A new risk to online banking? Not really.
Harry Waldron, Windows Security MVP and owner of http://msmvps.com/blogs/harrywaldron/default.aspx, came across this article on the Panda Software Web site:
Yay, says Sandi... inspiration for a blog post.
Capturing mouse positions and clicks for nefarious purposes is not a new phenomenon. For example, it was reported by the Anti-Phishing Working Group back in July 2005 in their Phishing Activity Report:
"In late July we started to see some additional techniques being deployed more frequently than previously. These are Trojan Horses which are designed to capture screenshots of the target machine in order to capture credentials from the end-user. Due to the increase in phishing-based keyloggers, several banks have changed the method of how they authenticate users within their website. In this case they are using a browser popup window which requests that the user click on a numeric keypad in order to logon.
The malicious code waits for the active window to equal one of the sites that they want to monitor information for. Once accessed the program then “scrapes” the screen based on the mouse clicks and uploads that information to a website in order to compromise the credentials. The below example is from a website that was hosting images from a screen scraper."
There is another mention of screen scrapers here:
http://www.eweek.com/article2/0,1895,1867957,00.asp (October 2005)
Some banks have implemented TANs (transaction authentication numbers) to try to protect the users of online banking facilities. Protective measures such as single-use TAN codes may not be foolproof, depending on their implementation, as Postbank and Deutsche Bank discovered when the Trojan Spy.Win32.Bancos.pw hit the streets. The fatal flaw that those behind the trojan were able to take advantage of was that a captured TAN did not expire until it was used, so a TAN stolen today could still be spent by the attacker days later.
There are also quite a few banks that have introduced virtual keyboards, sometimes with the keypad numbers changing position on every page load, to increase online safety for their users. Unfortunately, because threats such as Banbra.DCY capture a limited image from the screen as well as mouse position, such protective features may not work.
Banks such as the Bendigo Bank, Elders Rural and Bank of Queensland here in Australia use security tokens in an attempt to protect their users (and therefore the bank itself) from phishers, keyloggers and risks such as screen scrapers. Hopefully more banks will adopt the technology now that screen scrapers are getting publicity again thanks to trojans like Banbra.DCY.
Security tokens such as those used by the Bendigo Bank change every 36 seconds, meaning that not only do the bad guys have to capture your security token code, they have to use it before it expires. This makes them better protection against risks such as Spy.Win32.Bancos.pw than static lists of single-use TANs. But if, for example, you are silly enough to use an Internet cafe to do your banking where there is a guy in the back room watching your every move who can capture your code the moment it is entered, divert you to a fake error page and take over your log-in session, then even a code that changes every 30 seconds will not save you.
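To make the difference between the two schemes concrete, here is an added example (mine, not code from Sandi's post or from any of the banks or products mentioned) that models a bank's server-side check for a static single-use TAN list against a time-based token code. The token construction is the RFC 6238 TOTP HMAC-SHA1 scheme with a 36-second step, chosen to match the figure given above; the secret, the TAN values, the timestamps and the one-step replay guard are all constructed assumptions for the demonstration. It shows the replay window that the post describes: a captured TAN stays valid until consumed, a captured time-based code dies with its window, but a code relayed inside the window still works.

```python
import hashlib
import hmac
import struct


class StaticTanList:
    """Static single-use TAN list, the scheme the post says Bancos.pw defeated.
    A TAN issued to the customer stays valid until the moment it is consumed."""

    def __init__(self, tans):
        self.unused = set(tans)

    def authorize(self, tan):
        if tan in self.unused:
            self.unused.remove(tan)
            return True
        return False


class TimeBasedToken:
    """TOTP-style code (RFC 6238 construction, HMAC-SHA1, truncated to 6 digits).
    The 36-second step follows the Bendigo figure in the post; secret and
    replay guard are assumptions for this demo."""

    def __init__(self, secret, step=36, digits=6):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.used_steps = set()  # steps already redeemed, so one code works once per window

    def code_for(self, t):
        """Code the hardware token would display at Unix time t."""
        counter = int(t) // self.step
        digest = hmac.new(self.secret, struct.pack(">Q", counter), hashlib.sha1).digest()
        offset = digest[-1] & 0x0F
        binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
        return "%0*d" % (self.digits, binary % (10 ** self.digits))

    def authorize(self, code, t):
        """Server check at time t: code must match the current window and be unused."""
        counter = int(t) // self.step
        if counter in self.used_steps:
            return False
        if hmac.compare_digest(self.code_for(t), code):
            self.used_steps.add(counter)
            return True
        return False


def simulate():
    """Run the three situations the post discusses and return the bank's verdicts."""
    results = {}

    # 1. Static TAN captured by a trojan and replayed much later: still accepted.
    bank = StaticTanList(["481923", "775310"])  # constructed TANs
    captured_tan = "481923"
    results["static_tan_replayed_later"] = bank.authorize(captured_tan)

    # t0 is chosen at the start of a 36-second window so the arithmetic is clear.
    t0 = 27778 * 36
    secret = b"constructed-demo-secret"

    # 2. Time-based code captured at t0 and replayed three windows later: rejected.
    token = TimeBasedToken(secret)
    captured_code = token.code_for(t0)
    results["totp_replayed_after_expiry"] = token.authorize(captured_code, t0 + 3 * 36)

    # 3. Same code relayed five seconds later, inside the window, before the
    #    customer's own attempt reaches the bank (the Internet cafe case): accepted.
    token = TimeBasedToken(secret)
    captured_code = token.code_for(t0)
    results["totp_relayed_within_window"] = token.authorize(captured_code, t0 + 5)
    # The customer's own login with the same code now fails: the window was spent.
    results["customer_after_relay"] = token.authorize(captured_code, t0 + 6)

    return results


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The replay guard in `authorize` is what stops a code from being used twice inside one window; it does nothing against an attacker who submits the code first, which is exactly the session-takeover scenario the post ends on. A bank that wants to close that gap has to bind the code to the transaction (amount and destination) rather than just to the moment of login.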