Browse content similar to 04/02/2012. Check below for episodes and series from the same categories and more!
Line | From | To | |
---|---|---|---|
There is a link there to click on. I will be back at the top of the | :00:05. | :00:10. | |
hour with a full bulletin. Now it is time for Click. I have logged on | :00:10. | :00:14. | |
to my bank website. I have entered my password. I have protected my | :00:14. | :00:24. | |
computer. That means I am safe to This week, Click meets the man-in- | :00:35. | :00:39. | |
the-browser who breaks into your bank by getting you to let him in. | :00:39. | :00:44. | |
So, who can you count on to protect you? We will look at how and when | :00:44. | :00:48. | |
your security product may let you down and whether the banks | :00:48. | :00:52. | |
themselves can keep your cash safe. Plus, the latest tech news and the | :00:52. | :00:59. | |
best sites and apps of the week in Webscape. | :00:59. | :01:04. | |
Welcome to Click. I am Spencer Kelly. If you bank online, you may | :01:04. | :01:09. | |
have noticed over the past few years the process of logging on to | :01:09. | :01:13. | |
your bank's website is getting more complicated. Gone are the days when | :01:13. | :01:20. | |
you are asked for your password and user name. Today you are asked for | :01:20. | :01:25. | |
part of your password or shown a picture and asked to identify it. | :01:25. | :01:31. | |
Some send you these and ask you to display the code on it. These | :01:31. | :01:35. | |
measures are designed to keep you safe. | :01:35. | :01:40. | |
For much of the past decade, cybercrime and malicious software | :01:40. | :01:45. | |
have been less about ruining your computer and more about stealthily | :01:45. | :01:52. | |
stealing your credit card numbers and passwords. It costs the US | :01:52. | :02:01. | |
banks $1 billion every year. For example, a keylogger records your key | :02:01. | :02:05. | |
strokes and sends them back. Keyloggers are easy to foil. Banks | :02:05. | :02:11. | |
ask for only part of your password, sometimes without even using the | :02:11. | :02:15. | |
keyboard. Here is another old threat - these are phishing e-mails, | :02:15. | :02:21. | |
claiming to be from real banks, which direct you to fake, but | :02:21. | :02:25. | |
convincing copies of their websites. Enter your details here and they | :02:25. | :02:30. | |
will go straight to the cybercriminal's inbox. To foil the | :02:30. | :02:34. | |
fake phishing websites some banks have decided to prove to you they | :02:34. | :02:40. | |
are the genuine site by showing you a picture and a phrase you have | :02:40. | :02:43. | |
previously chosen, something a fake website will not know. Then there | :02:43. | :02:52. | |
are these. Every time you log on or try and make an online transaction | :02:52. | :02:56. | |
you may be asked to put in your PIN and read off the eight digits on | :02:56. | :03:01. | |
this screen. Now, to explain why we use this, I will have to | :03:01. | :03:05. | |
introduce you to a much more sophisticated online threat. | :03:05. | :03:11. | |
It is a threat which has been responsible for a number of high- | :03:11. | :03:15. | |
profile security breaches. It's also a particularly ingenious way | :03:15. | :03:21. | |
of stealing money from online banking customers. Something which has led | :03:21. | :03:26. | |
it to be called financial malware. A computer infected will wait until | :03:26. | :03:31. | |
you visit a banking website and then alter what you see in your | :03:31. | :03:37. | |
browser. Take these two computers. Both have surfed to the same | :03:37. | :03:42. | |
banking website, but spot the difference. The non-infected | :03:42. | :03:46. | |
machine asks for your customer number. The infected one asks for | :03:46. | :03:51. | |
your complete password and your debit card's PIN code. There's | :03:51. | :03:55. | |
nothing insecure about this particular bank, but as these pictures | :03:55. | :03:58. | |
show, financial malware can interfere with the appearance and | :03:58. | :04:01. | |
operation of any website, to ask for extra information, to change | :04:01. | :04:06. | |
the display or even to change the details that you enter after you | :04:06. | :04:12. | |
click OK. There are many types of financial | :04:12. | :04:19. | |
