Good advice doesn't come cheap; when 'safe' is better than 'safer'.
There's a new trojan in town. They're calling it Silentbanker. It's a tough customer. Liam OMurchu at Symantec has written a lengthy piece on this clever bit of malware. Seriously: skip the details. We don't need to know them. We know why things like this work.
Marc Fossi, also of Symantec, follows the first piece up with one of his own, laughably entitled 'Banking with Confidence'. Seems the Landed Gentry of Security are shaken over this one. Marc has a number of tips for you online banking people. This is to make you safer. Not safe, mind you: given the limitations of what is going to be recommended (and what must remain unsaid), it's only 'safer' and not safe. Let's look at the list.
- 'Use a strong password to access your online banking and change it often.' Yeah, that will help us immensely. Of course a keystroke logger is going to pick it up anyway, however strong it is and however often it changes. More of a placebo than anything else. And in computer security placebos suck.
- 'Don't save your online banking password when your web browser asks you to.' Wow this is really profound.
- 'Don't get lulled into a false sense of security.' Oh, don't worry, dude. With what your customers are running there's no risk of that.
- 'Do not access your online banking from any computer other than your own.' Changing the subject. Given what that 'own computer' is most likely running the good advice would instead seem to be 'use any computer but your own'.
- 'Always manually type the Internet address of your bank into your web browser.' This is a classic. That platform is so bloody insecure you can't trust a link you click and have to watch out for what gets put on the clipboard, so everything has to be typed in by hand. And what gets typed in by hand gets shorter and simpler, passwords included. Some security.
- 'If you receive email from your bank and want to phone them to verify its authenticity, dial the number located on your bankcard or look it up in the phone book.' First piece of good advice yet. Anyone watching The Real Hustle has seen how this one goes down. But on The Real Hustle they deliberately set up the mark to get suspicious - because they've already rigged her phone to contact their own. Great piece of work and the mark still loses.
- 'Don't store your passwords in a file on your desktop (or anywhere else on your computer for that matter).' Gee, we may have to reassess what the lowest common denominator here is. Perhaps an IQ of 25 amongst those who have more money than they know how to handle. Why shouldn't they share?
This at any rate is what Symantec tell you. After admitting they were scared shitless by a new trojan that defeats two-factor authentication. You can't be safer if you believe Symantec.
But there's never been a reason to settle for 'safer' instead of 'safe'. The one thing Symantec could tell you to do they will never tell you. If they did they'd be out of business.
Symantec Security Response Weblog: Banking in Silence
Symantec Security Response Weblog: Banking with Confidence