You Might Be Interested to Know

[Guest guest]

Here is the next phase of scamming the user. Won't even need email

to trigger this one.

Fred

Crime: Crooks Get Behind Plow ; 'Pharming' harvests a new crop of

thieves

---------------------------------------------------------------------

-----------

Mar 1, 2005 - Bank Technology News

Author(s): Grebb

---------------------------------------------------------------------

-----------

As if phishing scams weren't bad enough, security experts have found

a new " phlavor " of the month: " Pharming. " What is pharming? It

operates on the same principle as phishing by fooling on-line users

into thinking they're at a legitimate banking site when, in fact,

they are not. But unlike phishing, which a savvy on- line user can

avoid by not answering suspect e-mails, pharming is almost

undetectable. It relies on trojan viruses that alter the behavior of

Internet browsers so that attempts to log onto a banking site

actually trigger the browser to automatically redirect the user to a

spoof site.

" In these cases, one doesn't even have to click on an e-mail link, "

says Whitener, director of privacy services for EDS. " [it's]

Pretty scary stuff. "

Worst of all, once a machine is infected, someone who has typed the

correct URL into the browser can still end up at the spoof site,

unaware that the user name, password and account information has

been harvested for identity theft or other nefarious purpose. " We're

fairly concerned about pharming, " says Kim Legelis, director of

financial services industry solutions at on-line security firm

Symantec. " This is not a flash-in-the-pan threat. Pharming is

probably where phishing was 12 months ago. " Notes MX Logic's chief

technical officer Chasin, who is widely credited with coining

the " pharming " term: " Pharming is a next-generation phishing attack

without the lure. "

The question, of course, is: What can banks and banking customers do

about pharming? " There needs to be a lot of education done by the

financial institutions related to these crimes, " says

Chasin. " Before this becomes a massive epidemic, the industry needs

to act pretty quickly. " For banks, it may be a matter of

survival. " All of this has institutions absolutely terrified, " says

Heinrichs, CEO of on-line security firm Lightspeed Systems,

which was one of the first firms to react to pharming scams with new

software protections. " It's like a battle with these guys. This is

big-time fraud. "

While security companies are famous for publicizing threats to keep

businesses buying software, pharming is quite threatening. Several

pharming schemes have already proliferated throughout the Internet

with frightening precision. Late last year, Security firm LURHQ's

Threat Intelligence Group publicized one such trojan that targeted

users of the e-gold.com system, which allows account holders to

trade electronic currency backed by gold bullion. The " Win32.grams "

trojan infiltrated machines and tried to transfer currency out of

victims' accounts. " That process could easily be applied at

mainstream financial institutions, " warns Elazar Katz, director of

Unisys' active risk-management practice.

Although Win32.grams contained a bug that prevented it from working

properly, Katz and other experts say it's only a matter of time

before such trojans become bug-free. In the current world, on-line

criminals still often manually perpetuate fraud, creating a backlog

that helps keep them from exploiting information they collect

automatically with software. Automating the fraud process, however,

could spell disaster. " That bottleneck will be addressed next, " Katz

says.

Other recent threats are equally menacing. The " Troj/BankAsh-A "

trojan, which spies on a user's Internet activity until it reaches

an on-line banking site, displays a fake log-in page and records

keystrokes, later sending the stolen details to a remote FTP site.

It also disables Microsoft's new anti-spyware protection. Targeted

banks include Barclays, Cahoot, Halifax, HSBC, Lloyds TSB,

Nationwide, NatWest and the U.K. Internet bank, Smile.

And as early as last summer, the " download.ject " trojan was

capturing keystrokes to steal log-in information, as well as

creating fake dialog boxes that prompted the user to enter

confidential ATM codes, credit card numbers and other financial

data. " That's where you get into some scary stuff, " says

Faulkner, CEO of Web hosting firm CI Host. " When some idiot has

transferred all of your money to Russia, you may get your money

back, but it might take three weeks. Meanwhile, you have to figure

out how to pay your mortgage. "

Indeed, the question is whether such threats will at some point

deter people from conducting business on-line. " Consumers are losing

confidence in the Internet, " laments Jon Ramsey, CTO at on-line

security firm SecureWorks. " If the security risk outweighs the

convenience of on-line banking, then people will revert to other

means. " So far, the banking industry hasn't seen any mass

defections. " The more important thing is to practice the vigilance

so that doesn't happen, " warns Doug , senior policy analyst

at the American Bankers Association. He says the industry tries to

strike a balance between convenience and security, even as online

fraud threats proliferate.

" We all see at the end of the rainbow this promise of electronic

commerce, " he says. " But we don't want to have a customer confidence

issue. " Experts note that banks can take steps to put their

customers (and themselves) more at ease. On the most basic level,

banks are already educating customers about how to protect

themselves from threats. " Educating our customers is the only thing

we can do outside the bank to protect ourselves, " says Mark Payne,

director of technology at sbluff, NB-based Platte Valley

National Bank. " Our best defense is education. " Boston Private Bank

& Trust, a subsidiary of the $2 billion Private Financial Holdings,

recently hired two full-time staff members devoted to fraud

detection and prevention, and formed a committee to coordinate

consumer-education efforts.

" We're trying to get the word out strongly that [consumers] need to

watch their activity, " says Maureen McCarthy, director of the bank's

Financial Intelligence Unit. But she says the bank has shied away

from providing anti- virus software or other computer advice to its

customers. " I don't think any bank wants to be in the business of

providing computer support to its clients, " she says, noting

liability issues that could arise.

Nonetheless, software vendors are urging banks to get more

involved. " It's important for financial institutions to take a

proactive step in getting their customers' PCs protected, " says

Legelis. Symantec works with several banks that allow customers to

check their computers' protection level and even download a Symantec

product at a discount-right through the on-line banking site. Users

can also install browser plug-ins, such as the " Netcraft " plug-in

for Internet Explorer or the " SpoofStick " plug-in for Mozilla's

Firefox. Both can alert the user of spoof sites. " You have to attack

this problem through the browser, " says , security

practice lead at Intellinet.

" The client is the weakest link. "

In addition, experts advise banks to adopt multi-factor

authentication schemes, such as providing customers with a small

device that displays a constantly changing password-to be used in

conjunction with the another static password-or, on a smaller scale,

simply providing a new password every month in bank statements.

Biometric scanners are another option. " Identity management is

really the buzzword of 2005, " says Siciliano, a Boston-based

personal security expert. " Two-tiered identification is really the

way to go. " Banks seem to be listening. " It's incredible, " says Rami

Habal, senior product manager at messaging security firm Proofpoint.

" They're on it. [bankers] understand what the issues are and what

the threats are. " Copyright 2005 SourceMedia, Inc. All Rights

Reserved. http://www.sourcemedia.com http://www.banktechnews.com @