SpyEye Trojan defeating online banking defenses - Computerworld

John Teller jsteller at spottydog.us
Tue Aug 2 19:45:25 CDT 2011 

These days giving a check to a stranger provides them with nearly all 
the information they need to hack your account.  Think of it - a nice 
piece of paper that contains not only your signature, but the bank you 
work with and your account number - as well as the number of checks 
you've written etc.

---JST



On 08/02/2011 07:03 PM, Richard wrote:
>
> Hi All,
>
> Bob, I wonder if online banking is worth bothering with.  I read what 
> you had to say.  As I understand it, one can do everything the right 
> way, and still get hacked.  It seems so much easier just to write a 
> check, and mail it.   There are risks here too, but is would seem much 
> safer, and easier to prove one's case if there was fraud.
>
> Best Wishes
> 73s
> Richard Demaret
> KI4KXJ
>
> --- On *Sun, 7/31/11, Robert Stratton /<bob at stratton.net>/* wrote:
>
>
>     From: Robert Stratton <bob at stratton.net>
>     Subject: Re: SpyEye Trojan defeating online banking defenses -
>     Computerworld
>     To: "Richard" <revo753 at yahoo.com>
>     Cc: "Tacos" <tacos at amrad.org>
>     Date: Sunday, July 31, 2011, 12:24 PM
>
>     I'll give you my two cents, from the perspective of someone who
>     used to run a lab at one of the larger security software companies.
>
>     The bottom line is that you have to weigh the risks against the
>     work involved in taking measures to protect yourself. I don't
>     think it's exactly prohibitive to run a tight ship, but being
>     lackadaisical is fraught with peril. I apologize in advance if any
>     of this seems obvious, but taken together, they're pretty much the
>     minimum I'd consider conscientious.
>
>     I think there are things a prudent user can do to make the risk
>     manageable, but nothing is without risk. As mentioned earlier on
>     this list, getting some form of two-factor authentication token
>     from your bank is a good first step.
>
>     Don't be fooled by whizzy features on the bank sites like "virtual
>     PIN pads" where you have to click on buttons rather than typing
>     your password/PIN into a form field. The problem is that some of
>     those simply fill in a hidden field, and malware captures the
>     stored form _after_ that process, so it doesn't buy any additional
>     security.
>
>     The best thing you can do is to have a computer that you keep
>     up-to-date with current patches, and a
>     ***browser that you keep up-to-date with patches and don't use for
>     anything else***.
>
>     Log out with the log out button when you're done with your banking
>     session. Your banking computer should have legit, updated
>     anti-malware software on it.
>
>     Unfortunately, there are lags between the discovery of bugs by
>     malefactors and incorporation of signatures into the AV products
>     by vendors. The same is true of operating system bugs and updates.
>     That's part of why there will always be risk.
>
>     If you really want to be fastidious, I suppose you could avoid
>     keeping your banking computer connected to the Internet when not
>     in use, but you'd have to balance that against the need to
>     download updates.
>
>     Ideally, try to find anti-malware products that also include
>     features like
>     - periodic automatic scans of your whole computer. Yes they take
>     forever. Have them run in the middle of the night when you're not
>     on your machine.
>
>     - whitelisting of legitimate files/downloads and "reputation"
>     scores for things you download
>
>     - data loss prevention - some of these allow you to specify
>     information that shouldn't ever leave your computer without your
>     specifically allowing it (like your social security, driver's
>     license, or credit card numbers) or files that shouldn't be sent
>     without permission, and will flag you if something tries to
>     access/transmit them.
>
>     Even if you don't use that particular browser for other
>     activities, it's still important to exercise some judgement about
>     what you download or upon which you click. If you get electronic
>     mail purporting to be from your bank, favorite shopping site, or
>     PayPal, it's important to be sure that it's real before you click
>     on it. In some cases, simply having the message rendered in the
>     preview pane is enough to infect your system with malware, which
>     is why having some sort of anti-malware software is important.
>
>
>     ----- Original Message -----
>     >
>     >
>     >
>     > Hello All,
>     >
>     > In reading the article, I can only wonder: Is online banking worth
>     > the risk?
>     > What do you think?
>     >
>     > Best Wishes
>     > Richard
>     > KI4KXJ
>     >
>     >
>     > _______________________________________________
>     > Tacos mailing list
>     > Tacos at amrad.org
>     > https://amrad.org/mailman/listinfo/tacos
>     >
>
>
> _______________________________________________
> Tacos mailing list
> Tacos at amrad.org
> https://amrad.org/mailman/listinfo/tacos

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://amrad.org/pipermail/tacos/attachments/20110802/8789aa1d/attachment.html>

More information about the Tacos mailing list