:00:05. > :00:10.There is a link there to click on. I will be back at the top of the
:00:10. > :00:14.hour with a full bulletin. Now it is time for Click. I have logged on
:00:14. > :00:24.to my bank website. I have entered my password. I have protected my
:00:24. > :00:35.
:00:35. > :00:39.computer. That means I am safe to This week, Click meets the man-in-
:00:39. > :00:44.the-browser who breaks into your bank by getting you to let him in.
:00:44. > :00:48.So, who can you count on to protect you? We will look at how and when
:00:48. > :00:52.your security product may let you down and whether the banks
:00:52. > :00:59.themselves can keep your cash safe. Plus, the latest tech news and the
:00:59. > :01:04.best sites and apps of the week in Webscape.
:01:04. > :01:09.Welcome to Click. I am Spencer Kelly. If you bank online, you may
:01:09. > :01:13.have noticed over the past few years the process of logging on to
:01:13. > :01:20.your bank's website is getting more complicated. Gone are the days when
:01:20. > :01:25.you are asked for your password and user name. Today you are asked for
:01:25. > :01:31.part of your password or shown a picture and asked to identify it.
:01:31. > :01:35.Some send you these and ask you to display the code on it. These
:01:35. > :01:40.measures are designed to keep you safe.
:01:40. > :01:45.For much of the past decade, cybercrime and malicious software
:01:45. > :01:52.have been less about ruining your computer and more about stealthily
:01:52. > :02:01.stealing your credit card numbers and passwords. It costs the US
:02:01. > :02:05.banks $1 billion every year. For example, keylogger records your key
:02:05. > :02:11.strokes and sends them back. Keyloggers are easy to foil. Banks
:02:11. > :02:15.ask for only part of your password, sometimes without even using the
:02:15. > :02:21.keyboard. Here is another old threat - these are phishing e-mails,
:02:21. > :02:25.claiming to be from real banks, which direct you to fake, but
:02:25. > :02:30.convincing copies of their websites. Enter your details here and they
:02:30. > :02:34.will go straight to the cybercriminal's inbox. To foil the
:02:34. > :02:40.fake phishing websites some banks have decided to prove to you they
:02:40. > :02:43.are the genuine site by showing you a picture and a phrase you have
:02:43. > :02:52.previously chosen, something a fake website will not know. Then there
:02:52. > :02:56.are these. Every time you log on or try and make an online transaction
:02:56. > :03:01.you may be asked to put in your PIN and read off the eight digits on
:03:01. > :03:05.this screen. Now, to explain why we use this, I will have to
:03:05. > :03:11.introduce you to a much more sophisticated online threat.
:03:11. > :03:15.It is a threat which has been responsible for a number of high-
:03:15. > :03:21.profile security breaches. It's also a particularly ingenious way
:03:21. > :03:26.of stealing money from online banking customers. Something which has led
:03:26. > :03:31.it to be called financial malware. A computer infected will wait until
:03:31. > :03:37.you visit a banking website and then alter what you see in your
:03:37. > :03:42.browser. Take these two computers. Both have surfed to the same
:03:42. > :03:46.banking website, but spot the difference. The non-infected
:03:46. > :03:51.machine asks for your customer number. The infected one asks for
:03:51. > :03:55.your complete password and your debit card's PIN code. There's
:03:55. > :03:58.nothing insecure about this particular bank, as these pictures
:03:58. > :04:01.show financial malware can interfere with the appearance and
:04:01. > :04:06.operation of any website, to ask for extra information, to change
:04:06. > :04:12.the display or even to change the details that you enter after you
:04:12. > :04:19.click OK. There are many types of financial
:04:19. > :04:22.malware going by names such as SpyEye and Carberp. One of the most
:04:22. > :04:26.established and well known is called Zeus. You don't see Zeus.
:04:26. > :04:29.You think you're talking to the bank, but you are talking to Zeus.
