GERMAN hackers have found a way to commit the perfect bank robbery. By
exploiting security loopholes in Microsoft's Internet software and a popular
financial management program called Quicken, the Chaos Computer Club claims
it can make someone transfer money to another bank account without knowing
they are doing so. The first a victim would know about the crime is seeing
the transaction on their bank statement.
There are about 9 million people who use Quicken money management software.
Anyone using it to administer their finances via a modem link with their
bank is at risk from the silent sting, which begins when they start surfing
the World Wide Web.
The hackers have shown they can create a malicious program that can be
hidden in a Web page and surreptitiously copies itself onto the computer of
any surfer browsing that site. The Web page need have nothing to do with
money or hacking.
The tiny program is known as an "applet". Applets are usually used to liven
up Web pages, by animating icons or creating sounds, for example. The two
most popular computer languages for writing applets are Java and ActiveX;
the Chaos Computer Club wrote its bank robber program using ActiveX.
Once the malicious applet is downloaded, the program looks around its
unsuspecting host for Quicken. If it finds the package, the applet creates a
transaction order requesting that money be transferred from the owner's
account to one owned by the thief.
Quicken does not check the origins of its transaction orders. So when the
victim connects to his or her bank to pay a bill, check a balance or order a
chequebook, the malicious instruction is also transferred. The bank then
acts on the instructions it assumes have come from the customer and moves
money to another account.
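The weakness the article describes is that the transaction queue accepts orders from any program able to write to it, so the bank cannot tell a user-confirmed order from an injected one. The Python below is an added example, not Quicken's code and not anything from the Chaos Computer Club, showing one way an application could bind each queued order to the user's own authorisation so that an entry written by another process, or altered after confirmation, is refused before upload. The key derivation, the field names and the sample orders are constructed assumptions for illustration.

```python
import hashlib
import hmac
import json

# Hypothetical model (not Quicken's actual design) of a home-banking
# transaction queue whose entries carry an origin tag that only the
# user-confirmed path can produce. All data below is constructed.


def derive_session_key(passphrase: str, salt: bytes) -> bytes:
    """Key that exists only while the user has authorised a session.
    It is never written to the queue file, so a program that can merely
    write to that file cannot produce a valid tag for its own orders."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def canonical(order: dict) -> bytes:
    """Stable byte encoding so the tag covers exactly these fields."""
    return json.dumps(order, sort_keys=True, separators=(",", ":")).encode()


def tag_order(order: dict, key: bytes) -> str:
    """HMAC over the canonical order; proves it passed through authorise()."""
    return hmac.new(key, canonical(order), hashlib.sha256).hexdigest()


def authorise(queue: list, order: dict, key: bytes) -> None:
    """The only path that should add to the queue: the user confirmed it."""
    queue.append({"order": order, "tag": tag_order(order, key)})


def verify_queue(queue: list, key: bytes):
    """Split the queue into orders safe to upload and entries to flag.
    Anything whose tag was not produced under the session key is refused,
    which covers both foreign entries and confirmed orders edited later."""
    accepted, rejected = [], []
    for entry in queue:
        order = entry.get("order")
        tag = entry.get("tag", "")
        if not isinstance(order, dict) or not isinstance(tag, str):
            rejected.append(entry)
            continue
        if hmac.compare_digest(tag, tag_order(order, key)):
            accepted.append(order)
        else:
            rejected.append(entry)
    return accepted, rejected


def demo():
    """Constructed scenario: two confirmed orders, one foreign entry,
    one confirmed order whose amount was changed after tagging."""
    key = derive_session_key("correct horse battery staple", b"constructed-salt")
    queue = []
    authorise(queue, {"to": "GB00-UTILITY-0001", "amount": "45.00", "ref": "electricity"}, key)
    authorise(queue, {"to": "GB00-LANDLORD-0002", "amount": "650.00", "ref": "rent"}, key)
    # Entry written straight into the queue by code that never held the key.
    queue.append({"order": {"to": "GB00-UNKNOWN-9999", "amount": "500.00", "ref": "misc"}, "tag": ""})
    # Confirmed order altered on disk after it was tagged: tag no longer matches.
    altered = dict(queue[0])
    altered["order"] = dict(altered["order"], amount="4500.00")
    queue.append(altered)
    accepted, rejected = verify_queue(queue, key)
    return len(accepted), len(rejected)


if __name__ == "__main__":
    print(demo())  # (2, 2)
```

The design point is that origin checking only helps if the secret behind the tag is unavailable to the code path the attacker controls; here the session key is derived from the user's passphrase at authorisation time and is never stored alongside the queue, so writing to the queue file is not enough to forge an entry. A rejected entry is also a useful detection signal worth surfacing to the user rather than silently dropping.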
Tony Macklin of the British branch of the software development company
Intuit says: "It is certainly something that is a valid concern." Macklin,
who is product manager for Quicken, adds that Intuit is currently
researching ways to close the loophole.
In January, the Royal Bank of Scotland became the first British bank to
offer a home PC banking service. A spokeswoman for the bank says it is aware
of the problem but that its robust security procedures are likely to defeat
any such scam.
The problem of malicious applets is likely to get worse, however, as the
software used to navigate the Web evolves. Current popular Web browsers such
as Microsoft's Internet Explorer and Netscape's Navigator are large,
multimegabyte programs. But soon they will be nothing but loosely connected
applets written in Java, ActiveX or another similar language. This will mean
that every browse of the Internet will involve swapping many applets back
and forth.
The Computer Emergency Response Team at Carnegie Mellon University in
Pennsylvania monitors security loopholes. It has issued a warning about Java
and ActiveX, although it has yet to receive reports of anyone falling victim
to a malicious applet. It recommends that surfers turn off Java and ActiveX
controls unless their browser software is an up-to-date version in which the
holes have been plugged.
Mark Ward