Wednesday, April 21, 2010

Your browser preference won't keep you safe

The Zeus Trojan, a nasty piece of malware, has been rewritten to target users of the Firefox browser. With an estimated 30% market share, Firefox was the natural next target for the trojan's writers after getting such 'great' results attacking Internet Explorer. The trojan's fraudulent financial success comes from its ability to perform online banking transactions directly within the user's browser, through the real website, rather than having to try and compromise banking security in some other way.

So one of the options for protecting yourself from this nasty piece of software has been removed. Previously, your easiest option was to avoid using Internet Explorer for online banking, instead using one of the major competitors out there: Firefox, Chrome, Safari or Opera (yes, I know there are other browsers, though most regular computer users are probably not going to use them).

As I discussed in "Protecting online bank accounts - is there an app for that?", another option may be the use of a browser that resets itself to its initial installation after each use. A common implementation of this is a virtual machine appliance that saves no data or changes, running a whole operating system and browser within your PC to simulate a fresh, new install every time. For a while VMware was pushing an appliance to do this, although I don't see it now. The advantage of this is obvious: even if a trojan does make it to your browser VM, the next time you run the machine it will have reset itself to its 'pre-trojan' state, so your risk of anything bad happening is much reduced.

What other options are there? As suggested by some, a completely separate, secure hardware device may be an option: a cut-down, netbook-style PC that is limited to only your online banking account. I see this as being less cost effective, though, and only equivalent in security to a virtual machine.

Another alternative is an application written for the native operating system, making it easier to lock down and harder to subvert than a browser, which by design has to be open to developer 'hacks'. Or, we could all jump in bed with Apple and their highly restrictive software practices, to use only online banking applications on the iPhone or iPad.

Wherever we go with online banking security, the current approach of blaming Microsoft for our woes is not going to continue to work. The writers of trojans that perform fraudulent transactions for criminal money-making do not care which businesses or organizations they damage along the way, so open-source and Microsoft are equally fair game if the opportunities are there to extract cash out of unsuspecting consumers.

A post from the Improving It blog