malware going by names such as SpyEye and Carberp. One of the most | :04:19. | :04:22. | |
established and well known is called Zeus. You don't see Zeus. | :04:22. | :04:26. | |
You think you're talking to the bank, but you are talking to Zeus. | :04:26. | :04:29. | |
Zeus is talking to your bank instead. What you think you're | :04:29. | :04:33. | |
doing, in fact you log on, you go and you think you're doing a | :04:33. | :04:38. | |
transaction, in fact it's fooling you. You think you are going to | :04:38. | :04:43. | |
transfer, you look at your balance, in fact Zeus is using your | :04:43. | :04:45. | |
credentials and going back and doing a transaction, but not the | :04:46. | :04:52. | |
transaction you wanted. It's doing its, like unloading your bank | :04:52. | :04:55. | |
account. Financial malware is getting smarter. The first | :04:55. | :05:01. | |
generation would alter the log-in screen to ask for more details, | :05:01. | :05:06. | |
newer versions can mess with your browsing session in more creative | :05:06. | :05:10. | |
ways. One would wait for you to make an on-line payment. After you | :05:11. | :05:14. | |
click confirm, it would change the amount and the account number, | :05:14. | :05:19. | |
instead making a payment to a cybercriminal's account. To avoid | :05:19. | :05:24. | |
detection, the malware would even change the amount displayed on an | :05:24. | :05:28. | |
online statement back to the original figure the user thought | :05:28. | :05:33. | |
they had paid in the first place. The Zeus code has become available | :05:33. | :05:40. | |
online, allowing experts to analyse the design and the code which will | :05:40. | :05:47. | |
- and the price, just $800. How do threats like this do against the | :05:47. | :05:50. | |
security products you have hopefully already installed on your | :05:50. | :05:55. | |
computer? One of the reasons it is so good at what it does is because | :05:55. | :06:00. | |
it's been designed to avoid detection by your security software. | :06:00. | :06:08. | |
Observe. Security products on your computer | :06:08. | :06:11. | |
spot unwanted intruders in the same way a security guard would in a | :06:11. | :06:16. | |
shop. First, he will look out for known faces. | :06:17. | :06:23. | |
Then, he will watch for unusual or suspicious behaviour. | :06:23. | :06:30. | |
If all else fails he will catch stuff being stolen as it leaves. | :06:30. | :06:35. | |
Modern financial malware like Zeus has been developed to foil these | :06:35. | :06:38. | |
methods. Zeus can disguise its appearance. In fact it changes the | :06:38. | :06:43. | |
way it looks tens of thousands of times a day. Nice hair, Zeus! He's | :06:43. | :06:47. | |
not your average shopper. I'll grant you, but he's not on the | :06:47. | :06:54. | |
wanted list. Zeus is also very discreet, in | :06:54. | :07:03. | |
order not to draw attention to itself. Most importantly when it | :07:03. | :07:07. | |
smuggles data out of your computer, it does so using someone else - the | :07:07. | :07:17. | |
browser. It's called a man-in-the-browser | :07:17. | :07:20. | |
attack, because essentially that's what it is doing. It is attacking | :07:21. | :07:24. | |
your browser. It is getting between you and the website. It is altering | :07:24. | :07:28. | |
what you see and changing the details of what you enter. Each | :07:28. | :07:32. | |
time a new update of Zeus is released, it can take the security | :07:32. | :07:38. | |
companies days, sometimes weeks to learn how to spot it, to learn its | :07:38. | :07:43. | |
common features, regardless of its disguise. It's in this all- | :07:43. | :07:48. | |
important window, before he's been identified, that your security | :07:48. | :07:51. | |
guard has to rely on its other defences to spot and block the | :07:52. | :07:56. | |
threat. This man thinks they are not doing | :07:56. | :08:00. | |
a good enough job. Chris Pickard tests security products against | :08:00. | :08:05. | |
malware. Today, he's running a test to see which of the most popular | :08:05. | :08:08. | |
security products can spot a man- in-the-browser attack, purely by | :08:08. | :08:12. | |
looking at its behaviour. To do this, he has commissioned a new | :08:12. | :08:16. | |
man-in-the-browser threat to be written, which we have called Test | :08:16. | :08:20. | |
