Slashdot Mirror


Keylogging Used To Catch Bank Crackers

An anonymous reader writes "BBC News is reporting that the British police National High Tech Crime Unit has foiled an attempted fraud by hackers using keylogging software. The London branch of the Sumitomo Mitsui bank of Japan was the target, and a person has been arrested in Israel after being identified as the recipient of an attempted electronic transfer of UKP13.9m."

38 of 190 comments

  1. Even the submitter didn't read the article!! by REBloomfield · · Score: 5, Insightful

    The crooks were the ones using the keyloggers, not the people who caught them!!!!!!

    1. Re:Even the submitter didn't read the article!! by Trolling4Columbine · · Score: 5, Funny

      You're new here, aren't you...

      --
      Socialism: A feeling of discontent and resentment caused by a desire for the possessions or qualities of another.
    2. Re:Even the submitter didn't read the article!! by lucabrasi999 · · Score: 4, Insightful

      The editor didn't read it, either.

    3. Re:Even the submitter didn't read the article!! by akintayo · · Score: 4, Insightful

      This seems to be a case of a badly constructed sentence, rather than the submitter not understanding the article.

      --
      Woe be on to them, all who rise against poor people, shall perish in a the end. Buju Banton
  2. Too much by turtled · · Score: 2, Insightful

    Man, trying to get into bank records? You know everything is logged somehow. It scares me to think about 2 things... 1, life in prison, and, 2, with that much money, it draws suspicion, so, you really can't spend it.

    --
    "I cannot think of any need in childhood as strong as the need for a father's protection." -- Sigmund Freud
    1. Re:Too much by lecithin · · Score: 2, Interesting

      Yea, but getting away with it once, is all you need for the rest of your life. I wonder how many have succeeded that we will never hear about.

      Kinda like Enron right?

      --
      It could be worse, it could be Monday.
    2. Re:Too much by mangu · · Score: 4, Informative
      > with that much money, it draws suspicion, so, you really can't spend it.

      Ever heard of "laundering" money? What you have to do is open a legit company and make it profitable with the money you have stashed somewhere. Tricky, yes. But possibly doable.

      However you are right about drawing suspicion. You can never become as rich as $400 million, because being as rich as that will make you automatically famous. If you stay below a limit, which I assume to be about up to $10 million if done right, you might be able to have a comfortable life without getting caught.


      But all this is theory. In practice, I can't recall any heist above $1 million where the perps got away. It may take some time, even years, but you will be caught in the end. You may be much smarter than the cops, but once the thing is done, they have all the time until you die to catch you. No, even if you manage to escape, you'll never have a quiet moment without worry. Anyone contemplating a big robbery should google ronald biggs train robbery if they think escaping to a far away country is an option.

  3. Slashdot story incorrect by Anonymous Coward · · Score: 5, Informative

    Um.. yeah, this article synopsis would be wrong.

    From the article it links to:

    > They managed to infiltrate the system with keylogging software that would have enabled them to track every button pressed on computer keyboards.

    The hackers were attempting to use keylogging software.. there's nothing in the bbc article whatsoever about how the police caught them, let alone if they were caught using keylogging software (which is what the synopsis says).

    Apparently, not even the editors read slashdot stories :)

  4. How would they do this? by gstoddart · · Score: 4, Insightful

    How do you manage to get key-logging software onto a bank system without physical access?

    Is this more examples of social engineering, or would this have required physical access to the computers? [ I'm assuming here that the general bank computers aren't all on the interweb ]

    Scary as hell that someone (almost) managed to do this.

    --
    Lost at C:>. Found at C.
    1. Re:How would they do this? by Silver+Sloth · · Score: 2, Insightful
      The usual methods
      • Overworked techie department employs consultants without sufficient vetting
      • Disgruntled and overworked techie is approached by bad guys
      • Overworked techies release system into 'live' without sufficient testing/hardening due to pressure to complete by deadline
      Do you see the common thread?
      --
      init 11 - for when you need that edge.
    2. Re:How would they do this? by faloi · · Score: 2, Informative

      I used to do support for a lot of smaller banks in a rural area in the US. If you walked in, said you were from their support company, looked the part and needed to "check on something while you were in the area" they tended not to give you a second glance. You were their outsourced IT guy coming in to check on things. In the years of supporting smaller banks and branches of banks, I only had one instance where someone called the shop to verify I was supposed to be there. And that was after I'd already left.

