Monday, October 26, 2009

Windows and Online Banking, Like Oil and Water

Enterprise IT Planet did a story regarding online banking and Windows. Again, it's not necessarily Windows that is the problem. The problem is that 93% (as of July) of Internet users employ Windows and so that's what is being targeted. If everyone switches over to Linux, as recommended below, then so will the bad guys redirect their malware efforts towards targeting that platform. Why are people stuck on band-aids? Swipe, Don't Type. Eliminate phishing completely don't educate people how to recognize it. It's unrecognizably sophisticated and will become even more so. So don't click, don't type, don't not enter. Swipe, Encrypt, Transmit....



By Michael Horowitz

October 26, 2009



In August I wrote an article here that suggested rather than doing online banking from a Windows computer, a much safer approach is to re-boot using Linux (either from a CD, USB flash drive or a memory card) and running Firefox under Linux to access banking websites. (Editor's Note: It's a lot easier to plug in a HomeATM device into the USB port and bank via that separate machine)



Now, a consensus seems to be forming behind this idea. The cons"senses" should be forming around the idea to use a separate machine for online banking. That separate machine is the HomeATM.



For months, Brian Krebs has been writing in the Washington Post about companies, municipalities and school districts that suffered large losses due to online banking fraud. The impetus for my article came from one of his first stories.



After interviewing businesses that suffered these losses, Krebs would inevitably be asked by the owners of the business about protecting themselves going forward. Addressing this in a recent column, he said:
"The simplest, most cost-effective answer I know of? Don't use Microsoft Windows when accessing your bank account online. I do not offer this recommendation lightly ... But I have interviewed dozens of victim companies that lost anywhere from $10,000 to $500,000 dollars because of a single malware infection. I have heard stories worthy of a screenplay about the myriad ways cyber crooks are evading nearly every security obstacle the banks put in their way ... all of the attacks shared a single, undeniable common denominator: They succeeded because the bad guys were able to plant malicious software that gave them complete control over the victim's Windows computer."

The rest of the column goes on to discuss security measures taken by assorted banks and how the bad guys breached every one of them.



Antivirus and Anti spyware Software



If you think anti-virus and/or anti-spyware software will protect a Windows computer, think again. You are certainly safer running anti-malware software but you are not safe. As Randy Abrams of ESET put it recently, "There was a day that anti-virus software could protect you against almost all of the viruses in the world, but that day was significantly more than a decade ago."



Anti-malware software is only one line of defense, and it cannot be your only defense. Whether anti-malware software protects you 10 percent of the time or 90 percent of the time, everyone agrees that it cannot protect you 100 percent of the time.



In one case that Krebs wrote about, the malware that drained the bank account first infected the computer a year earlier, despite antivirus software. When I'm called on to clean up an infected computer, I always run a handful of anti-virus and anti-spyware programs. Normally, the third, fourth and fifth scans find malware that the first few products missed.



The amount of malware targeting Windows is staggering.



Just days after my previous article on online banking was published, Trend Micro reported that "... in the first six months of 2008 ... 253.4 million systems were infected with malware. The comparable volume for 2009 is almost double at 491.2 million." The same blog posting says that AV-Test.org is finding more than a million new malware samples every month. In the good old days of 2007, they had only 5,490,000 samples of malware....


Continue Reading





Reblog this post [with Zemanta]

Hypercom Teams with Voltage Security in Fight Against Fraud





Scottsdale, Ariz., Oct. 26, 2009 -PIN Payments News Blog– Hypercom Corporation (NYSE: HYC) today announced key initiatives to step up the payment card industry’s ability to attack payment card data fraud. Effective immediately, the Company is bringing its Asia-Pacific-based EFTSec Server™ payment data encryption technology to North America, Latin America and Europe, teaming with Voltage Security, Inc. to deliver highly innovative and scalable cryptographic technology, and forming a global data protection business unit to address customer-specific security threats with five key approaches to data security.



