Crimeware gets worse - How to avoid being robbed by your PC

The malware threat to Windows computers continues to get worse. So much so, there's a new term to describe malicious software that transfers money from online accounts at financial services companies - crimeware.

Last week, an article at Technology Review told about a construction firm that had $447,000 taken out of their bank account by crimeware software on one of their computers. What makes this story particularly interesting is that the unnamed bank employed one time passwords.

Perhaps you've seen the small key fobs that display a new password every minute. If you don't have the key fob, you can't logon. But the computer was already infected and was being used by a legitimate user. Retina scanners would not have prevented the crime.

While the well-verified user was logged on, making legitimate transfers, the crimeware software generated 27 transfers in the space of a few minutes. According the firms president "They not only got into my system here, they were able to ascertain how much they could draw, so they drew the limit". It can't get any worse.

What to do?

Dancho Danchev suggests setting "daily, weekly or monthly account transaction limits", assuming your financial institution allows it. He also suggests being notified of transactions via SMS.

Another possibility is creating, up-front, a list of valid payees so that your financial institution won't pay anyone not on the list. I know a company that does this and it protected them from forged paper payroll checks.

Of course, the bank should flag suspicious activity such as: a group transfers just under $10,000, any large outflow of money, a collection of transfers to new, first-time payees or multiple transfers from a new IP address. Maybe someday. 

But when it comes to your computer, there is one obviously best solution.  

Do online banking from Linux using Firefox.

You can run Linux on pretty much any computer from a CD, a USB flash drive, an SD card or a Compact Flash card.

Linux is free. You can download any of dozens of different versions (called "distributions") in ISO format and burn them to a CD.

If you don't want to create a bootable copy of Linux on your own, you can buy one from CDs are very cheap, flash drives and SD cards are more. If you are new to Linux, I suggest ordering Ubuntu, it's reasonably mainstream and comes with Firefox pre-installed (not all Linux distributions include Firefox).

Concerned about using a new operating system? Windows users may find the learning curve for Ubuntu is very small.

NOTE: As a commenter below pointed out, Ubuntu is unusual in that the company behind it, Canonical, will send you a CD for free. (added Sept 26, 2009)

I expanded on using Firefox under Linux last month in an article at eSecurityPlanet called Consider Linux for Secure Online Banking.

The Washington Post recently wrote about the Sand Springs, Oklahoma school district, which had thieves break into their online bank account and transfer out roughly $150,000. Now they access their bank accounts using "a dedicated, stand-alone system running a Live CD distribution of Linux, in a bid to minimize the chances that future malware may steal banking credentials". 

Schools teach, let this one be a lesson. Think twice before doing online financial transactions on a Windows machine.


Copyright © 2009 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon