Source:
https://scmp.com/article/686848/no-quick-fix-bank-virus-security-experts-warn

No quick fix to bank virus, security experts warn

Internet security experts warn that there is no quick way to counter the malicious virus programs used by hackers to steal thousands of dollars from customers' bank accounts.

The warning follows an order by the Monetary Authority on Monday demanding that banks step up online banking security after three clients, from two banks, lost HK$289,000 between April and June from unauthorised online transactions. Eight banks have reported being targeted.

The customers who lost money were believed to have accessed their online banking accounts using personal computers infected with Trojan horse programs that record keystrokes and send the information to a hacker. The hacker then logged in to the account using the stolen usernames and passwords.

A one-time password used to authenticate transactions - generated by a security device given by the bank or sent as a text message - was also intercepted in the same manner, enabling the hackers to transfer the money.

Roy Ko Wai-tak, manager of the Computer Emergency Response Team Co-ordination Centre, said the attacks were most likely launched by organised cyber criminals targeting specific bank clients.

He said the technique had 'conceptually and practically' compromised the double authentication process used by banks.

'The logistics - from planting the Trojans to wiring out the money - are very complicated and require expert skills,' he said, adding that the hackers would frequently alter the Trojan programs to avoid being blocked by anti-virus software.

Chow Kam-pui, associate director of the Centre for Information Security and Cryptography at the University of Hong Kong, said the Trojan programs were normally hidden in the attachments of spam e-mails.

Dr Chow said that updated anti-virus software could block most Trojans, but admitted that new viruses could still slip through undetected.

Mr Ko said the onus was on customers to ensure their personal computers were free of malicious programs. 'If the clients are not sure that their computers are clean, they are taking a risk' when conducting online banking transactions, he said.

Professional Information Security Association chairman Daniel Ng Ching-wa said customers could set a ceiling for each transaction, and bar money transfers to third-party or unknown accounts.

Mr Ng suggested that small and medium-sized enterprises ask their bank for specialised services such as connection via a protected network or a 'call back' service.

A spokeswoman for Bank of China (Hong Kong) said several customers had inquired about the fraud but none had suffered losses. Hang Seng Bank, Standard Chartered Bank and HSBC did not comment.

Safe keeping

Keep anti-virus software up to date.

Set a ceiling on online banking transactions.

Don't allow transfers to any third-party accounts.

Verify transaction details and notify bank of anything suspicious.