      --
      "It is a miracle that curiosity survives formal education." -Albert Einstein
  5. THE ARTICLE IS CORRECT... by MLopat · · Score: 2, Informative

    A quick English lesson:

    "BBC News is reporting that the British police National High Tech Crime Unit has foiled an attempted fraud by hackers using keylogging software." - This means the hackers are using keylogging software

    Note the addition of commas: "BBC News is reporting that the British police National High Tech Crime Unit has foiled an attempted fraud, by hackers, using keylogging software." - This means the police are using keylogging software

    The editor of the article is CORRECT!

  6. Blinks behind the mask by Doc+Ruby · · Score: 5, Insightful

    The ambiguous story description could be interpreted to mean either that the crackers installed the keylogger, or that they were caught by keyloggers. Any sensible reader would know that the crackers probably weren't caught by keyloggers, because they'd already have too much access by that point. But even just reading the story shows that their attack was by keylogger, not their capture.

    Now it's obvious: Slashdot submission approvers (staff "authors" who vet the submission queue, to approve stories for publication) just read the text, and decide whether the story is interesting. They don't click the links, they don't think about whether anything makes sense. It really looks like Slashdot's submitters are higher quality than the editors who decide what to publish. And even worse, the editors seem to have the quality of a lower tier of Slashdot readers: grab the most inflammatory interpretation of a post, and run with it - without regard to the facts, or even just the story itself.

    For all Slashdot's championing of the "open" community, we know very little of how the editorial process works. How many editors? Do they know each other? See each other, or work remotely? Is there an editorial policy, written or by "rolling consensus"? Are their criteria? What's the process like? With the published Slashcode so old, there's no way to know details about the queue process even by looking at "the" software. So what goes on there behind the curtain?

    --
    make install -not war

  7. Heh by mattmentecky · · Score: 4, Funny

    Someone in Israel, breaking into a branch of a Japanese bank, stealing British pounds. Well, there's some multiculturalism for you.

  8. Phew! by bigtallmofo · · Score: 4, Funny

    This article would've scared the crap out of me if I hadn't already sent all my money to a Nigerian Prince.

    Once I get the millions in cash I've been promised, I'll be sure to keep it away from any keyboards.

    --
    I'm a big tall mofo.
  9. I fail to understand by hsoft · · Score: 3, Insightful

    I fail to understand how such a thing is possible, and I would appreciate explanations.

    For example, if someone gets my bank account user/pass and logs into my bank account, transferring all my money into his account. When I see this, I will sure call my bank saying that this was an unauthorized transaction, and this transaction should be void, no? Besides, the thief reveals himself by specifying the destination account, no?

    --
    perception is reality
    1. Re:I fail to understand by NeoSkandranon · · Score: 2, Informative

      If the destination account was in a country whose laws make it advantageous to bank there (Think the Caymans, or Switzerland for example) or a country that doesn't particularly respect the victim's home country, getting your dollars (well, pounds) back is going to get a lot harder, if not flat out impossible.

      Of course, the thief would reveal his account number, which can be tied to an identity (or at least a contact) but the difficult issue is leaning on the bank to give up that information.

      --
      If you can't see the value in jet powered ants you should turn in your nerd card. - Dunbal (464142)
    2. Re:I fail to understand by Tenebrious1 · · Score: 2, Insightful

      > When I see this, I will sure call my bank saying that this was an unauthorized transaction, and this transaction should be void, no?

      Where's the proof that it was unauthorized? Only you had access to your account, and only you had rights to transfer the money. So, unless you can prove the account had been compromised, no, there's no recourse. And even if there's proof, the money is gone, there's no "voiding" the transaction. The only thing you might be able to do is sue the bank to try to recover the money.

