People who use online banking, stockbrokers, and other financial sites have gotten used to the need to confirm they are using a secure connection. They make sure the URL begins with "https" and that the appropriate icon for their browser is displayed, so they are assured of having an SSL connection that encrypts all information between their browser and the website.
And even unsophisticated users are learning never to click links in phishing emails, thanks to increased publicity in the general media.
Unfortunately, those involved in cybercrime have realized that while phishing scams are still effective, they are becoming less and less productive. So they are turning to a relatively new and frightening method – SSL-evading Trojans.
The danger of these Trojans is that the SSL encryption is not broken – the encrypted connection remains intact. The user still sees the URL beginning with "https". But the Trojans still compromise the user’s accounts if they can manage to infect a user’s PC beforehand.
These Trojans, once on a user’s PC, can bypass any existing authentication. All the Trojan has to do is watch patiently until the user visits a financial site and successfully logs in. The most dangerous form of these Trojans can then initiate payments or transfers to anywhere by creating hidden browser windows to make transactions. Since the user is already logged on, the Trojan doesn’t need any authentication information. The financial site cannot detect anything wrong, since the transaction is being initiated from within an authorized user’s session. A Trojan using this method was first seen in 2004, and there is no more protection available today than there was then.
A different method used by SSL-evading Trojans is termed Bogus SSL. The Trojan, when installed, finds web pages from financial sites in the browser cache, then creates fake local copies of them. When the user attempts to go to the real site, the Trojan intercepts the logon and the user is sent to the local copy instead. As the user enters the logon information, the Trojan captures it while forwarding it to the real site, and therefore avoids alerting the user that anything is wrong.
And a third method is a more sophisticated password-grabbing scheme. Financial sites have implemented different methods to ensure a real human is on the other end of the session. One method is to display a number of graphics and ask the user to choose the one the user previously identified as the secret choice. Other methods are displaying a keyboard with randomly placed keys for the user to select characters from, or displaying a “magic word” that is not machine-readable that the user must key in. The Trojans can take snapshots of parts of the screen and send them back to the hacker.
As these methods become more and more sophisticated, users will need to be even more vigilant in keeping malicious applications from being installed, because relying on SSL creates a false sense of security if a Trojan is already on the system.
Depending on financial institutions to protect the users is not the answer, either. They could choose to have customers confirm transactions via a separate email or phone call, but they are reluctant to ask customers to jump through additional hoops, especially with the number of online transactions that some people perform.
Down the road, it may be necessary to have authentication tied to each transaction, and not just to the initiation of a secure session with an institution. Regardless of the solution, for now it is essential to check your accounts frequently for unrecognized transactions so any problems can be addressed promptly. And if your institutions do not provide the level of protection that you desire, move your accounts to one that does.
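The per-transaction authentication suggested above, and the out-of-band confirmation mentioned earlier, can be modelled on the server side. The following is an added example, not code from the original article or from any real bank: a hypothetical `BankServer` that refuses to move money on the strength of a logged-in session alone and instead requires a transaction authentication code (TAC), an HMAC computed on a separate device over the exact destination and amount the user confirmed there. The account names, key provisioning and `device_sign` helper are constructed for illustration; the `demo()` function replays the scenarios in the text (a legitimate transfer, a transfer pushed through the same session with altered details, and a replay of a captured code) and records what the server does with each.

```python
"""Constructed model of per-transaction authentication (not a real bank's code).

A valid browser session is not enough to move money: each transfer needs a
transaction authentication code (TAC) that a separate device computes over the
destination and amount it displayed to the user. A Trojan riding the session
can neither produce that code nor reuse one it captured.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    to_account: str
    amount_cents: int


def tac_message(nonce: str, transfer: Transfer) -> bytes:
    # The MAC covers exactly the fields a session-riding Trojan would alter.
    return f"{nonce}|{transfer.to_account}|{transfer.amount_cents}".encode()


def device_sign(device_key: bytes, nonce: str, transfer: Transfer) -> str:
    """What the user's out-of-band device does after showing destination and amount."""
    return hmac.new(device_key, tac_message(nonce, transfer), hashlib.sha256).hexdigest()


class BankServer:
    """Hypothetical back end; keys, sessions and the ledger are kept in memory."""

    def __init__(self) -> None:
        self._device_keys: dict[str, bytes] = {}   # user -> key held by their device
        self._sessions: dict[str, str] = {}        # session id -> user
        self._pending: dict[str, str] = {}         # single-use nonce -> user
        self.ledger: list[tuple[str, Transfer]] = []
        self.audit: list[str] = []

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)
        self._device_keys[user] = key
        return key   # provisioned to the user's device, never to the browser

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = user
        return sid

    def begin_transfer(self, session_id: str) -> str:
        nonce = secrets.token_hex(8)
        self._pending[nonce] = self._sessions[session_id]
        return nonce

    def submit_transfer(self, session_id: str, nonce: str, transfer: Transfer, tac: str) -> bool:
        user = self._sessions.get(session_id)
        if user is None or self._pending.get(nonce) != user:
            self.audit.append(f"reject: unknown session or spent nonce for {transfer}")
            return False
        expected = device_sign(self._device_keys[user], nonce, transfer)
        if not hmac.compare_digest(expected, tac):
            self.audit.append(f"reject: TAC does not cover {transfer}")
            return False
        del self._pending[nonce]   # single use: a captured TAC cannot be replayed
        self.ledger.append((user, transfer))
        return True


def demo() -> dict[str, bool]:
    """Runs the scenarios from the article; True means the server moved money."""
    bank = BankServer()
    key = bank.enroll("alice")   # lives on Alice's phone or token
    sid = bank.login("alice")    # the session a Trojan would quietly reuse

    wanted = Transfer("ACCT-PLUMBER-001", 12_000)          # constructed sample transfer
    nonce = bank.begin_transfer(sid)
    tac = device_sign(key, nonce, wanted)                  # Alice confirms this on her device
    results = {"legitimate": bank.submit_transfer(sid, nonce, wanted, tac)}

    # Same valid session, but the details were changed behind the user's back.
    nonce2 = bank.begin_transfer(sid)
    altered = Transfer("ACCT-MULE-999", 950_000)
    results["altered_no_tac"] = bank.submit_transfer(sid, nonce2, altered, "")
    results["altered_reused_tac"] = bank.submit_transfer(sid, nonce2, altered, tac)
    # Replaying the original, already-consumed transfer with its genuine TAC.
    results["replay"] = bank.submit_transfer(sid, nonce, wanted, tac)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the legitimate transfer reaches the ledger; the three hijack attempts are rejected and leave audit entries, which is the kind of signal a fraud team can alert on. The design point is that the secret never passes through the browser, and the code is bound to what the user saw on the second device, so a Trojan with full control of the browser session still cannot authorise a payment the user did not confirm.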