A couple more things to watch out for

[mdlbear]

SSL Trojans getting ever nastier

The E-gold Trojan waits for the victim to successfully authenticate to E-golds Web site, creates a second hidden browser session, and uses various spoofing tricks until it drains the victims account. Because the stealing and spoofing is started after the authentication is completed, no amount of fancy log-on authentication would prevent the heist. All too telling is LURHQs prediction that other banking institutions are sure to be attacked in this manner in the future.

...

I'll go further. Finding out about this huge underworld of target-specific Trojans stealing from e-commerce sites and banks has been a revelation. The criminals are more mature, practiced, and technology-prepared than I previously thought. I think 2006 will be the year of the worlds biggest bank heist. Tens of millions of dollars will be stolen electronically by SSL Trojans in one day (if it hasnt already happened), resulting in an awakening of the general public and government regulators.

...and I'll go further yet: I think this is probably a gross underestimate. I'm still waiting for a stealthy heist of a few tens of millions of credit card numbers and names, followed by a couple of days of massive cash advances. Tens of billions, easily.

and now for something completely different:

This website devoted to RFID viruses and worms.

Up until now, everyone working on RFID technology has tacitly assumed that the mere act of scanning an RFID tag cannot modify back-end software, and certainly not in a malicious way. Unfortunately, they are wrong. In our research, we have discovered that if certain vulnerabilities exist in the RFID software, an RFID tag can be (intentionally) infected with a virus and this virus can infect the backend database used by the RFID software. From there it can be easily spread to other RFID tags. No one thought this possible until now. Later in this website we provide all the details on how to do this and how to defend against it in order to warn the designers of RFID systems not to deploy vulnerable systems.

The proof-of-concept they've implemented is a SQL-injection attack on the scanner's back-end database. Sure, it's easy to scrub your incoming data. But who would have thought that you had to do it for data coming from read-only RFID tags?

and for the tinfoil hat crowd:

It occurred to me, thinking of RFID tags and duct-tape wallets, that you could make a very effective, very durable shielding material by sandwitching a layer of aluminum foil between two layers of duct tape. You could probably make a propeller beanie or baseball cap using the same principle; remember to keep the shiny side out if you want to block those alien mind-control rays.

Comments

[mdlbear]

That's a nasty one. Don't use your debit card's PIN in a store! Call it a credit card and sign your receipt.

[jilara.livejournal.com]

I feel relieved that I'm old-fashioned and don't use a debit card for purchases.

[mdlbear]

Same here. Only place I use mine is the ATM, which is probably still fairly safe.