As someone who is computer security conscious, I avoid online banking completely.
For friends, family, & others that insist on online banking I suggest either of the following:
- Use a Live CD. Brian Krebs has excellent articles on how to do this: http://krebsonsecurity.com/2012/07/banking-on-a-live-cd/ or http://krebsonsecurity.com/banking-on-a-live-cd/
- Use a recent iOS device, iPhone 4S or newer, iPad 2 or newer, iPod Touch 5th generation or newer. There are significant hardware security improvements that started with those respective devices.
Clear instructions & screenshot for turning off Simple Passcode http://www.computerworld.com/s/article/9231627/Kenneth_van_Wyk_Shutting_down_security_gotchas_in_iOS_6?taxonomyId=17&pageNumber=1
The reason for this is that a hacker with the right software can use a computer to try passwords, and can also bypass the 10-try feature.
So if you're using the Simple Passcode, which is just a 4-digit number, they will probably be able to hack it in less than an hour.
However, if you use a pass phrase, like "I <3 my iPad. I hate green beans!", the hacker will have a much more difficult time. [Note: don't use that pass phrase, it is just to illustrate the concept.]
Instead of only 4 numbers, there are 34 characters, counting the blank spaces, and you're using uppercase letters, lowercase letters, numbers, special characters, and blank spaces.
The hacker won't have any idea how long your password is, and by using at least one of each kind of character (upper/lower case, numbers, symbols, and blank spaces) you make the hacker's job a lot harder.
For more on passwords see http://cliffsesportcorner.blogspot.com/2012/05/steve-gibsons-haystacks-needles.html
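To put numbers on the comparison above, here is a small search-space calculator in the style of the haystack approach linked above (an added example, not part of the original post). Assumptions: the character class sizes (26/26/10/33) follow the haystack counting, the 80 ms per guess figure is an illustrative on-device attempt rate, and the pass phrase is typed with two spaces after the full stop to give the 34 characters counted above.

```python
import string

# Character classes and their sizes (assumption: haystack-style counting,
# where the 33 "symbols" are the 32 ASCII punctuation marks plus the space).
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation + " ", 33),
)

SECONDS_PER_GUESS = 0.08  # assumption: roughly 80 ms per passcode attempt

# The post's illustrative pass phrase (assumption: two spaces after the full stop).
PASSPHRASE = "I <3 my iPad.  I hate green beans!"


def alphabet_size(secret):
    """Add up the size of every character class that appears in the secret."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in secret))


def search_space(secret, length_known=False):
    """Number of candidates an exhaustive search has to cover.

    With a known length (the 4-digit Simple Passcode) it is alphabet**length.
    With an unknown length, every shorter string must be tried as well.
    """
    n, length = alphabet_size(secret), len(secret)
    if length_known:
        return n ** length
    return sum(n ** k for k in range(1, length + 1))


def worst_case_seconds(secret, length_known=False, rate=SECONDS_PER_GUESS):
    """Time to try every candidate at the assumed guess rate."""
    return search_space(secret, length_known) * rate


if __name__ == "__main__":
    pin = "1234"  # constructed sample Simple Passcode
    print("Simple Passcode:", search_space(pin, True), "candidates,",
          round(worst_case_seconds(pin, True) / 60, 1), "minutes worst case")
    years = worst_case_seconds(PASSPHRASE) / (365.25 * 24 * 3600)
    print("Pass phrase: alphabet of", alphabet_size(PASSPHRASE),
          "characters, about %.1e years worst case" % years)
```

Under these assumptions the 4-digit passcode falls in minutes, while the pass phrase's search space is too large to exhaust at any realistic guess rate.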
Additional links:
- Covers weakness of older iOS devices to hacking http://www.blackbagtech.com/blog/2011/12/15/iphone-forensics-accessing-a-handset-locked-iphone-ipad-or-ipod-touch-device/
- Elcomsoft article (pdf) on password keepers, but they also cover superiority of locking iOS or Blackberry devices over Password Keepers http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf
- Verifying iOS Data Protection enabled http://support.apple.com/kb/HT4175
- Non Apple article for verifying iOS Data Protection enabled (some find Apple's Support articles less than clear) http://www.cloudcentrics.com/?p=1820
- Puppy Linux, a decent choice for Live CD http://puppylinux.org/main/Overview%20and%20Getting%20Started.htm
- Damn Small Linux another decent choice for Live CD http://www.damnsmalllinux.org/
- Place to buy Live CD or DVD with Puppy Linux (so you can just buy it and use it, without hassle of downloading & burning it yourself) http://www.osdisc.com/products/linux/puppy