:04:29. > :04:33.Zeus is talking to your bank instead. What you think you're
:04:33. > :04:38.doing, in fact you log on, you go and you think you're doing a
:04:38. > :04:43.transaction, in fact it's fooling you. You think you are going to
:04:43. > :04:45.transfer, you look at your balance, in fact Zeus is using your
:04:46. > :04:52.credentials and going back and doing a transaction, but not the
:04:52. > :04:55.transaction you wanted. It's doing its, like unloading your bank
:04:55. > :05:01.account. Financial malware is getting smarter. The first
:05:01. > :05:06.generation would alter the log-in screen to ask for more details,
:05:06. > :05:10.newer versions can mess with your browsing session in more creative
:05:11. > :05:14.ways. One would wait for you to make an on-line payment. After you
:05:14. > :05:19.click confirm, it would change the amount and the account number,
:05:19. > :05:24.instead making a payment to a cybercriminal's account. To avoid
:05:24. > :05:28.detection, the malware would even change the amount displayed on an
:05:28. > :05:33.online statement back to the original figure the user thought
:05:33. > :05:40.they had paid in the first place. The Zeus code has become available
:05:40. > :05:47.online, allowing experts to analyse the design and the code which will
:05:47. > :05:50.-- and the price, just $800. How do threats like this do against the
:05:50. > :05:55.security products you have hopefully already installed on your
:05:55. > :06:00.computer? One of the reasons it is so good at what it does is because
:06:00. > :06:08.it's been designed to avoid detection by your security software.
:06:08. > :06:11.Observe. Security products on your computer
:06:11. > :06:16.spot unwanted intruders in the same way a security guard would in a
:06:17. > :06:23.shop. First, he will look out for known faces.
:06:23. > :06:30.Then, he will watch for unusual or suspicious behaviour.
:06:30. > :06:35.If all else fails he will catch stuff being stolen as it leaves.
:06:35. > :06:38.Modern financial malware like Zeus has been developed to foil these
:06:38. > :06:43.methods. Zeus can disguise its appearance. In fact it changes the
:06:43. > :06:47.way it looks tens of thousands of times a day. Nice hair, Zeus! He's
:06:47. > :06:54.not your average shopper. I'll grant you, but he's not on the
:06:54. > :07:03.wanted list. Zeus is also very discreet, in
:07:03. > :07:07.order not to draw attention to itself. Most importantly when it
:07:07. > :07:17.smuggles data out of your computer, it does so using someone else - the
:07:17. > :07:20.browser. It's called a man-in-the-browser
:07:21. > :07:24.attack, because essentially that's what it is doing. It is attacking
:07:24. > :07:28.your browser. It is getting between you and the website. It is altering
:07:28. > :07:32.what you see and changing the details of what you enter. Each
:07:32. > :07:38.time a new update of Zeus is released, it can take the security
:07:38. > :07:43.companies days, sometimes weeks to learn how to spot it, to learn its
:07:43. > :07:48.common features, regardless of its disguise. It's in this all-
:07:48. > :07:51.important window, before he's been identified, that your security
:07:52. > :07:56.guard has to rely on its other defences to spot and block the
:07:56. > :08:00.threat. This man thinks they are not doing
:08:00. > :08:05.a good enough job. Chris Pickard tests security products against
:08:05. > :08:08.malware. Today, he's running a test to see which of the most popular
:08:08. > :08:12.security products can spot a man- in-the-browser attack, purely by
:08:12. > :08:16.looking at its behaviour. To do this, he has commissioned a new
:08:16. > :08:20.man-in-the-browser threat to be written, which we have called Test
:08:20. > :08:26.Tool, and which none of the security companies will have on
:08:26. > :08:30.their wanted list. To ensure it is a fair test we have
:08:30. > :08:36.drafted in independent witnesses, Daniel Brett and David Avila from
:08:36. > :08:39.S21sec. We are testing if each security product will warn us that
:08:39. > :08:44.Test Tool is a suspicious programme when we drop it on the machine and
:08:44. > :08:48.run it, and also whether it will prevent it from stealing our log-on
:08:48. > :08:53.details when we enter them into this website. This product has
:08:53. > :08:57.passed. We are looking for any message alerting us that something
:08:57. > :09:03.untoward is happening. This product, however, has failed. It
:09:03. > :09:11.does not alert us when the threat runs on the machine. We enter our
:09:11. > :09:16.details - still no warning and even worse our user name and password is
:09:16. > :09:20.sent to this laptop. The bad news is when running with standard
:09:20. > :09:25.settings, the majority of the products we tested failed. Only the
:09:25. > :09:30.minority gave us a warning, or stopped our details from being
:09:30. > :09:34.stolen. But, says our independent expert, these products still form
:09:34. > :09:40.an independent part of your computer's defences. The man-in-
:09:40. > :09:45.the-browser attack is a very focused, a very specific advanced
:09:45. > :09:49.threat we are seeing. Specifically focused against banking. Now, many
:09:49. > :09:54.products might not pick this up because they are a bigger scope.
