Thursday, September 24, 2009

Wells Fargo Introduces Mobile Banking Money Transfer...Be Careful!



Wells Fargo & Co. has launched a service ...er ...application ...that allows customers to transfer money to each other.  Here's how it works!  You "type" in your username and password, then simply cross your fingers that either Zeus or Clampi  (Online Banking Trojans) are not present on your computer.   Then you "type" in your buddy's "bank account number"  and he crosses his fingers for the same reason.  Finally you make a transfer and cross your fingers that you don't lose $1000 a day thereafter!  Customers can transfer up to $1,000 daily!(Subsequent transfers can be made from mobile devices by logging onto wf.com and following the prompts, or by going online.  Oh phun! 



First Clampi...then Zeus...



The best strategy to defend against Clampi is to use separate machines for Web surfing and funds transfer" said Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks. "It's too dangerous to do transactions on the same machine you do for Web surfing," he says. "You can't have any crossover between them."



Editor's Note:  The HomeATM which plugs into your USB port in milliseconds IS a separate machine.  Ask your bank to give you one free so you don't have to buy another computer...


More from Wells Fargo: More and more Americans are using mobile devices for banking, and we want to be there for our customers where and when they need us... (Editor's Quip: How about being there for them when they Log-In?) — whether they are waiting in line at a store or traveling by bus,” Arah Erickson, vice president and head of retail mobile banking, said in a statement. The bank doesn’t charge for the service but mobile carriers’ text messaging and web-access charges may apply...yeah and the hackers usually cost you some dough as well.



Wells Fargo (NYSE: WFC) is based in San Francisco...Zeus and Clampi reside in personal computers. And yes, I'm being and have been playfully sardonic. Let's see what Zeus has to say...



There is an online banking Trojan out there that is bypassing up-to-date anti-virus programs as much as 77% of the time, according to security company Trusteer. The Zeus Trojan is also known as Zbot, WSNPOEM, NTOS and PRG. It is the most prevalent financial malware on the web, Trusteer says. (Editor's Note:  Others say it's Clampi



According to Trusteer: "When we set out to measure the efficiency of anti-virus products in the wild against Zeus, we had no idea what kind of results we would get," said Amit Klein, CTO of Trusteer and head of the company’s research organization. "The findings, that up-to-date anti-virus programs were only effective at blocking Zeus infections 23 percent of the time, are disturbing.

This is bad news for consumers and banks, since the vast majority of Zeus infections are going unnoticed."

(Editor's Note:  Hence "crossing of the fingers") 



About Zeus



Zeus is a financial malware. It infects consumer PCs, waits for them to type their username and passworrd when they log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in in real time.   Yes..."real time" meaning OTP's (one-time-passcodes) are even problematic as the bad guys get them the same time you do and can log-in and cash out.



Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together (or instead of) the genuine pages from the bank’s web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one time passwords and TANs, etc.  Translation: Zeus can modify web pages from the genuine bank's servers in the user's browser.  Of course,  if you didn't type it...they couldn't swipe it!  



Oh...and if you are adamant about making sure you stay up to date with the latest Anti-Virus Software, take a graphic look at how much that helps!







Full report is here (PDF)









Reblog this post [with Zemanta]

Disqus for ePayment News