04/02/2012 Click


Gadgets, websites, games and computer industry news. How safe are transactions carried out over the internet? A special investigation looks at the latest threats to online banking.




There is a link there to click on. I will be back at the top of the hour with a full bulletin. Now it is time for Click.

I have logged on to my bank website. I have entered my password. I have protected my computer. That means I am safe to

This week, Click meets the man-in-the-browser who breaks into your bank by getting you to let him in. So, who can you count on to protect you? We will look at how and when your security product may let you down and whether the banks themselves can keep your cash safe. Plus, the latest tech news and the best sites and apps of the week in Webscape.


Welcome to Click. I am Spencer Kelly. If you bank online, you may have noticed over the past few years the process of logging on to your bank's website is getting more complicated. Gone are the days when you are asked for your password and user name. Today you are asked for part of your password or shown a picture and asked to identify it. Some send you these and ask you to display the code on it. These measures are designed to keep you safe.


For much of the past decade, cybercrime and malicious software have been less about ruining your computer and more about stealthily stealing your credit card numbers and passwords. It costs the US banks $1 billion every year. For example, a keylogger records your keystrokes and sends them back. Keyloggers are easy to foil. Banks ask for only part of your password, sometimes without even using the keyboard. Here is another old threat - these are phishing e-mails, claiming to be from real banks, which direct you to fake, but convincing, copies of their websites. Enter your details here and they will go straight to the cybercriminal's inbox. To foil the fake phishing websites some banks have decided to prove to you they are the genuine site by showing you a picture and a phrase you have previously chosen, something a fake website will not know. Then there are these. Every time you log on or try and make an online transaction you may be asked to put in your PIN and read off the eight digits on this screen. Now, to explain why we use this, I will have to introduce you to a much more sophisticated online threat.


It is a threat which has been responsible for a number of high-profile security breaches. It's also a particularly ingenious way of stealing money from online banking customers, something which has led it to be called financial malware. A computer infected will wait until you visit a banking website and then alter what you see in your browser. Take these two computers. Both have surfed to the same banking website, but spot the difference. The non-infected machine asks for your customer number. The infected one asks for your complete password and your debit card's PIN code. There's nothing insecure about this particular bank; as these pictures show, financial malware can interfere with the appearance and operation of any website, to ask for extra information, to change the display or even to change the details that you enter after you click OK.

There are many types of financial malware going by names such as SpyEye and Carberp. One of the most established and well known is called Zeus.

You don't see Zeus. You think you're talking to the bank, but you are talking to Zeus. Zeus is talking to your bank instead. What you think you're doing, in fact you log on, you go and you think you're doing a transaction, in fact it's fooling you. You think you are going to transfer, you look at your balance, in fact Zeus is using your credentials and going back and doing a transaction, but not the transaction you wanted. It's doing its, like unloading your bank account.

Financial malware is getting smarter. The first generation would alter the log-in screen to ask for more details; newer versions can mess with your browsing session in more creative ways. One would wait for you to make an online payment. After you click confirm, it would change the amount and the account number, instead making a payment to a cybercriminal's account. To avoid detection, the malware would even change the amount displayed on an online statement back to the original figure the user thought they had paid in the first place. The Zeus code has become available online, allowing experts to analyse the design and the code which will -- and the price, just $800.

How do threats like this do against the security products you have hopefully already installed on your computer? One of the reasons it is so good at what it does is because it's been designed to avoid detection by your security software. Observe.

Security products on your computer spot unwanted intruders in the same way a security guard would in a shop. First, he will look out for known faces. Then, he will watch for unusual or suspicious behaviour. If all else fails he will catch stuff being stolen as it leaves.


Modern financial malware like Zeus has been developed to foil these methods. Zeus can disguise its appearance. In fact it changes the way it looks tens of thousands of times a day. Nice hair, Zeus! He's not your average shopper, I'll grant you, but he's not on the wanted list. Zeus is also very discreet, in order not to draw attention to itself. Most importantly, when it smuggles data out of your computer, it does so using someone else - the browser. It's called a man-in-the-browser attack, because essentially that's what it is doing. It is attacking your browser. It is getting between you and the website. It is altering what you see and changing the details of what you enter. Each time a new update of Zeus is released, it can take the security companies days, sometimes weeks, to learn how to spot it, to learn its common features, regardless of its disguise. It's in this all-important window, before he's been identified, that your security guard has to rely on its other defences to spot and block the threat. This man thinks they are not doing


a good enough job. Chris Pickard tests security products against malware. Today, he's running a test to see which of the most popular security products can spot a man-in-the-browser attack, purely by looking at its behaviour. To do this, he has commissioned a new man-in-the-browser threat to be written, which we have called Test Tool, which none of the security companies will have on their wanted list. To ensure it is a fair test we have drafted in independent witnesses, Daniel Brett and David Avila from S21sec.

We are testing if each security product will warn us that Test Tool is a suspicious programme when we drop it on the machine and run it, and also whether it will prevent it from stealing our log-on details when we enter them into this website. This product has passed. We are looking for any message alerting us that something untoward is happening. This product, however, has failed. It does not alert us when the threat runs on the machine. We enter our details - still no warning and, even worse, our user name and password are sent to this laptop.

The bad news is when running with standard settings, the majority of the products we tested failed. Only the minority gave us a warning, or stopped our details from being stolen. But, says our independent expert, these products still form


an independent part of your computer's defences.

The man-in-the-browser attack is a very focused, a very specific advanced threat we are seeing, specifically focused against banking. Now, many products might not pick this up because they are a bigger scope. They have to defend against all of the viruses we have seen from the beginning of time. So, that means that they are not performing in this area. It doesn't mean they are useless products. Some stuff we have seen that does work against this is narrowly focused. It will only protect against that malware. Definitely double them up. Follow the advice of your bank. Get an up-to-date anti-virus, any tools which are effective, and be vigilant.

Makers of many of the security devices said it was not valid. They said part of their service stops you getting infected in the first place by continually blocking websites and e-mails and other sources of malware, ensuring your computer has no vulnerabilities and spots if your machine starts to communicate with malicious servers. Many security products will protect against this if they are set up to maximum. The problem here is they will block many legitimate products too. If this had come from a source not known to have been bad and started to communicate with an address not on the blacklist, until they discovered and analysed it, it probably would have beaten their protection.

It's not just the security products which are fighting the cybercriminals. Next, we will look at how the banks have joined the battle against Zeus and its contemporaries. We will have advice on how to spot if you have become a victim. Next up, a look at this week's big tech news stories.


Many of us may feel we've got a share in Facebook's success. Soon we'll be able to actually own shares in the company. It is going to float on the Stock Market, with company shares expected to be available for trading in May. The company has had to reveal previously unknown information about the finances which shows Mark Zuckerberg owns just over a quarter of the company. The network of 845 million users each month made $1 billion in profit last year.

Microsoft is connecting PCs. Its movement detection system, originally for the 360 games console, has been released, with home running Windows. Microsoft says it has enhanced voice recognition and skeletal tracking, which may explain why the PC price tag is almost double that of the Xbox model.

A British couple have been denied entry to the US after one tweeted he would go and destroy America, before he travelled. This and another message about digging up Marilyn Monroe's grave were considered enough reason to enable homeland security to stop Leigh Van Bryan and his girl at Los Angeles airport.

This did manage to fool some on-looking. The devices, designed to look like flying people,


Financial malware is right under your nose; it's not surprising, then, that the banks have taken steps to defend themselves against man-in-the-browser attacks. And that brings us back to these things. They may be inconvenient but they have proved incredibly effective at stopping financial malware from altering the details that you enter. Whether it's at the log-on stage or when you make an online payment, these devices generate new unique codes based on the account number, amount and your card's PIN code. If Zeus changes any of these behind the scenes, your bank will expect a different code from the one your device has generated and the transaction will fail.

In the US, new guidance has recently been issued that insists on tougher online banking security. One suggestion is to use your mobile phone to authenticate a transaction. For example, try to set up a new payee using this online banking system and you'll receive an automated phone call which verbally confirms the bank account number, which should warn you if it's actually someone else who's logged into your account. And to confirm that the details haven't been changed en route, you'll be asked to enter a code into your phone which confirms the specific details of your transaction. And while these defences are in place at the front end, the banks have more tricks up their sleeves behind the scenes.

If you ever log into your bank and you notice that their main web page has changed and you notice that it seems to be changing on a regular basis, that's to foil Zeus. Because Zeus is tied to the way the page is formatted. It's tied to exactly the way the page looks. So the way the banks get around it is they reorganise the web page you're talking to at the bank. That slows down Zeus until its next update.

The UK Payments Council, which oversees the strategy for payments for the British banks, says that understanding customers' normal behaviour is also vital.

Banks also employ back-end security, that's what's happening behind the scenes to protect you from being a victim of online banking fraud. So they've got fraud detection software, it's intelligent software used to seeing how you operate your online bank account. Any deviations from the norm, that software will pick it up. That may be the type of transaction you've made, the amount, one of the things that the criminals will do, and this potentially acts as a, will put a flag on your account. If criminals have got your details they will typically put a pound transaction through, maybe to a utility company, even a charity payment. They're testing that the details they have are correct and that the account is still active. Those are the types of things that actually the fraud detection software are looking out for.
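The back-end behaviour check the Payments Council describes, as an added illustration that is not part of the programme or of any bank's real system: two simple rules run over a constructed payment history, one for the pound "test" payment to a never-seen payee and one for an amount far outside the customer's usual pattern. `HISTORY`, `INCOMING` and the thresholds are constructed values.

```python
"""Toy fraud-detection rules: flag payments that deviate from a customer's
normal behaviour, including the small probe payment criminals use to check
that stolen details still work. Constructed data; not a real rule set."""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    day: int        # constructed: day index within the month
    payee: str      # constructed payee identifier
    amount: float   # GBP


# Constructed month of normal activity: rent, bills and regular shopping.
HISTORY = [
    Payment(1, "rent", 850.00), Payment(3, "groceries", 62.40),
    Payment(7, "groceries", 58.10), Payment(10, "energy-co", 95.00),
    Payment(14, "groceries", 71.25), Payment(21, "groceries", 66.80),
]

# Constructed new activity: a normal shop, a GBP 1 probe to an unseen payee,
# then a large transfer to another unseen account.
INCOMING = [
    Payment(25, "groceries", 64.30),
    Payment(26, "charity-xyz", 1.00),
    Payment(26, "acct-99887766", 2400.00),
]

PROBE_LIMIT = 2.00   # payments at or below this to an unknown payee look like tests


def flag_payments(history, incoming, z_limit=3.0):
    """Return (payment, reason) pairs for incoming payments that break the norm."""
    known_payees = {p.payee for p in history}
    amounts = [p.amount for p in history]
    mu = mean(amounts)
    sigma = pstdev(amounts) or 1.0   # avoid division by zero on a flat history
    flags = []
    probe_seen = False
    for p in incoming:
        new_payee = p.payee not in known_payees
        if new_payee and p.amount <= PROBE_LIMIT:
            flags.append((p, "low-value test payment to a new payee"))
            probe_seen = True
        elif (p.amount - mu) / sigma > z_limit:
            reason = "amount far above the customer's usual pattern"
            if probe_seen:
                reason += " shortly after a test payment"
            flags.append((p, reason))
        known_payees.add(p.payee)   # a payee only counts as new the first time
    return flags
```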


methods are however only the latest step in the inevitable cat-and-mouse game with the cybercriminals. There are now reports of financial malware which calculates how much it can take from your account without appearing suspicious. Newer versions of Zeus are there to foil multi-factor authentication techniques, to fool you into giving your mobile phone number. Do this and you will be sent a link which will infect your phone. This one tries to fool you into using your chip and PIN device to generate a correct code for its transaction. Once logged into your bank, it offers to train you in your bank's new upgraded security system. As part of that you're invited to make a transaction to a fictitious bank account; though you're told this is just a training exercise, the transaction is real.
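The code-generating card reader described earlier, and why the "training exercise" trick just described still gets a valid code, as an added illustration that is not part of the programme: a simplified model in which the code is an HMAC over the PIN, payee account and amount under a constructed card key (real readers use EMV card keys and a different derivation). `CARD_KEY`, `PIN` and the account numbers are constructed values.

```python
"""Simplified model of transaction signing with a chip-and-PIN reader.
The bank recomputes the code from the details the browser actually sent, so
details altered by a man-in-the-browser no longer match the customer's code."""
import hashlib
import hmac

# Constructed secret shared between the bank and the customer's card
# (stands in for the real EMV card key; not a real value).
CARD_KEY = b"constructed-card-key-not-real"
PIN = "1234"   # constructed PIN; in this model it is part of the code input


def device_code(key, pin, payee_account, amount_pence):
    """The 8-digit code the reader shows for the details the customer keys in."""
    msg = f"{pin}|{payee_account}|{amount_pence}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_accepts(key, pin, submitted_account, submitted_pence, code):
    """Bank side: recompute from the submitted details; constant-time compare."""
    expected = device_code(key, pin, submitted_account, submitted_pence)
    return hmac.compare_digest(expected, code)


def scenario():
    """Three outcomes: honest payment, browser-tampered payment, social-engineered payment."""
    # Customer intends to pay GBP 120.00 to account 12345678 and keys exactly that in.
    intended = ("12345678", 12000)
    code = device_code(CARD_KEY, PIN, *intended)
    honest = bank_accepts(CARD_KEY, PIN, *intended, code)
    # Malware swaps payee and amount after 'confirm'; the customer's code does not fit them.
    tampered = bank_accepts(CARD_KEY, PIN, "99887766", 240000, code)
    # 'Training exercise' variant: the customer is talked into keying the fraudster's
    # details themselves, so the code is valid for them. The reader cannot tell the
    # difference; only the customer checking the payee on the reader's screen can.
    social_code = device_code(CARD_KEY, PIN, "99887766", 240000)
    social = bank_accepts(CARD_KEY, PIN, "99887766", 240000, social_code)
    return honest, tampered, social
```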


We asked the bank what they think we should watch out for and here's what they said: If your transaction seems to be taking longer than normal, there's a chance it's going via a fraudster's system. If you're asked for more information than normal, especially entire passwords, where previously you were only asked for parts, your machine may have been infected. If you suspect that something's amiss, contact your bank by phone, not by e-mail. Tell them the time and date that you believed you were accessing your bank account and if the bank's records don't match, it's likely that your computer has been compromised.

Now, if all that sounds alarming, then first of all, don't panic. In the UK at least banks usually refund victims of online fraud as a matter of course. Do use a security product. You'll stand a greater chance of not getting infected in the first place. You'll find all of these details and more on how to stay safe online at our website. OK. Next up it's Kate Russell with


Webscape.

The internet doesn't recognise boundaries. If you meet someone on a social network they're as likely to come from the other side of the planet as the house next door. When it comes to Twitter, you can see where your followers come from at TweepsMap.com. Just link your account and then share the results. It's a great conversation starter. But not so good if you have a huge volume of followers, like our account at BBC Click: Twitter only lets software like this do a certain amount of queries every hour. It couldn't handle our traffic. Luckily the nice people at TweepsMap.com were able to bypass their system and create our own special map. View the results as a map or a list, with an accompanying pie chart for that extra geek factor. You can even check out a follower's TweepsMap.com and share the results, a great way to make them aware of the service. But it might get you blocked for being a little bit

Discovery engines are all about helping you find new things you'll love based on what everyone else on the web thinks. There are lots to help you explore new areas of music, but not many that do it in such a stylish way as Discover Music. It's for iPhones and iPad and is an infinitely more rewarding experience on the larger screen of the tablet. As you explore you can tap through for samples, buy yoing Fiz, videos and other interesting bits. The apps aren't free, but they're not that expensive either. They do work brilliantly and look gorgeous while they're at it. And if you happen to be a Macintosh owner, there's a desktop download for you too.

If you're not crazy about music, you might be interested in the developer's other offering instead, Discover Apps. Same principle, but building a map of content you might like from the world of smartphone apps, now that really makes me 'appy.

Ever had a burning question, an intellectual itch that needed scratching but you don't have hours and hours to ask your friends and trawl through the internet looking for answers? Quora.com hopes to be the best destination to hear a range of theories and opinions crowd-sourced and rated by the webizens of the world. All the pages can be edited by anybody, so the content should grow and change organically over time. Like Wikipedia, then, only geared towards answering questions with commentary and debate rather than just delivering pages and pages of straightforward data. It's early days yet, so the community isn't huge, but there's already some interesting content building. I like the addition of their first mobile app for iPhone. Let's hope it won't be too long before the other handsets are covered. A nice, simple idea executed well enough that they deserve to succeed. Whether the internet needs another collaborative archive of information is another matter entirely.

Riding on the top deck of a London bus is a great way to see the city. Now you can enjoy a bit of art on 30 red and black LED screens around London on the roofs of bus shelters. Anyone in the world can design a screen using the browser-based tool at bus-tops.com. My efforts won't win awards, but maybe tourists riding round the city later this year will enjoy your creation.

With radical changes in Google's privacy coming on March 1, you might be interested to see what Google thinks about you. Head to Google.com/ads/preferences to see what assumptions the company has made about you based on your activity through their services such as search terms queried and websites visited. They use this information to target users with personalised advertising, but pigeon-holing can be a hit-and-miss science, as apparently I'm a male aged 18 to 24.

# If you don't know me by now... #

Luckily you have the option to change, delete or even opt out of the service altogether.

And finally, this week, the web has been alive with the story about Twitter announcing it might block specific content on a country-by-country basis if required. A lot of people online have voiced their objections and as a result the web is awash with reports of a very easy workaround, by simply editing your account settings to say you're in another country, as the block isn't based on the physical location from your IP address. Do be aware though, that doing this might actually be considered illegal where you live.

And if you missed any of those links, they're on our website. Along with everything else from this week's programme too. Feel