“We are bringing to market innovative and highly adaptable security solutions that can meet each of our customer’s individual implementation requirements and technology choices to protect cardholder data and preserve cardholder trust in the integrity of the electronic payments system,” said Philippe Tartavull, Chief Executive Officer and President, Hypercom Corporation. “Banks, processors, retailers and consumers will not tolerate endless attacks and incessant expenditures on card data security. Just as the threats are multi-faceted, so too must be the security approaches to counter these threats.”



Delivers Five Key Components Required to Protect Payment Card Data



End-to-End Payment Data Protection: Hypercom believes end-to-end payment data protection encompasses protecting data throughout its lifecycle—not only encrypting it when in transit but also when at rest in a merchant or payment processing enterprise environment. Hypercom also believes that the scope of payment data protection includes the use of strong security technology throughout the design, deployment, operation and maintenance of payment terminals and their applications including the loading and storage of debit keys that reside on those devices.

  • Line Encryption for Data in Transit: Line encryption encrypts cardholder data during transaction processing, starting at the payment terminal and ending at a trusted point where the data is decrypted. That trusted point can be within a large merchant or payment service provider environment. Hypercom was the first electronic payment solutions provider to initiate card data encryption with its EFTSec technology introduced in 2006. Developed to combat attacks then prevalent in several Asian countries, EFTSec is now the defacto industry standard for payment terminal initiated link encryption in Asia. EFTSec is already in use by seven major banks with combined assets of more than US$178 billion, and licensed to and implemented by several major terminal manufacturers. Unlike recently introduced competing solutions that require customers to purchase custom equipment or utilize third party decryption services, EFTSec leverages existing network infrastructure.


  • Protection for Data End-to-End: Hypercom has teamed with Voltage Security, Inc. to implement cryptographic technology that delivers an array of end-to-end encryption across its product line. Management of card data at rest and in use is critically important and must be protected at all times. That said, portions of the data must be available for legitimate business purposes. Voltage’s technology provides businesses with strong protection without compromising flexibility or requiring major changes to existing business processes. The key benefit for banks, processors and large retailers: provides the technology to protect cardholder data throughout the enterprise.


  • Protection for Data During Operation and Maintenance: Protecting the operational procedures and maintenance of payment terminals is just as important as protecting cardholder data. Hypercom’s HyperSafe® suite of security products defends terminals from rogue applications and malware, protects the terminal management system from communicating with fraudulent terminals and provides the industry’s only remote key management system. The key benefit for banks, processors and large retailers: protects their investment in the point of sale estate, reduces the potential for fraudulent use of terminals and ensures the secure transport of cryptographic keys.


  • Virtual Terminals: Segmenting a merchant’s point of sale system data from payment data is one method of reducing the scope of PCI DSS compliance for merchants. Virtual terminals are web-based secure platforms which easily integrate payment processing and business critical processes with ubiquitous client side applications and devices. By utilizing advanced server capabilities such as Hypercom’s SmartPayments™ and Wynid® product suites, data segmentation can be easily achieved, enabling “large store functionality” for mid-size business environments. The key benefit for small and mid-size retailers: provides top-level security for sensitive cardholder data, reduces PCI DSS compliance costs.


  • Card Authentication: In addition to complete enterprise-wide end-to-end payment data protection, Hypercom supports the strengthening of card authentication as an important tool to prevent card skimming. Hypercom supports a number of technologies that, if broadly adopted, would significantly reduce fraud through card skimming. Technologies include contact and contactless chip cards, and Magnetic Stripe Image Authentication. Magnetic Stripe Image Authentication is an innovative dynamic digital authentication solution that detects counterfeit magnetic stripe credit, debit, gift and ATM cards. Whenever a card is used at a payment terminal, magnetic stripe security imaging authenticates the card’s legitimacy in real time by matching each magnetic stripe’s unique ‘noise fingerprint’ against the ‘fingerprint’ originally obtained from the legitimate card. The key benefit to retailers: protects the cardholder against credit card ‘skimming’ fraud wherein criminals copy the data encoded on a legitimate card and produce a fraudulent card.


“Hypercom is setting a new global card protection standard by bringing to market the payment industry’s widest choice of protection options to protect businesses and simplify implementation,” said Mark Bower, Vice President, Product Management, Voltage Security, Inc. “Hypercom has long been recognized as the leader in payment security and we are delighted to team with them to help businesses worldwide.”



