04/02/2012 Click

There is a link there to click on. I will be back at the top of the

hour with a full bulletin. Now it is time for Click. I have logged on

to my bank website. I have entered my password. I have protected my

computer. That means I am safe to This week, Click meets the man-in-

the-browser who breaks into your bank by getting you to let him in.

So, who can you count on to protect you? We will look at how and when

your security product may let you down and whether the banks

themselves can keep your cash safe. Plus, the latest tech news and the

best sites and apps of the week in Webscape.

Welcome to Click. I am Spencer Kelly. If you bank online, you may

have noticed over the past few years the process of logging on to

your bank's website is getting more complicated. Gone are the days when

you are asked for your password and user name. Today you are asked for

part of your password or shown a picture and asked to identify it.

Some send you these and ask you to display the code on it. These

measures are designed to keep you safe.

For much of the past decade, cybercrime and malicious software

have been less about ruining your competer and more about stealthily

stealing your credit card numbers and passwords. It costs the US

banks $1 billion every year. For example, keylogger records your key

strokes and sends them back. Keyloggers are easy to foil. Banks

ask for only part of your password, sometimes without even using the

keyboard. Hear is another old threat - these are phising e-mails,

claiming to be from real banks, which which direct you to fake, but

convincing copies of their websites. Enure your details here and they

will go straight to the cybercriminal's inbox. To foil the

fake phising websites some banks have decided to prove to you they

are the genuine site by showing you a picture and a phrase you have

previously chosen, something a fake website will not know. Then there

are these. Every time you log on or try and make an online transaction

you may be asked to put in your PIN and read off the eight dig gets on

this screen. Now, to explain high we use this, I will have to

introduce you to a much more sophisticated online threat.

It is a threat which has been responsible for a number of high-

profile security breaches. It's also a particularly ingenious way

of stealing money onenline banking customers. Something which has led

it to be called financial malware. A computer infected will wait until

you visit a banking website and then alter what you see in your

browser. Take these two computers. Both have surfed to the same

banking website, but spot the difference. The non-infected

machine asks for your customer number. Tin fected one asks for

your complete password and your debit card's PIN code. There's

nothing insecure about this particular bank, as these pictures

show financial malware can interfere with the appearance and

operation of any website, to ask for extra information, to change

the display or even to change the details that you enter after you

click OK. There are many types of financial

malware going by names such as SpyEye and Carberp. One of the most

established and well known is called Zeus. You don't see Zeus.

You think you're talking to the bank, but you are talking to Zeus.

Zeus is talking to your bank instead. What you think you're

doing, in fact you log on, you go and you think you're doing a

transaction, in fact it's fooling you. You think you are going to

transfer, you look at your balance, in fact Zeus is using your

credentials and going back and doing a transaction, but not the

transaction you wanted. It's doing its, like unloading your bank

account. Financial malware is getting smarter. The first

generation would alter the log-in screen to ask for more details,

newer versions can mess with your browsing session in more creative

ways. One would wait for you to make an on-line payment. After you

click confirm, it would change the amount and the account number,

instead making a payment to a cybercriminal's account. To avoid

detection, the malware would even change the amount displayed on an

online statement back to the original figure the user thought

they had paid in the first place. The Zeus code has become available

online, allowing experts to analyse the design and the code which will

-- and the price, just $800. How do threats like this do against the

security products you have hopefully already installed on your

computer? One of the reasons it is so good at what it does is because

it's been designed to avoid detection by your security software.

Observe. Security products on your computer

spot unwanted intruders in the same way a security guard would in a

shop. First, he will look out for known faces.

Then, he will watch for unusual or suspicious behaviour.

If all else fails he will catch stuff being stolen as it leaves.

