Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hacked Bank of India Site Labeled Trustworthy

Posted by kdawson on from the punching-a-hole-in-the-web-of-trust dept.

SkiifGeek writes "When the team at Sunbelt Software picked up on a sneaky hack present on the Bank of India website, it became a unique opportunity to see how anti-phishing and website trust verification tools were handling a legitimate site that had been attacked. Unfortunately, not one of the sites or tools identified that the Bank of India website was compromised and serving malware to all visitors The refresh time on a trust-brokering site is too long to be useful when a surf-by attack on a trusted site can take place in a matter of seconds, with a lifetime of hours, and with a victim base of thousands or greater."

54 comments

  1. How common a problem? by mordors9 · · Score: 3, Insightful

    That's the problem, how many consumers are sophisticated enough to even ask the right questions. They simply trust that their financial organization or any major web retailer has a secured site. Obviously there should be strict standards but who is going to enforce it. What authority would the agency actually have. As I have said before, there is still a lot to be said to walking into your local bank and being helped by a clerk that you see every week that you can shoot the shit with as they handle your transaction.

    1. Re:How common a problem? by Ash+Vince · · Score: 3, Insightful

      That's the problem, how many consumers are sophisticated enough to even ask the right questions. On a similar note I just went to the Site Advisor page for bank of india. (http://www.siteadvisor.com/sites/bankofindia.com)

      Especially amusing is the comment some moron has posted complaining about when Bank of India was getting a red rating. Basically he is saying how he used the site for three years and it must be a site advisor problem not a problem with the Bank of India website.

      How on earth do you come up with a technological solution that copes with people who even when they get a warning saying that the site they about to visit is dangerous carry on and visit the site anyway. I know that he should now have learnt his lesson (assuming he visited the site and got all that crap installed on his PC) but there must be alot more morons out there just like him.
      --
      I dont read /. to RTFA, I read /. to offend people in ignorance.
    2. Re:How common a problem? by allanw · · Score: 1

      Check the posting date of that comment:

      Posted at 12/23/2006-02:16:06 PM by Mehli B Mulla, Reviewer , View profile [ Reputation score: 1 / 9 ]

    3. Re:How common a problem? by DemonXstreeM · · Score: 1

      it is true that you can do your part to lessen the risk by going into your local branch to complete transactions, however once you have completed your transaction the bank stores that information electronically and it then becomes subject to attack.

      --
      -exitus acta probat
  2. Banks: Please Stop Using ActiveX ! by Gopal.V · · Score: 5, Insightful

    There are very few instances when I actually need to rdesktop in and use a Windows machine.

    One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work. For someone who uses FF, noscript and occasional peeks at firebug, it really pisses me off when I have to disable all my own security checks to enable a site to "secure" itself.

    This is just another instance where I'd have been hit if I had been a user of the said bank (and had to use IE to browse it).

    --
    Quidquid latine dictum sit, altum videtur
    1. Re:Banks: Please Stop Using ActiveX ! by Anonymous Coward · · Score: 5, Interesting

      The main problem is that the Indian technical institutes rarely teach anything besides Microsoft products. So each year they produce many thousands of students who know of nothing but Windows, VB.NET, SQL Server, and ActiveX. When you only really know about one particular set of technologies, and virtually nothing about the alternatives, you'll usually make poor choices regarding which technologies to use. In the case of ActiveX, its use can easily lead to compromised systems and data.

    2. Re:Banks: Please Stop Using ActiveX ! by ScrewMaster · · Score: 3, Insightful

      For someone who uses FF, noscript and occasional peeks at firebug,

      Don't forget Privoxy.

      But yeah, the only thing I deliberately use Internet Exploiter for is Windowsupdate. Requiring an ActiveX control (ActiveX!) on a financial site is unacceptable, as is forcing visitors to use Explorer. Personally, I have the same setup you do, and the occasional site that requires Explorer doesn't get visited again. I also have several sites that I use for financial purposes, and they all support Firefox. If they didn't, I'd either switch institutions, or not use their site.

      One of those is when I've actually got to visit one of my online banking sites, which requires some obscure activex "security" extension to work.

      That's insane. I mean, the bank is assuming that their own security is perfect and will never be cracked, which is not realistic. When you get right down to it, you'd think that banks (of all organizations) would require the use of a more secure medium. Nothing would please me more than to navigate to my bank's Web site in Explorer and see a message "We're sorry, but due to ongoing security issues with Microsoft Internet Explorer, this site requires the use of a more capable browser" and see links to Firefox, Opera and others. When I first signed up at my current bank, it was the exact opposite, but fortunately I could just change the browser ID and it worked fine, no ActiveX crap.

