Filed under: security

BlackBerry, Nokia and Apple have provided the Indian Military with backdoor access to cellular surveillance

On January 6th, reports surfaced of Symantec (makers of Norton Antivirus) being hacked. The group of hackers behind the attack was from India. In a statement issued by a member of the Lords of Dharamraja group (badass name!), the guys said:
As of now we start sharing with all our brothers and followers information from the Indian Militaty (sic) Intelligence servers, so far we have discovered within the Indian Spy Programme (sic) source codes of a dozen software companies which have signed agreements with Indian TANCS programme (sic) and CBI
Ignoring the typing errors, gaining access to the Indian Military Intelligence servers is pretty damning for the agency. The hack got press coverage because the hackers claimed to have access to Norton's source code. Earlier today I came across scans of a set of documents that appear to be internal communications within the Indian military. The documents claim the existence of a system known as RINOA SUR. I could not find what SUR stands for, but RINOA is RIM, Nokia and Apple. And this is where things start to get very interesting: according to the documents, the RINOA SUR platform was used to spy on the USCC, the US-China Economic and Security Review Commission. Let's take a moment for that to digest. Here's an image from the documents underlining the relevant part:

The documents contain snippets of emails sent by members of the USCC. Apparently, the RINOA SUR platform has been declared a success and the Indian Navy has shown interest in it. The leaked military documents suggest RINOA were arm-twisted into providing backdoor access in exchange for being allowed to operate in India:

While the Indian government recently gave the nation's premier spy agency—RAW—permission to access any citizen's electronic communication, the Department of Telecommunications has reached out to Interpol for help in decrypting communication via services like RIM's BlackBerry.

Learn How to Pick Locks from a Competitive Lockpicker

via:gizmodo

Schuyler Towne, a man who loves locks more than anything, is hosting a 24-part video course on how to pick locks. With any luck, you can become the next great lock picker after watching it (or at least, get yourself in your apartment when you lock yourself out).

All the videos are on YouTube and they cover everything from what you'll need to how Medeco locks work to picking with half-diamonds and rakes. I don't even know what I'm saying anymore. It's comprehensive and a little bit intimidating, but can you think of a better way to spend a lazy weekend (or workday)? Admit it, we've all wanted to learn how to pick a lock once in our life. Why not get lessons from a good guy like Schuyler? Check out Schuyler Towne's entire 24-part video course here.

 

How to unlock a car with a text message

Don Bailey says he can unlock thousands of cars across the United States simply by sending a few texts from his Android phone.

And that's not even the scary part.

Bailey, a senior security consultant with iSEC Partners, said in an interview with CNN at the Black Hat security conference here at Caesars Palace that the same hack he has used to demonstrate unlocking and even starting a car via text message also could be used to attack industrial systems, the power grid and the water system.

"I could care less if I could unlock a car door," he said. "It's cool. It's sexy. But the same system is used to control phone, power, traffic systems. I think that's the real threat."

Bailey would not share details about which cars or which auto systems are vulnerable to the hack that he showed off publicly at the event.

The hack affects many kinds of devices that connect to cellular GSM networks, like the one used by AT&T. As cars and plenty of other stuff -- from pill bottles to trees, he said -- start connecting to cell grids and the Internet, Bailey said they become more vulnerable.

Certain electronic components that accept wireless signals are vulnerable to the hack, he said. Those components are in the cars Bailey said he can unlock remotely.

Again, he would not name which cars have them.

Strangely enough, Oprah Winfrey kinda-sorta inspired this research.

Bailey said he was watching an "Oprah" show about a device called the Zoombak, which the TV host said could be used by parents to track the locations of their kids.

"I heard that and thought, 'Oh dear God no. Please Oprah, no, no no!' " he said in a presentation at Black Hat. "This was my thinking: That's dangerous. That can definitely be owned. Let's own that thing."

In hacker-speak, "own" means to take control of a device.

Once he figured out how to take control of the kid-tracker, Bailey moved on to cars, which he said was more difficult but still not impossible.

"I couldn't just straight-up text message it and be like, 'Gimme yo' datas!' " he said, referring to the car parts. "So it was a little more work."

It's not all doom-and-gloom, though.

Bailey said manufacturers could purchase more expensive parts that would keep these types of hacks from being possible. He thinks industry associations should put out recommendations suggesting this approach, even though cost increases would be "highly significant."

"We have to," he said. "We have to find elegant ways to find that sweet spot between cost and security."

Black Hat is an annual gathering of hackers and security professionals in Las Vegas. Researchers hope that by showing off how to hack certain systems, the computer industry will take steps to make infrastructure and consumers safer.

via cnn.com

 

Hackers And Clouds: How Secure Is The Web?

Two new victims took a hit in the Wild West world of computer hacking this week: Citibank, where 200,000 credit card holders were victimized, and the International Monetary Fund, which reportedly also endured a cyberattack.

The FBI is on the case — so much so that 1 in 4 hackers may now be an informant, according to some experts.  

Hackers And Spies

Ed Pilkington, who covers hacking for the Guardian, tells Weekend All Things Considered guest host Rachel Martin that the overriding atmosphere in the hacker community is one of paranoia and fear as more and more of them join the other side to get out of trouble.

"They don't really know who's doing what," he says. "It seems such an extraordinary contradiction. Here is this community which in popular vision is a community of anarchists, anti-establishment people, and yet here are so many of them actually acting as the eyes and ears, as virtual spies, on behalf of FBI and Secret Service."

There are those in the cyber-community who think even more than 1 in 4 hackers are in cahoots with the U.S. government these days. Former hacker and information security consultant Kevin Mitnick says that informants are essential to America's defenses.

"I don't know of any case that involves computer hacking where there were multiple defendants charged where there wasn't an informant on the case," he says.

 


And Mitnick knows the community well. As a kid, he found he had a knack for what was then called "phone phreaking" — essentially hacking phone systems before there were personal computers.

"When I got pretty adept with manipulating the phone company's systems, I was able to pull pranks," Mitnick says. "I was able to change a friend's home telephone's class of service to that of a payphone. So whenever he or his parents would pick up the phone to make a call, it would say, 'The call you have made requires a 25 cent deposit.'"

Years later, Mitnick went from hacking phones to breaking into phone companies' computer systems. Then in 1995, he was arrested on charges of computer fraud and served a five-year jail sentence. A fellow hacker testified against him in court in exchange for a lesser sentence.

"You definitely feel a great sense of betrayal," Mitnick says of the testimony. "If hackers, if anyone committing a criminal act, wants to reduce their risk, they obviously don't involve anybody else. The greater the circle of people that know what you're doing, the higher the risk."

Catching Small Fish

Today, the risk — and the stakes — have never been higher. As more and more personal and financial information has wound up on the Web, hackers have increasingly banded together to attack that information.

"The main group are the carders. They specialize in breaking into databases of credit cards, usually held by banks or credit card companies," Pilkington says. "They can do millions of dollars of damage in terms of stealing directly from bank accounts, or going out with fraudulent credit cards that they create using this database of information."

They do this with very sophisticated attacks. But the FBI has managed to fight them, Pilkington says, using an old-fashioned trick.

"It's the trick they use against drug gangs, it's the trick they use against mobsters and the mafia: You catch a little guy doing a little thing," he says.

Pilkington gives the example of Albert Gonzales, who was caught fraudulently taking money out of an ATM, which "in the scheme of this stuff is pretty small beer." Authorities got him out of prison early and set him up in an FBI office. They paid him $75,000 a year to set up networks to meet other hackers.

"He then became essentially a honey trap for big carders and identity thieves in the hacking community," Pilkington says.

But last year Gonzales got a 20-year sentence for hacking: While he was working as an informant for the FBI, he was secretly hacking government agencies and bank accounts.

Fifteen years ago, Mitnick says, things were not this complicated.

"When I was a hacker it was all about pursuit of knowledge, getting a bite of the forbidden apple, so to speak. Then of course the challenge and the seduction of adventure," he says. "Today it's all changed. I mean, the trend of hacking today is all profit — credit card numbers, bank account numbers. For example, Sony recently has suffered over 17 attacks."

Protecting The Cloud

Another tech company hackers were watching closely this week was Apple. CEO Steve Jobs announced the iCloud, a new service that will allow Apple users to store all their email, photos, music and documents on an array of servers.

"By centralizing their data, they've really painted a target on their back," says David Brumley, a computer scientist at Carnegie Mellon University in Pittsburgh. He says Apple's iCloud is a bank of servers in a building the size of two football fields in North Carolina.

"From the reports, they have barbed wire around the building, they have guards and you're going to need an ID to get into those buildings," he says. "So the physical security is actually pretty good. It would be a lot like getting onto a military installation to actually get into Apple's iCloud data center."

Though it may be tough to break into the server's headquarters, Mitnick says, breaking in online could be another story.

"I was hired to test this cloud infrastructure in South America. Literally in the 15 minutes that I was on the phone with the CEO of the company and one of the lead technical guys, I was able to get access that only system administrators should get access to," he says.

Mitnick says there are things everyday Internet users can do to protect their information, like using a VPN client or more secure browsers like Google Chrome, but he adds, "Anything out there is vulnerable to attack given enough time and resources."


Online photos: Are they the new digital fingerprint?

For Mike Smith, Facebook is a fort for communicating freely with friends online.

Within the confines of that giant yet access-restricted network, the music-software engineer from San Francisco believes he can control what's posted about him through the simple courtesy of asking friends to remove unflattering photos.

But on the wide-open Web exists a harsher environment.

Images that make their way outside the walls of Facebook or similarly closed networks can get indexed by search engines and become almost impossible to scrub.

"I don't want to advertise my life," Smith said. "But my last name is Smith, so there's built-in anonymity. No one can find me."

For those less fortunate, a rogue picture can become an unwanted tattoo. As software matures, more data can be extracted from those images with ease.

A digital photograph is like an onion, and advancements in machine reading and software scanning can help peel back layers to extract information from images.

Each layer of a digital picture often contains data about where and when a shot was taken. Rapidly maturing computer algorithms can interpret what or who is in the frame.

More than half of people online have uploaded photos to be shared with others, according to a study from the Pew Research Center for a report that hasn't yet been published. It was 55% in November, up from 46% in July 2008, Pew's studies found.

Previously, the Pew Internet Project hadn't studied photo sharing as closely as status updates and blogs, said Lee Rainie, the project's director.

"The photo piece of this is now rising in importance and volume, we think, so we're going to pay more attention to this in the future," Rainie said. "It's become such a central feature for social networking."

Pew is also considering the privacy implications. "As location awareness now comes in your pocket with that smartphone, it's very likely that there's more of that (GPS data) inadvertently passed along," Rainie said.

Coye Cheshire, a University of California, Berkeley professor who studies social interaction online, is also planning to research this subject more deeply. He's working on a study about people's perceptions of the pictures they post to Facebook and Twitter.

So far in his research, Cheshire has observed that people tend to perceive a loss in their ability to control and contain info about themselves after something bad happens with it.

"What we don't see, however, is any increase in their online discretionary behaviors," he said.

Several factors could account for this phenomenon, which seems to run counter to the experiments where an animal learns to avoid electrodes after getting zapped a few times. "Thankfully, we don't have any data showing people aren't able to learn," Cheshire said with a chuckle.

But perhaps new technologies, with their increasingly slick and simplified interfaces, are outpacing humans' ability to adjust.

How long did it take us to determine the manners and appropriate response times associated with e-mail and text messages? Have we even figured them out yet?

"People are kind of slow, actually, to evolve to large-scale normative shifts," Cheshire said. "It takes a very long time for that to happen."

While we're trying to figure out whether it's appropriate to tag a tipsy friend in a Facebook photo, software engineers are barreling ahead.

Google has already deployed apps capable of identifying objects, goods, text, artwork and buildings by taking a picture from a phone and running some algorithms over it.

That architecture is also used for privacy-related endeavors, such as the blurring of faces and license plates captured by Google's Street View vehicles.

The search giant is also tuning the ability to identify the faces of people who agree to be included in its database, a director for the project said in an interview last week.

Face.com released an app called Photo Finder, which looks for familiar faces in images on Facebook in an attempt to find a person's photos that haven't already been tagged manually. The company's computers have scanned 23 billion photos from people who have installed the app and authorized it to look at their pictures and ones from friends.

"When it comes to normal people's photos, the truth is that most of the photos are within the closed doors of a social network," said Face.com CEO Gil Hirsch. "Not that many people have a lot of photos of themselves out there on the open Web."

Let's say you take a picture at your office that has a business card or envelope with your home address or some kind of sensitive information visible in the background.

Evernote, ZoomReader and many other companies have proprietary image-processing capabilities that can recognize words in images and then make that text searchable. About one-fifth of all notes stored in Evernote's database contain images, Evernote CEO Phil Libin said in a recent interview.

Generally, text transcribed by image services, such as Evernote's, isn't offered up to public search engines such as Google. However, "today, every image that Google touches is analyzed by one or several of our algorithms," said Hartmut Neven, Google's engineering director for image-recognition development.

Flickr, a Yahoo property that's among the largest photo-sharing sites, declined to comment on development plans, but a spokeswoman said, "No idea is out of the question."

Beyond the stacks of info contained within standard picture files, a new breed of applications can pile on even more detailed signals about where a photo was taken.

For example, a new photo-sharing app called Color leverages a smartphone's various sensors to determine more accurately the setting where a picture is taken.

In addition to the phone's GPS location, Color can record gyroscope and compass orientation, as well as ambient sound from the microphone and lighting from the phone's proximity sensor -- tracking 20 to 40 data points in all, Color Labs CEO Bill Nguyen has said.

Some of that info is sent over the internet to Color's servers moments after the app is opened, not just when pictures are taken. Using those signals, the app figures out who is nearby and then displays their photos. On the iPhone, users must tap a button to grant Color permission to access the device's GPS after the app is first loaded, and it won't work at all without that.

Though Color collects all of this info, someone's exact location isn't shown publicly, and the goal isn't to sell any of this data to other companies, Nguyen said. The actual business model involves partnering with restaurateurs and store owners to provide services that make environments more hospitable, he said.

"I think the problem that happens to me a lot online is I never remember: Is this public or private?" Nguyen said of competing social-networking services. "One of the great things about Color is we're telling you, 'Hey, it's public; it's public.' "

However, some people have complained that Color has not been totally upfront about the extent of data that's collected, some of which is instantly made available to nearby strangers. Nguyen acknowledges these concerns and said an upcoming version could make the terms "more clear."

"We think there are, without a doubt, moments where you share things privately and where you share things publicly," Nguyen said. "This is a way that you share openly."

Even popular smartphone systems, such as the iPhone and Android, aren't always explicit about the info they store in photos. Evidence of that can be found in the stream of pictures that are shared online from people unwittingly publishing data that can pinpoint their whereabouts.

Photos shared through e-mail or using Flickr, Photobucket and others can include precise location info, easily surfaced by free software, according to a CNN report in October. Facebook, the most popular photo-sharing site, wipes that info from each image uploaded for security reasons, a spokeswoman said then.

A computer program, aptly named Creepy, demonstrates how easily the location data in photos can be surfaced and plotted on maps. Various apps have popped up that let users selectively strike sensitive data from pictures. Alternatively, smartphone owners can disable location tagging in their phone's settings panel.
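As an added example (not code from the CNN article, from Creepy, or from any of the apps it mentions), the Python script below shows both halves of what the paragraph describes: it walks the JPEG segment structure, finds the APP1 Exif block, reads the GPS sub-IFD and converts the degrees/minutes/seconds rationals into decimal latitude and longitude, and it strips every Exif segment so a copy can be published without location data. The sample JPEG is constructed inside the script (a header-only file with no image data) so it runs offline, and the coordinates are made up.

```python
import struct

# TIFF field types used by Exif: type -> size in bytes of one element
_TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
_TAG_GPS_IFD = 0x8825   # pointer from IFD0 to the GPS sub-IFD
_GPS_LAT_REF, _GPS_LAT, _GPS_LON_REF, _GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def iter_segments(jpeg):
    """Yield (marker, start, end) per JPEG segment. Everything from SOS to the
    end of the file is entropy-coded scan data without a length, so it is
    returned as one final chunk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xD9:                       # EOI
            yield marker, pos, pos + 2
            return
        if marker == 0xDA:                       # SOS: rest of file is scan data
            yield marker, pos, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _read_ifd(tiff, offset, e):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    (n,) = struct.unpack(e + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, cnt = struct.unpack(e + "HHI", tiff[at:at + 8])
        entries[tag] = (typ, cnt, tiff[at + 8:at + 12])
    return entries


def _field(tiff, e, typ, cnt, raw):
    """Decode an IFD entry; values longer than 4 bytes live at an offset."""
    size = _TYPE_SIZES[typ] * cnt
    if size <= 4:
        data = raw[:size]
    else:
        (off,) = struct.unpack(e + "I", raw)
        data = tiff[off:off + size]
    if typ == 2:                                  # ASCII
        return data.rstrip(b"\0").decode("ascii")
    if typ == 4:                                  # LONG
        return struct.unpack(e + "I" * cnt, data)
    if typ == 5:                                  # RATIONAL -> float per element
        return [num / den for num, den in struct.iter_unpack(e + "II", data)]
    return data


def extract_gps(jpeg):
    """Return (latitude, longitude) in decimal degrees, or None if absent."""
    for marker, start, end in iter_segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != b"Exif\0\0":
            continue
        tiff = jpeg[start + 10:end]
        e = ">" if tiff[:2] == b"MM" else "<"     # byte order from TIFF header
        (ifd0_off,) = struct.unpack(e + "I", tiff[4:8])
        ifd0 = _read_ifd(tiff, ifd0_off, e)
        if _TAG_GPS_IFD not in ifd0:
            return None
        gps = _read_ifd(tiff, _field(tiff, e, *ifd0[_TAG_GPS_IFD])[0], e)
        if not all(t in gps for t in (_GPS_LAT_REF, _GPS_LAT, _GPS_LON_REF, _GPS_LON)):
            return None
        coords = []
        for ref_tag, val_tag, neg in ((_GPS_LAT_REF, _GPS_LAT, "S"), (_GPS_LON_REF, _GPS_LON, "W")):
            d, m, s = _field(tiff, e, *gps[val_tag])
            value = d + m / 60 + s / 3600
            coords.append(-value if _field(tiff, e, *gps[ref_tag]) == neg else value)
        return tuple(coords)
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 Exif segment dropped; image data untouched."""
    out = [b"\xff\xd8"]
    for marker, start, end in iter_segments(jpeg):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == b"Exif\0\0":
            continue
        out.append(jpeg[start:end])
    return b"".join(out)


def _to_dms(value):
    """Decimal degrees -> Exif-style [(deg,1), (min,1), (sec*100,100)] rationals."""
    v = abs(value)
    deg = int(v)
    minutes = int((v - deg) * 60)
    seconds = round(((v - deg) * 60 - minutes) * 60 * 100)
    return [(deg, 1), (minutes, 1), (seconds, 100)]


def build_sample_jpeg(lat, lon):
    """Constructed sample: SOI + APP1 Exif holding only a GPS IFD + EOI, no image data.
    Big-endian TIFF layout: header@0, IFD0@8, GPS IFD@26, rationals@80."""
    e, gps_off, data_off = ">", 26, 80
    rat = lambda dms: b"".join(struct.pack(e + "II", n, d) for n, d in dms)
    tiff = b"MM" + struct.pack(e + "HI", 42, 8)
    tiff += struct.pack(e + "H", 1) + struct.pack(e + "HHII", _TAG_GPS_IFD, 4, 1, gps_off) + b"\0\0\0\0"
    tiff += struct.pack(e + "H", 4)
    tiff += struct.pack(e + "HHI", _GPS_LAT_REF, 2, 2) + (b"N\0\0\0" if lat >= 0 else b"S\0\0\0")
    tiff += struct.pack(e + "HHII", _GPS_LAT, 5, 3, data_off)
    tiff += struct.pack(e + "HHI", _GPS_LON_REF, 2, 2) + (b"E\0\0\0" if lon >= 0 else b"W\0\0\0")
    tiff += struct.pack(e + "HHII", _GPS_LON, 5, 3, data_off + 24)
    tiff += b"\0\0\0\0" + rat(_to_dms(lat)) + rat(_to_dms(lon))
    body = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"


if __name__ == "__main__":
    photo = build_sample_jpeg(37.7749, -122.4194)   # made-up coordinates
    print("embedded GPS:", extract_gps(photo))
    print("after strip :", extract_gps(strip_exif(photo)))
```

Run it against a real photo by reading the file bytes and passing them to `extract_gps` and `strip_exif`; the stripper leaves the scan data and every non-Exif segment (JFIF APP0, quantization tables, Huffman tables) in place, so the output still decodes as the same image. Note that the same TIFF walker can be pointed at the Exif IFD (tag 0x8769) to pull camera model and timestamps, which are the other identifying layers the article alludes to.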

AnchorFree, a security-software firm, is planning to offer a feature in the next six months that can automatically remove GPS data from photos before they're sent over the Web.

"iPhone doesn't protect itself," said Eugene Lapidous, AnchorFree's chief architect. "So we have to provide some intermediary service in the cloud."

Any existing privacy concerns we have may be perpetually aggravated by the constant strides made in technical laboratories.

"As we think of new ways to use the content, there's no way to go back," Berkeley's Cheshire said. "It's an added problem to think about how this could be indexed, searchable on a completely separate system that hasn't been invented yet."

 

How to Secure Your Online Life

There are add-ons, VPNs, and apps galore that offer a safer browsing experience—but the browser you use, and the sites you visit, offer strong but simple security tools, too. Here are the best of the no-hassle, no-install-required options that you should be using now.

Stash Your Passwords the Safe Way

If you're up for it, consider making LastPass your easy, any-browser, any-OS solution, or get into KeePass for even tighter, more customized security. Not up for installing something new and setting it all up? Then simply fix up your current browser's password-saving system.

  • Firefox can save your passwords, but does so insecurely, so that anyone who grabs your laptop, or digs into your files, can read them. So be sure to enable the Master Password, and while you're at it, install Master Password + for a less-annoying, more-secure tool.
  • Chrome can save your passwords, too, and also sync them through the Google cloud to any other Chrome browser you use. But be sure to protect your passwords with a passphrase.
  • Internet Explorer, even in its pre-release ninth version, doesn't offer much in the way of password protection, beyond a toggle to ask you before saving each password. You're best off getting friendly with LastPass.

 

Enable HTTPS and Better Security Everywhere You Can

If you're surfing without an encrypted connection, you're leaving yourself open to, at best, a practical joke from friends; at worst, a breach of security in your social networks, email, or other accounts, which can lead to further harm. It seems like paranoia, unless you've had a tech-savvy friend prove to you just how open you are.

Most sites that you'd want to use now offer an encrypted connection option, usually termed as "HTTPS" or "SSL." If a site doesn't have that option, and it's holding your personal data, consider whether you really need to be using that service. Here are the services for which you should definitely enable the secure/https option:

  • Gmail: Secure connections are usually a default now, but double-check: head into Settings, look under "Browser connection," and ensure that "Always use https" is enabled. (Be sure, too, that you've enabled two-step verification for your Google account, Gmail included.)
  • Facebook: Recently offered, and not enabled by default. To make use of it, click the Account link on any Facebook page while logged in, head to Account Settings, then, under "Account Security", hit the change button and check the box that says "Browse Facebook on a secure connection (https) whenever possible." Hit the Save button and head elsewhere.
  • Yahoo: Yahoo has a lot of really great, personalized account security options—so why aren't you using them? Logged into any Yahoo page, click under your name (in the "Hi Kevin" link), and choose Account Info. You'll have to enter your password again (but, hey, that's good!), but then you can set custom password reset questions, require an SMS code for verification, set up an alternate email address for account recovery, and many more really good options that are both free and easy to use.
  • Hotmail: Now offered for everyone, though not fully supported across clients like Outlook and Windows Live Mail. If you're mostly using Hotmail in your browser, add an "s" to your Hotmail URL (https://hotmail.com), and you should see a screen asking you if you always want to use a secure connection. You probably do.
  • eBay/PayPal: Log into PayPal, click the My Account tab, then click the Profile sub-tab. Look for the "Security Key" tab. For $5, you can order a passphrase that arrives in physical form, and without which PayPal won't let anyone come close to your money. For those who do a decent amount of trading, especially overseas, it's a worthy investment.

    Make It Harder for People to Pretend They're You

    Not every site offers encrypted connections or extra security options, but most offer some kind of password recovery scheme for your convenience. Then again, most of them are hinged around simple email confirmations, or security "questions" that someone could discover from, say, your Facebook profile.

    What's to be done about overly simple security features? Do your own thing. Create fake, snarky answers to security questions about your favorite teacher, your first pet, or easily discovered relatives. One thing I've done for security questions that seem halfway decent is to answer the opposite of whatever the question was—so, enter yourleast favorite teacher, your last childhood pet, and maybe not the mascot of the high school you attended, but the mascot of that school's arch-rival.

    Keep Insecure Plug-Ins from Exposing You

     

     

    Take a tip from Jeff Atwood, who found that, despite his best intentions, he had a fake anti-virus app installed on his machine. The culprit was a Java plug-in that allowed a site Atwood was passing by to sneak in some badly behaved code.

    The modern browser is full of plug-ins, some of them occasionally necessary. How does one prevent these house guests from inviting all kinds of crashers onto your system?

    First things first: head to Mozilla's super-handy Plugin Check page, which works with almost any browser, and see which of your plug-ins need updating now. You'll probably be a bit surprised, as even I was, evidenced by the screen capture above.

    Chrome has a few good options for keeping insecure plug-ins at bay. You can set them to "click-to-play" or disable them individually, or enter about:flags into your address bar and enable the "Disable outdated plugins" option to automatically shut down plug-ins that have known vulnerabilities.

    Firefox will work some automatic plug-in monitoring into its future versions, as will other browsers; for now, consider making Plugin Check something you visit frequently—maybe even as one of your multiple startup pages.

    Pretend Like You're Always Surfing in Public

    When Starbucks went totally free with their Wi-Fi recently, we offered some good tips on staying safe on public Wi-Fi networks. They are, however, good tips for doing any kind of surfing. Turn off sharing, enable your firewall, and poke into a few other settings that are built-in, free, and easy.

How to Secure and Encrypt Your Web Browsing on Public Networks (with Hamachi and Privoxy)

When you're browsing from a public Wi-Fi connection—like at your favorite coffee shop—anyone on that network can snoop on what you're doing, with very few exceptions. So can the IT crew at your workplace. Today, we're going to walk through setting up an encrypted proxy server on your home computer so you can secure your browsing session no matter where you're connected, keeping your private data significantly more private.

What's the Point?

We've mentioned this more than a few times, but when you're browsing on a public Wi-Fi network and aren't connecting to sites that use HTTPS, anyone on that network can see what you're doing; they can grab passwords sent in plain text, or they can potentially steal your browser cookies and pretend they're you. (That's how, for example, Firesheep works.)

On Monday we offered some tips for securing your online life the easy way, which involved using HTTPS connections on web sites that provide them, stashing your passwords more securely, and keeping your plug-ins up-to-date (among other things). Today we're going to take this to a bit more advanced level, detailing how to encrypt and secure your entire browsing session, regardless of whether or not you're using HTTPS to browse a site.

Here's How It Works

Below, I'm going to detail how to set up a secure, encrypted connection to a web proxy you're going to run from your home computer. The secure proxy will hide all your browsing from prying eyes, even on a public network. Prox-wha? A web proxy is essentially a middleman that stands between you and the web at large. When you browse to a page using a proxy, you pass your request to the proxy, which actually fetches the page content and then passes it back to you.

A proxy alone isn't enough if you're connecting via a simple, unencrypted HTTP connection—a sneaky user could still watch what you're passing back and forth over a public network. The special sauce involves Hamachi, a free app that creates a secure, encrypted Virtual Private Network (VPN) between your computer and any other of your computers that you've installed and configured Hamachi on. By setting up a proxy on one computer, then connecting to that proxy using a secure connection via Hamachi, you're able to encrypt and secure your browsing session.

If that sounds complicated, don't worry: It's actually pretty easy to set up, and I'll walk you through every step. Hat tip to user warwagon from the Neowin forums.

What You'll Need

  • An always-on computer: This is the computer you're going to securely tunnel your traffic through when you're browsing from outside your home network.
  • Hamachi: A free (for non-commercial use), cross-platform VPN service that, simply put, gives you secure access to your home network no matter where you are.
  • Privoxy: A free, easy to set up web proxy with advanced privacy features.

Step One: Install and Set Up Hamachi

The first thing you'll want to do is install Hamachi on the computer that's going to act as your proxy and on the computer(s) you want to browse securely on when you're on a public network. For example, I've got Hamachi installed on my Windows desktop computer at home (which will act as my secure proxy), then also installed on my MacBook Air (which I'll be using on public networks).

Once you've installed and powered on Hamachi (the first time you launch it, you need to click the blue power button to "Power on"), you'll need to create a new private network. To do so, click the Network menu, then select Create a new network. Give your network a unique ID and password (remember the password), then click Create. That's all there is to setting up your new network.

Next, download and install Hamachi on your laptop or other machine. Again, power on Hamachi, but this time, instead of creating a new network, select Network > Join an existing network, and then enter the Network ID and password you set up on the first machine.

Note: You can also create and manage your networks by signing into LogMeIn. For our purposes it's not necessary, but it is a great way to further manage Hamachi.

You can rinse and repeat this on every machine you want to do this with, for up to 16 clients (that's the limit for Hamachi's free-for-non-commercial-use version). Now that you're set up with Hamachi, it's time to install Privoxy on your always-on home machine.

Step 2: Install and Set Up Privoxy

Privoxy is a free, open source web proxy that we're going to install to your always-on home machine. So download Privoxy from Sourceforge for your system and install. Privoxy is available for Windows, Mac, and Linux, so you should be able to find a download to fit your needs. For my example, I'm using Windows, which you can easily install by running through a regular old installer. Things may run slightly differently on other systems, but it should be the same basic setup. If you need help, check Privoxy's installation page.

After you've installed Privoxy, launch the application. (If you're running a firewall, you may need to give it access to open a port.) In Windows, Privoxy loads as a blank window. Don't worry, that doesn't mean it isn't working. In fact, you can close this window; Privoxy will still be running in your system tray.

Now it's time to configure Privoxy to shuttle traffic through your Hamachi setup, so right-click Privoxy in the system tray and select Edit > Main Configuration. Notepad will open with a text file called config.txt; this is Privoxy's main configuration file. Press Ctrl+f and search for listen-address 127.0.0.1:8118. Comment out that code by entering # in front of it, then paste listen-address followed by the IP address created by Hamachi. You can see, for example, that my proxy is set to listen-address 5.xxx.xxx.xx:8118. Save config.txt and restart Privoxy.
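To make that listen-address edit repeatable and to catch the one slip that matters here, below is an added Python example (not code from Privoxy or Hamachi): it comments out the loopback line, appends a listen-address bound to the VPN IP, and flags a config that binds to 0.0.0.0, which would let every network the home machine sits on reach the proxy instead of just the Hamachi link. It assumes Hamachi addresses fall in 5.0.0.0/8, as in the article's screenshot, and Privoxy's default port 8118; the config excerpt and VPN IP are constructed.

```python
"""Rewrite and sanity-check Privoxy's listen-address for a Hamachi-only proxy.

Added example, not code from Privoxy or Hamachi. Assumes the Hamachi adapter
gets an address in 5.0.0.0/8 (as in the article) and Privoxy's default port 8118.
"""
import ipaddress
import re

HAMACHI_NET = ipaddress.ip_network("5.0.0.0/8")  # assumption: adjust if your range differs
# Uncommented listen-address lines; [ \t] instead of \s so the line break is not swallowed.
LISTEN_RE = re.compile(r"^[ \t]*listen-address[ \t]+(\S+)[ \t]*$", re.MULTILINE)

# Constructed excerpt standing in for Privoxy's default config.txt.
SAMPLE_CONFIG = """\
# Privoxy config.txt (constructed excerpt)
listen-address  127.0.0.1:8118
#  listen-address  192.168.0.1:8118
"""


def active_listen_addresses(config_text):
    """Return the value of every listen-address line that is not commented out."""
    return LISTEN_RE.findall(config_text)


def rewrite_listen_address(config_text, vpn_ip, port=8118):
    """Comment out the active listen-address lines and bind Privoxy to vpn_ip:port.

    Same edit the article makes by hand: '#' in front of the loopback line,
    then a new listen-address carrying the Hamachi address.
    """
    ipaddress.ip_address(vpn_ip)  # raises ValueError on a malformed address
    commented = LISTEN_RE.sub(lambda m: "#" + m.group(0).lstrip(), config_text)
    return commented.rstrip("\n") + "\nlisten-address %s:%d\n" % (vpn_ip, port)


def check_listen_addresses(config_text):
    """Classify each active bind address as loopback, exposed, vpn or other."""
    findings = []
    for value in active_listen_addresses(config_text):
        host, sep, _port = value.rpartition(":")
        if not sep:  # no port given: treat the whole value as the host
            host = value
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:  # hostname or garbage: inspect by hand
            findings.append((value, "other"))
            continue
        if addr.is_loopback:  # only the home machine itself can use the proxy
            findings.append((value, "loopback"))
        elif addr.is_unspecified:  # 0.0.0.0: LAN and public side too, an open proxy
            findings.append((value, "exposed"))
        elif addr in HAMACHI_NET:  # reachable only over the encrypted Hamachi link
            findings.append((value, "vpn"))
        else:
            findings.append((value, "other"))
    return findings


if __name__ == "__main__":
    print(check_listen_addresses(SAMPLE_CONFIG))  # [('127.0.0.1:8118', 'loopback')]
    fixed = rewrite_listen_address(SAMPLE_CONFIG, "5.123.45.67")  # constructed VPN IP
    print(check_listen_addresses(fixed))  # [('5.123.45.67:8118', 'vpn')]
```

Run check_listen_addresses over your real config.txt after saving; anything other than a single "vpn" finding means the proxy is either unreachable from the laptop or listening more widely than intended.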

Step 3: Set Up Your Web Browser to Use Your New Secure Proxy

Now you just need to set your browser to use the secure Hamachi+Privoxy proxy you've set up so far. This last step varies by browser, but I'll walk through setting it up on Chrome or Firefox.

On Chrome

  1. Install the Proxy Switchy extension. Once installed, it should automatically open a new tab with its options. (If it doesn't, right-click the Proxy Switchy icon in your toolbar and select Options.)
  2. Enter a profile name—something like Privoxy.
  3. In the HTTP Proxy box under Manual Configuration, enter the Hamachi VPN IP address to the computer where you set up your proxy. Set the port to 8118. (Remember that you need Hamachi running on both computers when you want to use this proxy, and you can get the IP of any other computer on your Hamachi network by right-clicking the computer name and selecting Copy address.)
  4. Click Save and you're done.


Whenever you want to browse using your secure proxy—whenever you hit your coffee shop, for example—just click the Proxy Switchy icon in Chrome, then select your Privoxy connection.

On Firefox

  1. Open your Firefox preferences, then click on the Advanced tab. Click the Network tab, then the Settings button next to "Configure how Firefox connects to the Internet".
  2. Click Manual proxy configuration, then enter the IP address of your Hamachi-powered proxy server and 8118 as your port. (In my case, for example, I'd right click "Windows" in Hamachi and copy the address for the Windows computer.)
  3. Click OK.

Make Sure It's Working

To test that Privoxy is working, you can simply point your browser to http://config.privoxy.org/. If it is, you'll see a message like "This is Privoxy 3.0.17 on Windows (5.xxx.xxx.xx), port 8118, enabled." If not, you'll see a page that reads "Privoxy is not being used". Also, if you're on a public Wi-Fi connection and you navigate to something like WhatIsMyIP.com with your proxy turned off, you should see a different IP when you reload the page with your proxy turned on. (Essentially, when turned on, your home's public IP address should be showing.)


And that's all there is to it. This may sound a touch geeky or complicated, but it's an extremely useful thing to have set up, and it's actually really easy to set up and use. And remember, even though your proxy is running over an HTTP connection, Hamachi is encrypting everything that runs between your computers, so it's still a secure option. Also keep in mind: This is far from the only way to accomplish this task. You could, for example, set up an SSH SOCKS proxy to encrypt your browsing. I like this method because it's relatively simple to set up, and so far, it's worked like a charm for me.

SpyZeuS fails first attempt to disable Rapport banking safeguard

Security software firm Trusteer now says that Rapport, the Trojan-protection program it supplies to customers of Bank of America, ING Direct, eBay and dozens of other financial transactions sites, is not disabled by the biggest, baddest banking Trojan to arrive on the Web in some time.

Cybersecurity blogger Brian Krebs earlier this week reported the creators of the rival banking Trojans, ZeuS and SpyEye, recently joined forces to create a powerful hybrid, dubbed SpyZeuS.

Krebs reported that SpyZeuS carries instructions to disable Rapport. So Trusteer obtained a copy of SpyZeuS from anti-virus firm Trend Micro, ran some tests and confirmed that the Rapport-disabling component does not work.

"There is no concern for Rapport users," says Amit Klein, Trusteer's chief technical officer. "They are protected."

Trusteer is currently used by more than 18 million online banking customers from some 70 online financial transactions firms, mostly banks, in North America and Europe, says Klein.

Users must download a Rapport plug-in to protect specific accounts. It creates a vault around data entered and presented in the browser, maintains a tunnel for safe communication with the destination Web site and prevents redirection to look-alike, faked Web sites. If your bank does not offer the Rapport plug-in, you can download it for free here.

ZeuS is the creation of a brilliant programmer who goes by the nickname A-Z. It has been the top-selling banking Trojan for several years. ZeuS is a malicious program that arrives on your hard drive in the form of an infection. You typically get the initial infection by clicking on a viral Web link or by visiting a corrupted Web site.

ZeuS features a simple-to-use blue dashboard. It is primarily designed to enable an intruder to hijack online bank accounts. SpyEye, which does much the same thing as ZeuS, came on strong in 2010 as a competitive rival to ZeuS.

SpyEye is much more modular than ZeuS, says Aviv Raff, CTO and co-founder of Seculert. It makes the creation of additional plugins and extensions easier. There are many more plugins in SpyEye than in ZeuS to customize tasks, such as stealing credit card information, says Raff.

Now that ZeuS has merged with SpyEye, security experts are keeping a close watch on how SpyZeuS evolves, including whether the bad guys take another crack at Rapport.

"As this version is being updated on a daily basis, I do expect that they will release a fix for this, the same as they already do for other bugs," says Raff.

HOW TO: Make Sure Your Smartphone Payments Are Secure

Consumers want mobile payments. So do the mobile carriers, device manufacturers and point-of-sale (POS) vendors. Amex, Visa, MasterCard and all of the other payment providers also have something to gain. Payment is the next frontier of mobile technology and is becoming a hot area for innovation helping to make carrying a wallet obsolete.

But, recent high-profile security breaches aren’t helping us drive toward that reality. Even outside of the mobile arena, Firesheep democratized data theft for anyone inclined, and the recent challenges by PayPal via iTunes illustrate that no brand is safe or sacred.

Remember back in 1998 when people were scared about buying things online? We eventually figured out how to do it, and moreover, do it right.

We are now at the same crossroads with mobile. Mobile is a completely different animal however, and one that comes with a full host of new threats. We cannot simply apply our dated, web-based security best practices to the mobile domain. In fact, I’d argue that mobile security is critical to the maturation of the web itself, in 2011 and beyond.

Whether you’re a consumer, developer or investor delving into mobile payments technologies for personal or professional use, here’s why you should care and the top factors to consider when evaluating technologies in the coming year.


Security Is Not Sexy, but It Affects Your Financial Health


We, an industry of entrepreneurs, investors and builders of great software, too often turn a blind eye to the reality of security vulnerabilities. There are exponentially more of them as the pace of technology innovation quickens.

Security means directly addressing risks and the reality is we really don’t like people raining on our parade. To date, security and peace-of-mind has been represented as a checkbox, not a core competence or the make-or-break software issue that it should be.

Even the most well-respected brands have challenges in this regard, as illustrated by PayPal and Bank of America’s mobile payment efforts.

In fact, the more and more we do on our mobile phones, the more enticing it becomes to take advantage of holes in mobile security. There is a huge opportunity to secure the mobile lifestyle and enable trustworthy payment applications.

Security is something we’ve focused on at my company, and it’s the reason we’re able to work so closely and effectively with point-of-sale systems and vendors in the hospitality industry. The security of our app is not just a feature; it’s the heart and soul.

Continuing to ignore the gravity of mobile security threats as the web matures substantially increases the likelihood that your credit card information will be stolen while your bar tab is open, while it’s being transmitted over the wireless networks, or while it’s stored in massive databases.

Even if a mobile payments provider or bank has the best fraud and theft protection, the odds are high that you will still need to request a new card from your bank and ensure that it doesn’t process any of the foreign charges before you can resume your life. In the worst case scenario, you have to navigate a slew of identity theft issues and dedicate unknown hours of precious time re-securing your personal data, identity and financial security — instead of living your life.


Payment Methods and What “Encryption” Really Means


There are many different options available to companies, services and apps when initiating a mobile transaction. These include:

  • Web-based transactions (through the browser)
  • SMS (via text messages)
  • NFC (near-field communication, usually a sticker put on the phone, and newly popularized because Apple and Google are rumored to be putting NFC inside their next-generation phones)
  • Tokenization (like paying for a ticket at a theme park, i.e. converting first into an alternate currency)
  • And many more options.

These technologies will all succeed in completing a transaction, but they all rely on some type of encryption to enforce security along the way.

For all intents and purposes, encryption is a process by which information is transformed so that it is unreadable to anyone except those possessing the key or the decryption process. A wide variety of encryption processes or schemes have been developed and employed to safeguard our payment data.

To set your fears at bay, companies offer assurances of the “best” encryption technology, the best-guarded servers, or the standard certifications by McAfee and Symantec.

The truth is that today’s dominant approaches to mobile security date back to 1995 or earlier and seek to conduct mobile transactions in the same way as traditional transactions — by treating the phone like it is just another computer, adding in some extra encryption for good measure.

But, mobile has very different vulnerabilities, and although encryption is an important piece of the puzzle, it isn’t the whole solution.


Ask About Intermediaries


What you should look for is establishing a direct connection between your phone and the venue’s point-of-sale (POS) system (e.g. a cash register or payment console). Companies that do this mitigate threats from middlemen, and the fewer intermediaries, the better.

Also, you should care about whether your information is processed locally at a venue or pushed to a larger, third-party server farm somewhere else. The bottom line is that fewer steps and company touches is better. You might not always know explicitly whether this is the case, but you should get in the habit of asking.


Better Understand Where Your Data Lives


Above and beyond everything else, common sense dictates: If there’s enough money in the bank, someone will try to steal it. 7-Eleven only carries $20 cash at night for a reason.

Your payment data should solely be stored on your phone and not in someone else’s database with tens of thousands of other credit card numbers. It’s hard to steal from someone if there’s no money in the safe. This is the only thing that truly deters hackers from going after a big score.

Keeping your payment data solely in your phone is equivalent to keeping your credit card in your wallet.

For consumers, you can usually find out where data is being stored by perusing a website carefully or reading well-researched articles and reviews. Journalists are doing a better and better job of ferreting out where your data lives, and how it is being passed around.

For app developers and payments services, keeping the data out of their servers absolutely involves more work and clever engineering. It’s hard to avoid any third parties (whether for processing or hardware), because those third parties can make things a lot easier on a startup. It’s worth it to start down this path if you haven’t already, since consumers will increasingly demand it.


Be Confident the Data’s Encrypted


The very best approaches to mobile security never send your payment information in a form that an attacker in proximity could intercept.

It should be a priority to have industry-standard encryption. Customer smartphones talk directly to the POS. Ideally vendors and companies won’t even need this extra data in the first place.


Your Cheat Sheet


In sum, the stakes are high when the smartphone replaces the wallet. We have to rethink where the data lives and who has access to it, convenience notwithstanding. We’re all responsible for asking the hard questions to be informed consumers when we support a carrier, manufacturer, vendor network and technology.

Here’s your cheat sheet for owning your mobile transaction financial health. I urge you to ensure that your credit card information is:

  • Only sent to the venue’s POS system, rather than passing through third party services.
  • Only stored on your phone, where it’s safest, and not in the cloud.
  • Always encrypted when it is sent to the POS system, where the transaction is taking place.