Largest Ever Online Robbery Hits Swedish Bank
ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started with a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"
In other news, Nordea is planning to relocate to Sealand.
Res publica non dominetur
Slashdot Option 1: Encourage stupid people by paying out when they do stupid things like believe email that reads "Dwonlaod tihs spam fihgting tool". Slashdot Option 2: Encourage banks to absorb financial responsibility of eCommerce mishaps and take the lead in system security. Can't... make... decision... brain... splitting... in... half...
I hate printers.
Those who are not into technology have no idea.... Look at my latest journal. You can have a PhD and fall for the simplest scam there is. Computers do seem to have this effect on people: their common sense fails because computers are somehow "Magic".
It's tragic if you ask me.
>>The sender encouraged clients to download a "spam fighting" application.
Why should the bank have to fork out cash because the users can't see an obvious phishing email?
$1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime. Zzesers
Bank pays for user ignorance? Sounds like a nice bank. My bank would probably tell me I'm SOL.
The biggest online robbery ever was a lousy million dollars? Oh come on, someone's gotta be able to do better than that. Get it in gear, people, it's 2007, we should be having way bigger cybercrimes by now. Someone hax0r the Gibson or something.
Stealing passwords is trivially easy. Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.
The trick is getting cash transfered from someone's bank once you have their credentials.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
the 'spam fighting' app almost did exactly what it was deceptively claiming to do;
bankrupt the people, force them to sell their technological idolatry, bam-- no more spam.
No, that merely changes who the victims are. There is no such thing as "good news for the victims" unless the stolen money is recovered.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If this was to happen in the US, would the FDIC cover these types of things?
And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam; however, I hope they now include something that says "if it was your fault someone else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandatory!
For those of you who have an ING account you know what their security is like. Nothing much that will hamper a real customer, but things that should stop non-customers.
Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
Why can't movie studios come up with plans this ingenious for robbing a bank? The last bank robbing movie I saw involved some terrorist types kidnapping the head of bank security and having him steal the account numbers with a wacky device made out of scanner module from a fax machine and the hard drive from an iPod Mini.
Boy, if all of the nefarious Slashdotters got together couldn't we beat that by at least an order of magnitude? After all, didn't Sean Connery and Catherine Zeta get away with a few billion?
'He was a dreamer, a thinker, a speculative philosopher... or, as his wife would have it, an idiot.' - Douglas Adams
TFA does not state what operating systems these victims were using. I bet they were on Windows. Every story like that fails to mention that this is mostly the fault of Windows.
Seems like a fairly precise number...wonder how they derived it? And if true, for $1,000,000 that works out to be just over $8,000 per participant (assuming the proceeds were/are shared equally). Hardly seems worth the risk. On the other hand, the article says (indirectly) that it took 15 months to decide a heist was in progress. Heh, as they say "Patience is a virtue".
The NSA: The only part of the US government that actually listens.
An employee of the Swedish Bank was quoted as saying, "Gersh gurndy morn-dee hack-zee hack-zee!"
Launch every sig.
How could you ever turn the stolen money into paper money without it being completely tracked? By what means do cyber criminals launder their money without being immediately apprehended?
Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience. It involves lots of forms and remembering to do things at the right time and spending time on telephone lines. In short it is a pretty good incentive not to be careless with your banking security.
All that not refunding the customer's money would accomplish is hurt a lot of people and discourage people from using online banking or encourage them to change banks. People are never going to become security gurus just so they can bank online and if you make banking online too risky or hard they will just give it up.
By making sure it is the bank who has to pay for security losses while still making sure people have some incentive (annoyance, possibility they might pay next time or losing $50) to be safe, you end up with the best results. The bank is the entity that can roll out new security solutions and most easily improve security practices, so giving them incentives to improve security is the best move.
not really an incentive to take more care in future
I'm hoping that the banks at least suspended and revoked the privilege of online banking from the users in question. If you can't take care not to download trojans/etc. online that affect online banking, you shouldn't be allowed to do your banking online.
It's an incentive for the Bank to improve security. If every bank was required to do this (and cc companies as well) it'd do quite a bit to improve security in online shopping and banking.
Well, according to my anecdotal evidence coming from an ex security admin at a bank who was giving a lecture on bank security at a security-themed conference, banks have a certain percentage of loss every year due to online activities. The loss they suffer is tuned to the line where spending more on security would cost more than the current losses they suffer.
Anyway, I highly doubt that this was the largest ever online robbery, maybe it was the largest phishing attack.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I was curious about the security protocol for Nordea bank and although links on the Nordea site are currently broken (an attempt to cover up?), I could find them on Google.
So the scammer just needs the fixed PIN code, plus a few of the one-time codes.
I used to have a bank account in Sweden with a different bank that uses a cryptographic challenge/response key generator, both for logging in and confirming a transaction. The website supplies you with a code number that you enter, as well as a PIN code. The device uses the code together with a secret key and the time from an internal clock and lets you send back the data.
Banks here in the Netherlands use similar systems, often with a generic card reader that uses a chip that is built into the bank cards. Others send a confirmation code by SMS to a mobile phone number that is registered to your account.
I think cryptographic systems are inherently much more secure than predefined one-time keys. The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction. Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.
Avantslash: low-bandwidth mobile slashdot.
FWIW, this must be the 4th time this has happened in a matter of at most 2 years. Each attempt was made by sending out e-mails in extremely bad Swedish trying to convince customers of Nordea to hand over their user information or visit their website (which was on another domain or hijacked).
/from a random Swede
Each and everyone who fell for this must either be an immigrant, senile, or just plain dumb (this is a sincere hypothesis). The title of this story absolutely does not ring true to what's really happened - it wasn't huge and it's not a big scandal at all. Also, 2 people have been apprehended and are considered suspects to the fraud.
Fight for your digital freedom, join the EFF *now*: http://www.eff.org/support/
What?! No Soviet Russia jokes yet?!?!
In Soviet Russia, key logs you!
Or even better. In Soviet Russia, you gulag.
Perhaps, in Soviet Russia, bank robs you!
One last note, in Soviet Russia, Russian reversal jokes are funny.
There are many tongues to talk, and but few heads to think. -Victor Hugo
In the grand scheme of things, 1 million dollars is probably not that much for one of the largest banks in Sweden. If it was 1 billion the tune would probably be a bit different.
I'm guessing that few of you have had money stolen from accounts before. It is a huge pain, involves lots of paperwork, and is generally not a pleasant experience. I had a good deal of money (for me at the time) transferred out of my account in the United States and sent to Turkey. Nothing stolen online; we figure it was a dumpster diver. Money is still gone, and it still took weeks to clear. I, for one, am happy that the bank reimbursed the account holders for their losses. For everyone here that says "learn security!!!!", what if it wasn't the account holder who placed the trojan there? Would you then blame the person for having "stupid" people using their computer, i.e. significant others, who bank at the same place? You can't educate everyone.
What the Russians did is small change compared to what might happen if the data from this heist http://money.canoe.ca/News/Other/2007/01/18/3401579-cp.html becomes available to the wrong crowd.
I happen to have an account at a Swedish bank (S.E.B.), and they give you this wonderful little box they call a "digipass". When you want to log on, they give you 8 numbers, which you have to type into your digipass, which then gives you another little sequence of numbers, which is the password you have to use to login. It's kind of a challenge-response authentication, but with the private key safely saved outside of the computer, and out of reach of the client themselves in fact... Just don't lose your digipass, your pincode and your account number all at the same time! :+)
> The sender encouraged clients to download a "spam fighting" application.
The trojan in question only runs on Windows.
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
I'm not knocking Windows, the users contributed by not running antivirus software and not being terribly bright. But this is why I don't ever access any of my banking or investment accounts with Windows.
Just makes it that much harder to automate installation of a keylogger.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
What they just did was tell users that they can run insecure OSs, do nothing about it, and still not be held responsible for their actions. What these victims did was to buy a straw house, then leave the door wide open, and are now being compensated for stolen money. When will it end.
I prefer the "u" in honour as it seems to be missing these days.
If the trojan was targeted to something like a specific list of account holders, instead of wildly blasted around, that could indicate a different breach of security at the bank. In that case, the bank has a lot more cleaning up to do behind the scenes. I'm not saying that definitely happened, but I am given pause.
Passing the cost on to the consumer is one of the worst idea's I've ever heard. First off, towards promoting better security, put the hurt on the bank because they're the one's who have the power to improve their security. But more importantly, losing their lifesavings is about as scary as anything can be to first worlders. Remember how people stopped flying after 9/11? When significant numbers of people getting burned out of their retirement funds hits CNN, you can bet online banking stops nearly overnight. Not a step forward.
The only possible good that could come from your suggestion is that public outcry would force congress to enact legislation that required better security, but that's clearly not your intended point and I'm not sure that said path is particularly good anyway. And anyway, if you run windows (which is not me but that doesn't mean I think someone who does is an idiot), being compromised is not necessarily your fault, nor is your bank's poor security practices.
Relax I just want some peanuts.
Because, you see, http://mcafee.com/ doesn't even mention that this has happened, either. The McAfee site search returns empty results. Besides, Google searches on `nordea mcafee` and `nordea robbery` also didn't return anything comprehensive. Did a McAfee contact whisper it secretly in the ZDNet editor's ear?
Annoyingly I've not been able to google it up, and I can't remember where I read about it, but I read somewhere that a Brazilian bank went bankrupt following fraud enabled by hacking attacks which lost them (IIRC) over $300m. Please, someone, spare my sanity and find me a link? It would have been an Infosec story on the net -- I thought CryptoGram at first, but apparently not. Help! :)
Everything I needed to know about life, I learnt from Blake's Seven
Seems like a gang with that kind of sophistication needs to find a more lucrative occupation. Those 121 people could have made more than a million dollars selling drugs for a week.
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
Maybe you'd have to carry a cellphone and they'd autodial you with a message asking you to confirm the transaction ("Please press 1 to confirm $500 to Alxei in Moscow, Press 2 to inform the police..."). Hopefully the transactions don't all occur at 3AM. Now if the crooks have your account info AND your cellphone then you are probably more concerned about how you are going to escape from your kidnappers.
My credit card company has called me to confirm heavy activity or big purchases that veer from my normal spending pattern. I'm grateful that they do.
It is by the juice of the coffee bean that thoughts acquire speed, the teeth acquire stains. The stains become a warning
10-15 years ago, a Russian hacker made off with 200+ million from Citibank. To this day they have no idea how he did it. When they actually caught the guy, they made him an offer: reduced jail time for return of the $$ and how he did it. He refused, and was sentenced to like 10 years or some such.
Question: Would you go to jail for 10 years for US$200mil?
No it doesn't.
If your computer has been rooted, it really IS ball game over. Just sitting here thinking how I would exploit a rooted system that someone uses for banking...
1 - establish account offshore that offers SWIFT transfer (or other convenient inter-bank wire), and can deal with a bank that requires no ID.
2 - Monitor victim's on-line banking activity for a couple of months.
3 - Intercept after online session has next been established.
4a - Inject low level "noise" transfer, if victim's balance is medium level
4b - Take it all, if victim's balance is at high level.
5 - Complete transfer from SWIFT bank next day, to "no ID" bank.
6 - transfer from "no ID" to Bahamian account (Swiss account, you pick). Cash out.
Ob. Hollywood: Add sound effects, and visual effects as appropriate: "I'm in!" and up/down counters with ticking.
Of course this doesn't work if you DON'T do on-line banking; this is a good thing(tm) because on-line activity would otherwise be exceptional.
Bear in mind that this is the first solution I came up with. And I suspect it would be very workable. Especially, if that "Digipass" gave you a sense of security.
The thing you "Trust": the thing that you have faith in because you have no other choice. And that which you must trust, you must be able to verify. With Internet Banking, you do not trust the network (thus, we use cryptographically sound protocols). You trust your password, and are forced to trust your computer. (And, you trust your bank.) So, secure that computer, and don't give out your password. I wouldn't trust a digikey, simply because I have no way of verifying it (I can restrict access to my computer, and my password is under my control).
The digikey in no way mitigates responsibility for keeping your computer secure.
I don't understand why banks and other sites where high security is important don't utilize a randomizer to enter a secret 4-digit passkey in addition to your password. Let me clarify: simply display an image that looks like a keypad with the numbers 0,1,2...9 in random positions. The user needs to click on the position to enter their 4 digit key; between each digit clicked, the keypad's random positions are changed. If this is done in addition to a full password you gain a lot of security. A keylogger may record the position you clicked, but since each visit to the website displays the digits 0-9 in a different location, the logged click position does not help. Granted, 4 digits can be cracked by simply trying all combinations, but you can further increase security by increasing the number of digits required, or even using a fully randomized keyboard with the full alphabet and other special keys. Now a hacker would need a keylogger in addition to screen captures. And it would be much easier for virus scans to pick up an illicit program that is trying to capture screen images and send them, since image files are much larger.
If I remember this correctly this is the 3rd or 4th time this bank, Nordea, has taken a hit in the last year! The first three or four times there were false e-mails and a dupe website saying that the customer, for security reasons, should supply three of their single-use codes (you have them on a plastic card), then their PIN code and their account number. The phishing email and website were full of misspelled and fake words and bad language in general; it's amazing that anybody fell for it!
This was really big in the media several times last year.
And now this! For the love of Darwin (God or whatever), who, WHO clicked on a link in an email saying it's from the bank??
Well well, they will probably make me use some sort of certificate that is Windows or Mac only. Anyhow, I will stop using this bank.
There's a lot of sentiment on /. which says we should make the people who had key loggers accountable for their slip ups, because otherwise nothing will change. I disagree. I think that even though no serious harm came to the hapless pwned, they're going to feel violated knowing that some lurker was recording everything they did over the Internet. They will probably also see that sometimes the banks won't be there to cover their asses when the hackers come.
I'm not saying that people shouldn't be responsible for their own computers; I'm saying that even if the key loggers didn't cost the dupes money, most of them are still going to change their careless ways after this wake-up call.
Expected time to finish is 1 hour and 60 minutes.
How many OS X users lost money?
Why doesn't the headline name the real enabler: Microsoft.
Running Windows is like putting your money in a cardboard safe. Wet cardboard.
you had me at #!
Why can't I flag my bank account so that the bank will not electronically transfer the contents to another bank without an in-person visit from me (with ID, etc.)? (Or more than 10% per month, or whatever.) Ditto brokerage accounts and so forth. Yes, it's potentially a small hassle if I ever *do* want to e-transfer my entire bank account... but I really don't think that's likely. Until my bank sends me a letter offering that, any security problems are their responsibility, in my view.
"good news for the victims, but not really an incentive to take more care in future"
/. crowd may know better, the average punter does not, and shouldn't have to.
Consumers are told by people who market computers that they are easy and safe to use. Consumers are told by internet service providers that online services are easy and safe to use. Consumers are told by banks that online banking is secure and convenient.
Aside from the criminals, who appear to have escaped without any consequences to them, the burden is falling where it should be, namely on agents who allow marketing over reality. While the
Banks can guard against this by making users click on a randomizing keypad with their PIN in addition to any password/username combination they need to type in. ING Direct does this.
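The randomised keypad proposed in the thread (the longer description a few posts up and the ING Direct mention just above), worked through as an added example. This is not ING's or Nordea's code; the session class, the 4-digit PIN and the sample layouts are assumptions for illustration. The server reshuffles the digits before every click and keeps the layouts it sent, so click positions logged by a keylogger spell a different PIN in any later session. The last function shows the caveat the post itself raises: malware that also captures the rendered pad recovers the PIN exactly as the server does.

```python
"""Randomised on-screen PIN pad (added example, not any bank's real code).
The server draws a fresh digit layout before each click and maps the clicked
positions back to digits itself; the browser never sends the digits."""
import hashlib
import hmac
import random

DIGITS = "0123456789"


def new_layout(rng=random.SystemRandom()):
    """One random arrangement of the ten digits: layout[position] == digit shown there.
    The default rng is the OS CSPRNG; tests inject fixed layouts instead."""
    digits = list(DIGITS)
    rng.shuffle(digits)
    return "".join(digits)


def pin_hash(pin):
    """What the bank stores: a hash of the PIN, never the PIN itself (assumed scheme)."""
    return hashlib.sha256(pin.encode()).digest()


class PinPadSession:
    """Server-side state for one login attempt."""

    def __init__(self, stored_pin_hash, pin_length=4, layout_source=new_layout):
        self.stored_pin_hash = stored_pin_hash
        self.pin_length = pin_length
        self.layout_source = layout_source
        self.layouts = []                 # the layout sent to the browser before each click

    def next_layout(self):
        """Layout to render for the next digit; reshuffled on every click."""
        if len(self.layouts) >= self.pin_length:
            raise ValueError("PIN already complete")
        layout = self.layout_source()
        self.layouts.append(layout)
        return layout

    def positions_to_pin(self, positions):
        """Map clicked positions back to digits using the layouts *this* session sent."""
        if len(positions) != self.pin_length or len(positions) != len(self.layouts):
            raise ValueError("wrong number of clicks")
        return "".join(self.layouts[i][p] for i, p in enumerate(positions))

    def verify(self, positions):
        """Constant-time comparison of the entered PIN's hash against the stored hash."""
        entered = hashlib.sha256(self.positions_to_pin(positions).encode()).digest()
        return hmac.compare_digest(entered, self.stored_pin_hash)


def user_clicks(session, pin):
    """Legitimate client: for each digit, read the current layout and click where it appears."""
    positions = []
    for digit in pin:
        layout = session.next_layout()
        positions.append(layout.index(digit))
    return positions


def keylogger_replay(stolen_positions, fresh_session):
    """Attacker who logged only click positions replays them into a new session.
    The new session drew new layouts, so the same positions spell a different PIN."""
    for _ in stolen_positions:
        fresh_session.next_layout()       # rendered in the attacker's browser; positions reused blindly
    return fresh_session.verify(stolen_positions)


def screen_grabber_recovers(session, stolen_positions):
    """Caveat: malware that also captured the rendered pad (the layouts) maps
    positions to digits exactly as the server does, so the randomisation is defeated."""
    return session.positions_to_pin(stolen_positions)


def fixed_layouts(*layouts):
    """Deterministic layout source for demos and tests (constructed data)."""
    it = iter(layouts)
    return lambda: next(it)


if __name__ == "__main__":
    secret = "4719"                       # constructed sample PIN
    s1 = PinPadSession(pin_hash(secret))
    clicks = user_clicks(s1, secret)
    print("legitimate login:", s1.verify(clicks))
    s2 = PinPadSession(pin_hash(secret))
    print("keylogger replays positions", clicks, "->", keylogger_replay(clicks, s2))
    print("keylogger plus screenshots recovers:", screen_grabber_recovers(s1, clicks))
```

The protection only holds while the position-to-digit map stays server-side: anything that ships the layout to the client in a form malware can read (the image, the DOM, a JSON array) is enough for the attacker, which is why the post pairs the idea with a separate password rather than relying on it alone.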
I'm not a windows fanboy ('nix is my preferred OS), but why would the crooks pump out a linux binary or an OSX application in their scammy emails when probably 80-90% of the recipients are likely to use windows, and probably about 80-90% of linux/mac users are slightly more educated in terms of scammy emails.
This wasn't an automatically installed keylogger from the sounds of it, but rather one installed by dumb users. Windows has more users, so they email the Windows users. PCs being more prevalent (and cheaper) plus Windows being the preloaded OS, chances are that the less PC-educated are going to be using that OS too.
Much as I love linux (and macs aren't bad either), I'd have to say that in this case it's not so much of a case that the OS is insecure, but rather that the users are uneducated. If linux users suddenly skyrocketed, one could probably get similar results with a script that dumped a custom **firefox in the user folder with built-in keylogger, and then replaced the old firefox with the hacked version.
** Avoidable by having noexec on the home directory, but that's not generally a default setting, and could still be avoided by trolling for some other user-writeable + executable location to write insidious code...
It appears that most of the victims weren't running security protection.
Often these guys use directed fraud mails written in reasonably good Swedish, so I wouldn't really doubt they have custom made keyloggers too to attempt to escape antivirus tools.
Sure, they could use detection by heuristics, as some support, but then the accuracy falls rapidly, as well as the fact that not nearly all popular tools even support that.
What's needed here is that users don't become so naive when they sit down in front of a computer. To many, it seems like they then enter a world of safety where they don't have to think much and just click through mails that "look right" even if they ask for logon details that the bank has earlier been very careful to inform them it will never request (because they already have that info, or can reset it at their whim anyway, duh!). The problem is that on the Internet, the exact opposite mostly holds true.
Beware: In C++, your friends can see your privates!
I'm thinking that the refunds are a result of the newness of on-line banking. When the newness wears off - people will lose their life savings with these tricks.
It's no different than meat-space scams that trick people into withdrawing money or allow thieves access to their bank accounts (like a stolen ATM card with the PIN number written on it).
The message here should be "if you do on-line banking, your computer is your ATM card. Protect it just as you would your ATM card"
Citibank, 1994, US$10 million.
Security Pacific, 1974, about the same amount from someone who eavesdropped and social engineered his way past the security measures on the wire room.
That's how we fight SPAM.
Welcome to the Panopticon. Used to be a prison, now it's your home.
Damn, seems like their site is down for the moment, and not just the Swedish one (they have banks in more than one country). I guess they are all hosted in the same place. I wanted to log in to my account.
The security for their online banking system includes a key file that you must have on your PC, so a trojan could be used to gain access if it found the key file. I am not aware if they have additional optional security options available, like a key card or whatever.
BTW the client side runs Java and works nicely in Firefox on Linux.
>idiots
We'll never get decent security as long as we set traps for users and call them idiots when they fall in.
The email containing the Trojan came from the bank's domain, apparently. Is it the fault of the users that email isn't authenticated? Are they idiots for not knowing how SMTP sessions can be spoofed?
How many places require software downloads to work? Include Flash and PDF readers in that list. Are people idiots for installing something that any non-expert would think came from their bank?
Do we even know that they weren't running antivirus? Would there have been signatures for a Trojan that was only distributed to a few hundred or a few thousand people? Would behavior-based antivirus have caught it, given that the crooks had the chance to test it against every common antivirus program?
Are the users idiots because the bank used a security protocol so unutterably lame that it was subject to undetectable replay attacks?
Calling the users idiots is just an excuse for not fixing the real problems.
My bank will return money from unauthorized purchases on an ATM card. With no min.
...Stealing money online must be quite a silly thing to do. You leave such a trail that you are almost always likely to be caught. It's not like these guys have money printing machines that convert e-dollars into actual paper dollars. Or do they, coz if they do, then I gotta get me one of those.
Can't you just look and say, OK, someone took money from this account, and put it in that account. So whose account is that?
Or even a mandatory delay in processing for payments done online. Notify the user (on their phone) and they can call and speed up processing if they really require this.
I don't think the users should be blamed. At least not if this scam was well designed. There is no way the user can see the difference between the bank's own site and a phony one.
:-)
I don't know how well-designed this scam was. But it is possible to make the real and the false pages look exactly the same, or so similar that only the most suspicious minds will discover the difference.
At least with the IE 6 browser, you can design a popup with layout at the top pretending to be the Menu and Address bar, making the user believe he is at the bank's true address. And you might add the image of a lock giving the impression that he is on a SSL secured site. You don't need an infected computer to do this, you only have to make the user click a link. (It is hard to do this convincingly for every user, but doing it convincingly for 70% is obviously enough).
And given a rootkit, the criminal could change the behaviour of the browser, change the DNS service, or whatever - resistance is futile. With malware running stealthily in the background, intercepting and changing some of the communication with the bank, there is not much point in high security authentication tools like digipass calculators or smartcards.
In my view, the bank's loss is mainly due to the fact that today's common OSes and browsers are not safe. Period. The chief problem is that the industry is selling a product which is full of security loopholes. With today's popular OSes, most home users are running with administrator rights (making the result of security breaches possibly very serious), and with common browsers and web standards, it is hard to see whom you are communicating with - especially when using popups and frames.
The users might be a little to blame in this case, but the important thing is that one - for the time being - can not expect users to have the skills necessary to keep the computer safe and surf safely. With nerds and computer professionals, expectations can be higher.
Users might be asked to keep their computers updated with anti-virus software. In my experience (with family and students), a lot of them are incapable of doing this by themselves. After some time, the computer is sluggish because of spyware or different programs and updates they have involuntarily accepted be installed. Keeping a computer safe and in working order is a profession.
What banks must do to limit attacks? Make attacks expensive. And encourage the software developing community/industry to integrate security in the products.
1) Make a policy to avoid simple attacks. Maybe users should be advised always to enter the bank's address in the address bar (if so, banks must never send links themselves).
2) And make sure that the malware must be complex, i.e. make sure that the authentication data cannot be reused from another computer (static passwords are an obvious no-no), perhaps also prevent concurrent background transfers (deny dual sessions with the bank).
If a good hacker uses the next big remote windows exploit for some judicious tampering (ie. not quickly caught by automated detection systems, for instance by examining the user's own account history) I wouldn't be surprised if he could misplace billions of dollars before everything grinds to a halt ... transferring any of that to himself wouldn't be easy, but it wouldn't be necessary either if he just wanted to cause havoc.
... in a pinch a mobile phone will do (more diversity, more obscurity).
Personally I'd like a closed wireless device which shows me the amount and destination of each transaction with a big OK button
OK, but what is the attack against this:
Give all users a small numerical keypad that is comfortable enough to enter lots of numbers, and includes the user's private key and an accurate clock. The keypad works as a USB keyboard. For every wire transfer, the user types the account number and the sum to be transferred on the keypad. The keypad sends the account number, the sum and a digital signature of the data and the current time, thus filling in parts of the wire transfer form on the bank web site. The rest of the user experience is conducted on the web browser as usual.
Is there a fatal flaw that couldn't be corrected in this scheme?
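The contrast running through this thread, between a printed card of single-use codes (what earlier posts describe for Nordea Sweden) and a calculator or keypad that signs the specific transaction with a secret key and a clock (the digipass post, the Dutch card-reader post, and the USB keypad proposed just above), worked through as an added example. It is not any bank's or vendor's protocol; the key, the 30-second step, the message layout and the account strings are assumptions, and it goes slightly beyond the posts by adding the two checks a bank side would need in practice: a clock-skew window and a cache of already-used codes. A keylogger sees the same 8 digits in both schemes; what differs is what those digits authorise.

```python
"""One-time code card vs. transaction-bound code (added example; assumed protocol).
A card code authorises whatever transaction the bearer submits. A transaction-bound
code is a MAC over destination, amount and time step, so it is useless for any
other transfer and expires within a short window."""
import hashlib
import hmac
import struct

TIME_STEP = 30          # seconds a code stays valid (assumption, matching the "30 seconds" post)
CODE_DIGITS = 8         # typed by the user, so keep it short


class CodeCard:
    """Scheme A: the scratch card. Any unused code approves any transaction."""

    def __init__(self, codes):
        self.unused = set(codes)

    def redeem(self, code, account, amount_cents):
        # account and amount are ignored: the code carries no information about them
        if code in self.unused:
            self.unused.remove(code)
            return True
        return False


def transaction_code(key, account, amount_cents, now):
    """Scheme B: what the token computes from its secret key and its own clock.
    Truncation follows the HOTP dynamic-truncation idea (RFC 4226)."""
    step = int(now) // TIME_STEP
    msg = account.encode() + struct.pack(">QQ", amount_cents, step)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


class Bank:
    """Scheme B verifier. Holds the same key as the customer's token."""

    def __init__(self, key, window=1):
        self.key = key
        self.window = window    # accept +/- this many steps of clock drift
        self.seen = set()       # (step, code) already redeemed: blocks replay inside the window

    def verify_transfer(self, account, amount_cents, code, now):
        step = int(now) // TIME_STEP
        for candidate in range(step - self.window, step + self.window + 1):
            expected = transaction_code(self.key, account, amount_cents, candidate * TIME_STEP)
            if hmac.compare_digest(expected, code):
                if (candidate, code) in self.seen:
                    return False            # replay of a code the bank already honoured
                self.seen.add((candidate, code))
                return True
        return False                        # wrong account, wrong amount, or expired


if __name__ == "__main__":
    # --- Scheme A: phishing page asks for "three unused codes" from the card
    card = CodeCard(["1834", "7720", "5519"])            # constructed sample codes
    print("attacker uses stolen card code for own transfer:",
          card.redeem("7720", "ATTACKER-ACCT", 900_000))   # True

    # --- Scheme B: keylogger captures the code typed for a real transfer
    key = b"constructed-32-byte-demo-key-0001"             # assumed shared token key
    bank = Bank(key)
    t0 = 1_000
    code = transaction_code(key, "VICTIM-PAYEE", 50_000, t0)
    print("legitimate transfer:", bank.verify_transfer("VICTIM-PAYEE", 50_000, code, t0 + 5))
    print("same code, attacker's account:",
          bank.verify_transfer("ATTACKER-ACCT", 50_000, code, t0 + 5))
    print("same code replayed:", bank.verify_transfer("VICTIM-PAYEE", 50_000, code, t0 + 10))
    print("same code two minutes later:",
          bank.verify_transfer("VICTIM-PAYEE", 50_000, code, t0 + 120))
```

The property the keypad post is after is that the account number and amount enter the MAC on the token, not in the browser: malware that rewrites the transfer form changes what the bank receives but not what was signed, so the MAC fails. The rootkit objection a few posts up still applies to any scheme where the token signs a challenge it cannot interpret, such as an opaque 8-digit number shown by the website, because then the user cannot tell what they are approving.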
I am sorry.. i was modding your post insightful, and the trackpad on my macbook made the mouse cursor "jump" and it landed on troll RIGHT AS I CLICKED.
i am now replying to kill the modpoint i applied to you as being a troll. Sorry.
(and fuck, this pisses me off, because I try to only post when I have some particular insight to share.. and now i will have this post on my userpage. I like the new web2.0ish drop down moderation menu.. but it *REALLY* needs to have an undo feature)
I am Jack's complete lack of surprise.
Ahh, Schadenfreude towards the Swedes. Nordea Finland states [in English] that this attack does not work for Nordea customers in Finland. The reason is rather simple: Nordea Finland uses, unlike Nordea Sweden, a one-time pad. The customer has a codebook, which is spent: you must enter a single-use code to validate a transaction. Because the codes are one-use only, harvesting login details is a pointless pursuit for criminals. Sure, it's a chore entering those codes, but so is locking one's house, so trading security for convenience (all 10 seconds of it) is, in my opinion, plain irresponsible in this case.
I'm not sure if I should be surprised or not, when the same company uses a secure system in one country and a different, probably incompatible, insecure system in another. Formerly, some Finnish banks didn't use a one-time pad, and were promptly scammed in the exact same manner. The fact that Nordea didn't heed the warning doesn't speak highly of its internal corporate synergy.