The BBC's Denise Mahoney
"Raiding internet accounts isn't just possible, it can be quite simple"

Newsnight tests security of online banks
Sue Nelson: "The home PC is the vulnerable link"

Thursday, 24 August, 2000, 15:21 GMT 16:21 UK
'Trojans' open online accounts
Cash machine banking
Is it safer to bank online or offline?
By BBC News Online internet reporter Mark Ward

An investigation into online banks has revealed how vulnerable they are to malicious hackers looking to steal the identity of customers.

Working with former hacker Gary Chapman, the BBC's Newsnight revealed the methods that computer criminals could use to commit an internet bank robbery.

Mr Chapman planted a snooping program on the computer of presenter Sue Nelson and used the information it gathered to assume her online identity.

The banks say they are already beefing up security to limit the risk to consumers and make it harder for hackers to steal passwords and identities.

Newsnight presenter Sue Nelson set up online accounts at four banks - Barclays, NatWest, Egg and Lloyds - to test their security.

She found that it was possible for a determined hacker to steal her password and login details for three of the four accounts.

Password no protection

Former hacker Gary Chapman helped her show up the weaknesses in online security by sending Ms Nelson an e-mail message which contained a "trojan" or hidden program.

Like the legendary wooden horse of Troy that concealed a dangerous payload, the seemingly innocuous e-mail message contained a hidden malicious program.

Almost any type of computer program can be used as a trojan and many computer viruses spread themselves in this way.

But for Newsnight Mr Chapman concealed a program that logs every key-press made on a computer's keyboard and sends it to the malicious hacker.

When the legitimate bank account holder goes online and types in their password the trojan sends the information to the hacker who can later pose as the customer and steal all the money.

Key logging programs are available on the internet.

"Anyone with a GCSE in computer science could use these tools to hack into a bank account," said Mr Chapman.

Called to account

Already malicious hackers are trying to use these techniques to collect passwords and pillage accounts.

Earlier this month security experts warned of a variant of the Love Bug virus which targeted those who have online accounts with Swiss Bank.

Thankfully the badly engineered program, known as VBS/, seems to have failed to harvest any login details and no accounts are believed to have been rifled.

The hardest part for hackers is getting users to open the e-mail message containing the trojan.

Outbreaks of computer viruses have made people wary of opening messages they are not expecting and have led many to turn off the systems that let trojans install themselves.

Peter Sommer, an expert on computer evidence and security at the LSE, said: "If customers want to protect themselves they have to learn rather more about computer security and that tends to become rather complicated."

In the wake of the revelations banks are keen to reassure customers that their finances are in safe hands.

A spokeswoman for Barclays said it was introducing new security measures later this year which would make it harder for a trojan-type attack to succeed.

"We have been a bank for a long time," she said. "There have always been fraudsters and we are always working to be one step ahead of them."