Tool, which none of the security companies will have on | :08:20. | :08:26. | |
their wanted list. To ensure it is a fair test we have | :08:26. | :08:30. | |
drafted in independent witnesses, Daniel Brett and David Avila from | :08:30. | :08:36. | |
S21sec. We are testing if each security product will warn us that | :08:36. | :08:39. | |
Test Tool is a suspicious programme when we drop it on the machine and | :08:39. | :08:44. | |
run it, and also whether it will prevent it from stealing our log-on | :08:44. | :08:48. | |
details when we enter them into this website. This product has | :08:48. | :08:53. | |
passed. We are looking for any message alerting us that something | :08:53. | :08:57. | |
untoward is happening. This product, however, has failed. It | :08:57. | :09:03. | |
does not alert us when the threat runs on the machine. We enter our | :09:03. | :09:11. | |
details - still no warning and even worse our user name and password are | :09:11. | :09:16. | |
sent to this laptop. The bad news is when running with standard | :09:16. | :09:20. | |
settings, the majority of the products we tested failed. Only the | :09:20. | :09:25. | |
minority gave us a warning, or stopped our details from being | :09:25. | :09:30. | |
stolen. But, says our independent expert, these products still form | :09:30. | :09:34. | |
an independent part of your computer's defences. The man-in- | :09:34. | :09:40. | |
the-browser attack is a very focused, a very specific advanced | :09:40. | :09:45. | |
threat we are seeing. Specifically focused against banking. Now, many | :09:45. | :09:49. | |
products might not pick this up because they have a bigger scope. | :09:49. | :09:54. | |
They have to defend against all of the viruses we have seen from the | :09:54. | :09:58. | |
beginning of time. So, that means that they are not performing in | :09:58. | :10:03. | |
this area. It doesn't mean they are useless products. Some stuff we | :10:03. | :10:08. | |
have seen that does work against this is narrowly focused. It will | :10:08. | :10:14. | |
only protect against that malware. Definitely double them up. Follow | :10:14. | :10:20. | |
the advice of your bank. Get an up- to-date anti-virus, any tools which | :10:20. | :10:27. | |
are effective and be vigilant. Makers of many of the security | :10:27. | :10:31. | |
devices said it was not valid. They said part of their service stops | :10:31. | :10:35. | |
you getting infected in the first place by continually blacklisting | :10:35. | :10:42. | |
websites and e-mails and other sources of malware, ensuring your | :10:42. | :10:47. | |
computer has no vulnerabilities and spots if your machine starts to | :10:47. | :10:53. | |
communicate with malicious servers. Many security | :10:53. | :10:59. | |
products will protect against this | :10:59. | :11:05. | |
if they are set up to maximum. The problem here is they will block | :11:05. | :11:11. | |
many legitimate products too. If this had come from a source not | :11:11. | :11:15. | |
known to have been bad and started to communicate with an address not | :11:15. | :11:19. | |
on the blacklist, until they discovered and analysed it, it | :11:19. | :11:23. | |
probably would have beaten their protection. It's not just the | :11:23. | :11:26. | |
security products which are fighting the cybercriminals. Next, | :11:26. | :11:32. | |
we will look at how the banks have joined the battle against Zeus and | :11:32. | :11:35. | |
its contemporaries. We will have advice on how to spot if you have | :11:35. | :11:41. | |
become a victim. Next up, a look at this week's big tech news stories. | :11:41. | :11:46. | |
Many of us may feel we've got a share in Facebook's success. Soon | :11:46. | :11:49. | |
we'll be able to actually own shares in the company. It is going | :11:49. | :11:54. | |
to float on the Stock Market, with company shares expected to be | :11:54. | :11:59. | |
available for trading in May. The company has had to reveal | :11:59. | :12:02. | |
previously unknown information about the finances which shows Mark | :12:02. | :12:07. | |
Zuckerberg owns just over a quarter of the company. The network of 845 | :12:07. | :12:12. | |
million users each month made $1 billion in profit last year. | :12:12. | :12:17. | |
Microsoft is connecting PCs. Its movement detection system, | :12:17. | :12:27. | |
