Largest Ever Online Robbery Hits Swedish Bank
ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started by a tailormade Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"
In other news, Nordea is planning to relocate to Sealand.
Res publica non dominetur
Slashdot Option 1: Encourage stupid people by paying out when they do stupid things like believe email that reads "Dwonlaod tihs spam fihgting tool". Slashdot Option 2: Encourage banks to absorb financial responsibility of eCommerce mishaps and take the lead in system security. Can't... make... decision... brain... splitting... in... half...
I hate printers.
Those who are not into technology have no idea.... Look at my latest journal. You can have a PhD and fall for the simplest scam there is. Computers do seem to have this effect on people: their common sense fails because computers are somehow "Magic".
It's tragic if you ask me.
$1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime. Zzesers
The biggest online robbery ever was a lousy million dollars? Oh come on, someone's gotta be able to do better than that. Get it in gear, people, it's 2007, we should be having way bigger cybercrimes by now. Someone hax0r the Gibson or something.
Stealing passwords is trivially easy. Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.
The trick is getting cash transferred from someone's bank once you have their credentials.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
the 'spam fighting' app almost did exactly what it was deceptively claiming to do;
bankrupt the people, force them to sell their technological idolatry, bam-- no more spam.
No, that merely changes who the victims are. There is no such thing as "good news for the victims" unless the stolen money is recovered.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If this was to happen in the US, would the FDIC cover these types of things?
And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam, however I hope they now include something that says "if it was your fault someone else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandatory!
For those of you who have an ING account you know what their security is like. Nothing much that will hamper a real customer, but things that should stop non-customers.
Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
An employee of the Swedish Bank was quoted as saying, "Gersh gurndy morn-dee hack-zee hack-zee!"
Launch every sig.
Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience. It involves lots of forms and remembering to do things at the right time and spending time on telephone lines. In short it is a pretty good incentive not to be careless with your banking security.
All that not refunding the customer's money would accomplish is hurt a lot of people and discourage people from using online banking or encourage them to change banks. People are never going to become security gurus just so they can bank online and if you make banking online too risky or hard they will just give it up.
By making sure it is the bank who has to pay for security losses while still making sure people have some incentive (annoyance, possibility they might pay next time or losing $50) to be safe you end up with the best results. The bank is the entity that can roll out new security solutions and most easily improve security practices so giving them incentives to improve security is the best move.
If you liked this thought maybe you would find my blog nice too:
Well according to my anecdotal evidence coming from an ex security admin at a bank who was giving a lecture on bank security at a security themed conference, banks have a certain percentage of loss every year due to online activities. The loss they suffer is tuned to the line where spending more on security would cost more than the current losses they suffer.
Anyway, I highly doubt that this was the largest ever online robbery, maybe it was the largest phishing attack.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
I was curious about the security protocol for Nordea bank and although links on the Nordea site are currently broken (an attempt to cover up?), I could find them on Google.
So the scammer just needs the fixed PIN code, plus a few of the one-time codes.
I used to have a bank account in Sweden with a different bank that uses a cryptographic challenge/response key generator, both for logging in and confirming a transaction. The website supplies you with a code number that you enter, as well as a PIN code. The device uses the code together with a secret key and the time from an internal clock and lets you send back the data.
Banks here in the Netherlands use similar systems, often with a generic card reader that uses a chip that is built into the bank cards. Others send a confirmation code by SMS to a mobile phone number that is registered to your account.
I think cryptographic systems are inherently much more secure than predefined one-time keys. The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction. Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.
Avantslash: low-bandwidth mobile slashdot.
What?! No, Soviet Russia jokes yet?!?!
In Soviet Russia, key logs you!
Or even better. In Soviet Russia, you gulag.
Perhaps, in Soviet Russia, bank robs you!
One last note, in Soviet Russia, Russian reversal jokes are funny.
There are many tongues to talk, and but few heads to think. -Victor Hugo
No, this has been reported by Dagens Nyheter, The Daily News, which is Sweden's largest and most serious newspaper.
No it doesn't.
If your computer has been rooted, it really IS ball game over. Just sitting here thinking how I would exploit a rooted system that someone uses for banking...
1 - establish account offshore that offers SWIFT transfer (or other convenient inter-bank wire), and can deal with bank that requires no ID.
2 - Monitor victims on-line banking activity for a couple of months.
3 - Intercept after online session has next been established.
4a - Inject low level "noise" transfer, if victims balance is medium level
4b - Take it all, if victim balance is at high level.
5 - Complete transfer from SWIFT bank next day, to "no ID" bank.
6 - transfer from "no ID" to Bahamanian account (Swiss account, you pick). Cash out.
Ob.Holywood: Add sound effects, and visual effects as appropriate: "I'm in!" and up/down counters with ticking.
Of course this doesn't work if you DON'T do on-line banking; this is a good thing(tm) because on-line activity would otherwise be exceptional.
Bear in mind that this is the first solution I came up with. And I suspect it would be very workable. Especially, if that "Digipass" gave you a sense of security.
The thing you "Trust": the thing that you have faith in because you have no other choice. And that which you must trust, you must be able to verify. With Internet Banking, you do not trust the network (thus, we use cryptographically sound protocols). You trust your password, and are forced to trust your computer. (And, you trust your bank). So, secure that computer, and don't give out your password. I wouldn't trust a digikey, simply because I have no way of verifying (I can restrict access to my computer, and my password is under my control).
The digikey in no way mitigates responsibility for keeping your computer secure.
Just another "Cubible(sic) Joe" 2 17 3061
If I remember this correctly this is the 3rd or 4th time this bank, Nordea, takes a hit in the last year! The first three or four times there were false e-mails and a dupe website saying that the customer for security reasons should supply three of their single use codes (you have them on a plastic card), then their PIN-code and their account number. The phishing email and website were full of misspelled and fake words and bad language in general, it's amazing that anybody fell for it!
This was really big in the media several times last year.
And now this! For the love of Darwin (God or whatever), who, WHO clicked on a link in an email saying it's from the bank??
Well well they will probably make me use some sort of certificate that is windows or mac only. Anyhow I will stop using this bank.
Where's
(c) profit!!!!
Oh wait, nevermind.
"good news for the victims, but not really an incentive to take more care in future"
/. crowd may know better, the average punter does not, and shouldn't have to.
Consumers are told by people who market computers that they are easy and safe to use. Consumers are told by internet service providers that online services are easy and safe to use. Consumers are told by banks that online banking is secure and convenient.
Aside from the criminals, who appear to have escaped without any consequences to them, the burden is falling where it should be, namely on agents who allow marketing over reality. While the
It appears that most of the victims weren't running security protection.
Often these guys use directed fraud mails written in reasonably good Swedish, so I wouldn't really doubt they have custom made keyloggers too to attempt to escape antivirus tools.
Sure, they could use detection by heuristics like some support, but then the accuracy falls rapidly, as well as the fact that not nearly all popular tools even support that.
What's needed here is that users don't become so naive when they sit down in front of a computer. To many, it seems like they then enter a world of safety where they don't have to think much and just click through mails that "look right" even if they ask for logon details that the banks have earlier been very careful to inform they'll never request. (because they already have that info, or can reset it at their whim anyway, duh!) The problem is that on the Internet, the exact opposite mostly holds true.
Beware: In C++, your friends can see your privates!
>idiots
We'll never get decent security as long as we set traps for users and call them idiots when they fall in.
The email containing the Trojan came from the bank's domain, apparently. Is it the fault of the users that email isn't authenticated? Are they idiots for not knowing how SMTP sessions can be spoofed?
How many places require software downloads to work? Include Flash and PDF readers in that list. Are people idiots for installing something that any non-expert would think came from their bank?
Do we even know that they weren't running antivirus? Would there have been signatures for a Trojan that was only distributed to a few hundred or a few thousand people? Would behavior-based antivirus have caught it, given that the crooks had the chance to test it against every common antivirus program?
Are the users idiots because the bank used a security protocol so unutterably lame that it was subject to undetectable replay attacks?
Calling the users idiots is just an excuse for not fixing the real problems.
I don't think the users should be blamed. At least not if this scam was well designed. There is no way the user can see the difference between the bank's own site and a phony one.
:-)
I don't know how well-designed this scam was. But it is possible to make the real and the false pages look exactly the same, or so similar that only the most suspicious minds will discover the difference.
At least with the IE 6 browser, you can design a popup with layout at the top pretending to be the Menu and Address bar, making the user believe he is at the bank's true address. And you might add the image of a lock giving the impression that he is on a SSL secured site. You don't need an infected computer to do this, you only have to make the user click a link. (It is hard to do this convincingly for every user, but doing it convincingly for 70% is obviously enough).
And given a rootkit, the criminal could change the behaviour of the browser, change the dns-service, or whatever - resistance is futile. With malware running stealthily in the background, intercepting and changing some of the communication with the bank, there is not much point in high security authentication tools like digipass calculators or smartcards.
In my view, the bank's loss is mainly due to the fact that today's common os-es and browsers are not safe. Period. The chief problem is that the industry is selling a product which is full of security loopholes. With today's popular OS-es, most home users are running with administrator rights (making the result of security breaches possibly very serious), and with common browsers and web standards, it is hard to see whom you are communicating with - especially when using popups and frames.
The users might be a little to blame in this case, but the important thing is that one - for the time being - can not expect users to have the skills necessary to keep the computer safe and surf safely. With nerds and computer professionals, expectations can be higher.
Users might be asked to keep their computers updated with anti-virus software. In my experience (with family and students), a lot of them are incapable of doing this by themselves. After some time, the computer is sluggish because of spyware or different programs and updates they have involuntarily accepted be installed. Keeping a computer safe and in working order is a profession.
What banks must do to limit attacks? Make attacks expensive. And encourage the software developing community/industry to integrate security in the products.
1) Make a policy to avoid simple attacks. Maybe users should be advised always to enter the bank's address in the address bar (if so, banks must never send links themselves
2) And make sure that the malware must be complex, i.e. make sure that the authentication data cannot be reused from another computer (static passwords are an obvious no-no), perhaps also prevent concurrent background transfers (deny dual sessions with the bank).
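An added example (not code from any poster, from Nordea, or from any real bank) tying together two points made in this thread: the earlier comment's challenge/response device whose codes are valid only for 30 seconds and only for one specific transaction, and this comment's requirement that authentication data must not be reusable from another computer. The scheme, the key, the timestamp and the account names are all assumed or constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Assumed design (not Nordea's or any real bank's protocol): a transaction-bound
# challenge/response token like the devices described in the comments above.
# The response binds the bank's challenge, destination account, amount and a
# 30-second time slot, so a keylogged code works for no other transfer or time.
WINDOW = 30  # seconds a response stays valid

def token_response(key: bytes, challenge: str, dest: str, amount: int, now: int) -> str:
    """Customer-side device: an 8-digit code bound to this exact transaction."""
    msg = f"{challenge}|{dest}|{amount}|{now // WINDOW}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 100_000_000:08d}"

class BankVerifier:
    """Bank side: one fresh challenge per transaction, never accepted twice."""
    def __init__(self, key: bytes):
        self.key = key
        self.used = set()  # consumed challenges; blocks replay of a seen code

    def new_challenge(self) -> str:
        return secrets.token_hex(4)

    def verify(self, challenge: str, dest: str, amount: int, code: str, now: int) -> bool:
        if challenge in self.used:
            return False
        # accept the current slot and the previous one to tolerate clock skew
        for t in (now, now - WINDOW):
            expected = token_response(self.key, challenge, dest, amount, t)
            if hmac.compare_digest(expected, code):
                self.used.add(challenge)
                return True
        return False

def demo() -> dict:
    """Constructed scenario: one legitimate transfer, then three misuse attempts."""
    key = secrets.token_bytes(32)  # secret shared by token and bank
    bank = BankVerifier(key)
    t0 = 1_700_000_010             # constructed timestamp, start of a slot
    acct = "SE-CUSTOMER-ACCT"      # constructed account identifiers
    ch = bank.new_challenge()
    code = token_response(key, ch, acct, 500, t0)  # what a keylogger would capture
    ch2 = bank.new_challenge()
    late = token_response(key, ch2, acct, 500, t0)
    return {"legit": bank.verify(ch, acct, 500, code, t0 + 5),
            "replay": bank.verify(ch, acct, 500, code, t0 + 6),
            "diverted": bank.verify(bank.new_challenge(), "MULE-ACCT", 500, code, t0 + 6),
            "expired": bank.verify(ch2, acct, 500, late, t0 + 120)}
```

Only the first verification succeeds; the captured code is refused when replayed, when attached to a different destination, and once its time slot has passed, which is what makes a keylogger alone insufficient against this kind of token.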
I am sorry.. i was modding your post insightful, and the trackpad on my macbook made the mouse cursor "jump" and it landed on troll RIGHT AS I CLICKED.
i am now replying to kill the modpoint i applied to you as being a troll. Sorry.
(and fuck, this pisses me off, because I try to only post when I have some particular insight to share.. and now i will have this post on my userpage. I like the new web2.0ish drop down moderation menu.. but it *REALLY* needs to have an undo feature)
I am Jack's complete lack of surprise.