According to Greek mythology Zeus is actually the Father of the Gods. But in the world of cybercrime, the Zeus Trojan may be the biggest cyber threat this century, if not of all time.
Zeus is a banking Trojan that has swept through the global banking community over the last couple of years, using infected computers to steal bank logins and passwords, bypass security, and plunder bank accounts to the tune of billions of dollars.
The problem is so bad that Zeus has triggered its own mini security industry, with experts, books, blogs and conferences devoted to this one piece of malware and its marauding spawn of copycats.
To my point. Zeus has sparked a raging debate over the future of online banking, security and authentication, and global cooperation.
And here are the most common solutions being offered:
- More cooperation between financial institutions, on issues of security and authentication, and more standardization of security to make it easier for financial institutions to implement.
- More cooperation globally within law enforcement, to take down the bad guys faster.
- More control of financial transfers, especially across borders, to prevent compromised accounts from moving the money.
- Greater focus on the "mules" — the sometimes innocent but often not so innocent individuals recruited to set up local bank accounts to which the stolen money is moved before being transferred out of the country.
All well and good. Except for one problem. Where are the customers in all this? Zeus and other banking Trojans work the exact opposite of attacks like data breaches by hackers. In data breaches, hackers attack the institution first, in search of customer data they can then use to commit identity theft and other frauds.
Zeus attacks the customers first, sneaking onto their computers, and then, like the Trojan horse of legend, sneaks into the bank's network and plunders the accounts.
One of the best defenses we have against the vital first step in the attack - the attack on the customer's computer - is customer vigilance. The customer is best placed to protect their computer, and with round-the-clock education, support, and alerts, coupled with sanctions if they fail to take security seriously, Zeus could have many doors slammed in its face.
And this is where financial institutions are failing. I've been with one of the top 3 banks for more than a decade, and can't remember a single communication from the bank on any security issue in those ten years. Sure, I've received plenty of notices advising me that due to some data breach, my card may have been compromised and so is being replaced.
Of course they never tell me what breach, when, where, what information was stolen and so on. But my bank has never advised me about security, sent me warnings, alerts, tips, offered free software (like my ISP has for years). Nothing.
You'd think it would be in my bank's best interest to make me as vigilant as possible. If I become a sentry instead of a vulnerability, I'm protected, my bank is protected, my fellow customers are protected, the bank has fewer security incidents and losses, and the bank's reputation is less vulnerable.
Most of all, I learn to trust my bank more. Silence on security is usually interpreted as apathy, that my bank is not thinking about security or my protection, and that my bank doesn't seem to be at all bothered about all these Trojans like Zeus.
I know my bank's position. It's an archaic one that believes that talking to customers about security makes customers worry about security, whereas in reality it's quite the opposite.
Until banks summon the courage and smarts to engage their customers in their own security, bring them into the fight, and share their security knowledge with customers, Trojans like Zeus will continue to be the father of gods, men, and bank heists.