originally for the 360 games console, has been released for | :12:27. | :12:32. | |
PCs running Windows. Microsoft says it has enhanced voice | :12:32. | :12:36. | |
recognition and skeletal tracking, which may explain why the PC price | :12:36. | :12:40. | |
tag is almost double that of the Xbox model. A British couple have | :12:41. | :12:45. | |
been denied entry to the US after one tweeted he would go and destroy | :12:45. | :12:52. | |
America, before he travelled. This and another message about digging | :12:52. | :12:58. | |
up Marilyn Monroe's grave were considered enough reason to | :12:58. | :13:08. | |
enable homeland security to stop Lee Van | :13:09. | :13:17. | |
Bryan and his girl at Los Angeles airport. This did manage to fool | :13:17. | :13:26. | |
some onlookers. The devices, designed to look like flying people, | :13:26. | :13:36. | |
With financial malware right under your nose, it's not surprising then | :13:40. | :13:43. | |
that the banks have taken steps to defend themselves against man-in- | :13:43. | :13:49. | |
the-browser attacks. And that brings us back to these things. They may | :13:49. | :13:53. | |
be inconvenient but they have proved incredibly effective at | :13:53. | :13:57. | |
stopping financial malware from altering the details that you | :13:57. | :14:02. | |
enter. Whether it's at the log-on stage or when you make an online | :14:02. | :14:05. | |
payment, these devices generate numeric codes based on the | :14:05. | :14:11. | |
account number, amount and your card's PIN code. If Zeus changes | :14:11. | :14:14. | |
any of these behind-the-scenes, your bank will expect a different | :14:14. | :14:17. | |
code from the one your device has generated and the transaction will | :14:17. | :14:22. | |
fail. In the US, new guidance has | :14:22. | :14:26. | |
recently been issued that insists on tougher online banking security. | :14:26. | :14:30. | |
One suggestion is to use your mobile phone to authenticate a | :14:30. | :14:34. | |
transaction. For example, try to set up a new payee using this | :14:34. | :14:37. | |
online banking system and you'll receive an automated phone call | :14:37. | :14:40. | |
which verbally confirms the bank account number, which should warn | :14:40. | :14:44. | |
you if it's actually someone else who's logged into your account. And | :14:44. | :14:48. | |
to confirm that the details haven't been changed en route, you'll be | :14:48. | :14:52. | |
asked to enter a code into your phone which confirms the specific | :14:52. | :14:57. | |
details of your transaction. And while these defences are in place | :14:57. | :15:01. | |
at the front end, the banks have more tricks up their sleeves | :15:01. | :15:05. | |
behind-the-scenes. If you ever log into your bank and you notice that | :15:05. | :15:09. | |
their main web page has changed and you notice that it seems to be | :15:09. | :15:14. | |
changing on a regular basis, that's to foil Zeus. Because Zeus is tied | :15:14. | :15:18. | |
to the way the page is formatted. It's tied to exactly the way the | :15:18. | :15:23. | |
page looks. So the way the banks get around it is they reorganise | :15:23. | :15:26. | |
the web page you're talking to at the bank. That slows down Zeus | :15:26. | :15:31. | |
until its next update. The UK Payments Council, which oversees | :15:31. | :15:35. | |
the strategy for payments for the British banks, says that | :15:35. | :15:40. | |
understanding customers' normal behaviour is also vital. Banks also | :15:40. | :15:43. | |
employ back end security, that's what's happening behind-the-scenes | :15:43. | :15:49. | |
to protect you from being a victim of online banking fraud. So they've | :15:49. | :15:53. | |
got fraud detection software, it's intelligent software used to seeing | :15:53. | :15:58. | |
how you operate your online bank account. Any deviations from the | :15:58. | :16:02. | |
norm, that software will pick it up. That may be the type of transaction | :16:02. | :16:07. | |
you've made, the amount, one of the things that the criminals will do, | :16:07. | :16:11. | |
and this potentially acts as a, will put a flag on your account. If | :16:11. | :16:16. | |
criminals have got your details they will typically put a pound | :16:16. | :16:20. | |
transaction through, maybe to a utility company even a charity | :16:20. | :16:23. | |
