'Trojans' open online accounts

Is it safer to bank online or offline?

By BBC News Online internet reporter Mark Ward

An investigation into online banks has revealed how vulnerable they are to malicious hackers looking to steal the identity of customers.

Working with former hacker Gary Chapman, the BBC's Newsnight revealed the methods that computer criminals could use to commit an internet bank robbery.

Mr Chapman planted a snooping program on the computer of presenter Sue Nelson and used the information it gathered to assume her online identity.

The banks say they are already beefing up security to limit the risk to consumers and make it harder for hackers to steal passwords and identities.

Anyone with a GCSE in computer science could use these tools to hack into a bank account

Gary Chapman, former hacker

Newsnight presenter Sue Nelson set up online accounts at four banks - Barclays, NatWest, Egg and Lloyds - to test their security.

She found that it was possible for a determined hacker to steal her password and login details for three of the four accounts.

Password no protection

Former hacker Gary Chapman helped her show up the weaknesses in online security by sending Ms Nelson an email message which contained a "trojan" or hidden program.

Like the legendary wooden horse of Troy that concealed a dangerous payload, the seemingly innocuous e-mail message contained a hidden malicious program.

Almost any type of computer program can be used as a trojan and many computer viruses spread themselves in this way.

But for Newsnight Mr Chapman concealed a program that logs every key- press made on a computer's keyboard and sends it to the malicious hacker.

When the legitimate bank account holder goes online and types in their password the trojan sends the information to the hacker who can later pose as the customer and steal all the money.

Key logging programs are available on the internet.

"Anyone with a GCSE in computer science could use these tools to hack into a bank account," said Mr Chapman.

Called to account

Already malicious hackers are trying to use these techniques to collect passwords and pillage accounts.

Earlier this month security experts warned of a variant of the Love Bug virus which targeted those who have online accounts with Swiss Bank.

Thankfully the badly engineered program, known as VBS/LoveLetter.bd, seems to have failed to harvest any login details and no accounts are believed to have been rifled.

The hardest part for hackers is getting users to open the e-mail message containing the trojan.

Outbreaks of computer viruses have made people wary of opening messages they are not expecting and has led many to turn off the systems that let trojans install themselves.

Peter Sommer, a expert on computer evidence and security at the LSE, said: "If customers want to protect themselves they have to learn rather more about computer security and that tends to become rather complicated."

In the wake of the revelations banks are keen to reassure customers that their finances are in safe hands

A spokeswoman for Barclays said it was introducing new security measures later this year which would make it harder for a trojan-type attack to succeed.

"We have been a bank for a long time," she said, "There have always been fraudsters and we are always working to be one step ahead of them."