Security Watch

Mobile Madness

More hackers are turning their attention to mobile phones, a trend that should concern bankers who are making a big push into the mobile banking market, particularly as smartphones now have greater annual sales than personal computers, with more than 400 million expected to sell in 2011, according to a Feb. 23 story in The New York Times.

Market research indicates there are more than 500 malicious applications for mobile devices. And while about 88% of attacks affect Nokia Corp.'s Symbian platform, and are primarily launched against consumers in Eastern Europe and China, the West is not immune. Specifically, the Times story suggests that Google Inc.'s Android smartphones may be the most likely targets of attack, since the open platform that makes it easy for Android developers to design applications also makes it easy for hackers to design malware.

By contrast, Research In Motion Ltd.'s BlackBerry was the least targeted, thanks to the tight controls frequently placed on users by the many corporations that distribute these smartphones to workers. The most frequent fraud involves phishing, or getting users to divulge their usernames and passwords by sending fake requests from banks and other companies.

The report recommends users research all applications before they download them, and to make sure they download applications from trusted sources. Security programs for mobile phones are also available from vendors like Kaspersky Lab, F-Secure Corp. and Symantec Corp.

Mac Attacked

It is widely believed Apple Inc.'s Macintosh computers are safe from viruses.

New Trojan Horse malware not only targets the computers — it mocks users for their false sense of security, CNet reported in a Feb. 28 story.

When the Trojan infects a computer, it replaces the user's desktop wallpaper with this message: "I am a Trojan Horse, so I have infected your Mac computer … I know, most people think Macs can't be infected, but look, you ARE Infected!"

Many bank customers use Mac computers, so bankers may want to take heed: The Trojan is called "BlackHole RAT." And though security researchers said it appears to be a relatively low-level threat that can be removed by antivirus software, the Trojan also places text files on computers that can issue "shell commands," and it phishes for administrator passwords.

Dutch Process

The Dutch financial institution Rabobank Group was recently hit by a distributed denial of service attack, according to a Feb. 23 article in Computerworld.

The attack, from an unknown group of hackers, shut down Rabobank's website for two days, blocking access for mobile and desktop users.

Around the same time, hackers launched a DDOS attack against iDeal, a Dutch alternative to Paypal, which was hit with thousands of returned transaction notifications.

Banks linked to iDeal were also unable to process iDeal's payments, Computerworld reported. To deflect the attack, Rabobank changed its domain name system so hackers could no longer find the bank on the Web — but neither could customers.

Some clients have reportedly complained that they are still unable to access online accounts, even though Rabobank claims the attack has been resolved, Computerworld said.

Spam Nation

It turns out that the top countries hosting Web content are also the top countries serving malware, according to the cloud security company Zscaler Inc.'s State of the Web fourth-quarter 2010 report.

In order, Latvia, Romania, Ukraine, Russia and China led the pack. More specifically, 1 in 167 Web transactions in the top three countries were deemed malicious. But residents of the U.S. shouldn't rest easy: The U.S. was the biggest spammer, accounting for nearly 12% of all spam messages globally.

The report from the Sunnyvale, Calif., company pointed out the growing threat of malware to mobile devices where customers conduct their banking with increasing frequency.

For example, the so-called Zeus in the middle attacks, which seek to steal financial data in mobile transactions, first surfaced in September to attack BlackBerry and Symbian operating system phones. A number of Trojan variants have shown up since then to attack Android phones.

Bankers can now add to the list something called "sidejacking," which appeared in late October.

With sidejacking, hackers try to steal cookies during Web sessions in an attempt to gain access to usernames and passwords by replaying entire sessions.

Tube Trouble

There's a new twist on the old card-skimming scam, which typically involves criminals placing a card reading device over the slot at ATMs or unattended gas station pumps to steal card user information.

The London Evening Standard reported March 1 that fraudsters are now targeting London's public transportation system, placing skimmers on the payment slot for the Tube's ticket vending machines.

Though the U.K. has moved to a much more secure chip and PIN environment in recent years to protect card transactions, investigators from that country's Dedicated Cheque and Plastic Crime Unit say the card details can still be reproduced on to blank cards and used in other countries that don't have the same security standards.

No ATM Is Safe

Most thefts of automated teller machines target stand-alone ATMs in convenience stores, but a bold thief in South Carolina stole a machine from a bank.

The perpetrator used a fork lift to extract the ATM from a BB&T Corp. branch in Pawleys Island, The Sun News of Myrtle Beach reported Tuesday.

The fork lift was stolen from a construction site next door to the branch, the story said. Police responded to the theft at 4:30 a.m. Tuesday in response to an ATM alarm.

The suspect fled driving what appeared to be a white Dodge pick-up truck, the story said. Police said they would release more details as well as the surveillance video when they are available.

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.