20040731

Worst article ever?

OK, maybe this isn't the worst article ever written about computer security, but I think it comes pretty close. From the Guardian, a story headlined "Computer 'spy' that could clean you out".

Here are some extended excerpts:

Spies sitting in your computer could be sending signals to international fraudsters determined to clean out your bank account or use your credit card.

"Spies" "sitting" in my "computer"? Puh-lease.

No one is safe - even the mighty Google computers collapsed on Monday in the face of concerted hacker attack.

Wrong, wrong, wrong. Google suffered some delays and minor outages as the side-effects of a worm that used search queries to mine for new email addresses to send itself to. This has nothing to do with the rest of this story.


And figures from the national crime squad estimate that computer-enabled financial fraud added up to £195m in 2003 - a figure that is set to grow fast.


I'd like to know if, in the 21st Century, there is any serious financial fraud that is not "computer-enabled". What is the figure for fraud against individuals using phishing and key-logging as opposed to, say, the figure for family members or friends stealing credit cards, or muggings?

Jobs & Money can reveal that fraudsters are now moving away from the simplistic "phishing" first seen late last year.

Phishing has a history of much more than a few months.


Phishing involves criminals attempting to confuse internet bank account holders into divulging user names and passwords by sending them a phony letter from their bank asking for these details to "help upgrade security."
If you comply with their instructions, they can then loot your account or use your plastic card.


Use my "plastic card"? Excuse me? How -- would I email it to them? I think what you are trying to say is that phishing scams attempt to get people to reveal their credit card details so that these can be used by the scammer.

The new menace - which has similarities to the "rogue dialler" scam highlighted in Jobs & Money recently - is called "keylogging," where a small item of computer code is sent to a user. This is usually via an email or attachment. Once this program is in the computer, it remains there until triggered by account holders logging on to a bank. Deats believes criminals have details of more than 1,000 financial institutions including all the major UK banks. The code transmits that you are online to the bank. But the real killer application is that it reads every keystroke you make, as you make it. This means it can replicate your user name and password for future use.

Aha -- so the real part of this story is to highlight the use of keyloggers to capture bank details. Why didn't you say so? Contrary to the implications here, keyloggers have been around for a very long time, and many financial institutions have taken (admittedly not very good) actions to prevent them being effective -- for example, getting you to enter some information from drop down menus rather than typing it in. Such schemes have been in effect for at least four years.

Also, you really don't know what the meaning of the term "killer application" is, do you?

These codes, sometimes known as backdoor trojans, first appeared in Brazil. More recently they have grown exponentially in the US, Australia and now the UK.

When you say 'Brazil', are you referring to the country, or the Terry Gilliam film? To talk about a phenomenon on the global internet as having a specific geographic location is somewhat silly. And "backdoor trojans" is a rather more general term than just keyloggers.

"Warnings and other actions on fake sites were effective. Now all they have to do is to entice you to an email.

Hmm, gosh, just opening an attachment in an email [in Microsoft Outlook] could cause unexpected consequences? I've never heard of that happening before. Oh wait, every dumb email virus for the last three years has done that.

They can be very clever so they will insinuate the executable keylogging code through an email offering information on storms in hurricane zones or about football if you show an interest in sport," Deats says.

Because the computer knows that you like football. And who can resist hurricane information? I know I can't.

Computer experts say they have not yet seen a keylogging trojan that insinuates itself in a system without an opened attachment but believe someone is working on this at the moment.

Computer experts have not yet seen a computer program that is as intelligent as a human being and can carry out complex conversations about the weather and what's on TV, but believe someone is working on this at the moment.

Actually, I shouldn't mock this all that much, because the whole Wintel environment is sufficiently insecure that infection without running an attachment seems quite plausible.

Fraudsters have also been helped by the growth of broadband. "Many users keep their machines online all the time - that's the big advantage. But they forget that the longer they are online, the longer they are at risk," Deats says.

Wait a minute, you were talking about email attachments. Are you suggesting that if I leave my machine on longer I will get more email? No. You are confusing email with other attacks on networked machines.

The criminals use different tactics. Some steal your details and may keep them for weeks so that even if you suspected something, you will see no action for a time.

And what difference would it make if I suspected something?

The banks are also fighting back with better software. Lloyds TSB's online users have to prove who they are by answering questions by moving their mouse - mouse moves are not yet picked up by backdoor trojans.

That's not the point: mouse motion could be easily tracked, but unless that could be linked to screen location and what was there, then not much could be done about it.
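The point about mouse entry can be made concrete with a small model. This is an added sketch, not code from the article or from any bank: the scrambled ten-cell keypad and every function name are assumptions chosen for illustration. It compares what click positions alone reveal with what click positions plus the on-screen layout reveal.

```python
import itertools
import secrets

DIGITS = "0123456789"

def new_layout(rng=None):
    """Server side (hypothetical design): shuffle which digit is drawn in each cell."""
    rng = rng or secrets.SystemRandom()
    cells = list(DIGITS)
    rng.shuffle(cells)
    return cells  # cells[i] is the digit shown in keypad cell i

def clicks_for(pin, layout):
    """Client side: the user clicks the cell in which each PIN digit is shown."""
    return [layout.index(d) for d in pin]

def decode(clicks, layout):
    """Whoever knows the layout (the server, or anything that can see the
    screen) turns clicked cells straight back into digits."""
    return "".join(layout[c] for c in clicks)

def pattern(seq):
    """Equality pattern of a sequence, e.g. '1123' -> (0, 0, 1, 2)."""
    first = {}
    return tuple(first.setdefault(x, len(first)) for x in seq)

def pins_consistent_with(clicks):
    """With positions only, an observer learns which PIN positions repeat and
    nothing else: every PIN with the same equality pattern remains possible."""
    want = pattern(clicks)
    return ["".join(p)
            for p in itertools.product(DIGITS, repeat=len(clicks))
            if pattern(p) == want]

if __name__ == "__main__":
    layout = new_layout()
    clicks = clicks_for("4829", layout)  # constructed sample PIN
    print("clicked cells:", clicks)
    print("PINs still possible from positions alone:",
          len(pins_consistent_with(clicks)))
    print("PIN once the layout is also known:", decode(clicks, layout))
```

The protection rests entirely on the layout staying hidden and changing per session; a fixed layout, or anything that records the screen along with the pointer, reduces it to nothing.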

In conclusion, it is important to understand the real dangers of fraud through online banking systems, but stupid, incorrect and badly researched scare stories like this do not help. Here is some simple advice that will help a lot:

Don't use Microsoft email or web browsing software.

Don't open attachments or HTML that is sent masquerading as email.

Don't be an idiot.

Alternatively, do be an idiot and do all these things. Since I don't, you will get your money stolen and keep the fraudsters busy, while I will be safe from their attentions while there are plenty of idiots like you to be fleeced.