:09:54. > :09:58.They have to defend against all of the viruses we have seen from the
:09:58. > :10:03.beginning of time. So, that means that they are not performing in
:10:03. > :10:08.this area. It doesn't mean they are useless products. Some stuff we
:10:08. > :10:14.have seen that does work against this is narrowly focused. It will
:10:14. > :10:20.only protect against that malware. Definitely double them up. Follow
:10:20. > :10:27.the advice of your bank. Get an up- to-date anti-virus, any tools which
:10:27. > :10:31.are effective and be vigilant. Makers of many of the security
:10:31. > :10:35.devices said it was not valid. They said part of their service stops
:10:35. > :10:42.you getting infected in the first place by continually blacking out
:10:42. > :10:47.websites and e-mails and other sources of malware, ensuring your
:10:47. > :10:53.computer has no vulnerabilities and spots if your machine starts to
:10:53. > :10:59.communicate with those with malicious servers. Many security
:10:59. > :11:05.products will protect against this
:11:05. > :11:11.if they are set up to maximum. The problem here is they will block
:11:11. > :11:15.many legitimate products too. If this had come from a source not
:11:15. > :11:19.known to have been bad and started to communicate with an address not
:11:19. > :11:23.on the blacklist, until they discovered and analysed it, it
:11:23. > :11:26.probably would have beaten their protection. It's not just the
:11:26. > :11:32.security products which are fighting the cybercriminals. Next,
:11:32. > :11:35.we will look at how the banks have joined the battle against Zeus and
:11:35. > :11:41.its contemporaries. We will have advice on how to spot if you have
:11:41. > :11:46.become a victim. Next up, a look at this week's big tech news stories.
:11:46. > :11:49.Many of us may feel we've got a share in Facebook's success. Soon
:11:49. > :11:54.we'll be able to actually own shares in the company. It is going
:11:54. > :11:59.to float on the Stock Market, with company shares expected to be
:11:59. > :12:02.available for trading in May. The company has had to reveal
:12:02. > :12:07.previously unknown information about the finances which shows Mark
:12:07. > :12:12.Zuckerberg owns just over a quarter of the company. The network of 845
:12:12. > :12:17.million users each month made $1 billion in profit last year.
:12:17. > :12:27.Microsoft is connecting TCs. Its movement detection system,
:12:27. > :12:27.
:12:27. > :12:32.originally for the 360 games console, has been released, with
:12:32. > :12:36.home running Windows. Microsoft says it has enhanced voice
:12:36. > :12:40.recognition and skeletal tracking, which may explain why the PC price
:12:41. > :12:45.tag is almost double that of the Xbox model. A British couple have
:12:45. > :12:52.been denied entry to the US after one tweeted he would go and destroy
:12:52. > :12:58.America, before he travelled. This and another message about digging
:12:58. > :13:08.up Marilyn Monroe's grave were considered enough reason
:13:08. > :13:09.
:13:09. > :13:17.to enable homeland security to stop Lee Van
:13:17. > :13:26.Bryan and his girl at Los Angeles airport. This did manage to fool
:13:26. > :13:36.some on-looking. The devices, designed to look like flying people,
:13:36. > :13:40.
:13:40. > :13:43.Financial malware are right under your nose, it's not surprising then
:13:43. > :13:49.that the banks have taken steps to defend themselves against man-in-
:13:49. > :13:53.the-browser attacks. And that brings us back to these things. They may
:13:53. > :13:57.be inconvenient but they have proved incredibly effective at
:13:57. > :14:02.stopping financial malware from altering the details that you
:14:02. > :14:05.enter. Whether it's at the log-on stage or when you make an online
:14:05. > :14:11.payment, these devices generate numeric codes based on the
:14:11. > :14:14.account number, amount and your card's pin code. If Zeus changes
:14:14. > :14:17.any of these behind-the-scenes, your bank will expect a different
:14:17. > :14:22.code from the one your device has generated and the transaction will
:14:22. > :14:26.fail. In the US, new guidance has
:14:26. > :14:30.recently been issued that insists on tougher online banking security.
