The following article appeared in the November 8th, 2005 issue of Law Times News:
Not long ago, computer viruses were the biggest problem personal computer users had to contend with. However, these days most computers run some sort of antivirus programs and most e-mail systems have built-in scanners to slow down e-mail-borne viruses. The emerging problem in the last year or two has been spyware.
The more serious varieties of spyware may search for modems attached to the userâ€™s computer and then attempt to make telephone calls to pay-per-use services, usually located in the Caribbean or Eastern Europe. Or they may turn the userâ€™s computer into a â€œzombieâ€ that can then be used to send out spam e-mail or to mount co-ordinated â€œdenial of serviceâ€ attacks against web sites that refuse to pay cyber-extortionists.
The worst variety install backdoors that allow hackers to access to the computer or install â€œkeyboard loggersâ€ that quietly monitor passwords used by the user to access secure systems, including office computers and online banking sites.
Aside from the obvious security risks, spyware uses memory and resources (including bandwidth used to access the Internet). It may therefore impair the proper function of PCs by slowing down their operation or causing conflicts with other software and adversely affecting system stability.
Compared to computer viruses, spyware is harder to guard against, even in a corporate environment. The use of anti-virus scanners on the firm e-mail system, even combined with good Internet use policies that prohibit users from downloading or installing unapproved software programs, wonâ€™t provide full protection.
In some cases, a computer can be infected simply by visiting a compromised web site containing code that exploits security holes contained in the browser or operating system. Also, most organizations have little control over their staffâ€™s home computers. An infected home computer can then be used to steal passwords for accessing the company or firm resources remotely.
Computers, both at work and at home, need to be updated promptly with security and critical updates issued for the operating system and application programs. Personal firewall programs that monitor and control both incoming as well as outgoing traffic (such as ZoneAlarm Firewall) should also be installed on each computer. This should be done even if the network that the computer is attached to is protected by a firewall or router (because the primary purpose of such routers is to protect computers from outside attackers, not to monitor whether hidden programs are trying to send personal data to the outside world).
Anti-spyware programs (such as Spyware Doctor, Ad-Aware, Spy Sweeper and Spybot Search and Destroy) should also be installed on each computer. While some anti-virus programs (such as McAfee Antivirus or Norton Antivirus) and some personal firewall programs (such as Outpost 3.0 and ZoneAlarm Internet Security Suite 6) now include built-in anti-spyware components, no one program is 100-per-cent effective.
In addition to the digital armour provided by the software programs described above, safe computing practices are also critical. Avoid installing unknown software and stay away from hacker-type web sites (such as those offering infringing software or music downloads). It also means keeping a separate computer at home to access corporate systems (or online banking resources) and which the kids in the house are prevented from using.
The financial services industry has also singled out spyware as a big problem. Although still in the minority, a significant percentage of Internet users have become so concerned about spyware and online fraud that they have stopped using online banking facilities and/or have reduced their online purchasing activities.
In the U.S., the Federal Financial Bank Examination Council sent banks a letter in early October notifying them that they will be expected to adopt some form of â€œtwo-factorâ€ authentication by the end of 2006. With two-factor authentication, customers must confirm their identities not only by providing something they know, such as a PIN, but also with something they physically have, such as a hardware token that displays numeric codes which change every minute or one-time passwords on scratch-off cards.
According to the FBEC, the use of single-factor authentication is inadequate for high-risk transactions involving access to customer information. Although its requirements apply only to U.S. financial services companies, it is to be hoped they will have an influence on Canadian financial services regulators.