holders – are at risk.

Read more: http://www.thisismoney.co.uk/money/saving/article-2047543/Warning-dangerous-new-viruses-look-identical-online-banking-pages.html#ixzz1aesIw8pS

[Swiss1960]

Exists for years... I have seen the first such high sophisticated attack on an e-banking system using strong authentication with CAP readers through man-in-the-middle attacks (described above) back in 2004... russian hacker group targeting a highly secure Swiss bank e-banking system... so nothing new...

- keep your anti-virus programs up-to-date

- don't download stuff from sites you don't know

- don't open mails and click on links in mails you don't know

- remember your bank NEVER sends mail asking for account details...

BUT.... 20% of the Internet users (figure in our bank...) are stupid idiots and do either or all of the above on a regular basis...

[rodcourt49]

Exists for years... I have seen the first such high sophisticated attack on an e-banking system using strong authentication with CAP readers through man-in-the-middle attacks (described above) back in 2004... russian hacker group targeting a highly secure Swiss bank e-banking system... so nothing new...

- keep your anti-virus programs up-to-date

- don't download stuff from sites you don't know

- don't open mails and click on links in mails you don't know

- remember your bank NEVER sends mail asking for account details...

BUT.... 20% of the Internet users (figure in our bank...) are stupid idiots and do either or all of the above on a regular basis...

..so what perentage of us 'stupid idiots' are your customers?

[Swiss1960]

Exists for years... I have seen the first such high sophisticated attack on an e-banking system using strong authentication with CAP readers through man-in-the-middle attacks (described above) back in 2004... russian hacker group targeting a highly secure Swiss bank e-banking system... so nothing new...

- keep your anti-virus programs up-to-date

- don't download stuff from sites you don't know

- don't open mails and click on links in mails you don't know

- remember your bank NEVER sends mail asking for account details...

BUT.... 20% of the Internet users (figure in our bank...) are stupid idiots and do either or all of the above on a regular basis...

..so what perentage of us 'stupid idiots' are your customers?

As I said... around 20% of the internet / e-commerce fraud comes from stupid idiots that

- click on EVERY link that promises money

- send card and security details to EVERY spam mail they receive (including Nigeria spams...)

- deactivate the firewalls of their computers because some sites were blocked (and firewalls really only block the worst of the world out there...)

- have either no virus protection program or have not updated it for months and years...

- just ignore EVERY warning they receive at least every three months...

and as the law does not allow us to let them pay for all the fraud caused by there stupidity, we have to write off Millions beause of them...

[Naam]

Exists for years... I have seen the first such high sophisticated attack on an e-banking system using strong authentication with CAP readers through man-in-the-middle attacks (described above) back in 2004... russian hacker group targeting a highly secure Swiss bank e-banking system... so nothing new...

- keep your anti-virus programs up-to-date

- don't download stuff from sites you don't know

- don't open mails and click on links in mails you don't know

- remember your bank NEVER sends mail asking for account details...

BUT.... 20% of the Internet users (figure in our bank...) are stupid idiots and do either or all of the above on a regular basis...

..so what perentage of us 'stupid idiots' are your customers?

As I said... around 20% of the internet / e-commerce fraud comes from stupid idiots that

- click on EVERY link that promises money

- send card and security details to EVERY spam mail they receive (including Nigeria spams...)

- deactivate the firewalls of their computers because some sites were blocked (and firewalls really only block the worst of the world out there...)

- have either no virus protection program or have not updated it for months and years...

- just ignore EVERY warning they receive at least every three months...

and as the law does not allow us to let them pay for all the fraud caused by there stupidity, we have to write off Millions beause of them...

another 20% of "sophisticated" investors use e-banking allowing transfers

[ianguygil]

Without getting too far into this as I am in a meeting, I think it is also very important to differentiate between a Virus and a Trojan, as these really sophisticated attacks we have all seen are normally Trojans. All banks had a problem with this around the end of 2009 and into 2010 and most found a layered approach to get around it.

The biggest problem in Thailand are the very large number of "idiots" who use unlicensed software. Such unlicensed software almost always comes with one or more "presents" often in the form of Trojans or other malware. I can not tell you how false a saving this is. We are just about to launch another free product for customers to help to protect them when they use our sites against Trojans and other malware. But more about that later.

