“It’s not a fair fight,” said online security expert Brian Krebs at Mid-Atlantic Corporate’s first IT and Security conference, describing the “asymmetry in sophistication” between savvy cyber criminals and their guileless victims.
“Financial institutions need to be doing more to educate their customers,” Krebs said.
That was the top-line message of Krebs’ speech at the recent event, where he focused on the Zeus Trojan, malicious code that typically infects a computer through email or a visit to an apparently innocuous website and then lets cyber criminals take control of the victim’s computer.
In the worst case the criminals, operating through the victim’s own computer and its usual Internet Protocol address, can log in to the bank and loot the account. Because the session originates from the customer’s own machine, every “fingerprint” the bank sees (the IP address and the computer itself) points back to the user rather than the attacker.
One upshot is growing tension between customers and financial institutions, said Krebs, a onetime Washington Post staff reporter who now runs his own security blog.
“If this happens to a consumer, it’s the bank’s problem. If this happens to a business, it’s the business’s problem. This is causing all kinds of strife,” Krebs said later in an interview.
Krebs added that he knew of at least two financial institutions whose own internal computers had been infected by the Zeus Trojan.
“This is a problem that just keeps on,” said Krebs, who explained that the Trojan has gone through various permutations to dodge detection by security software.
Prime targets today, he elaborated, are small businesses, school districts, title and escrow companies, homeowners associations and law firms. Wherever large sums of money sit behind possibly weak security, Zeus-wielding criminals are sniffing around, Krebs suggested.
His best advice to users who want protection from Zeus: dedicate one computer to online banking and use it for nothing else. “No email, no Facebook, no porn, nothing else,” said Krebs.
His bottom line: “Institutions need to be telling their business customers in particular about the threats and what they need to stay alert to.”