Why online banking isn't as safe as you'd hoped

Even if you’re running an anti-virus system you're still at risk

We’ve met some interesting people here at CeBIT so far this year. But no one has had a better story to tell than F-Secure’s chief research officer, Mikko Hyppönen. He’s been working alongside security services all over Europe and is today flying to the UK to meet with Scotland Yard (HQ of the metropolitan police) to discuss new cases of cyber-crime.

The stories he tells are truly frightening. And despite having worked with viruses for over 17 years, Hyppönen says that even he is constantly surprised by how ingenious cyber-criminals are becoming.

Advanced criminal attacks

“I’ve been working with viruses since 1991 and since then we’ve seen big changes,” Hyppönen told TechRadar. “I think the biggest change is criminal elements entering the picture. We’re now seeing much more advanced attacks than we were expecting.

“For example we were last week analysing a series of banking Trojans which infect the user’s PC when they surf a web page by using exploits. And what it does is it writes a modified boot sector to your hard disc.

“Now first of all, writing to the boot sector on a hard drive from within Windows is supposed to be absolutely impossible, but that’s what it does. And it replaces the very first sector on your hard drive with a modified version.

So next time you reboot the computer the very first thing you run – before Windows – is the malware. It loads itself into the memory and then continues to boot the machine normally.

Online banking

“And after that when you go and do online banking and you type in account numbers where you want to save money to, it changes the numbers you type.

“So you type the number of say your electricity bill company, and it changes it to another account number which of course goes to the criminals. But it doesn’t show up on your screen – whatever you type looks fine but from the bank’s point of view, you’ve typed a different number. The money ends up going to the wrong people: the hackers.”

Hyppönen said that the most impressive part of it is that even if you’re running an anti-virus system, it can’t see any of this happening.

“Right now none of the antivirus companies here has a proven method of always detecting [this malware], so we’re living in interesting times. I personally wouldn’t believe that these programmers can pull this kind of thing off, but they do, it’s incredible.”

He said that this kind of online fraud is rife, before proceeding to tell us other ways in which hackers are able to steal your money.

Hacked authentication systems

“We saw another banking attack three weeks ago – a very clever attack targeting some of these new online banks which use very complicated authentication methods.

“So this particular bank – a big European online bank – had an authentication system where you log in by giving your account number and then a one-time password. The user has these passwords on a piece of paper and they only use those passwords once. So even if the phisher got hold of a password, it wouldn’t work anymore anyway.

“However, with a certain Trojan sitting on your hard drive, it will wait for you to log in. Then when you make a payment, at the end of the payment, the bank challenges you and asks for a password. So what happens here is that the Trojan waits for you type the password in, and then it shows you a completely fake page which says something like ‘temporary maintenance please wait’.

“The Trojan stops the password from being sent to the bank. And while the user is waiting, it sends a special ping to an IP address in Turkey. And there, there’s a guy – a real guy – waiting at the other end.

"And he sees the infected computer and is able to remotely take control of the machine with a hidden browser window which the user cannot see. He then actually uses his computer to continue your banking session.

"He moves money around, makes payments or whatever, and then of course at the end the bank challenges him and asks for a password. And that’s when the hacker passes the session back to the user who inputs the password not knowing that anything has happened. It’s pretty clever.”

James Rivington

James was part of the TechRadar editorial team for eight years up until 2015 and now works in a senior position for TR's parent company Future. An experienced Content Director with a demonstrated history of working in the media production industry. Skilled in Search Engine Optimization (SEO), E-commerce Optimization, Journalism, Digital Marketing, and Social Media. James can do it all.