Online Business Banking? Be Afraid. Be Very Afraid
If there wasn't enough for small business owners to worry about, with the economy, rising costs and higher taxes weighing heavily, here's something that could truly rob you of sleep: ZeuS. Not the god of Greek mythology, but a "botnet," or rogue software, that can step in between you and your bank and extract tens of thousands of dollars before you even know what's going on.
This bit of malware got its start around 2007 and is now being sold - believe it or not - for prices up to $10,000 a copy. A criminal then can "seed" other PCs, via e-mail promising free music or a video clip, with a piece of the program that will give them access to your computer, allowing the criminal to implement a "Man in the Browser" attack on a company's online bank connection. The innocent businessperson thinks they're paying the electric bill; the "Man in the Browser" blocks those instructions and instead sends directions to siphon off money via wire transfer to criminals thousands of miles away.
On March 22, according to a report at the Krebs on Security weblog (http://bit.ly/bOaTx6), SmileZone, a children's dental practice in Springfield, Missouri, was the victim of a $205,000 extraction from their corporate bank account. A "Man in the Browser" bot apparently was used to compromise the firm's accounts at Great Southern Bank, which blogger Brian Krebs, a former Washington Post reporter, says isn't reimbursing the dental clinic.
According to Bill Conner, a respected, veteran technology executive, who began his career at AT&T's long distance unit, these malware attacks are a growing security concern: they are "the number one threat that banks are dealing with big time. The average corporation or consumer doesn't know there's an issue there," he said in a telephone interview last week.
Mr. Conner added, it's not the business user's fault: a company can have the latest patches to its antivirus software, Web browser and operating system, but still can be vulnerable: "You can have all that stuff current and you're still not safe."
Mr. Conner is president and CEO of Entrust (www.entrust.com), a Dallas, Texas-based firm which provides security solutions to the federal Department of Homeland Security, many other federal agencies, as well as some 2,000 groups in 60 nations. The firm is expanding their range of security solutions for banks and businesses. But, he admits, fighting malware-led attacks has been a struggle: "It's an arms race. What I would say is we're keeping up with the speed of their assaults [more] than anyone else."
On April 20, the firm will unveil some new weapons in the war against ZeuS and similar attacks. One, a mobile version of Entrust's IdentityGuard program, puts a fair amount of power onto a mobile device such as an iPhone or BlackBerry. What the software does is automate an "out of band" authentication: when a bank receives instructions to wire $22,000 to someone in Topeka, the "out of band" method sends a text message to your mobile device and you, securely, either verify or deny the transfer. Because it takes place on a device separate from your office computer, it's another way of confirming the data and offers a stumbling block for cyberthieves.
Other Entrust products help banks monitor, detect and thwart suspicious activity. If you are a veterinarian in Vienna, Virginia, it's not likely that you'll often wire $10,000 to someplace 13 time zones away. Spotting such transactions early can help banks block them, as well as "profile" (in a helpful manner) other customers likely to be hit, and thus warn them, too.
As you might imagine, the ZeuS botnet attacks computers running the Microsoft Windows operating system. Macintosh users are safer, Mr. Conner said, because the Mac "but they are not immune." Some Linux advocates, I've read, suggest using a "Live CD" of a bootable Linux OS to log onto a bank and then quit that system after you're done. But that's cumbersome and perhaps incompatible with some bank systems.
For now, banks and their customers will likely look to firms such as Entrust to help out or risk a turnaround in the rise of mobile and online banking.
Every weekday JewishWorldReview.com publishes what many in the media and Washington consider "must-reading". Sign up for the daily JWR update. It's free. Just click here.
JWR contributor Mark Kellner has reported on technology for industry newspapers and magazines since 1983, and has been the computer columnist for The Washington Times since 1991.Comment by clicking here.