A variant of the ZeuS banking trojan is targeting mobile phone users who rely on their handsets to get enhanced, two-factor authentication from ING Bank Slaski in Poland, a security blogger said on Monday. The ZeuS man-in-the-mobile attacks appear to similar to those that hit Spain in September, researchers from antivirus …
Ever heard of Unicode?
It's called "Śląski", not "Slaski".
for all your mTAN needs, use a mobile just smart enough to receive SMS and no smarter.
Or use NoScript so you don't get XSpwned. Oh and don't give your mobile number to crooks?
There's no such thing as fool proof
Fools are evolving all the time.
At some point we'll have to stop trying to secure accounts with technology and start educating the users.
Re: User Education
This cannot and will not ever work, and no public system should ever require this in order to be secure.
Fail for Bank & Criminal
So they get Zeus on your PC to get the online banking number and static passwords, then con you into infecting your mobile with another Zeus variant. But why bother?
As you're typing the OTP mTAN into the infected PC anyway, the extra step is pointless (and requires an additional risk that the element of social engineering alerts the user).
Bank 3/10 - poor security, which fails to understand the point of out of band security
Criminal 6/10 - potentially successful, but fail to understand they're messing up their own attack
> The ZeuS Mitmo injects a fraudulent field into webpages that prompts users for their cellphone number and the type of handset they use ..
The solution being to run your Browser off a bootable CD or readonly USB device. Seriously folks, how often do I have to keep on saying this. Yes, I know all about in memory hacks, but they are a rarity and get flushed on the next reboot.
On a related note, in the interests of security and 'compliance', the IT people here have banned the use of Linux and require the sole use of the 'compliant' Windows XP/7. At the same time the system is wide open to anyone with a wireless laptop. Thing is, I really don't understand how spying on me is going to protect me from the 'terrorists' ...
...until next year
...when a ZeuS variant infects your OS such that when it creates a bootable CD or USB key, the OS contained therein is modified to already contain the ZeuS trojan.
Basically the Stuxnet approach to getting round the physical network isolation of the PLC controllers.
Yes, you could run a MD5 check (or some other hash) against the OS image, but how do you know your computer is telling you the right answer? We can't even go back to buying physical CDs as the pressing plant may have been compromised.
Could I PLEASE get my paper OTP lists back now?
- Review Is it an iPad? Is it a MacBook Air? No, it's a Surface Pro 3
- Hello, police, El Reg here. Are we a bunch of terrorists now?
- Microsoft refuses to confirm 'Windows 9' unzip lip slip
- The Register to boldly go where no Vulture has gone before: The WEEKEND
- Netflix swallows yet another bitter pill, inks peering deal with TWC