Modern financial malware like Zeus has been developed to foil these

methods. Zeus can disguise its appearance. In fact it changes the

way it looks tens of thousands of times a day. Nice hair, Zeus! He's

not your average shopper. I'll grant you, but he's not on the

wanted list. Zeus is also very discrete, in

order not to draw attention to itself. Most importantly when it

smuggles data out of your computer, it does so using someone else - the

browser. It's called a man-in-the-browser

attack, because essentially that's what it is doing. It is attacking

your browser. It is getting between you and the website. It is altering

what you see and changing the details of what you enter. Each

time a new update of Zeus is released, it can take the security

companies days, sometimes weeks to learn how to spot it, to learn its

common features, regardless of its disguise. It's in this all-

important window, before he's been identified, that your security

guard has to rely on its other defences to spot and block the

threat. This man thinks they are not doing

a good enough job. Chris Pickard tests security products against

malware. Today, he's running a test to see which of the most popular

security products can spot a man- in-the-browser attack, purely by

looking at its behaviour. To do this, he has commissioned a new

man-in-the-browser threat to be written, which we have called Test

Tool, in which known of the security companies will have on

their wanted list. To ensure it is a fair test we have drofted in --

drafted in independent witnesss, Daniel Brett and David Avila from

S21sec. We are testing if each security product will warn us that

Test Tool is a suspicious programme when we drop it on the machine and

run it, and also whether it will prevent it from stealing our log-on

details when we enter them into this website. This product has

passed. We are looking for any message alerting us that something

untowards is happening. This product, however, has failed. It

does not alert us when the threat runs on the machine. We enter our

details - still no warning and even worse our user word and password is

sent to this laptop. The bad news is when running with standard

settings, the majority of the products we tested failed. Only the

minority gave us a warning, or stopped our details from being

stolen. But, says our independent expert, these products still form

an independent part of your computer's defences. The man-in-

the-browser attack is a very focused, a very specific advanced

threat we are seeing. Specifically focused against banking. Now, many

products might not pick this up because they are a bigger scope.

They have to defend against all of the viruses we have seen from the

beginning of time. So, that means that they are not performing in

this area. It doesn't mean they are useless products. Some stuff we

have seen that does work against this is narrowly focused. It will

only product against that malware. Definitely double them up. Follow

the advice of your bank. Get an up- to-date anti-virus, any tools which

are effective and be vigilant. Makers of many of the security

devises said it was not valid. They said part of their service stops

you getting infected in the first place by continuingly blacking out

websites and e-mails and other sources of malware, ensuring your

computer has no vulnerabilitys and spots if your machine starts to

communicate with those with malicious zerers. Many security

pro--- servers. Many security products will protect against this

if they are set up to maximum. The problem here is they will block

many legitimate products too. If this had come from a source not

known to have been bad and started to communicate with an address not

on the blacklist, until they discovered and analysed it, it

probably would have beaten their protection. It's not just the

security products which are fighting the cybercriminals. Next,

we will look at how the banks have joined the battle against Zeus and

its contemporaries. We will have advise on how to spot if you have

become a victim. Next up, a look at this week's big tech news stories.

Many of us may feel we've got a share in Facebook's success. Soon

we'll be able to actually own shares in the company. It is going

to float on the Stock Market, with company shares expected to be

available for trading in May. The company has had to reveal

previously unknown information about the finances which shows Mark

Zuckerberg owns just over a quarter of the company. The network of 845

million users each month made $1 billion in profit last year.

Microsoft is connecting TCs. Its movement detection system,

originally for the 360 games console, has been released, with

home running Windows. Microsoft says it has enhanced voice

recognition and skeletal tracking, which may explain high the PC price

tag is almost double that of the Xbox model. A British couple have

been denied entry to the US after one tweeted he would go and destroy

America, before he travelled. This and another message about digging

up Marilyn Monroe's grave were considered enough reason to stop

homeland security -- to enable homeland security to stop Lee Van

Bryan and his girl at Los Angeles airport. This did manage to fool

some on-looking. The devices, designed to look like flying people,

Financial malware are right under your nose, it's not surprising then

that the banks have taken steps to defend themselves against man in

the browsary tacks. And that brings us back to these things. They may

be inconvenient but they have proved incredibly effective at

stopping financial malware fromalityering the details that you

enter. Whether it's at the log-on stage or when you make an online

payment, these devices generate knew mairk codes based on the

account number, amount and your card's pin code. If Zeus changes

any of these behind-the-scenes, your bank will expect a different

code from the one your device has generated and the transaction will

fail. In the US, new guidance has

recently been issued that insists on tougher online banking security.

One suggestion is to use your mobile phone to authenticate a

transaction. For example, try to set up a new payee using this

online banking system and you'll receive an automated phone call

which verbly confirms the bank account number, which should warn

you if it's actually someone else who's logged into your account. And

to confirm that the details haven't been changed en route, you'll be

asked to enter a code into your phone which confirms the specific

details of your transaction. And while these defences are in place

at the front end, the banks have more tricks up their sleeves

behind-the-scenes. If you ever log into your bank and you notice that

their main web page has changed and you notice that it seems to be

changing on a regular basis, that's to foil Zeus. Because Zeus is tied

to the way the page is formated. It's tied to exactly the way the

page looks. So the way the banks get around it is they reorganise

the web page you're talking to at the bank. That slows down Zeus

until its next update. The UK Payments Council, which oversees

the strategy for payments for the British banks, says that

understanding customers' normal behaviour is also vital. Banks also

employ back end security, that's what's happening behind-the-scenes

to protect you from being a victim of online banking fraud. So they've

got fraud detection software, it's intelligent software used to seeing

how you operate your online bank account. Any deviations from the

norm, that software will pick it up. That may be the type of transaction

you've made, the amount, one of the things that the criminals will do,

and this potentially acts as a, will put a flag on your account. If

criminals have got your details they will typically put a pound

transaction through, maybe to a utility company even a charity

payment. They're testing that the details they have are correct and

that the account is still active. Those are the types of things that

actually the fraud detection software are looking out for.

methods are however only the latest step in the inevitable cat-and-

mouse game with the cybercriminals. There are now reports of financial

malware which calculates how much it can take from your account

without appearing suspicious. New aversions -- newer versions of Zeus

are there to foil multiaction authentication techniques to fool

you into giving your mobile phone number. Do this and you will be

sent a link which will infect your phone. This one tries to fool you

into using your chip and PIN device to generate a correct code for its

transaction. Once logged into your bank, it offers to train you in

your bank's new upgrated security system. As part of that you're

invited to make a transaction to a fictitious bank account, though

you're told this is just a training exercise, the transaction is real.