Forms Data Card Protection Business Unit



Hypercom’s new Global Data Protection Business Unit will consult with customers to determine individual system configurations, security threats and the best security solutions to address their specific needs, and then direct the implementation. TK Cheung, Hypercom’s Vice President, Global Quality and Security, heads the new business unit. He also serves as Vice Chairman and Chief Technical Officer of The Secure POS Vendor Alliance (SPVA).



“One solution does not fit all when it comes to payment card data protection. The payment industry is highly complex and requires a range of solutions each of which can protect the various elements that comprise an end-to-end solution. To that end, we are making available the smartest array of security approaches providing choices for businesses of all types to fortify their defenses and protect cardholder data against current and future threats. The addition of Voltage Security’s end-to-end encryption to our arsenal of crime-fighting technologies together with EFTSec and HyperSafe suite of security products allows us to deliver the industry’s most comprehensive selection of security solutions,” said Mr. Cheung.



Mr. Cheung has more than 30 years of experience in the telecommunications and electronic payment industries. Prior to his current positions, Mr. Cheung was Managing Director for Hypercom’s Asia-Pacific region, where he successfully launched the hardware and software based EFTSec security products to combat increasing levels of credit card fraud prevalent to this region and to satisfy stringent customer requirements.



For information on EFTSec, visit: http://www.hypercom.com/products/eftsec.asp .

For additional information on Voltage Security, visit: http://www.voltage.com .



About Hypercom (www.hypercom.com )



Global payment technology leader Hypercom Corporation delivers a full suite of high security, end-to-end electronic payment products and services. The Company's solutions address the high security electronic transaction needs of banks and other financial institutions, processors, large scale retailers, smaller merchants, quick service restaurants, and users in the transportation, petroleum, healthcare, prepaid, unattended and many other markets. Hypercom solutions enable businesses in more than 100 countries to securely expand their revenues and profits. Hypercom is a founding member of the Secure POS Vendor Alliance (SPVA) and is the second largest provider of electronic payment solutions and services in Western Europe and third largest provider globally.



Source: Company press release.

In Banks We Mistrust - New Aite Report















A New Report From Aite Group
In Banks We Mistrust: Something the French, Americans and British Agree Upon


Engendering a minimum level of consumer trust is insufficient for banks to drive referrals or customers' intention to grow their relationships with their bank.



Boston, MA, October 21, 2009 – A new report, issued jointly by Aite Group, LLC and Plenitudes Prospective & Management, explores the degree of trust that U.S., U.K. and French consumers have in the financial institutions with which they do business.



Based on a February 2009 survey of 1,222 consumers in the United States, United Kingdom and France, the report identifies drivers of consumer trust in banks, and how trust levels impact consumers' relationships with their banks.



Though the level of consumer trust in banks varies across countries, few consumers in the U.S., U.K. or France have a high degree of trust of banks in general. Consumers are more forgiving of their primary bank, however, with 22% of U.S. consumers expressing a great deal of trust in their primary bank, compared to only 4% of U.S. consumers expressing a great deal of trust in banks in general.



And despite the financial crisis in the United States, Americans still have a higher level of trust in their banks than British or French consumers have in theirs. In order to assess the level of trust consumers have in banks, Aite Group and Plenitudes define four dimensions of trust - symbolic, institutional, relationship and cognitive - and find that the most valuable trust dimension is the one consumers generally view to be the weakest.



"High levels of trust drive both referral behavior and future purchase intention," says Ron Shevlin, senior analyst with Aite Group and author of this report. "Engendering a minimum level of consumer trust is insufficient for banks to drive referral behavior or customers' intention to grow their relationships with their bank. While cognitive trust attributes - like competency and efficiency - are considered the most important drivers of trust by consumers in the U.S., U.K. and France, consumers in all three countries agree that these attributes do not describe their banks to the extent that other trust attributes do."



This 35-page Impact Report contains 25 figures and three tables. Clients of Aite Group's Retail Banking services can download the report by clicking on the icon to the right.



