Slashdot Mirror


Largest Ever Online Robbery Hits Swedish Bank

ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started by a tailormade Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"

15 of 218 comments

  1. In other news... by lixee · · Score: 5, Funny

    In other news, Nordea is planning to relocate to Sealand.

    --
    Res publica non dominetur
    1. Re:In other news... by KUHurdler · · Score: 4, Funny

      One witness was heard saying:
      "Yorn desh born, der ritt de gitt der gue, Orn desh, dee born desh, de umn børk! børk! børk!"

      --
      Fix Your Own TV - RiddledTV.com Avoid the Landfill
  2. According to whom?! by rumith · · Score: 5, Interesting

    According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia. And what have Swedish police established according to Swedish police? Why quote McAfee? What business do they have here?
  3. Crime Doesn't Pay by Zzesers92 · · Score: 3, Insightful

    $1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime. Zzesers

  4. LULZ by Anonymous Coward · · Score: 5, Funny

    The biggest online robbery ever was a lousy million dollars? Oh come on, someone's gotta be able to do better than that. Get it in gear, people, it's 2007, we should be having way bigger cybercrimes by now. Someone hax0r the Gibson or something.

  5. the hard part by Lord+Ender · · Score: 3, Interesting

    Stealing passwords is trivially easy. Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.

    The trick is getting cash transferred from someone's bank once you have their credentials.

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  6. Re:I am not surprised... by PadRacerExtreme · · Score: 3, Insightful

    So a PhD in medieval literature makes you an expert in computers and email? I am not saying that she shouldn't have known better (the SPAM indicator), but the PhD alone doesn't really matter. Besides, some people are always looking for a get-rich-quick scheme.

    --
    Just remember - if the world didn't suck, we would all fall off.
  7. the ends justify the means? by Anonymous Coward · · Score: 3, Funny
    The sender encouraged clients to download a "spam fighting" application.


    the 'spam fighting' app almost did exactly what it was deceptively claiming to do;

    bankrupt the people, force them to sell their technological idolatry, bam-- no more spam.
  8. Victims by Sloppy · · Score: 5, Insightful
    The bank is refunding everyone who lost money (even if they hadn't taken precautions) - good news for the victims

    No, that merely changes who the victims are. There is no such thing as "good news for the victims" unless the stolen money is recovered.

    --
    As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
  9. FDIC? by Thansal · · Score: 4, Informative

    If this was to happen in the US, would the FDIC cover these types of things?

    And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam, however I hope they now include something that says "if it was your fault someone else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandatory!

    For those of you who have an ING account you know what their security is like. Nothing much that will hamper a real customer, but things that should stop non-customers.

    --
    Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
  10. Quoted.. by ZOMFF · · Score: 3, Funny

    An employee of the Swedish Bank was quoted as saying, "Gersh gurndy morn-dee hack-zee hack-zee!"

    --
    Launch every sig.
  11. Predefined one-time keys are insecure by hankwang · · Score: 4, Informative

    I was curious about the security protocol for Nordea bank and although links on the Nordea site are currently broken (an attempt to cover up?), I could find them on Google.

    So the scammer just needs the fixed PIN code, plus a few of the one-time codes.

    I used to have a bank account in Sweden with a different bank that uses a cryptographic challenge/response key generator, both for logging in and confirming a transaction. The website supplies you with a code number that you enter, as well as a PIN code. The device uses the code together with a secret key and the time from an internal clock and lets you send back the data.

    Banks here in the Netherlands use similar systems, often with a generic card reader that uses a chip that is built into the bank cards. Others send a confirmation code by SMS to a mobile phone number that is registered to your account.

    I think cryptographic systems are inherently much more secure than predefined one-time keys. The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction. Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.
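
Added example, not part of hankwang's post and not any bank's actual code: a sketch of a response code bound to the challenge, the transaction and a 30-second window, next to a predefined one-time list code that is checked without reference to the transaction. The HMAC-SHA256 construction, field encoding, 8-digit truncation, function names and all sample values are assumptions; the post does not say which algorithm the device uses.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 30  # validity period given in the comment above

def _encode(*fields: str) -> bytes:
    # Length-prefix every field so two different field tuples never serialize alike.
    return b"".join(struct.pack(">H", len(f.encode())) + f.encode() for f in fields)

def response_code(secret: bytes, challenge: str, to_account: str,
                  amount_cents: int, now: float) -> str:
    """Device side: 8-digit code bound to challenge, transaction and time window."""
    window = int(now // WINDOW_SECONDS)
    msg = _encode(challenge, to_account, str(amount_cents), str(window))
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"

def verify_response(secret: bytes, challenge: str, to_account: str,
                    amount_cents: int, code: str, now: float) -> bool:
    """Bank side: recompute for the transaction actually submitted."""
    expected = response_code(secret, challenge, to_account, amount_cents, now)
    return hmac.compare_digest(expected, code)  # constant-time comparison

def verify_list_code(unused_codes: set, code: str, to_account: str,
                     amount_cents: int) -> bool:
    """Predefined one-time list: the code is consumed, but nothing ties it to
    the transaction, so to_account and amount_cents play no part in the check."""
    if code in unused_codes:
        unused_codes.remove(code)
        return True
    return False

if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample values throughout
    t0 = 1_200_000_000.0
    code = response_code(secret, "493817", "ACCT-LANDLORD", 50_000, t0)
    print("same transaction:",
          verify_response(secret, "493817", "ACCT-LANDLORD", 50_000, code, t0 + 10))
    print("other payee:",
          verify_response(secret, "493817", "ACCT-OTHER", 50_000, code, t0 + 10))
    print("after window:",
          verify_response(secret, "493817", "ACCT-LANDLORD", 50_000, code, t0 + 31))
    print("list code, any payee:",
          verify_list_code({"4821", "9034"}, "4821", "ACCT-OTHER", 50_000))
```

A logged response code verifies only for the payee, amount and window it was computed for, whereas a logged list code is accepted for whatever transaction is submitted with it.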

  12. Disappointed in you /.ers by silentounce · · Score: 3, Funny

    What?! No, Soviet Russia jokes yet?!?!
    In Soviet Russia, key logs you!
    Or even better. In Soviet Russia, you gulag.
    Perhaps, in Soviet Russia, bank robs you!
    One last note, in Soviet Russia, Russian reversal jokes are funny.

    --
    There are many tongues to talk, and but few heads to think. -Victor Hugo
  13. Re:The whole article appears to be FAKE by Nemetroid · · Score: 3, Informative

    No, this has been reported by Dagens Nyheter, The Daily News, which is Sweden's largest and most serious newspaper.

  14. The customers didn't lose money. by AxelBoldt · · Score: 4, Insightful
    The bank is refunding everyone who lost money
    That's crap. The customers didn't lose anything. The bank lost money; it was tricked into paying out funds without having been authorized to do so by the funds' owners. The bank neglected the first rule of the banking business: "Know your customer". It did not properly check the identity of the people it was interacting with, and therefore has to eat the full loss.