payment. They're testing that the details they have are correct and | :16:23. | :16:28. | |
that the account is still active. Those are the types of things that | :16:28. | :16:32. | |
actually the fraud detection software are looking out for. | :16:32. | :16:37. | |
These methods are, however, only the latest step in the inevitable cat-and- | :16:37. | :16:41. | |
mouse game with the cybercriminals. There are now reports of financial | :16:41. | :16:44. | |
malware which calculates how much it can take from your account | :16:44. | :16:51. | |
without appearing suspicious. Newer versions of Zeus | :16:51. | :16:55. | |
are there to foil multi-factor authentication techniques, to fool | :16:55. | :17:00. | |
you into giving your mobile phone number. Do this and you will be | :17:00. | :17:05. | |
sent a link which will infect your phone. This one tries to fool you | :17:05. | :17:10. | |
into using your chip and PIN device to generate a correct code for its | :17:10. | :17:13. | |
transaction. Once logged into your bank, it offers to train you in | :17:13. | :17:17. | |
your bank's new upgraded security system. As part of that you're | :17:17. | :17:21. | |
invited to make a transaction to a fictitious bank account, though | :17:21. | :17:26. | |
you're told this is just a training exercise, the transaction is real. | :17:26. | :17:30. | |
We asked the bank what they think we should watch out for and here's | :17:30. | :17:35. | |
what they said: If your transaction seems to be taking longer than | :17:35. | :17:39. | |
normal, there's a chance it's going via a fraudster's system. If you're | :17:39. | :17:44. | |
asked for more information than normal, especially entire passwords, | :17:44. | :17:47. | |
where previously you were only asked for parts, your machine may | :17:47. | :17:50. | |
have been infected. If you suspect that something's amiss, contact | :17:50. | :17:55. | |
your bank by phone, not by e-mail. Tell them the time and date that | :17:55. | :17:58. | |
you believed you were accessing your bank account and if the bank's | :17:58. | :18:01. | |
records don't match, it's likely that your computer has been | :18:01. | :18:07. | |
compromised. Now, if all that sounds alarming, then first of all, | :18:07. | :18:11. | |
don't panic. In the UK at least banks usually refund victims of | :18:11. | :18:16. | |
online fraud as a matter of course. Do use a security product. You'll | :18:16. | :18:20. | |
stand a greater chance of not getting infected in the first place. | :18:20. | :18:24. | |
You'll find all of these details and more on how to stay safe online | :18:24. | :18:31. | |
at our website. OK. Next up it's Kate Russell with | :18:31. | :18:37. | |
Webscape. The internet doesn't recognise boundaries. If you meet | :18:37. | :18:40. | |
someone on a social network they're as likely to come from the other | :18:41. | :18:45. | |
side of the planet as the house next door. When it comes to Twitter, | :18:45. | :18:49. | |
you can see where your followers come from at TweepsMap.com. Just | :18:49. | :18:53. | |
link your account and then share the results. It's a great | :18:53. | :18:58. | |
conversation starter. But not so good if you have a huge volume of | :18:58. | :19:03. | |
followers, like our account at BBC Click. Twitter only lets software | :19:03. | :19:06. | |
like this do a certain amount of queries every hour. It couldn't | :19:06. | :19:11. | |
handle our traffic. Luckily the nice people at TweepsMap.com were | :19:11. | :19:20. | |
able to bypass their system and create our own special map. View | :19:20. | :19:24. | |
the results as a map or a list, with an accompanying pie chart for | :19:24. | :19:29. | |
that extra geek factor. You can even check out a follower's | :19:29. | :19:33. | |
TweepsMap.com and share the results, a great way to make them aware of | :19:33. | :19:36. | |
the service. But it might get you blocked for being a little bit | :19:36. | :19:46. | |
Discovery engines are all about helping you find new things you'll | :19:49. | :19:52. | |
love based on what everyone else on the web thinks. There are lots to | :19:52. | :19:57. | |
help you explore new areas of music, but not many that do it in such a | :19:57. | :20:03. | |
stylish way as Discovr Music. It's for iPhone and iPad and is an | :20:03. | :20:06. | |
infinitely more rewarding experience on the larger screen of | :20:06. | :20:11. | |