Related Aite Group Research:





Boston, Oct. 26, 2009 -– A new report from Aite Group, LLC assesses the true costs assumed by the card industry when U.S. cardholders experience difficulties making card payments abroad. The report is based on a September 2009 Aite Group online survey of 1,019 U.S. resident cardholders that traveled to countries outside of Canada, the Caribbean and Mexico between 2006 and 2009. It provides insight into the frequency of failed card payments abroad, the emotional response and lingering effect caused by failed card payments, and how the U.S. card industry can address this problem.



The promise of ubiquitous card payments acceptance falls apart once U.S. cardholders cross their national border. For cardholders traveling to one of the most popular destination for U.S. travelers - Western Europe - over the past three years, there is an almost 50% chance that they have experienced some form of problem using a U.S. payment card. Aite Group estimates that 9.7 million U.S. cardholders experienced issues with card payments abroad in 2008, and that the U.S. card industry missed out on US$3.9 billion in transactions and US$447 million in revenues as a result of these lost card payments. Interestingly, the responsibility for the majority of negative issues experienced by U.S. cardholders abroad lies squarely on the shoulders of U.S. card issuers, which cause 64% of the deterrents.



"Nearly two-thirds of cardholders adjust payment behavior after a bad experience, directly resulting in lower usage of the problem card," says Nick Holland, senior analyst with Aite Group and co-author of this report. "An issue caused by incompatible card technology is treated far more seriously by cardholders than issues stemming from card acceptance, fees or merchant policies. A quarter of cardholders experiencing these types of problems will agree either somewhat or totally that the problem ruined or almost ruined their trip."



This 54-page Impact Report contains 39 figures. Clients of Aite Group's Retail Banking service can download the report.



Related Aite Group Research:



Engaging Gen Y: Cultivating a New Generation of Banking Customers

Card Data Security: In Search of a Technology Solution

The Card Industry: Between a Rock and a Hard Place

The Mobile Transactions Landscape: Mapping New Territory

Aite Group Study on 2010 Capital Markets IT Spending Trends



Aite Group, LLC invites C-level technology and operations executives at securities firms to participate in an important survey and share their views on U.S. IT spending trends in the capital markets for 2010.*  he survey should take approximately 15 minutes to complete. For your participation, you will be entered into a drawing for a Dell Inspiron 11z Netbook.



To participate, please click on the following link: http://aitegroup.2010ITPrioritiesSpend.sgizmo.com

*All responses will be reported anonymously and in aggregate. Individual responses will remain strictly confidential.



About Aite Group, LLC

Aite Group is a leading independent research and advisory firm focused on business, technology and regulatory issues and their impact on the financial services industry. It was founded by leading industry experts in Banking and Securities & Investments. Aite Group brings together a team of business strategy, technology and regulatory experts to deliver comprehensive, timely and actionable advice to financial institutions and technology vendors. It seeks to become a true partner, advisor and catalyst by exchanging ideas with and challenging basic assumptions of its clients, ensuring that they always stay one step ahead of the competition.



Source: Company press release.

MasterCard Announces Webcast Scheduled on November 5th

MasterCard IncorporatedImage via Wikipedia

Purchase, N.Y., Oct. 26, 2009 -- On Thursday, November 5, Chris McWilton, president, U.S. Markets for MasterCard (NYSE:MA) will participate in the SunTrust Robinson Humphrey Business Services Unconference in New York City. The discussion will begin at 1:00 p.m. (EST) and last for approximately 40 minutes.



A listen-only live audio webcast will be accessible through the Investor Relations section of the MasterCard website at www.mastercard.com. An audio replay of the session will also be available for 30 days at the same website location.



About MasterCard Incorporated



MasterCard Incorporated advances global commerce by providing a critical economic link among financial institutions, businesses, cardholders and merchants worldwide. As a franchisor, processor and advisor, MasterCard develops and markets payment solutions, processes approximately 21 billion transactions each year, and provides industry leading analysis and consulting services to financial-institution customers and merchants. Powered by the MasterCard Worldwide Network and through its family of brands, including MasterCard® Maestro® and Cirrus® MasterCard serves consumers and businesses in more than 210 countries and territories. For more information go to www.mastercard.com .