I will post more on our recommended best practices later. Please note that Trojans affect all platforms. I will hear Apple fans tell me that the App Store protects them, and that is true to some extent. But given the HUGE percentage of Jailbroken i-everythings in this market, again because they are "idiots" and like to have "free" software, that partial protection is pretty much negated.

The only real protection is the multi-layered approach with out of band authentication and processing using things like SMS for sensitive transactions as we do on iBanking. Strong authentication on APPS is NO protection against Trojans, in fact I once met the CISO of JP Morgan who told me their most hacked application had tokens at logon.

More later. I am in a meeting.

Ian

[Swiss1960]

Was actually waiting for Ian to tell us "more later" so that I could compare what his bank does compared to the one I am working for... but give you my thoughts about it

First, Ian is right, there is no such thing as a fail-safe PC or App or whatever you use for e-banking. And when I say that, there is ALSO no such thing as safe smart-phones... today they get hacked on a regular basis, things like the Zeus trojan for smart-phone is widely available and on sale in special web-shops for the fraudsters. maybe when I have time, I'll tell you few stories about how this fraud industry works...

Yes, Ian is right, we need multi-layered securty systems... and all starts with the user of the system, that is YOU: You have to keep your devices safe, using personal firewalls, keep your anti-virus SW running and up-to-date (up-to-date means DAILY updates of the SW), you shall not open mails you don't know, you shall not click on links you don't know... and you shall use the latest versions of browsers availabe, i.e. browsers like Firefox that have built-in web-site checks from McAffee telling you "the website you are about to visit is deemed to have dangerous code included"... and then NOT click "I accept the risk"... and using Internet Caffee computers for e-banking generally is seen as problematic... once a Trojan / Virus is on a computer, not even the https connection does protect from this Trojan...

And then yes, we as bank will introduce many more security features that may make your life a little more complicated using our sites, but protects from the "easy" and "standard" man-in-the-middle attacks that we see (those coming from the Trojans on your PC...). So we do use strong authentication. Strong authentication means we need you to have three things:

- something that you are (user-ID, contract-ID, other authentication data)

- something you know (password, birthday of somebody...)

- something you possess (card reader, whether CAP or proprietary solutions)

That is the first step. Within our bank, we do NOT use OTP or MTAN (one-time-passwords) over SMS. We see (smart) mobile phones as the current biggest thread for security of our systems. When you ever have been dropping on a phishing web-site, you will see that those fraudsters do not only ask for your account details, but also ask for your mobile number. They will then send you an SMS and once you open it or click on a link sent in this SMS, you will download Trojans like Zeus directly on your phone... and currently, most users are NOT aware that their smart-phones can be hacked in the same manner as their Computer at home... it will take LOT of education until user's are aware of this thread...

Now finally, we also do what Ian has said, we double check sensitive transactions that user's do. Sensitive for us means, EVERY transaction, EVERY payment to a third party which has not been registered / used before. For these transactions, we do request another authentication using the CAP reader (whilst Ian's bank uses SMS codes sent). This way, we can make sure that the "real" user sees the transaction, does confirm the transaction and we can be sure that it is not the Fraudster who has highjacked the computer of our customer. You might find this to be not very user-friendly, but it is protecting your account and it is protecting our bank from the huge effort of dealing with fraud and writing off money.

There is no such thing as absolute security! Security in the Web is a combination of you guys out there being careful what you do and us the banks investing money and time into secure systems. We have teams of people scanning the Web for phising sites and fake banking sites 24 hours a day 7 days a week. We block hundreds of fake sites every week, but as soon a s site is blocked, it pops up on another server within hours only... fraudsters are highly organized, have networks around the globe and have organisational charts that match the organisational chart of every big bank's security organisation...

To summarize: We do want you to use internet banking, because it saves us a lot of cost for human interactions. BUT we do want you do use it in a safe way, as otherwise it will cost much more to undo the damage inflicted to you by the fraudster...

[TwentyBaht]

Thanks to you, Ian & Swiss1960.

Very good information.

We, the banking public, need to know this.

I'll simply add also that booting a live-cd on a pc adds a layer of protection also.

Of course, currently this would be Linux live-cd. Which, the general public is mostly not aware of.

But, I recently noticed a bank in AU was suggesting this approach.

Cheers