The New Scientist Article
How Web 'virus' could steal your money

GERMAN hackers have found a way to commit the perfect bank robbery. By exploiting security loopholes in Microsoft's Internet software and a popular financial management program called Quicken, the Chaos Computer Club claims it can make someone transfer money to another bank account without knowing they are doing so. The first a victim would know about the crime is seeing the transaction on their bank statement.

There are about 9 million people who use Quicken money management software. Anyone using it to administer their finances via a modem link with their bank is at risk from the silent sting, which begins when they start surfing the World Wide Web.

The hackers have shown they can create a malicious program that can be hidden in a Web page and surreptitiously copies itself onto the computer of any surfer browsing that site. The Web page need have nothing to do with money or hacking.

The tiny program is known as an "applet". Applets are usually used to liven up Web pages, by animating icons or creating sounds, for example. The two most popular technologies for writing them are Java and Microsoft's ActiveX; the Chaos Computer Club wrote its bank robber program as an ActiveX control. The difference between the two is the crux of the attack: a Java applet runs inside a "sandbox" that keeps it away from the files on the surfer's disk, whereas an ActiveX control is ordinary compiled code that runs with all the privileges of the person who loaded the page. Internet Explorer's only safeguard is a check on the control's digital signature, which says who wrote the code, not what it does.

Once the malicious control is downloaded, it searches the victim's disk for Quicken. If it finds the package, it writes a transaction order into Quicken's list of pending transfers, requesting that money be moved from the owner's account to one owned by the thief.

Quicken does not check where its transaction orders came from: an order written by another program on the same machine looks exactly like one the owner typed in, and it waits in the queue alongside the owner's own orders until the next session. So when the victim connects to his or her bank to pay a bill, check a balance or order a chequebook, the malicious instruction goes down the line with the rest. The bank then acts on instructions it assumes have come from the customer and moves money to another account.
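The following Python is an added illustration, not code from the original article, from Intuit, from the CCC or from any bank. It models the queue-and-batch design the article describes (a local queue any process running as the user can write to, sent wholesale at the next session) and goes one step further than the text: it shows why a per-transfer one-time number (a TAN from a printed list) stops the injected order but not a retargeted one, and why the authorisation has to be bound to the payee and amount by something the PC itself never holds. The class names, the TAN list, the device key and the account names are all constructed for the example.

```python
"""Model of the silent sting: any code running as the user (the article's
ActiveX control included) can write into the banking program's outgoing
queue, and the bank cannot tell an injected order from one the owner typed.

Added illustration, not code from Quicken, Intuit, the CCC or any bank.
Class names, TAN list, device key and account names are constructed."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


@dataclass
class Transfer:
    """One outgoing payment order as it sits in the queue on disk."""
    to_account: str
    amount: int                     # pence
    seq: int                        # per-customer counter, stops replay
    tan: Optional[str] = None       # one-time number from a printed list
    auth_tag: Optional[str] = None  # tag from a device the PC cannot reach


class PendingQueue:
    """Orders waiting for the next modem session with the bank.
    Every process running as the user can read and write it."""

    def __init__(self) -> None:
        self.orders: list[Transfer] = []

    def add(self, order: Transfer) -> None:
        self.orders.append(order)


class Bank:
    def __init__(self, tan_list: list[str], device_key: bytes) -> None:
        self.unused_tans = set(tan_list)
        self.device_key = device_key   # shared only with the customer's offline device
        self.used_seq: set[int] = set()
        self.executed: list[Transfer] = []
        self.rejected: list[Transfer] = []

    @staticmethod
    def tag(key: bytes, order: Transfer) -> str:
        """Authorisation bound to payee, amount and sequence number."""
        msg = f"{order.to_account}|{order.amount}|{order.seq}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def process_trusting_origin(self, orders: list[Transfer]) -> None:
        """The article's situation: the whole batch is taken as the customer's."""
        self.executed.extend(orders)

    def process_with_tan(self, orders: list[Transfer]) -> None:
        """Per-order TAN: malware cannot invent one, but a TAN is not tied
        to any payee, so a retargeted order still goes through."""
        for order in orders:
            if order.tan in self.unused_tans:
                self.unused_tans.discard(order.tan)
                self.executed.append(order)
            else:
                self.rejected.append(order)

    def process_with_bound_tag(self, orders: list[Transfer]) -> None:
        """Content-bound tag: changing payee, amount or seq invalidates it."""
        for order in orders:
            expected = self.tag(self.device_key, order)
            if (order.seq not in self.used_seq and order.auth_tag
                    and hmac.compare_digest(order.auth_tag, expected)):
                self.used_seq.add(order.seq)
                self.executed.append(order)
            else:
                self.rejected.append(order)


TAN_LIST = ["482913", "770215"]          # constructed sample list
DEVICE_KEY = b"constructed-example-key"  # never stored on the PC in the real scheme


def session(mode: str, tampered: bool = True) -> tuple[list, list]:
    """One banking session; returns ((payee, amount) executed, (payee, amount) rejected)."""
    bank = Bank(TAN_LIST, DEVICE_KEY)
    queue = PendingQueue()
    bill = Transfer("GAS-BOARD", 4500, seq=1)      # typed by the owner: 45.00 gas bill
    if mode == "tan":
        bill.tan = "482913"                        # copied from the paper list
    elif mode == "bound":
        bill.auth_tag = Bank.tag(DEVICE_KEY, bill)  # device shows payee+amount, owner confirms
    queue.add(bill)
    if tampered:  # the malicious control, while the victim keeps browsing
        queue.add(Transfer("THIEF", 250000, seq=2))  # injected order, as in the article
        bill.to_account = "THIEF"                    # and the owner's order retargeted
    {"trusting": bank.process_trusting_origin, "tan": bank.process_with_tan,
     "bound": bank.process_with_bound_tag}[mode](queue.orders)
    done = [(o.to_account, o.amount) for o in bank.executed]
    refused = [(o.to_account, o.amount) for o in bank.rejected]
    return done, refused
```

Run `session("trusting")`, `session("tan")` and `session("bound")` to see the three outcomes: the trusting bank pays the thief twice, the TAN bank refuses the injected order but still pays the retargeted one, and only the content-bound tag refuses both while `session("bound", tampered=False)` still pays the gas bill. The design point is that nothing on the PC can vouch for the origin of an order once arbitrary code runs as the user; the secret that authorises a transfer has to live somewhere that code cannot read, and it has to cover what is being authorised.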

Tony Macklin of the British branch of the software development company Intuit says: "It is certainly something that is a valid concern." Macklin, who is product manager for Quicken, adds that Intuit is currently researching ways to close the loophole.

In January, the Royal Bank of Scotland became the first British bank to offer a home PC banking service. A spokeswoman for the bank says it is aware of the problem but that its robust security procedures are likely to defeat any such scam.

The problem of malicious applets is likely to get worse, however, as the software used to navigate the Web evolves. Current popular Web browsers such as Microsoft's Internet Explorer and Netscape's Navigator are large, multimegabyte programs. But soon they will be nothing but loosely connected applets written in Java, ActiveX or another similar language. This will mean that every browse of the Internet will involve swapping many applets back and forth.

The Computer Emergency Response Team at Carnegie Mellon University in Pennsylvania monitors security loopholes. It has issued a warning about Java and ActiveX, although it has yet to receive reports of anyone falling victim to a malicious applet. It recommends that surfers turn off Java and ActiveX controls unless their browser software is an up-to-date version in which the holes have been plugged. A browser update cannot close the Quicken hole by itself, however: an ActiveX control has full access to the user's machine by design, so the protection has to come from Quicken checking each order it sends or from the bank demanding a separate authorisation for every transfer.

Mark Ward

© 1996-2024 Lutz Donnerhacke @ IKS GmbH Jena