Source: Company press release.
Reblog this post [with Zemanta]

Here's An Online Banking Promotion That Works!



I've been blogging about the inherent weakness surrounding online banking.  I've even used the toaster analogy when it comes to providing banks with an online banking promotion.  Instead of giving away a toaster, they should give away our online banking HomeATM.  Heck, it's less expensive than the promotions they are currently running and it would solve a problem.  It would eliminate phishing, it would eliminate fear, it would eliminate anxiety and it would eliminate the already obsolete username/password log-in procedure. 



It would attract customers looking for security, it would create trust, it would create loyalty and it would create peace of mind.  Why give away $125?  When that's gone there's nothing there.  Why not provide a promotion that "enables" the online banking customer to conduct safe and secure eCommerce transactions, such as funds transfers, online bill payments and more?



Here's an interesting article on the return of banking promotions.  Banks simply need to decipher what will have the strongest long-term impact.   I would use logic to infer that by giving away our Online Banking HomeATM, banks would not only drastically reduce fraud, but they would drastically increase loyalty and profit from the transactional revenue model derived each time a customer swiped their card in their new device in order to conduct a safe and secure "outside the browser" eCommerce payment...



From the Houston Chronicle:



Banks offering ‘free' money

Banks that survived the bust try new ways to entice customers











Uncertainty in the banking industry means banks are trying harder than ever to recruit new clients who might be fleeing from competitors.

Resources

BIGGER THAN A TOASTER

Here are some recent promotions offered by banks with branches in the Houston area:

Chase

• Promotion: $125 bonus offer to targeted customers for opening a new checking account, plus rewards and cash back for existing checking account holders.

• Fine print: $100 minimum opening deposit, and set up direct deposit.

Wells Fargo

• Promotion: $50 bonus for a new checking account, expired Aug. 15.

• Fine print: $100 minimum deposit.

Bank of America

• Promotion: $100 bonus for opening a checking account this summer, now expired.

• Fine print: Minimum $250 deposit, plus use the bank's online bill pay service for at least two bills within 30 days.

BBVA Compass

• Promotion: Win an iPod Touch.

• Fine print: Current customers can earn entry points for signing up for and using a check card, switching to paperless statements, using direct deposit and online bill pay. Runs through Dec. 31.

Capital One Bank

• Promotion: $50 bonus for opening a savings account online.

• Fine print: Open your first account by Nov. 25 and deposit $10,000 or more.

TDECU

• Promotion: Save 30 cents a gallon at Buc-ee's gas stations when you fill up with your debit card.

• Fine print: Participating Buc-ee's stores until Oct. 31.

Source: bank promotional materials



The banking industry has always been highly competitive. But as smaller banks fold in waves nationwide and the behemoths lumber on with government help, surviving companies are finding new ways to entice the customers who are fleeing their competitors.



Big banks are promoting their stability and security, while smaller banks are marketing the very fact that they're not the big banks. On every level, promotions abound.



“In the '80s it was: you open a checking account and get a toaster. Now we're harkening back to that,” said Dick Barnes, a marketing consultant for the Bellevue, Wash.-based Freeland Group. “You'll see some things in the next year or two that we haven't seen in decades.”



While Barnes mentions a Seattle-area bank that did give away toasters — “it was kind of tongue-in-cheek, but it was close to a $200 toaster” — most of the promotions are financial.



In targeted mailings, Chase Bank has been offering a $125 bonus for opening a new checking account. Bank of America and Citibank offered $100 bonuses over the summer.



That's not pocket change for the banks, considering that personal checking accounts alone tend not to be lucrative, and that opening a new account can cost them roughly $200 in administrative costs, experts say.



It's a gamble they're willing to take because the market's upheaval offers new opportunities to glean clients, and banks are anxious to shore up capital reserves.



“There's a lot of money in motion, and banks need to demonstrate core deposit growth,” said Les Dinkin, a managing director at the New York management consulting firm Novantas. “The kinds of offers range from financial incentives to rewards points to gadgets. We see offers ranging from iPods to Crock-Pots.”



