SpyEye Trojan defeating online banking defenses - Computerworld

Robert Stratton bob at stratton.net
Sun Jul 31 14:24:43 CDT 2011


I'll give you my two cents, from the perspective of someone who used to run a lab at one of the larger security software companies.

The bottom line is that you have to weigh the risks against the work involved in taking measures to protect yourself. I don't think it's exactly prohibitive to run a tight ship, but being lackadaisical is fraught with peril. I apologize in advance if any of this seems obvious, but taken together, it's pretty much the minimum I'd consider conscientious.

I think there are things a prudent user can do to make the risk manageable, but nothing is without risk. As mentioned earlier on this list, getting some form of two-factor authentication token from your bank is a good first step. 

Don't be fooled by whizzy features on the bank sites like "virtual PIN pads" where you have to click on buttons rather than typing your password/PIN into a form field. The problem is that some of those simply fill in a hidden field, and malware captures the stored form _after_ that process, so it doesn't buy any additional security. 

The best thing you can do is to have a computer that you keep up-to-date with current patches, and a ***browser that you keep up-to-date with patches and don't use for anything else***.

Log out with the log out button when you're done with your banking session. Your banking computer should have legit, updated anti-malware software on it.

Unfortunately, there are lags between the discovery of bugs by malefactors and incorporation of signatures into the AV products by vendors. The same is true of operating system bugs and updates. That's part of why there will always be risk. 

If you really want to be fastidious, I suppose you could avoid keeping your banking computer connected to the Internet when not in use, but you'd have to balance that against the need to download updates. 

Ideally, try to find anti-malware products that also include features like:

- periodic automatic scans of your whole computer. Yes, they take forever. Have them run in the middle of the night when you're not on your machine.

- whitelisting of legitimate files/downloads and "reputation" scores for things you download

- data loss prevention - some of these allow you to specify information that shouldn't ever leave your computer without your specifically allowing it (like your social security, driver's license, or credit card numbers) or files that shouldn't be sent without permission, and will flag you if something tries to access/transmit them.

Even if you don't use that particular browser for other activities, it's still important to exercise some judgement about what you download or upon which you click. If you get electronic mail purporting to be from your bank, favorite shopping site, or PayPal, it's important to be sure that it's real before you click on it. In some cases, simply having the message rendered in the preview pane is enough to infect your system with malware, which is why having some sort of anti-malware software is important. 


----- Original Message -----
> 
> 
> 
> Hello All,
> 
> In reading the article, I can only wonder: Is online banking worth
> the risk?
> What do you think?
> 
> Best Wishes
> Richard
> KI4KXJ
> 
> 
> _______________________________________________
> Tacos mailing list
> Tacos at amrad.org
> https://amrad.org/mailman/listinfo/tacos
> 
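
As an added illustration of the data loss prevention feature described in the message above (not part of the original message and not any vendor's implementation), this Python example checks outbound text against a user-supplied watch list and also flags card-like numbers that pass the Luhn check. The function names, the `KEY` value, and the sample card and SSN values are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample values: a well-known test card number and a never-issued SSN.
SAMPLE_CARD = "4111 1111 1111 1111"
SAMPLE_SSN = "000-12-3456"
KEY = b"per-install-secret"  # assumption: a random key created at install time


def digits_only(text):
    return re.sub(r"\D", "", text)


def fingerprint(digits):
    # Keyed hash, so the watch list does not hold the protected values in clear.
    return hmac.new(KEY, digits.encode(), hashlib.sha256).hexdigest()


def build_watchlist(values):
    """Map digit length -> set of fingerprints of the user's protected values."""
    watch = {}
    for value in values:
        d = digits_only(value)
        watch.setdefault(len(d), set()).add(fingerprint(d))
    return watch


def luhn_ok(digits):
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def scan_outbound(payload, watch):
    """Return a sorted list of findings for one outbound payload."""
    findings = set()
    # Digit runs may be split by spaces, dots or dashes; separators are ignored.
    for run in re.findall(r"\d(?:[ .-]?\d)+", payload):
        d = digits_only(run)
        for length, prints in watch.items():
            for i in range(len(d) - length + 1):  # slide over the run
                if fingerprint(d[i:i + length]) in prints:
                    findings.add("protected-value")
        if 13 <= len(d) <= 19 and luhn_ok(d):
            findings.add("card-like-number")
    return sorted(findings)
```

Matching on digits with separators stripped means a protected number is still flagged when it is reformatted before sending, at the cost of occasionally merging neighbouring numbers into one run.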