:14:30. > :14:34.One suggestion is to use your mobile phone to authenticate a
:14:34. > :14:37.transaction. For example, try to set up a new payee using this
:14:37. > :14:40.online banking system and you'll receive an automated phone call
:14:40. > :14:44.which verbally confirms the bank account number, which should warn
:14:44. > :14:48.you if it's actually someone else who's logged into your account. And
:14:48. > :14:52.to confirm that the details haven't been changed en route, you'll be
:14:52. > :14:57.asked to enter a code into your phone which confirms the specific
:14:57. > :15:01.details of your transaction. And while these defences are in place
:15:01. > :15:05.at the front end, the banks have more tricks up their sleeves
:15:05. > :15:09.behind-the-scenes. If you ever log into your bank and you notice that
:15:09. > :15:14.their main web page has changed and you notice that it seems to be
:15:14. > :15:18.changing on a regular basis, that's to foil Zeus. Because Zeus is tied
:15:18. > :15:23.to the way the page is formatted. It's tied to exactly the way the
:15:23. > :15:26.page looks. So the way the banks get around it is they reorganise
:15:26. > :15:31.the web page you're talking to at the bank. That slows down Zeus
:15:31. > :15:35.until its next update. The UK Payments Council, which oversees
:15:35. > :15:40.the strategy for payments for the British banks, says that
:15:40. > :15:43.understanding customers' normal behaviour is also vital. Banks also
:15:43. > :15:49.employ back end security, that's what's happening behind-the-scenes
:15:49. > :15:53.to protect you from being a victim of online banking fraud. So they've
:15:53. > :15:58.got fraud detection software, it's intelligent software used to seeing
:15:58. > :16:02.how you operate your online bank account. Any deviations from the
:16:02. > :16:07.norm, that software will pick it up. That may be the type of transaction
:16:07. > :16:11.you've made, the amount, one of the things that the criminals will do,
:16:11. > :16:16.and this potentially acts as a, will put a flag on your account. If
:16:16. > :16:20.criminals have got your details they will typically put a pound
:16:20. > :16:23.transaction through, maybe to a utility company even a charity
:16:23. > :16:28.payment. They're testing that the details they have are correct and
:16:28. > :16:32.that the account is still active. Those are the types of things that
:16:32. > :16:37.actually the fraud detection software are looking out for.
:16:37. > :16:41.methods are however only the latest step in the inevitable cat-and-
:16:41. > :16:44.mouse game with the cybercriminals. There are now reports of financial
:16:44. > :16:51.malware which calculates how much it can take from your account
:16:51. > :16:55.without appearing suspicious. Newer versions of Zeus
:16:55. > :17:00.are there to foil multi-factor authentication techniques to fool
:17:00. > :17:05.you into giving your mobile phone number. Do this and you will be
:17:05. > :17:10.sent a link which will infect your phone. This one tries to fool you
:17:10. > :17:13.into using your chip and PIN device to generate a correct code for its
:17:13. > :17:17.transaction. Once logged into your bank, it offers to train you in
:17:17. > :17:21.your bank's new upgraded security system. As part of that you're
:17:21. > :17:26.invited to make a transaction to a fictitious bank account, though
:17:26. > :17:30.you're told this is just a training exercise, the transaction is real.
:17:30. > :17:35.We asked the banks what they think we should watch out for and here's
:17:35. > :17:39.what they said: If your transaction seems to be taking longer than
:17:39. > :17:44.normal, there's a chance it's going via a fraudster's system. If you're
:17:44. > :17:47.asked for more information than normal, especially entire passwords,
:17:47. > :17:50.where previously you were only asked for parts, your machine may
:17:50. > :17:55.have been infected. If you suspect that something's amiss, contact
:17:55. > :17:58.your bank by phone, not by e-mail. Tell them the time and date that
:17:58. > :18:01.you believed you were accessing your bank account and if the bank's
:18:01. > :18:07.records don't match, it's likely that your computer has been
:18:07. > :18:11.compromised. Now, if all that sounds alarming, then first of all,
:18:11. > :18:16.don't panic. In the UK at least banks usually refund victims of
:18:16. > :18:20.online fraud as a matter of course. Do use a security product. You'll
:18:20. > :18:24.stand a greater chance of not getting infected in the first place.
:18:24. > :18:31.You'll find all of these details and more on how to stay safe online
:18:31. > :18:37.at our website. OK. Next up it's Kate Russell with
:18:37. > :18:40.Webscape. The internet doesn't recognise boundaries. If you meet
:18:41. > :18:45.someone on a social network they're as likely to come from the other
:18:45. > :18:49.side of the planet as the house next door. When it comes to Twitter,
:18:49. > :18:53.you can see where your followers come from at TweepsMap.com. Just
:18:53. > :18:58.link your account and then share the results. It's a great
:18:58. > :19:03.conversation starter. But not so good if you have a huge volume of
:19:03. > :19:06.followers, like our account at BBC click, Twitter only lets software
:19:06. > :19:11.like this do a certain amount of queries every hour. It couldn't
:19:11. > :19:20.handle our traffic. Luckily the nice people at TweepsMap.com were
:19:20. > :19:24.able to bypass their system and create our own special map. View
:19:24. > :19:29.the results as a map or a list, with an accompanying pie chart for
:19:29. > :19:33.that extra geek factor. You can even check out a follower's
:19:33. > :19:36.TweepsMap.com and share the results, a great way to make them aware of
:19:36. > :19:46.the service. But it might get you blocked for being a little bit
:19:46. > :19:49.