‘Bribing people'



A promotion may get people in the door, but banks have to find a way to keep those customers, industry analysts warn. Otherwise they'll be out the door again the next time a competitor offers them $100.



“It's not building loyalty. It's not about what you do as a bank. It's more about bribing people,” said Adam Isler, client services director for PNT Marketing Services in New York. “Given the competitive environment, that kind of short-term thinking is getting a lot of play right now.”



Rewards programs are one way to ensure customers stay around longer and do more banking, Isler said. Companies like Chase and Capital One Bank use rewards to encourage customers to use their debit card, pay bills online, and take advantage of other features.



Chase has long offered rewards, said company spokesman Greg Hassell, but it is emphasizing them more lately and rolling out new benefits for current customers.



“The strategy behind that is to get the checking account as the core relationship. Then if you have that, you can get a better deal on your CD, on your mortgage, on your car loan,” he said. “You can deepen your relationship with the customers.”



Smaller financial institutions aren't offering incentives on the same scale, but many see their own opportunity in the chaotic market. They've upped their marketing efforts, promising good customer service without the flashy promotions.



“We don't really have what you might call loss leaders out there at this time,” said Graham Painter, executive vice president at Houston-based Sterling Bank. “We're pricing things effectively for the market and doing a lot of what you might call knocking on doors.”



‘A flight to safety'



Local credit unions, too, are finding newfound favor.



“As we watch the big banks implode, we see what you might call a flight to safety,” said Lucilla Henderson, vice president of marketing for TDECU, a credit union with 19 branches in Texas, 10 of them in the greater Houston area. “Basically our intent is to let (prospective customers) know that we're not responsible for this mess in regard to the nation's financial institutions.”



The company is also running a local promotion: Until the end of the month, members get a 30-cent-a-gallon gas discount at participating Buc-ee's stores.



As attractive as a cash bonus can be, some people say frustration with big banks makes them immune to the siren call of free money.



Orit Pennington banked with one of the giants for more than 15 years, but became fed up in recent months with new policies that she said put the bank's interests ahead of her own. Now the Houston small business owner banks with USAA, a company that offers online banking to military families. It didn't offer her an incentive to join.



“The $100 isn't worth it,” she said. jennifer.latson@chron.com



























Reblog this post [with Zemanta]

Cambridge Exposes Flaw in Barclays PINSentry Device

A team from Cambridge University's Computer Lab demonstrated how they could access an account protected by Barclays' online card reader system.



Some banks, including Barclays, are giving online customers hand-held card readers - devices used to help raise security on transactions which are vulnerable to fraud because they can be carried out with card details only and do not require a PIN or signature.



The card reader gives the user a unique pin code every time it is used, allowing the consumer to assert, even from a distance, that they are in possession of the genuine card and not just the details of that card.





But the Cambridge team say that by using a fake chip and pin terminal attached to a laptop the fraudster can learn the customer's name and unique pin code.



A Video Demonstration of the Barclays Hack can be seen by clicking here...



Once they have also tricked the customer into giving out their bank membership number, the fraudster can go into the online account and make transactions. According to Steven Murdoch at the lab, this fraud is already being perpetrated. He said: "I believe this is something fraudsters are already doing, the technology has been out there and they've had time to learn how to do it."



Barclays told the BBC it did not believe this demonstration to be a plausible risk.



Read the Entire Article from the BBC Here



The full report can be seen on Inside Out in the East 1930 BBC One on 26 October .




 

Reblog this post [with Zemanta]

"Pizza Boy" Hacks into ATM





According to Finextra, a "Pizza Boy" hacked into an ATM's hard drives, changed their settings, stole $30k, got caught, was  facing two years in prison, but agreed to pay the money back and join the Australian Military in exchange for no jail time...

Pizza boy uses ATM manual to steal A$30,000 in under an hour



An Australian pizza boy who hacked into ATMs and changed their settings before stealing around A$30,000 in under an hour has escaped a prison term, according to local press reports.



