Wednesday, January 20, 2010

Do you have a spare $447,000 laying around?

Today's topic isn't new news - the incident happened last July - but I've thought about it many times since I heard about it. It makes me ever more paranoid about doing any financial transactions online... I still do them, because it's so dang convenient, but I wonder how long the model that's in place (an authenticated "secure" browser session) can continue to work.

Full details are in a Technology Review article, but the gist is that a construction company in Mountain View, California was liberated of $447K from its commercial bank account, while one of its employees was signed in to it.

You might think "oh, someone got his password" - but the company had implemented what everyone thought was the Safe And Secure thing to do: the account required not only a normal password, but also a second, "one-time" password generated by a small electronic device or card that the person logging in has to have in his or her physical possession (I have one that I use with my PayPal account).

Unfortunately, his system had been infected with malware that basically waited for him to sign into the commercial account and then, while he was signed in, performed transactions in the background to withdraw the loot and transfer it to several Bad Guy accounts. That's the catch: the one-time password only proves the token was present at login. Once the session is established, every transfer is authorized by that session alone, and malware running on the same PC is inside the session right along with the legitimate user. The token would only have helped if the bank had demanded a fresh code, tied to the amount and destination, for each transfer.
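To make that distinction concrete, here is a small model I've added for this post (it is not the bank's code and not anything from the Technology Review article): a bank that checks a password plus a one-time code at login, with a switch that also demands a code bound to each transfer's destination and amount. The class and function names, the HMAC construction, the password, the account names, the balance and the amounts are all made up for the demo; what the real bank actually did is unknown.

```python
"""Toy model: one-time password at login vs. a code bound to each transaction.

Added illustration for this post, not the bank's or the article's code.
BankServer, Token, the HMAC-based codes, the password, accounts, balance and
amounts are all constructed for the demo.
"""
import hashlib
import hmac
import secrets
from typing import Optional

SAMPLE_PASSWORD = "correct horse"  # constructed sample credential


class Token:
    """Stand-in for the physical OTP device. It shares a secret with the bank;
    malware on the PC never sees that secret, only what the browser sends."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._counter = 0

    def _code(self, msg: bytes) -> str:
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:8]

    def login_otp(self) -> str:
        # Counter-based code typed in at sign-in (HOTP-like, simplified).
        self._counter += 1
        return self._code(b"login:" + self._counter.to_bytes(8, "big"))

    def sign_transaction(self, dest: str, amount: int) -> str:
        # Code that only verifies for this destination and this amount.
        return self._code(f"txn:{dest}:{amount}".encode())


class BankServer:
    def __init__(self, secret: bytes, balance: int, transaction_signing: bool) -> None:
        self._secret = secret
        self._last_counter = 0
        self._sessions: set[str] = set()
        self._used_codes: set[str] = set()
        self.balance = balance
        self.transaction_signing = transaction_signing

    def _code(self, msg: bytes) -> str:
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:8]

    def login(self, password: str, otp: str) -> Optional[str]:
        """Password plus one-time code; returns a session id on success."""
        if password != SAMPLE_PASSWORD:
            return None
        # Accept the next few counter values so device and bank may drift.
        for c in range(self._last_counter + 1, self._last_counter + 11):
            if hmac.compare_digest(self._code(b"login:" + c.to_bytes(8, "big")), otp):
                self._last_counter = c
                sid = secrets.token_hex(16)
                self._sessions.add(sid)
                return sid
        return None

    def transfer(self, sid: str, dest: str, amount: int,
                 txn_code: Optional[str] = None) -> bool:
        if sid not in self._sessions or amount > self.balance:
            return False
        if self.transaction_signing:
            # The weak design skips this block: the live session alone
            # authorizes the transfer, so whatever holds the session can pay.
            expected = self._code(f"txn:{dest}:{amount}".encode())
            if txn_code is None or not hmac.compare_digest(expected, txn_code):
                return False
            if txn_code in self._used_codes:  # stand-in for a counter/nonce
                return False
            self._used_codes.add(txn_code)
        self.balance -= amount
        return True


def malware_rides_session(bank: BankServer, sid: str) -> bool:
    """The attack in the post: fires after login, reuses the session, never
    touches the token. Mule account and amount are constructed."""
    return bank.transfer(sid, "mule-account-001", 447_000)


def run_scenario(transaction_signing: bool) -> dict:
    secret = b"constructed-shared-token-secret"
    token = Token(secret)
    bank = BankServer(secret, balance=1_000_000, transaction_signing=transaction_signing)
    sid = bank.login(SAMPLE_PASSWORD, token.login_otp())
    if sid is None:
        raise RuntimeError("login failed")
    # The employee pays a supplier (signing it when the bank demands a code).
    code = token.sign_transaction("supplier-042", 12_500) if transaction_signing else None
    user_ok = bank.transfer(sid, "supplier-042", 12_500, code)
    stolen = malware_rides_session(bank, sid)
    # Malware tries the employee's code on its own transfer, then replays the
    # employee's exact transfer.
    wrong_txn = bank.transfer(sid, "mule-account-001", 447_000, code)
    duplicate = bank.transfer(sid, "supplier-042", 12_500, code)
    return {"user_transfer": user_ok, "theft": stolen, "wrong_txn": wrong_txn,
            "duplicate": duplicate, "balance": bank.balance}


if __name__ == "__main__":
    print("login-only OTP:     ", run_scenario(False))
    print("transaction signing:", run_scenario(True))
```

With login-only OTP the "malware" moves money on nothing but the live session; with transaction signing it is refused both the unsigned transfer and any attempt to reuse the employee's code, because the code only verifies for the exact transfer the employee read off the device. Real schemes put a counter or bank-issued challenge inside the signed data rather than the used-code set shown here, and the device has to display the destination and amount so the user can see what is being signed.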

So - what to do? I'm going to sound like one of those magical round plastic disc things that everyone used to have, that had music on them (I think they were called "phonograph records") - I've said most of this before... But I feel reasonably secure in doing these things on my systems:
  • keeping antivirus software updated (I'm now using Microsoft's new and free Security Essentials on almost all of my PCs)
  • making sure the web browser is up-to-date
  • disabling scripting (JavaScript and ActiveX) in the browser. I use NoScript in Firefox, which lets me selectively enable or disable scripts on a per-site basis
  • keeping browser plugins and standalone programs such as Adobe Acrobat and Flash updated
  • using a one-time password device on all financial accounts that support it, to get the magic that's called two-factor authentication (which stops someone who only has your password - it doesn't stop malware that's already on the PC and waits for you to log in, as in this case). PayPal and eBay, as well as many banks and other institutions, support these, and sometimes a device obtained from one place can be used elsewhere - for instance, the VeriSign device that I got from PayPal is supported by my credit union
I'll close by saying that I think some of my friends roll their eyes when I start yammering about these things - all I'll say is, "don't come cryin' to me when something very bad happens because you weren't taking precautions."

Hmmm, I think my Dad told me that, a long time ago.

1 comment:

  1. Yes, Lyn & I shut off all of our electronic banking and bill-paying capabilities. Each month as I write checks (which I drive down to the post office and put in the mail slot myself) I feel hopelessly behind the times. But the alternatives... well, I think that the Bad Guys will just keep getting better and better at ripping us off.