Click, the BBC’s flagship technology show on BBC News and BBC2 (when you can find it), ran an in-depth piece on Internet security last week (4 Feb 2012) and it actually imparted more than two pieces of information! You could tell presenter Spencer Kelly was enjoying getting his teeth in to a proper story as a change from all the fluffy surface-skimming items he usually has to grin his way through.
The focus was on Internet banking, with a detailed explanation of the current technology and an intelligent assessment not only of the present and future threats but of the available remedies. Spencer writes a lengthy post on the BBC technology blog.
Hackers outwit on-line banking identity security systems, despite the official figures showing fraud fell significantly. Acknowledged on-line banking fraud losses were reported as £16.9 million in the first six months of 2011, according to Financial Fraud Action UK. Knowing the banking industry, with its reputation built on confidence, this is likely to be much higher.
Criminal hackers have found a way round the latest generation of on-line banking security devices given out by banks, all enabled by malware, the cleverest of which is able to mount ‘Man in the Browser’ attacks, intercepting users’ data a after logging in to bank’s real sites.
In another scam, account holders are being tricked by the offer of training in a new “upgraded security system”. Money is then moved out of the account which is also is hidden from the user.
While various bank-issued chip and pin devices (PINSentry from Barclays and SecureKey from HSBC) make the hackers’ job more difficult, by asking users to insert a card or a code to create a one-use unique key at each login, the hackers themselves have raised their game, developing morphing malware which is difficult to detect.
In a test of current security software, the majority of programs on standard settings could not spot that a new piece of malware created in the software testing lab was behaving suspiciously. They are, of course, general-purpose security tools that are reliant on behavioural analysis and/or ‘signature’ updates to spot new threats. Every time a new update to the malware is released, it takes the security companies a number of days or even weeks to learn how to detect it.
“One security company did privately concede that, if this threat had come from a source not known to be bad and started communicating with a web address also not on the black-list of “bad” sites – until they had discovered and analysed it – it probably would have beaten their protection.”
Which sounds a dramatic confession, but in acknowledging the real-world cat and mouse game with the hackers, is fair comment.
The expert guests advocate not only following banks’ advice AND using up-to-date anti-virus software but even to double-up on anti-malware programs as extra defence (which is fine until they trip over each other in practice).
Spencer Kelly on Your and Yours BBC Radio 4 discussing the issue (audio only)
Watch the full report on Click on the BBC News Channel (Saturday 4 February).