In 2007, Brian Sommer, 23, used information he found on the Internet and in an ATM handbook to hack into cash machine hard drives and change their settings, enabling him to withdraw huge amounts of money.



He stole A$21,120 from an ATM at a service station in Bundaberg, Queensland, before taking a further A$7500 from another machine in nearby Hervey Bay, according to the Fraser Coast Chronicle.



However, his plan had a major flaw - to make the withdrawals he used his own card and those of his mother, girlfriend and two friends.



Continue Reading at Finextra

Phishing Surge Causes Concern





FROM THE EDITOR





Phishing surge causes concern

[by Eric B. Parizo, Senior Site Editor]

eparizo@techtarget.com







Here at SearchSecurity.com, we've been tracking phishing attacks for years, but this month's headlines leave little doubt that phishing has reemerged as a top-of-mind threat to enterprise information security.



Proving just how widespread and pervasive organized phishing has become, just a couple weeks ago the FBI and Egyptian authorities announced they had charged nearly 100 people in the U.S. and Egypt with allegedly sending out phishing email messages that directed victims to malicious webpages cloaked as legitimate banking sites. It was the largest number of defendants ever charged in a cybercrime case, and it's merely the tip of the iceberg.



Earlier this month, we reported that gangs of cybercriminals have fueled a dramatic increase in new phishing websites and rogue antivirus programs, and the number of unique phishing websites is closing in on an all-time high. InGuardians' Ed Skoudis said in a recent edition of our Security Wire Weekly podcast that attackers continue to use spear phishing Web content and emails to exploit individual client machines, and from there can easily gain access to any other enterprise resource -- including servers and databases with sensitive or mission critical data.



With so many ways to distribute phishing attacks -- email, websites (both legitimate and rogue) and emerging methods like social networking services -- experts say that the average Internet user could come face to face with a phishing attack at virtually any moment. The digital underground knows how much money stands to be made from phishing, and attackers keep cashing in -- often at the expense of enterprises that haven't mounted a proper defense.



So where should a defense against phishing begin? Security expert Eric Ogren argues that technology -- such as the use of SSL and certificates, as well as security-aware DNS services -- can help, but enterprise security organizations must launch their own user-focused antiphishing programs. Show end users what recent and proven phishing attacks look like, and do so often; getting users' attention regularly is the only way to enforce good habits. For those enterprises looking to take phishing prevention to the next level, expert Sherri Davidoff has advice on how to use social engineering tests to prevent phishing attacks.



Phishing isn't going away anytime soon, so invest the time now to make sure your enterprise has its antiphishing strategy in place. I've included a few more helpful resources below.



Stay safe out there,

Eric

Clampi Online Banking Trojan Wreaks Havoc

Clampi Trojan Virus Attacks the World of Online Banking







From Fight Identity Theft dot com...



July 2009 not only brought the hopes of fun summer activities, but it also brought the new vicious Trojan virus called Clampi.



Clampi is a newly sophisticated virus designed to attack online banking systems.  And unlike most Trojan viruses this virus can be picked up from trusted sites like blogs, online magazines, search engines and mainstream news websites, not just gambling and pornography sites.  It also is only designed to attack computers running the Microsoft Windows operating system.  So Mac users are safe from Clampi, for now.


Currently, Clampi is tracking over 4,500 financial websites.  Most Trojan viruses usually track 30-40 sites at a time.  Clampi is designed to watch: banks, credit card companies, e-mails, retail sites, utilities, online casinos, wire transfer services, share brokerages, government sites and mortgage lenders. Clampi is also not just limited to the United States.  It has been found attacking in the United States, Britain and other English speaking countries.

How Clampi Operates

Once Clampi has been picked up it settles into your computer and waits.  What does it wait for?  It waits for the user to log on to a bank account, credit card or some other financial website.  Once the login information is entered, Clampi grabs it and shoots it to the cyber criminal's computer.  From there the criminal uses the information to fulfill their desires.  Whether it is taking money from a bank account, using a credit card to make purchases or reek whatever havoc they may.



Continue Reading at FightIdentityTheft.com

Disqus for ePayment News