Compared to the risks of disclosing your passwords described in section 3, spyware is a relatively small risk. It does, nevertheless, exist, and you should be aware of how spyware works, how it is defeated and how it is not defeated.
How Spyware Works
Spyware is software that is downloaded onto your computer without your knowledge. It monitors activity on your computer and compiles a report. Some spyware monitors what you type, some monitors what passes through your clipboard and some monitors the data entered in your browser's logon forms. It then transmits its report to Mr. Badguy over the Internet.
How Spyware is
(Most) responsible financial website operators defeat spyware by using a logon screen that asks for different logon information each time. This can be done either by asking one of a selection of pre-agreed questions and answers or by asking for three different characters from your password.
If the information you used to log on is intercepted by spyware and Mr. Badguy tries to use it, it doesn't work, because the site now asks for something different. To prevent him from simply retrying until it does, his wrong entries lock your account until you have agreed a new password.
Changing the logon information is the only true defense against spyware. If your bank allows you to log on with the same information each time, you are at risk. It doesn't matter if they just ask for a password or if they ask for a user name, password, date of birth, address, zip code and your great aunt's maiden name. If it's always the same, it's vulnerable.
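The logon scheme described above, sketched as an added example (not code from the original page or from any bank's system): each logon asks for three different password positions, a captured answer fails against the next challenge, and repeated wrong entries lock the account. The class name, the lockout threshold of three and keeping the password in memory are assumptions made for illustration.

```python
import hmac
import secrets

MAX_FAILURES = 3     # assumed lockout threshold; the page gives no number
POSITIONS_ASKED = 3  # "three different characters from your password"


class PartialPasswordLogin:
    """Asks for a different set of password positions on every logon."""

    def __init__(self, password, rng=None):
        # Simplification: the password is held in memory so that single
        # characters can be checked.
        self._password = password
        self._rng = rng or secrets.SystemRandom()
        self._pending = None
        self.failures = 0
        self.locked = False

    def challenge(self):
        """Return the 1-based positions the user must supply this time."""
        population = range(1, len(self._password) + 1)
        self._pending = sorted(self._rng.sample(population, POSITIONS_ASKED))
        return list(self._pending)

    def verify(self, answer):
        """Check an answer against the pending challenge, which is single-use."""
        if self.locked or self._pending is None:
            return False
        expected = "".join(self._password[p - 1] for p in self._pending)
        self._pending = None
        if hmac.compare_digest(expected.encode(), answer.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True  # stays locked until a new password is agreed
        return False


if __name__ == "__main__":
    site = PartialPasswordLogin("abcdefghij")  # constructed sample password
    asked = site.challenge()
    captured = "".join("abcdefghij"[p - 1] for p in asked)
    print("asked for", asked, "-> genuine logon:", site.verify(captured))
    # The same captured characters replayed against fresh challenges.
    while not site.locked:
        asked = site.challenge()
        print("asked for", asked, "-> replay:", site.verify(captured))
```

Once the account is locked, even a correct answer is refused, which matches the page's point that the lock holds until a new password has been agreed.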
How Spyware is
Spyware is not defeated by anti-spyware programs, firewalls or password managers that inject your password directly into your browser form. These can certainly help in the fight against spyware, but they can never be complete solutions. Here's why:
Anti-spyware programs rely on recognizing the spyware program from a list of known spyware. If you have one of these programs and the company supplying it hasn't encountered the particular spyware you have, it will not detect it.
Your firewall's contribution to the fight against spyware is to stop it from transmitting its report. The problem is that the firewall will ask you for permission, and the chances are that you will give it!
If you have a piece of spyware and it tries to send its report, your firewall will not say:
"ANastySpyware is attempting to access the Internet - Permit/Block"
It will say:
"Norton Update" (or "MS Messenger", or almost any other program that you are likely to have) "is attempting to access the Internet - Permit/Block"
If the program that the spyware chooses to mimic is one that you actually have, it's just too easy to say "Permit".
Direct Entry Password
One well-known password manager boasts that because it transfers your passwords directly into your browser form, there is no risk of them being intercepted by key logging spyware. The statement is, of course, true, but only because they specified "key logging" spyware. Key logging is not the only type of spyware: as described above, some spyware monitors the clipboard and some monitors the data entered in your browser's logon forms.
Only entrust financial transactions to web sites that ask for different information each time you log on.