04/02/2012 Click


Gadgets, websites, games and computer industry news. How safe are transactions carried out over the internet? A special investigation looks at the latest threats to online banking.


Transcript


There is a link there to click on. I will be back at the top of the hour with a full bulletin. Now it is time for Click.

I have logged on to my bank website. I have entered my password. I have protected my computer. That means I am safe to

This week, Click meets the man-in-the-browser who breaks into your bank by getting you to let him in. So, who can you count on to protect you? We will look at how and when your security product may let you down and whether the banks themselves can keep your cash safe. Plus, the latest tech news and the best sites and apps of the week in Webscape.

Welcome to Click. I am Spencer Kelly. If you bank online, you may have noticed over the past few years the process of logging on to your bank's website is getting more complicated. Gone are the days when you are asked for your password and user name. Today you are asked for part of your password or shown a picture and asked to identify it. Some send you these and ask you to display the code on it. These measures are designed to keep you safe.

For much of the past decade, cybercrime and malicious software have been less about ruining your computer and more about stealthily stealing your credit card numbers and passwords. It costs the US banks $1 billion every year. For example, a keylogger records your keystrokes and sends them back. Keyloggers are easy to foil. Banks ask for only part of your password, sometimes without even using the keyboard. Here is another old threat: these are phishing e-mails, claiming to be from real banks, which direct you to fake but convincing copies of their websites. Enter your details here and they will go straight to the cybercriminal's inbox. To foil the fake phishing websites, some banks have decided to prove to you they are the genuine site by showing you a picture and a phrase you have previously chosen, something a fake website will not know. Then there are these. Every time you log on or try and make an online transaction you may be asked to put in your PIN and read off the eight digits on this screen. Now, to explain why we use this, I will have to introduce you to a much more sophisticated online threat.

It is a threat which has been responsible for a number of high-profile security breaches. It's also a particularly ingenious way of stealing money from online banking customers, something which has led it to be called financial malware. A computer infected will wait until you visit a banking website and then alter what you see in your browser. Take these two computers. Both have surfed to the same banking website, but spot the difference. The non-infected machine asks for your customer number. The infected one asks for your complete password and your debit card's PIN code. There's nothing insecure about this particular bank; as these pictures show, financial malware can interfere with the appearance and operation of any website, to ask for extra information, to change the display or even to change the details that you enter after you click OK. There are many types of financial malware going by names such as SpyEye and Carberp. One of the most established and well known is called Zeus.

You don't see Zeus. You think you're talking to the bank, but you are talking to Zeus. Zeus is talking to your bank instead. What you think you're doing, in fact you log on, you go and you think you're doing a transaction, in fact it's fooling you. You think you are going to transfer, you look at your balance, in fact Zeus is using your credentials and going back and doing a transaction, but not the transaction you wanted. It's doing its, like unloading your bank account.

Financial malware is getting smarter. The first generation would alter the log-in screen to ask for more details; newer versions can mess with your browsing session in more creative ways. One would wait for you to make an online payment. After you click confirm, it would change the amount and the account number, instead making a payment to a cybercriminal's account. To avoid detection, the malware would even change the amount displayed on an online statement back to the original figure the user thought they had paid in the first place. The Zeus code has become available online, allowing experts to analyse the design and the code which will -- and the price, just $800. How do threats like this do against the security products you have hopefully already installed on your computer? One of the reasons it is so good at what it does is because it's been designed to avoid detection by your security software.

Observe. Security products on your computer spot unwanted intruders in the same way a security guard would in a shop. First, he will look out for known faces. Then, he will watch for unusual or suspicious behaviour. If all else fails he will catch stuff being stolen as it leaves. Modern financial malware like Zeus has been developed to foil these methods. Zeus can disguise its appearance. In fact it changes the way it looks tens of thousands of times a day. Nice hair, Zeus! He's not your average shopper, I'll grant you, but he's not on the wanted list. Zeus is also very discreet, in order not to draw attention to itself. Most importantly, when it smuggles data out of your computer, it does so using someone else: the browser. It's called a man-in-the-browser attack, because essentially that's what it is doing. It is attacking your browser. It is getting between you and the website. It is altering what you see and changing the details of what you enter. Each time a new update of Zeus is released, it can take the security companies days, sometimes weeks to learn how to spot it, to learn its common features, regardless of its disguise. It's in this all-important window, before he's been identified, that your security guard has to rely on its other defences to spot and block the threat.

This man thinks they are not doing a good enough job. Chris Pickard tests security products against malware. Today, he's running a test to see which of the most popular security products can spot a man-in-the-browser attack, purely by looking at its behaviour. To do this, he has commissioned a new man-in-the-browser threat to be written, which we have called Test Tool, which none of the security companies will have on their wanted list. To ensure it is a fair test we have drafted in independent witnesses, Daniel Brett and David Avila from S21sec.

