Earlier today it got known that at least 250 customers of the banking groups Sparebank 1, Nordea, DNB Nor and Skandiabanken have gotten their bank accounts emptied after having been infected by trojan horses.
My first thought was, but why isn't there any random token authentication to protect against this. But the more I thought about it, the more clear it got to me that I would rather just monitor the activity of the customer, wait until the user him/her-self logged in and then capture the computer, do the necessary transfers, change the password and log out, while the user only thought there was a lag in the system by forcing up another window.
Which brings us back to the root cause of the problem, the users. Albert Einstein is often attributed the quote "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." and indeed, security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naivete, or ignorance come into play.
I really hope the banks doesn't take full responsibility for this, as it will only result in higher prices for users that actually bother to protect themselves.
And for crying out loud, learn how to protect your computer, or don't use it at all. The last time something similar happened, a vulnerability that was fixed by Microsoft in April got used, so the users had more than half a year to upgrade the systems, yet didn't.
More about protecting your computer can be read at http://www.secure-my-internet.com
