More on the breach previously mentioned in another blog entry.
Victims at one bank have lost between £1,000 and £3,000 each thanks to a ‘trojan horse’ program developed by the cyber criminals.
The name of the high street bank has yet to be released as the information has just been handed to the police.
The hackers have stolen at least £675,000 from 3,000 accounts at the institution.
The web attack, which originated from a server in eastern Europe, is still progressing, according to computer security experts.
They said it was the most sophisticated and dangerous malware program they had come across. And they accused the bank of failing to react quickly enough to the security breach, which began last month.
The trojan, known as a Zeus v3, spreads through legitimate websites and advertising to infect computers.
Once it has done so, it lies dormant until users connect to their online banking page. It then steals the customer’s log-in and password details and hacks into their account.
Read more on Metro.
Described this way, it sounds like it’s the bank’s security breach, but since one could argue that it was the users who were at least somewhat responsible for their account login being compromised/stolen, is this really the bank’s breach? Or do we say that banks have a responsibility to have greater authentication than whatever this bank uses so that it would detect a suspicious IP? Once the trojan is capturing whatever the user enters in their browser in real time, what security measures on the bank’s part are both necessary and sufficient?
C’mon, you security pro’s… what’s the answer? Educate this humble privacy advocate.