We are testing if each security product will warn us that Test Tool is a suspicious programme when we drop it on the machine and run it, and also whether it will prevent it from stealing our log-on details when we enter them into this website. This product has passed. We are looking for any message alerting us that something untoward is happening. This product, however, has failed. It does not alert us when the threat runs on the machine. We enter our details: still no warning, and even worse, our user name and password is sent to this laptop.

The bad news is when running with standard settings, the majority of the products we tested failed. Only the minority gave us a warning, or stopped our details from being stolen. But, says our independent expert, these products still form an independent part of your computer's defences.

The man-in-the-browser attack is a very focused, a very specific advanced threat we are seeing, specifically focused against banking. Now, many products might not pick this up because they are a bigger scope. They have to defend against all of the viruses we have seen from the beginning of time. So, that means that they are not performing in this area. It doesn't mean they are useless products. Some stuff we have seen that does work against this is narrowly focused. It will only protect against that malware. Definitely double them up. Follow the advice of your bank. Get an up-to-date anti-virus, any tools which are effective, and be vigilant.

Makers of many of the security devices said it was not valid. They said part of their service stops you getting infected in the first place by continually blacking out websites and e-mails and other sources of malware, ensuring your computer has no vulnerabilities and spots if your machine starts to communicate with malicious servers. Many security products will protect against this if they are set up to maximum. The problem here is they will block many legitimate products too. If this had come from a source not known to have been bad and started to communicate with an address not on the blacklist, until they discovered and analysed it, it probably would have beaten their protection.

It's not just the security products which are fighting the cybercriminals. Next, we will look at how the banks have joined the battle against Zeus and its contemporaries. We will have advice on how to spot if you have become a victim. Next up, a look at this week's big tech news stories.

Many of us may feel we've got a share in Facebook's success. Soon we'll be able to actually own shares in the company. It is going to float on the Stock Market, with company shares expected to be available for trading in May. The company has had to reveal previously unknown information about the finances which shows Mark Zuckerberg owns just over a quarter of the company. The network of 845 million users each month made $1 billion in profit last year.

Microsoft is connecting PCs. Its movement detection system, originally for the 360 games console, has been released, with home running Windows. Microsoft says it has enhanced voice recognition and skeletal tracking, which may explain why the PC price tag is almost double that of the Xbox model.

A British couple have been denied entry to the US after one tweeted he would go and destroy America, before he travelled. This and another message about digging up Marilyn Monroe's grave were considered enough reason to enable homeland security to stop Lee Van Bryan and his girl at Los Angeles airport.

This did manage to fool some on-looking. The devices, designed to look like flying people,

Financial malware is right under your nose, so it's not surprising then that the banks have taken steps to defend themselves against man-in-the-browser attacks. And that brings us back to these things. They may be inconvenient but they have proved incredibly effective at stopping financial malware from altering the details that you enter. Whether it's at the log-on stage or when you make an online payment, these devices generate unique codes based on the account number, amount and your card's PIN code. If Zeus changes any of these behind the scenes, your bank will expect a different code from the one your device has generated and the transaction will fail.

In the US, new guidance has recently been issued that insists on tougher online banking security. One suggestion is to use your mobile phone to authenticate a transaction. For example, try to set up a new payee using this online banking system and you'll receive an automated phone call which verbally confirms the bank account number, which should warn you if it's actually someone else who's logged into your account. And to confirm that the details haven't been changed en route, you'll be asked to enter a code into your phone which confirms the specific details of your transaction. And while these defences are in place at the front end, the banks have more tricks up their sleeves behind the scenes.

If you ever log into your bank and you notice that their main web page has changed and you notice that it seems to be changing on a regular basis, that's to foil Zeus. Because Zeus is tied to the way the page is formatted. It's tied to exactly the way the page looks. So the way the banks get around it is they reorganise the web page you're talking to at the bank. That slows down Zeus until its next update.

The UK Payments Council, which oversees the strategy for payments for the British banks, says that understanding customers' normal behaviour is also vital.