We asked the bank what's they think we should watch out for and here's

what they said: If your transaction seems to be taking longer than

normal, there's a chance it's going via a fraudster's system. If you're

asked for more information than normal, especially entire passwords,

where previously you were only asked for parts, your machine may

have been infected. If you suspect that something's amiss, contact

your bank by phone, not by e-mail. Tell them the time and date that

you believed you were accessing your bank account and if the bank's

records don't match, it's likely that your computer has been

compromised. Now, if all that sounds alarming, then first of all,

don't panic. In the UK at least banks usually refund Vic tums of

online fraud as a matter of course. Do use a security product. You'll

stand a greater chance of not getting infected in the first place.

You'll find all of these details and more on how to stay safe online

at our website. OK. Next up it's Kate Russell with

Webbescape. The internet doesn't recognise boundaries. If you meet

someone on a social network they're as likely to come from the other

side of the planet as the house next door. When it comes to Twitter,

you can see where your followers come from at TweepsMap.com. Just

link your account and then share the results. It's a great

conversation starter. 0 but not so good if you have a huge volume of

followers, like our account at BBC click, Twitter only lets software

like this do a certain amount of queries every hour. It couldn't

handle our traffic. Luckily the nice people at TweepsMap.com were

able to bypass their system and create our own special map. View

the results as a map or a list, with an accompanying pie chart for

that extra geek factor. You can even check out a followers

TweepsMap.com and share the results, a great way to make them aware of

the service. But it might get you blocked for being a little bit

Discovery engines are all about helping you find new things you'll

love based on what everyone else on the web thinks. There are lots to

help you explore new areas of music, but not many that do it in such a

stylish way as discover music. It's for iPhones and iPad and is an

infinitely more rewarding experience on the larger screen of

the tablet. As you explore you can tap through for samples, buy yoing

Fiz, videos and other interesting bits. The apps aren't free, but

they're not that expensive either. They do work brilliantly and look

gorgeous while they're at it. And if you happen to be a Macintosh

owner, there's a desk top download for you too.

If you're not crazy about music, you might be interested in the

developer's other offering instead, discover apps. Same principle, but

building a map of content you might like from the world of smartphone

apps, now that really make me appy. Ever had a burning question, an

intellectual itch that needed scratching but you don't have hours

and hours to ask your friends and trawl through the internet looking

for answers? Qoura.com hopes to be the best destination to hear a

range of theories and opinions crowd sourced and rating by the

webizens of the world. All the pages can be edited by

anybody, so the content should grow and change organically over time.

Like Wikipedia, then, only geared towards answering questions with

commentary and debate rather than just delivering pages and pages of

straightforward data. It's early days yet, so the community isn't

huge, but there's already some interesting content building. I

like the addition of their first mobile app for iPhone. Let's hope

it wonts be too long before the other hand sets are covered. A nice,

simple idea executed well enough that they deserve to succeed.

Whether the internet needs another collaborative archive of

information is another matter entirely.

Riding on the top deck of a London bus is a great way to see the city.

Now you can enjoy a bit of art on 30 red and black LED screens around

London on the roofs of bus shelters. Anyone in the world can design a

screen using the browser-based tool at bus-tops.com. My efforts won't

win awards, but maybe tourists riding round the city later this

year, will enjoy your creation. With radical changes in Google's

privacy coming on March 1, you might be interested to see what

Google thinks about you, head to Google.com/ads/preferences to see

what assumptions the company has made about you based on your

activity through their services such as search terms queer rid and

websites visited. They use this information to target users with

personalised advertising, but pigeon holing can be a hit-and-miss

science, as apparently I'm a male aged 18 to 24.

# If you don't know me by now... # Luckily you have the option to

change, delete or even opt out of the service all together. And

finally, this week, the web has been alive with the story about

Twitter announcing it might block specific content on a country by

country basis if required. A lot of people online have voiced their

objections and as a result the web is awash with reports of a very

easy work around, by simply editing your account settings to say you're

in another country, as the block isn't based on the physical

location from your IP address. Do be aware though, that doing this

might actually be considered illegal where you live.

And if you missed any of those links, they're on our website.

Along with everything else from this week's programme too. Feel