Jon’s Network

This Times article details a new technique that criminals could use to steal your log-in information.  It only works if they have the password to your router.  Since most casual internet users don’t even know they have a router, their routers still have the default passwords such as "admin". (The article estimates that 50% are still at default, but I bet it is more.)  The criminals attack using a bit of code that your browser runs when you view their website.  The code changes the DNS settings on the router to point to their own DNS server.  The next time you visit your online bank, your browser loads a spoofed site because of the false DNS records and your credentials are theirs once you log-in.  Hopefully, the broadband companies will change the password for their customers when they install from now on, since most customers will never think to do so themselves.  While the bad guys may have your username and password, they won’t be able to do anything with it if you use tokens or smartcards to log-in to your bank account. (I realize most people don’t.)  The new trend for online banks to display a unique picture to you after you log-in should help users discover quickly if they fall prey to this or similar tactics.