      > Besides, the thief reveals himself by specifying the destination account, no?

      Not really; the money usually gets transferred from a respectable bank to a smaller bank so it doesn't look too shady, then from the smaller bank overseas; once the money goes overseas to the shady bank it's gone.

      --
      -- If god wanted me to have a sig, he'd have given me a sense of humor.
  10. Abbreviation correction by justanyone · · Score: 4, Informative


    > attempted electronic transfer of UKP13.9m

    Sorry if this is in any way pedantic - just FYI since I used to work in a capital markets trading environment...

    The abbreviation in most currency markets is not UKP, it's GBP, for Great Britain Pounds.

    To quote from a handy reference page:
    > ISO 4217 (Codes for the Representation of Currencies and Funds) defines three-letter abbreviations for world currencies. The general principle used to construct these abbreviations is to take the two-letter abbreviations defined in ISO 3166 (Codes for the Representation of Names of Countries) and append the first letter of the currency name (e.g., USD for the United States Dollar).

    A non-official site's list is at: http://www.jhall.demon.co.uk/currency/by_country.h tml

    The official 4217 list of currency codes is at http://www.iso.ch/iso/en/prods-services/popstds/cu rrencycodeslist.html

    The official ISO 3166 Country codes list is at:
    http://www.iso.ch/iso/en/prods-services/iso3166ma/ 02iso-3166-code-lists/list-en1.html

    1. Re:Abbreviation correction by justanyone · · Score: 2, Insightful

      Yuck! Slashdot's machinery cut up those links. Here they are again:

      The official 4217 list of currency codes is at here

      The official ISO 3166 Country codes list is at:
      here.

    2. Re:Abbreviation correction by leandrod · · Score: 2, Informative
      >> attempted electronic transfer of UKP13.9m
      Sorry if this is in any way pedantic - just FYI since I used to work in a capital markets trading environment... The abbreviation in most currency markets is not UKP, it's GBP

      Also, the SI unit abbreviation for million is M, not m. m is Meter, M is million (mega), so a mM is a million meters (a thousand Km), but Mm, MM or mm don't make any sense at all, nor mGBP.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    3. Re:Abbreviation correction by jabuzz · · Score: 2, Informative

      May be, but that is because the ISO have deemed that the UK as an abbreviation for United Kingdom is too generic, even though there is only one country in the entire world going by that name. On the other hand US is perfectly acceptable for the USA, with United States being just as generic as the United Kingdom.

      The thing is there is no such legal entity as Great Britain and there has not been since 1801. Great Britain existed as a country for less than 100 years, and has not existed for over 200 now. If the island of Ireland ever gets united again, it would come into existence again. However for the time being I live in the United Kingdom of Great Britain and Northern Ireland.

  11. In USD... by DroopyStonx · · Score: 2, Informative

    13.9 million GBP is about 26.7 million USD.

    --
    We have secretly replaced these Slashdot mods' sense of humor with a rusty nail. Let's see if they notice!!
  12. They managed all of this by tezza · · Score: 5, Funny

    without Bruce Willis? Amazing.

    --
    [% slash_sig_val.text %]
  13. Precedence rules. by kahei · · Score: 5, Informative

    It's a matter of operator precedence being poorly defined in English, leading to the ambiguity known as a 'dangling modifier'.

    Parentheses could have solved the problem:
    The police foiled (hackers using keyloggers).
    But parentheses aren't used like that in natural language. In English the right way to do it would be more like this:
    The police foiled hackers who were using keyloggers.
    The 'who' strongly binds the entity before it to the entity after it, indicating that 'using keyloggers' is a predicate of 'hackers'. Thus the modifier, now tightly bound, dangles no more.

    --
    Whence? Hence. Whither? Thither.
    1. Re:Precedence rules. by Nemi · · Score: 2, Interesting
      Actually I believe this would be the preferred way of arranging the sentence:
      hackers using keyloggers were foiled by police.
      This places the modifier after a single subject, completely removing ambiguity.
    2. Re:Precedence rules. by damyata · · Score: 2, Informative

      True. However the original bbc article contained no such ambiguity and the slashdot article title is unambiguously wrong. So the person writing the article did have the wrong idea.