Banks also employ back-end security, that's what's happening behind the scenes to protect you from being a victim of online banking fraud. So they've got fraud detection software, it's intelligent software used to seeing how you operate your online bank account. Any deviations from the norm, that software will pick it up. That may be the type of transaction you've made, the amount, one of the things that the criminals will do, and this potentially acts as a, will put a flag on your account. If criminals have got your details they will typically put a pound transaction through, maybe to a utility company, even a charity payment. They're testing that the details they have are correct and that the account is still active. Those are the types of things that actually the fraud detection software are looking out for.

methods are, however, only the latest step in the inevitable cat-and-mouse game with the cybercriminals. There are now reports of financial malware which calculates how much it can take from your account without appearing suspicious. Newer versions of Zeus are there to foil multi-factor authentication techniques, to fool you into giving your mobile phone number. Do this and you will be sent a link which will infect your phone. This one tries to fool you into using your chip and PIN device to generate a correct code for its transaction. Once logged into your bank, it offers to train you in your bank's new upgraded security system. As part of that you're invited to make a transaction to a fictitious bank account; though you're told this is just a training exercise, the transaction is real.

We asked the banks what they think we should watch out for and here's what they said: If your transaction seems to be taking longer than normal, there's a chance it's going via a fraudster's system. If you're asked for more information than normal, especially entire passwords, where previously you were only asked for parts, your machine may have been infected. If you suspect that something's amiss, contact your bank by phone, not by e-mail. Tell them the time and date that you believed you were accessing your bank account and if the bank's records don't match, it's likely that your computer has been compromised. Now, if all that sounds alarming, then first of all, don't panic. In the UK at least banks usually refund victims of online fraud as a matter of course. Do use a security product. You'll stand a greater chance of not getting infected in the first place. You'll find all of these details and more on how to stay safe online at our website. OK. Next up it's Kate Russell with Webscape.

The internet doesn't recognise boundaries. If you meet someone on a social network they're as likely to come from the other side of the planet as the house next door. When it comes to Twitter, you can see where your followers come from at TweepsMap.com. Just link your account and then share the results. It's a great conversation starter, but not so good if you have a huge volume of followers, like our account at BBC Click. Twitter only lets software like this do a certain amount of queries every hour. It couldn't handle our traffic. Luckily the nice people at TweepsMap.com were able to bypass their system and create our own special map. View the results as a map or a list, with an accompanying pie chart for that extra geek factor. You can even check out a follower's TweepsMap.com and share the results, a great way to make them aware of the service. But it might get you blocked for being a little bit

Discovery engines are all about helping you find new things you'll love based on what everyone else on the web thinks. There are lots to help you explore new areas of music, but not many that do it in such a stylish way as Discover Music. It's for iPhones and iPad and is an infinitely more rewarding experience on the larger screen of the tablet. As you explore you can tap through for samples, buy yoing Fiz, videos and other interesting bits. The apps aren't free, but they're not that expensive either. They do work brilliantly and look gorgeous while they're at it. And if you happen to be a Macintosh owner, there's a desktop download for you too. If you're not crazy about music, you might be interested in the developer's other offering instead, Discover Apps. Same principle, but building a map of content you might like from the world of smartphone apps. Now that really makes me appy.

Ever had a burning question, an intellectual itch that needed scratching, but you don't have hours and hours to ask your friends and trawl through the internet looking for answers? Quora.com hopes to be the best destination to hear a range of theories and opinions crowd-sourced and rated by the webizens of the world. All the pages can be edited by anybody, so the content should grow and change organically over time. Like Wikipedia, then, only geared towards answering questions with commentary and debate rather than just delivering pages and pages of straightforward data. It's early days yet, so the community isn't huge, but there's already some interesting content building. I like the addition of their first mobile app for iPhone. Let's hope it won't be too long before the other handsets are covered. A nice, simple idea executed well enough that they deserve to succeed. Whether the internet needs another collaborative archive of information is another matter entirely.

Riding on the top deck of a London bus is a great way to see the city. Now you can enjoy a bit of art on 30 red and black LED screens around London on the roofs of bus shelters. Anyone in the world can design a screen using the browser-based tool at bus-tops.com. My efforts won't win awards, but maybe tourists riding round the city later this year will enjoy your creation.

With radical changes in Google's privacy coming on March 1, you might be interested to see what Google thinks about you. Head to Google.com/ads/preferences to see what assumptions the company has made about you based on your activity through their services, such as search terms queried and websites visited. They use this information to target users with personalised advertising, but pigeonholing can be a hit-and-miss science, as apparently I'm a male aged 18 to 24. # If you don't know me by now... # Luckily you have the option to change, delete or even opt out of the service altogether.

And finally, this week, the web has been alive with the story about Twitter announcing it might block specific content on a country-by-country basis if required. A lot of people online have voiced their objections and as a result the web is awash with reports of a very easy workaround, by simply editing your account settings to say you're in another country, as the block isn't based on the physical location from your IP address. Do be aware though, that doing this might actually be considered illegal where you live.

And if you missed any of those links, they're on our website, along with everything else from this week's programme too. Feel
