Combating Apathy with Free Security Check

WholeSecurity gives businesses the ability to offer their customers an opt-in PC security sweep to quarantine malicious software

How can businesses protect themselves from customers that won’t secure their PCs?

According to a recent report from Novell, the extent of user apathy is alarming. Surveying British workers, Novell found that “90 percent of workers believe that they have no part to play in preventing the spread of viruses, preferring to leave responsibility to their IT department, Microsoft or the government.” Almost two-thirds think nothing of forwarding spam to colleagues. Over one-third also reply to unsolicited e-mail, thus validating their e-mail address to spammers.

A lot of spam comes with malicious attachments aiming for one thing: information useful for identity theft. Several recent worms, including MyDoom, have especially targeted customers of select financial services companies, hoping to glean log-on or account information.

It turns out that apathy is expensive. Internet-related identity theft was up 51 percent last year, according to a Federal Trade Commission report published in September 2003. The total cost of identity theft last year was $50 billion, much of it paid by U.S. businesses.

If users won’t protect their computers, the companies they transact business with just might. “Extending protection to consumer PCs is a logical next step for the industry,” says Meta Group analyst Chris King. “While there will always be a need for SSL and firewall technology, as transaction volume increases and online criminals move their theft approaches to target unmanaged PCs, businesses must incorporate additional measures to protect themselves.”

“Identity theft is a growing problem, particularly for banks, e-commerce companies, and online brokerages,” says Scott Olson, senior vice president of marketing for WholeSecurity. Banks, for example, “have line-item fraud losses due to identity theft from their customers.”

WholeSecurity released Confidence Online Portal Edition, the first product businesses can use to scan customers’ PCs for malicious code. Online companies—financial institutions and retailers, for example—can offer it as a service to their customers.

Customers, of course, opt in; they get a message asking if they’d like their PC analyzed for malicious software before loading the site. If the user agrees, a 300-kbyte ActiveX component is downloaded and a sweep of the computer begins—usually taking 3-5 seconds to look for such things as keystroke loggers and Trojan software trying to eavesdrop. The software uses behavioral analysis to identify malevolent code, as opposed to signature matching, so it doesn’t need signature updates after every new attack.

When a user revisits a Web site offering the service, the component then runs before they reconnect. WholeSecurity anticipates the component will get updated once or twice a year; updates will occur automatically when a user revisits the site.

Eavesdropping, however, isn’t the only technique for stealing information online. Phishing—disguising e-mails and Web sites to trick users into divulging sensitive information—is gaining in popularity. Olson says the WholeSecurity product doesn’t currently address phishing. “We’re focused on consumer identity theft, and that’s a piece of the puzzle,” he says. Expect it in the next version.

Many phishing attacks, however, also feature Trojan software, he notes. “The interesting thing about phishing attacks is you go to the site and they can put a Trojan horse on your machine. So there’s very much a blending of those threats.”

When it comes to software meant to safeguard their PCs, will customers bite, especially since many seem to revel in their security ignorance? Time will tell, though two factors—it’s customers’ money at risk and they get the service free—may spur adoption.


About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.