Tuesday, June 10, 2008

Online crooks up the ante - australianit.com - 10 Jun 2008

INTERNET service providers and the industry need to do more to secure consumers' PCs, as experts concede strong passwords, regular patching and antivirus software are now of limited value.

With the AusCERT Home Users Computer Survey finding nearly one in four PCs have been infected by malicious software, security heavyweights concede ordinary users can no longer deal with the threats.

AusCERT general manager Graham Ingram said 92 per cent of respondents to the survey believed internet service providers should inform customers when they become aware a user's machine had been infected.

Sixty-one per cent favoured the ISP restricting their internet access to a "walled garden" of safe websites, until the computer was fixed.

People are desperate for help, Mr Ingram said. "I was surprised at the level of support for getting ISPs involved in trying to help customers fix their machines, and it would appear there are a lot of machines to be fixed."

The flood of malware (malicious programs spread by software viruses, worms and Trojans) seems unstoppable.

Internet security research group Shadowserver monitors the lag between the release of malware, the time antivirus vendors develop a patch and when users install it. On average, almost 40 per cent of malware in circulation on a given day cannot be detected by existing products.

Shadowserver estimated it obtains about 10,000 new malware samples on the web each day.
Many of these are downloaders, designed to compromise computers then fetch other malware to perform specific functions, such as capturing bank account details.

This had contributed to massive growth in fraud.

Last year, card-not-present fraud (involving online, phone or mail transactions) on locally issued credit cards reached $53.5 million, up from $32 million the previous year, according to the Australian Payments Clearing Association. As well, millions of dollars flowed out to advance-fee fraud every month, despite warnings about email scams, Queensland Detective Superintendent Brian Hay said.

Advance-fee fraud had its roots in the old Nigerian letters/faxes/emails scam, but perpetrators today are just as likely to be in Tokyo, London or Amsterdam.

In a further refinement, people are being individually targeted -- online dating sites, Facebook and professional networking sites such as LinkedIn provide vast volumes of personal information that allows criminals to tailor their approach.

Mr Hay said the "romance hook" was a very potent and particularly nasty trick.
"Romance victims have been set up to cash fake cheques, transfer illegally obtained property and even transport heroin into Australia, usually under the guise of doing a favour for a friend," he said. "Many victims not only lose their savings and belongings, but they are shocked and traumatised."

Mr Hay said criminals got greater returns on targeted attacks and were prepared to play a patient game.

"If you send out 10,000 spam emails, you will get a small response and it takes time to work that up," he said.

"But when you've got a person's complete profile on the internet, and their likes and dislikes, it's easy to create a story that dovetails straight into that.

"Having said that, some relationships have been online for six months before the sting is launched, so they're extremely patient as well."

Scott Charney, head of Microsoft's Trustworthy Computing program, was among speakers at last month's AusCERT conference who warned that it was time to rethink IT security. "We have a huge problem with identity theft, and it's growing," he said.

"I'm not just talking about credit card fraud, but where people get pieces of information and then convince a bank they are really you, and take out a line of credit.

"Things like that are really hard to unravel, and the internet in part makes it possible, because so much personally identifiable information is available online."

Mr Charney proposed a new trust model, based on credentials issued to authenticate individuals in specified online situations.

"The model we use today is completely broken," he said. "We use shared secrets, which aren't secret at all.

"It's not always about proof of identity, it's often proof of something about you. I can choose which proof to present. If it's a financial transaction, I use my bank proof. When I'm getting on an airline, I use my government proof," he said.

Karen Dearne