Print
Discuss
Send to friend
RSS feedsI am still struggling to believe this. According to email security firm MessageLabs, it is now possible for you to be defrauded just by opening an email. Forget your dutiful "open no dodgy attachments" policy, a malicious script can be activated simply by clicking to open an email.
Thankfully the scam has only been detected in Brazil, and there is a fix, but this is yet another nail in the coffin for email as we know it. This is how it works: the fraudster sends you an innocent-looking email that you open; this activates a tiny bit of code that merrily trundles off to overwrite your bank's web address details.
A little later when you log onto your online bank, you are directed to a fake web site and your banking passwords are dutifully collected by the fraudster.
It's just another version of the so-called "phishing" scams that work by fooling you into thinking you are dealing with your bank or another legitimate online business when you are not. And it is now also possible for a fraudster to send a virus to your PC to harvest the email addresses, which can then be used to send emails back to you that look like they are coming from people you know. Given all the above, can we really still trust the email we receive?
The scam spotted in Brazil can be stopped by disabling the Windows scripting host. But depressingly, antivirus experts point out that new scams are usually tried and refined in one region before being launched worldwide. Do not be surprised if a new, improved "Brazilian" scam gains global notoriety in the coming weeks.
So what's to be done? The reality is that email is one of the most vulnerable parts of any personal or corporate computer system. We tolerate its flimsiness because its power and cheapness as a communication tool is unrivalled.
Firms need to assess the risks before deciding how much cash they will spend to keep out criminals and chancers, in the same way they would assess the likelihood of their buildings being broken into.
On the whole, businesses understand and tackle the problem well. The most common targets of fraudsters are small businesses and individual users who are slow to patch and fix or are just plain unaware of the threat. Delay in bolting those barn doors gives fraudsters a multi-million-pound opportunity every day.
But it's not just the small guy that gets hit. Indirectly, online commerce is damaged. How much will online banks suffer as a result of news of the Brazilian scam? It's impossible to quantify, but what is clear is that the providers of online services must do more to help potential victims. And service providers need to protect their public image - tarnished this month when a Cahoot bank user told the BBC it was possible to look into other people's accounts without a password. Naturally the story was soon headline news.
Sadly, email is a victim of its own success. It's so cheap and ubiquitous that there is now a criminal industry built around it.
But the banks' current attitude - simply to bolt on a bit of advice about email security to their glitzy online services - has to change. They should be collectively setting up a 24-hour security helpline to give users advice, and adopting variable passwords based on hardware tokens - the best defence against phishing. However, that would require them to admit there is a problem - not something that banks are particularly keen to do.
Alternatively, Microsoft could do a lot more to make its software attack-proof before you even take it out of the box. But that, as they say, is another story.
del.icio.us
Digg this
reddit!
