I hate to be the one forwarding warnings about the latest and greatest 'virus' or 'trojan'. I dare not try to estimate the number of these 'warnings' I've received over the years.
However, anybody who uses the internet for banking, whether to do transfers, pay bills, or even just to check balances, needs to read this SecurityFocus blog. It describes the 'latest and greatest trojan', which is attacking banking sessions across the globe. Even if you're using an RSA tag, or SMS verification, you may be at risk.
Now I'm very aware that these 'latest and greatest threat' warnings are usually hoaxes. However, working as I do in the financial sector, and having just written my thesis on financial account security, I can tell you this for sure: the threats described in that blog post are real, in-the-wild, stealing-people's-money-as-we-speak threats, even if this particular super-trojan doesn't actually exist.
My advice: if your bank doesn't offer SMS security, change banks. Further, there is a specific way SMS security needs to work to be effective. When you do a transfer to an account you haven't sent money to before, it should send an SMS to your phone, with two pieces of information: a single-use code, and the details of the transaction. You need to CHECK CAREFULLY that the transaction details are correct, and then enter the code into the confirmation page on your internet banking session.
The reason you need to check the transfer details in the SMS (which is the same reason RSA tags don't work) is outlined fully in the blog post I linked to. Basically, trojans (malicious programs which infect your computer) can change the transfer details sent to the bank, and then put the details you originally entered back into the confirmation page you see. You think you're confirming the transaction you entered, when you're actually confirming a transfer to a thief.
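The confirmation flow described above, as an added sketch that is not code from the linked blog post or from any bank: the bank derives the single-use code from the transfer it actually received and puts those same details in the SMS, so the customer's comparison is what stops an altered transfer. The function names, the HMAC-based code derivation, the key, and the account numbers are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets

BANK_KEY = secrets.token_bytes(32)  # constructed demo key, known only to the bank

def bound_code(nonce, payee, cents):
    """Six-digit single-use code derived from the transfer the bank received."""
    msg = f"{nonce}|{payee}|{cents}".encode()
    digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

def bank_receive(payee, cents):
    """Store the transfer as it arrived and build the SMS from that copy."""
    pending = {"nonce": secrets.token_hex(8), "payee": payee, "cents": cents}
    sms = {"payee": payee, "cents": cents, "code": bound_code(**pending)}
    return pending, sms

def bank_confirm(pending, code):
    """Release funds only if the code matches the stored transfer."""
    return hmac.compare_digest(bound_code(**pending), code)

def customer_reads_sms(intended, sms):
    """Hand over the code only when the SMS details match what was intended."""
    if (sms["payee"], sms["cents"]) == intended:
        return sms["code"]
    return None  # mismatch: do not enter the code

def run(intended, received_by_bank, sms_shows_details=True):
    """Return True if the transfer the bank received ends up executed."""
    pending, sms = bank_receive(*received_by_bank)
    if sms_shows_details:
        code = customer_reads_sms(intended, sms)
    else:
        code = sms["code"]  # code-only message or token: nothing to compare
    return code is not None and bank_confirm(pending, code)

intended = ("062-000 12345678", 25_000)  # constructed payee and amount (cents)
altered = ("999-999 00000001", 950_000)  # constructed: what reached the bank

if __name__ == "__main__":
    print("unaltered, details checked:", run(intended, intended))
    print("altered, details checked:  ", run(intended, altered))
    print("altered, code only:        ", run(intended, altered, False))
```

The third case is the one that matters: when the message carries only a code, the code is still valid for the altered transfer, and nothing in front of the customer shows the difference.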
If your bank offers this correctly-done SMS security on Pay Anyone transfers, but NOT on BPay, DO call them and complain. We're not talking about backyard thieves here: these are large criminal syndicates, with payrolls and budgets. They are certainly not above registering a company, getting switched on to receive BPay payments, and using that to receive stolen funds until they're caught and the company is shut down. BPay is NOT inherently safe.
Keep in mind, if you have an RSA tag, or SMS security but don't (or can't) check the transfer details in the SMS, you're going to have a harder time convincing your bank that the transfer wasn't authorized, and you're LESS likely to get your money back. Refunds for stolen money are (currently, pending changed legislation or a court challenge to the current interpretation) at the SOLE discretion of your bank, unless they manage to recover the money (which is unlikely).
Now, for the hard part. So many people I talk to don't know about this. I've had members of my own family fall victim to these trojans WHILE I was writing my thesis on this exact problem. People don't know, and if they do, they don't bother. PLEASE tell your friends and family about this. PLEASE DO NOT, however, start chain emails. I don't want to receive this warning back 37 times in the next three days. Write a blog post (even summarise, and link to this one), or have a word in person, or chat on the 'phone.
Actually, I'd prefer if you pointed people here. I'll try to actually log in to my LJ regularly for a change, and answer any questions posted in the comments. I do know this stuff, I work with it daily, so I'm happy to field even the most technical of questions. Well, I'll do my best, anyway.
PS Virus and spyware scanners are SIGNIFICANTLY less than perfect. You could have two of each, completely up-to-date, with a proper firewall and all the latest state-of-the-art security software, and still get hit by a new threat. DO NOT rely on stop-gap measures like firewalls and virus scanners, although you should definitely be using them for the protection they do offer.