:19:49. > :19:52.Discovery engines are all about helping you find new things you'll
:19:52. > :19:57.love based on what everyone else on the web thinks. There are lots to
:19:57. > :20:03.help you explore new areas of music, but not many that do it in such a
:20:03. > :20:06.stylish way as discover music. It's for iPhones and iPad and is an
:20:06. > :20:11.infinitely more rewarding experience on the larger screen of
:20:11. > :20:15.the tablet. As you explore you can tap through for samples,
:20:15. > :20:20.biographies, videos and other interesting bits. The apps aren't free, but
:20:20. > :20:24.they're not that expensive either. They do work brilliantly and look
:20:24. > :20:33.gorgeous while they're at it. And if you happen to be a Macintosh
:20:33. > :20:37.owner, there's a desktop download for you too.
:20:37. > :20:42.If you're not crazy about music, you might be interested in the
:20:42. > :20:46.developer's other offering instead, discover apps. Same principle, but
:20:46. > :20:56.building a map of content you might like from the world of smartphone
:20:56. > :20:58.
:20:58. > :21:01.apps, now that really makes me appy. Ever had a burning question, an
:21:01. > :21:05.intellectual itch that needed scratching but you don't have hours
:21:05. > :21:12.and hours to ask your friends and trawl through the internet looking
:21:12. > :21:16.for answers? Quora.com hopes to be the best destination to hear a
:21:16. > :21:25.range of theories and opinions crowdsourced and rated by the
:21:25. > :21:30.webizens of the world. All the pages can be edited by
:21:30. > :21:35.anybody, so the content should grow and change organically over time.
:21:35. > :21:38.Like Wikipedia, then, only geared towards answering questions with
:21:38. > :21:43.commentary and debate rather than just delivering pages and pages of
:21:43. > :21:47.straightforward data. It's early days yet, so the community isn't
:21:47. > :21:50.huge, but there's already some interesting content building. I
:21:50. > :21:56.like the addition of their first mobile app for iPhone. Let's hope
:21:56. > :21:59.it won't be too long before the other handsets are covered. A nice,
:21:59. > :22:02.simple idea executed well enough that they deserve to succeed.
:22:02. > :22:10.Whether the internet needs another collaborative archive of
:22:10. > :22:14.information is another matter entirely.
:22:14. > :22:19.Riding on the top deck of a London bus is a great way to see the city.
:22:19. > :22:23.Now you can enjoy a bit of art on 30 red and black LED screens around
:22:23. > :22:33.London on the roofs of bus shelters. Anyone in the world can design a
:22:33. > :22:37.screen using the browser-based tool at bus-tops.com. My efforts won't
:22:37. > :22:47.win awards, but maybe tourists riding round the city later this
:22:47. > :22:48.
:22:48. > :22:51.year, will enjoy your creation. With radical changes in Google's
:22:51. > :22:56.privacy coming on March 1, you might be interested to see what
:22:56. > :22:59.Google thinks about you, head to Google.com/ads/preferences to see
:23:00. > :23:03.what assumptions the company has made about you based on your
:23:03. > :23:09.activity through their services such as search terms queried and
:23:09. > :23:13.websites visited. They use this information to target users with
:23:13. > :23:20.personalised advertising, but pigeon holing can be a hit-and-miss
:23:20. > :23:26.science, as apparently I'm a male aged 18 to 24.
:23:26. > :23:34.# If you don't know me by now... # Luckily you have the option to
:23:34. > :23:38.change, delete or even opt out of the service altogether. And
:23:38. > :23:41.finally, this week, the web has been alive with the story about
:23:41. > :23:45.Twitter announcing it might block specific content on a country by
:23:45. > :23:50.country basis if required. A lot of people online have voiced their
:23:50. > :23:54.objections and as a result the web is awash with reports of a very
:23:54. > :23:57.easy workaround, by simply editing your account settings to say you're
:23:57. > :24:01.in another country, as the block isn't based on the physical
:24:01. > :24:07.location from your IP address. Do be aware though, that doing this
:24:07. > :24:12.might actually be considered illegal where you live.
:24:12. > :24:16.And if you missed any of those links, they're on our website.
:24:16. > :24:22.Along with everything else from this week's programme too. Feel