You read about it in the news all the time these days: “Zeus Banking Trojan steals $1 million from U.K bank accounts”or “SpyEye: New PC virus steals your money!”
More and more people are doing their banking online and criminals go where the money is. It is clear that malware designed to steal money from online banks has become a real and actual threat.
Creating banking trojans, unfortunately, is now pretty easy. There are ready made toolkits that criminals without the technical know-how can buy in order to create their own variant. A few clicks and the criminal has created his own personal piece of nastiness, designed to steal money from specific banks or accounts. Malware-as-a-service as our own Mikko Hyppönen put it.
So what exactly is a Banking Trojan? As with any other Trojan, it is a program that has been installed to your computer one way or another without you knowing its real purpose. Once there, it simply waits quietly in the background until you access your online bank. It will then start recording the information that you enter and send it back to criminals. It can now do automatic transactions in the background or alter the information that you see in order to buy time for the attacker to use your bank credentials for fraudulent transactions. Once the criminal has gotten your bank details there is no knowing what he or she can do.
So how to you protect yourself?
Here are 4 ways to make sure that when you bank on your PC, it’s as safe as it can possibly be.
1. Keep your operating system updated.
Think of your operating system as the walls around your house that keeps developing holes. Luckily, the maker of the wall will keep patching the holes. All you have to do is update your system software. You can do this on your Windows PC by going to windowsupdate.microsoft.com. On your Mac, you can go to the Apple menu and selecting “Software Update.”
2. Keep your software updated.
The programs on your PC also develop vulnerabilities that need to be patched or you may allow criminals a foothold into your life. You can update each application individually or you can use our free Health Check, which checks all of your major applications and your operating system to make sure they’re patched and protected.
3. Don’t click on links in emails from your bank.
It’s a good idea not to click on links in an email unless you specifically asked for it, such as a password refresh. A common practices is to spoof a bank’s look and send a scam email to thousands of recipients hoping to find a few that use the bank. You can avoid this by going to your bank’s site directly and calling them if you have a question.
4. Use Internet Security that has banking protection.
F-Secure’s Banking Protection automatically detects when you’re visiting an online bank. It notifies you that additional Banking Protection is enabled and adds an extra layer of security by only allowing access to banks or trusted sites that are necessary to do online banking. All other new connections will be prevented. In other words, there is no possibility for the attacker to get your bank details. Once you’re finished with your online banking, you simply end the Banking Protection mode and everything is back to normal. Sort of like unbuckling your safety belt when you’ve reached your destination. And no extra apps, plug-ins, or special browsers are required.
Banking Protection is a part of F-Secure Internet Security 2013 and works together with all the other security layers. All existing users of F-Secure Internet Security 2013 will receive Banking Protection as an automatic update in the first quarter of 2013, and those who do not want to wait can download the update now.
We hope you enjoy the protection!
Image credit: MoneyBlogNewz
This year’s Mobile World Congress (MWC) is coming up next week. The annual Barcelona-based tech expo features the latest news in mobile technologies. One of the biggest issues of the past year has enticed our own digital freedom fighter Mikko Hypponen to participate in the event. Hypponen, a well-known advocate of digital freedom, has been defending the Internet and its users from digital threats for almost 25 years. He’s appearing at this year’s MWC on Monday, March 2 for a conference session called “Ensuring User-Centred Privacy in a Connected World”. The panel will discuss and debate different ways to ensure privacy doesn’t become a thing of the past. While Hypponen sees today’s technologies as having immeasurable benefits for us all, he’s become an outspoken critic of what he sees as what’s “going wrong in the online world”. He’s spoken prominently about a range of these issues in the past year, and been interviewed on topics as diverse as new malware and cybersecurity threats, mass surveillance and digital privacy, and the potential abuses of emerging technologies (such as the Internet of Things). The session will feature Hypponen and five other panelists. But, since the event is open to public discussion on Twitter under the #MWC15PRIV hashtag, you can contribute to the conversation. Here’s three talking points to help you get started: Security in a mobile world A recent story broken by The Intercept describes how the American and British governments hacked Gemalto, the largest SIM card manufacturer in the world. In doing so, they obtained the encryption keys that secure mobile phone calls across the globe. You can read a recent blog post about it here if you’re interested in more information about how this event might shape the discussion. Keeping safe online It recently came to light that an adware program called “Superfish” contains a security flaw that allows hackers to impersonate shopping, banking, or other websites. These “man-in-the-middle” attacks can be quite serious and trick people into sharing personal data with criminals. The incident highlights the importance of making sure people can trust their devices. And the fact that Superfish comes pre-installed on notebooks from the world’s largest PC manufacturer makes it worth discussing sooner rather than later. Privacy and the Internet of Things Samsung recently warned people to be aware when discussing personal information in front of their Smart TVs. You can get the details from this blog post, but basically the Smart TVs voice activation technology can apparently listen to what people are saying and even share the information with third parties. As more devices become “smart”, will we have to become smarter about what we say and do around them? The session is scheduled to run from 16:00 – 17:30 (CET), so don’t miss this chance to join the fight for digital freedom at the MWC. [Image by Hubert Burda Media | Flickr]