the tablet. As you explore you can tap through for samples, | :20:11. | :20:15. | |
biographies, videos and other interesting bits. The apps aren't free, but | :20:15. | :20:20. | |
they're not that expensive either. They do work brilliantly and look | :20:20. | :20:24. | |
gorgeous while they're at it. And if you happen to be a Macintosh | :20:24. | :20:33. | |
owner, there's a desk top download for you too. | :20:33. | :20:37. | |
If you're not crazy about music, you might be interested in the | :20:37. | :20:42. | |
developer's other offering instead, Discovr Apps. Same principle, but | :20:42. | :20:46. | |
building a map of content you might like from the world of smartphone | :20:46. | :20:56. | |
apps, now that really makes me appy. Ever had a burning question, an | :20:58. | :21:01. | |
intellectual itch that needed scratching but you don't have hours | :21:01. | :21:05. | |
and hours to ask your friends and trawl through the internet looking | :21:05. | :21:12. | |
for answers? Quora.com hopes to be the best destination to hear a | :21:12. | :21:16. | |
range of theories and opinions crowd sourced and rated by the | :21:16. | :21:25. | |
webizens of the world. All the pages can be edited by | :21:25. | :21:30. | |
anybody, so the content should grow and change organically over time. | :21:30. | :21:35. | |
Like Wikipedia, then, only geared towards answering questions with | :21:35. | :21:38. | |
commentary and debate rather than just delivering pages and pages of | :21:38. | :21:43. | |
straightforward data. It's early days yet, so the community isn't | :21:43. | :21:47. | |
huge, but there's already some interesting content building. I | :21:47. | :21:50. | |
like the addition of their first mobile app for iPhone. Let's hope | :21:50. | :21:56. | |
it won't be too long before the other handsets are covered. A nice, | :21:56. | :21:59. | |
simple idea executed well enough that they deserve to succeed. | :21:59. | :22:02. | |
Whether the internet needs another collaborative archive of | :22:02. | :22:10. | |
information is another matter entirely. | :22:10. | :22:14. | |
Riding on the top deck of a London bus is a great way to see the city. | :22:14. | :22:19. | |
Now you can enjoy a bit of art on 30 red and black LED screens around | :22:19. | :22:23. | |
London on the roofs of bus shelters. Anyone in the world can design a | :22:23. | :22:33. | |
screen using the browser-based tool at bus-tops.com. My efforts won't | :22:33. | :22:37. | |
win awards, but maybe tourists riding round the city later this | :22:37. | :22:47. | |
year, will enjoy your creation. With radical changes in Google's | :22:48. | :22:51. | |
privacy coming on March 1, you might be interested to see what | :22:51. | :22:56. | |
Google thinks about you, head to Google.com/ads/preferences to see | :22:56. | :22:59. | |
what assumptions the company has made about you based on your | :23:00. | :23:03. | |
activity through their services such as search terms queried and | :23:03. | :23:09. | |
websites visited. They use this information to target users with | :23:09. | :23:13. | |
personalised advertising, but pigeon holing can be a hit-and-miss | :23:13. | :23:20. | |
science, as apparently I'm a male aged 18 to 24. | :23:20. | :23:26. | |
# If you don't know me by now... # Luckily you have the option to | :23:26. | :23:34. | |
change, delete or even opt out of the service altogether. And | :23:34. | :23:38. | |
finally, this week, the web has been alive with the story about | :23:38. | :23:41. | |
Twitter announcing it might block specific content on a country by | :23:41. | :23:45. | |
country basis if required. A lot of people online have voiced their | :23:45. | :23:50. | |
objections and as a result the web is awash with reports of a very | :23:50. | :23:54. | |
easy work around, by simply editing your account settings to say you're | :23:54. | :23:57. | |
in another country, as the block isn't based on the physical | :23:57. | :24:01. | |
location from your IP address. Do be aware though, that doing this | :24:01. | :24:07. | |
might actually be considered illegal where you live. | :24:07. | :24:12. | |
And if you missed any of those links, they're on our website. | :24:12. | :24:16. | |
Along with everything else from this week's programme too. Feel | :24:16. | :24:22. |