      Or maybe, just maybe, the article title means "Keylogging Used To Catch Bank Crackers": as in it used to, but it doesn't any more.

  14. NO, THE ARTICLE IS INCORRECT... by BarryNorton · · Score: 3, Insightful

    The article includes its own title. Unless this is changed to 'Keylogging Used By Caught Bank Crackers' it remains incorrect.

  15. guess again... by RikF · · Score: 2

    from the BBC

    "The investigation was started last October after it was discovered that computer hackers had gained access to Sumitomo Mitsui bank's computer system in London. They managed to infiltrate the system with keylogging software that would have enabled them to track every button pressed on computer keyboards."

    Sounds like it was the criminals using the software to me!

    RikF
    ----
    Life begins at 5500 rpm

    --
    In Soviet Russia you own your cat
  16. Question about Key Logging software by ReadbackMonkey · · Score: 4, Interesting

    If I type my password into a txt file surrounded by a bunch of gibberish, i.e.

    diowengiw03821-13kd98password8990830209keivli

    Would key-logging software be able to find my password if I cut and paste the relevant data into the appropriate field when I want to enter the password?

    Basically, where does the key-logging software sniff the bits? Is it off the bus from the keyboard to the processor, or does it sniff it off the processor?

    Just curious

    1. Re:Question about Key Logging software by InsaneCreator · · Score: 2, Interesting

      The early trojans (like NetBus & pals) would copy the passwords from input fields when you typed them in. I'm not sure how things work nowadays, since newer versions of Windows don't allow this anymore.

    2. Re:Question about Key Logging software by Anonymous Coward · · Score: 2, Informative

      It hooks the relevant Windows APIs usually. And some more advanced keyloggers also hook secure sockets and the clipboard.

    3. Re:Question about Key Logging software by Anonymous Coward · · Score: 2, Informative

      Different software packages capture the events at different times - some when the key events are sent to the windowing systems - and some when the translated events are processed by the OS.

    4. Re:Question about Key Logging software by merreborn · · Score: 2, Insightful

      If your password is in a text file, there are a lot simpler ways for attackers to get at it than via keyloggers.

  17. Keylogging Used To Catch Bank Crackers = WRONG by KingFatty · · Score: 2, Insightful

    Creative parsing on your part cannot save you.

    The title "Keylogging Used To Catch Bank Crackers" is indisputably wrong, no matter how you parse it.

    Furthermore, you have introduced your own parsing bias in the first non-comma sentence. The fact is the non-comma sentence does not have one definitive meaning, and you are just telling us what it means through your assumed meaning.

    The fact is you cannot indisputably say that the word "using" applies to the hackers and not the Crime Unit - the only thing supporting that interpretation is the adjacency between hackers and using, and as you illustrate with commas, the sentence can be parsed without commas such that the using applies to the Crime Unit.

    It's like saying "Criminal killed her using steak knife". In that sentence you cannot know whether I meant the criminal used the steak knife, or the woman was cutting her steak using her steak knife when she was killed with, say, a bullet from the criminal's gun.

    So, if you take this ambiguous sentence, and combine that with the indisputably wrong title of "Keylogging Used To Catch Bank Crackers", then you cannot come to your conclusion that the editor of the article is correct.

  18. In IKR by HalliS · · Score: 3, Funny

    it's about 156 million Icelandic Kronas.

    Now let's hear from everyone else!

    --
    My other UID is 1337
  19. Tee hee by Red_Icculus · · Score: 2, Funny

    Pardon me. I just thought it was humorous that you said "Sniff the bits".

  20. GBP not UKP by PureCreditor · · Score: 2, Informative

    According to xe.com, the international symbol for the pound sterling is actually GBP (for Great Britain Pound), not UKP as commonly denoted.

    Same for CAD for Canadian dollars, but it's frequently listed (incorrectly) as Cdn $