Monday, September 28, 2009

Online Banking Trojans Infesting the Web



Evidence Clearly Points towards Need for more Secure Online Banking Log-in.



Why not replicate what consumers and banks already trust to dispense money at ATM's?  Swipe Your Card, Enter Your PIN.  We've got it backwards.  Right now the only ones doing the "swiping" are the Hackers. 




There has been a mind-boggling "4995% Growth in Data Stealing Trojans since 2007"...1424% Growth in the Past Year! 37,000 New Ones Everyday!  You are aware that hackers can redirect users to "a PERFECT COPY" of the bank web site they are "EXPECTING" to see. Problem is, when log-in details are "typed/entered" they are sent to the hackers providing them with the information they need to steal you blind.



A PandaLab research that says that approximately 37,000 malware samples are discovered every day - and more that half of them are modified during the first 24 hours to bypass anti-virus programs.







Other research shows that the number of data-stealing Trojans has increased 1,424 percent in the past year (and a whooping 4,955 percent since 2007!).



The focus? Online Banking...



"Security experts have warned that the on-line banking Trojan known as Zeus or Zbot could become one of the most challenging yet, confirming the malware often goes undetected by popular anti-virus packages.



Trusteer Inc, has reported (click here for the PDF) the Trojan could already have infected as many as 1% (3.6 MILLION) of all US PCs and stands as the world’s number one botnet. The company said in tests based on data collected from consumer PCs during one day in September it found that 55% of machines were infected with the Trojan, despite 71% of the machines having to-date anti-virus systems"



Zeus, which is also known as Zbot, WSNPOEM, NTOS and PRG, is the most prevalent financial malware on the internet today, the company said.


About Zeus



Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time.  (sorry One-Time Password Phans)  Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together (or instead of) the genuine pages from the bank’s web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one time passwords and TANs, etc. 
Translation: Zeus can modify web pages from the genuine bank's servers in the user's browser and create whatever they want you to see.  Of course,  if you didn't type it...they couldn't swipe it!  







Zeus uses some rootkit techniques to evade detection and removal. Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. approximately 1% of the PCs in the US), according to a recent report.  This is backed by Trusteer’s field figures as well, as can be seen on the pie chart (left) of relative financial malware distribution: 





If the bad guys are focusing on how to steal username's and passwords, isn't it time for the good guys to focus on a better way to authenticate an online banking session.  Can you think of a better way than one which is already trusted by banks and consumers alike?  Swipe your card...enter your PIN.  HomeATM manufactures the worlds ONLY PCI 2.x PIN Entry Device designed to do exactly that.  I could MAYBE see the argument FOR username/passwords in 2002..BEFORE what we knew what we know now.  But shouldn't we KNOW BETTER?



Let's be realistic here.  A 4,995% increase in data stealing trojans since 2007?  A barrage of phishing attacks? Lawsuits against banks? The threat of losing 49% of your customers?  In my mind, requiring that consumers access their online banking session the same way they access cash at an ATM is a no-brainer... If the methodology is trusted enough to dispense CASH in real-time, it's got to be good enough to be trusted to log-in to your banking session. 
where am I wrong here?





Reblog this post [with Zemanta]

Disqus for ePayment News