check out the bank’s SSL certificate closely, thus ensuring that you are connected correctly. If a trojan is intending to manipulate the contents of a transaction, there is no point in doing so when the victim is connecting not to the bank but to a ‘service’ operated by a rival criminal concern!)
Initially, the most common PC-based attack against banking was indeed the keylogger. The concept is simple: watch for a banking transaction, record the keys typed in (hopefully including account number, password or other personally identifiable information) and later pass those keystrokes to someone outside.
An early response to keyloggers was the so-called virtual keyboard, a script-based or image-based system which requires you to click on pictures of keys using the mouse. Often, the letters or numbers on the virtual keyboard move around randomly each time you visit the site, so that the location of the mouse movements cannot be replayed. Many banks still use this system, believing that it provides additional security.
Malware authors were quick to respond, painting over input forms and popping up virtual keyboard simulators which captured your details before forwarding them to the bank (or, to simplify the programming, before faking an error and forcing you to start again, this time with the trojan allowing your connection to proceed normally).
We can expect this sort of arms race to continue. Unfortunately, the phishers are more nimble than the banks. It might take a bank more than a year to introduce brand new web programming and access control