We have repeatedly countered the arguments that people don’t have anything to hide, and can comfortable ignore the privacy threats on the Internet. That’s a very unwise attitude and here’s some more examples why. We have also talked a lot about on-line scams and how to avoid them. A key challenge for any scammer is to be trustworthy in the eyes of the victim. And this is where your data enters the picture. I have written a story about how a scammer can be more convincing if he knows your travel plans. Let’s cover a more business-oriented case this time. A controller at a firm in Omaha, Nebraska received mails from the CEO asking him to make a series of money transfers to China, and he transferred a total of $17.2 millions. Yes, you guessed it. The sender was not the CEO and a scammer made a nice profit. The obvious lesson we learn in both these cases is naturally that mail isn’t trustworthy. Mail itself does not provide any kind of sender authentication. The sender address is easily faked. Authentication of the other part must rely on the mail contents, a cryptographic signature or information that only the perceived sender can know. And this leads us to the less obvious lesson we can learn here. It looks like the Ohama-scammer had information about the victim. He knew who can handle money transfers. He also knew that the CEO had some business in China, which made the transfers sound legit. He probably also knew that this person doesn’t meet the CEO face to face daily as that would have ruined the scam. Part of this info is publicly available, like the name of the CEO. We don’t know how he got hold of the rest, but it is obvious that it helped the scammer. So here we have an excellent example of how criminals can utilize tiny grains of info to scam huge piles of money. But what should this Ohama-company have done differently? The controller should have called the CEO to verify the transactions. The company should analyze what info the scammer had, and go through their security policies. And that is pretty much what private persons should do too. Learn to think critically when someone approaches you by mail and verify the sender if in doubt. Also guard all your data to make this kind of targeted attack as hard as possible. This company responded by firing the controller. That's not an option for you if you fall for a scam and let go of your own money. Safe surfing, Micke PS. Was it right to fire the controller? Hard to say. Part of the responsibility naturally lies on the one who was gullible enough to trust an e-mail. But it also depends on if the company had proper rules in place for validating transfer requests. Did he break any concrete rules when sending the money? If he didn't, then the company is responsible too. Photo by Images Money
Ordinary people here in Finland have been confronted with yet another cybersecurity acronym lately, DoS. And this does not mean that retro-minded people are converting back to the pre-Windows operating system MS-DOS that we used in the eighties. Today DoS stands for Denial of Service. This case started on New Year’s Eve when customers of the OP-Pohjola bank experienced problems withdrawing cash from ATMs and accessing the on-line bank. The problems have now continued with varying severity for almost a week. What happens behind the scene is that someone is controlling a large number of computers. All these computers are instructed to bombard the target system with network traffic. This creates an overload situation that prevents ordinary customers from accessing the system. It’s like a massive cyber traffic jam. The involved computers are probably ordinary home computes infected with malware. Modern malware is versatile and can be used for varying purposes, like stealing your credit card number or participating in DoS-attacks like this. But what does this mean for me, the ordinary computer user? First, you are not at risk even if a system you use is the victim of a DoS-attack. The attack cannot harm your computer even if you try to access the system during the attack. Your data in the target system is usually safe too. The attack prevents people from accessing the system but the attackers don’t get access to data in the system. So inability to use the system is really the only harm for you. Well, that’s almost true. What if your computer is infected and participates in the attack? That would use your computer resources and slow down your Internet connection, not to speak about all the other dangers of having malware on your system. Keeping the device clean is a combination of common sense when surfing and opening attachments, and having a decent protection program installed. So you can participate in fighting DoS-attacks by caring for your own cyber security. But why? Who’s behind attacks like this and what’s the motive? Kids having fun and criminals extorting companies for money are probably the most common motives right now. Sometimes DoS-victims also accuse their competitors for the attack. But cases like this does always raise interesting questions about how vulnerable our cyber society is. There has been a lot of talk about cyber war. Cyber espionage is already reality, but cyber war is still sci-fi. This kind of DoS-attack does however give us a glimpse of what future cyber war might look like. We haven’t really seen any nations trying to knock out another county’s networks. But when it happens, it will probably look like this in greater scale. Computer-based services will be unavailable and even radio, TV, electricity and other critical services could be affected. So a short attack on a single bank is more like an annoyance for the customers. But a prolonged attack would already create sever problems, both for the target company and its customers. Not to talk about nation-wide attacks. Cyber war might be sci-fi today, but it is a future threat that need to be taken seriously. Safe surfing, Micke Image by Andreas Kaltenbrunner.