      --
      The higher the technology, the sharper that two-edged sword.
    3. Re:Banks: Please Stop Using ActiveX ! by Shados · · Score: 2, Interesting

      Ironicaly, I went to a very Windows-heavy college (it did show unix, linux, intel assembly, and other non-MS centric stuff, but overall it was more than 50% windows), and they didn't show us ActiveX especially becuase of all its issues (and that was before .NET, too, back when ActiveX were sortoff relevent).

      So not only those institutes may be Windows-only, but they're behind the time and pretty bad too. At least from what I read, not -all- of em are like that...

    4. Re:Banks: Please Stop Using ActiveX ! by b1ufox · · Score: 1

      You can't teach ability to choose a different solution. That said nobody taught me kernel programming, rather discouraged me but still i work as a kernel developer full time. That said teaching is not the problem, mindset is.

      --
      -- "Genius is 1% inspiration and 99% perspiration" - TAE --
    5. Re:Banks: Please Stop Using ActiveX ! by 140Mandak262Jamuna · · Score: 1
      I also have several sites that I use for financial purposes, and they all support Firefox. If they didn't, I'd either switch institutions, or not use their site

      I can personally vouch that the following financial institutions support Firefox, and I did not have to chew anyone's ears or fiddle with agent strings. Vanguard, Schwab, Dollar Bank, Citizens Bank, Smith Barney, Fidelity, MFS, Ameritrade, NDB (might be defunct now). And if an Financial institution does not support FireFox, it does not get my business.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    6. Re:Banks: Please Stop Using ActiveX ! by ScrewMaster · · Score: 0, Troll

      The main problem is that the Indian technical institutes rarely teach anything besides Microsoft products.

      Good.

      --
      The higher the technology, the sharper that two-edged sword.
    7. Re:Banks: Please Stop Using ActiveX ! by Anonymous Coward · · Score: 0

      USAA also does. No stupid activex or anything.

    8. Re:Banks: Please Stop Using ActiveX ! by dave_h_in_philly · · Score: 1

      Here in Korea (I'm no longer in_philly), most of the financial sites and numerous government sites such as Korea Post, use "obscure 'security' extension" ActiveX controls. But in Korea it has to do with Korea's adoption of the SEED cipher back in the 90s, and the inability to get 128-bit encryption from the Americans until 1999. Needless to say, it is a significant concern for me (an expat) as well as for regular Koreans. For my own part, I try to avoid such sites and do as much banking as possible in the US, but for most Koreans that's not an option. At least according to the article I linked above, Koreans are suing their government over the whole mess.

    9. Re:Banks: Please Stop Using ActiveX ! by Mathinker · · Score: 1

      Sorry, didn't quite understand that reply, especially considering your other posts....

      You're just happy that the use of ActiveX isn't dogma of major Indian religions?
      You're glad you won't have to compete in the job market against outsourcing to Indian Linux/BSD gurus?

    10. Re:Banks: Please Stop Using ActiveX ! by ScrewMaster · · Score: 1

      I perceive Indian tech workers as competing in the same job market that I do, and if they deliberately choose to use second-rate development tools that's fine by me. Not picking on Indians per se: it's just that I'm always happy to see my competition make potentially poor decisions.

      --
      The higher the technology, the sharper that two-edged sword.
    11. Re:Banks: Please Stop Using ActiveX ! by ScrewMaster · · Score: 1

      Yes, I remember reading a couple of articles about that here on Slashdot. I hadn't realized that Koreans are sufficiently upset about it that they're taking on their own government. Hopefully that will result in some positive changes.

      --
      The higher the technology, the sharper that two-edged sword.
  3. dont trust sites that crosslinks by Anonymous Coward · · Score: 0

    never trust sites that use different domains to show pictures, provide logins, tracker pixels etc...

    1. Re:dont trust sites that crosslinks by larry+bagina · · Score: 1

      like slashdot?

      --
      Do you even lift?

      These aren't the 'roids you're looking for.

  4. iframes... by ls+-la · · Score: 1

    ... seem to be nothing but trouble. Does anyone know of a legitimate use for them (especially cross-server) that could not be done with a bit of easy server-side including? On a related note, does anyone know of a firefox addon that can warn you if any page you visit contains an iframe tag?

    1. Re:iframes... by ubernostrum · · Score: 3, Informative

      They're useful for doing in-place file uploads without refreshing the page (e.g., in a web app like Gmail where you'd want to add an attachment to a message), because that's the only way to do that.

    2. Re:iframes... by vux984 · · Score: 1

      Does anyone know of a legitimate use for them (especially cross-server) that could not be done with a bit of easy server-side including?

      They are efficent; they let you change the content of part of your page without reloading the whole thing. I use them frequently with venture capital company websites to display slightly delayed stock charts and share price information for example. They can update themselves every couple minutes without reloading the whole page.

      Additionally, because the chart and share information is provided by 3rd party company, the iframe is cross-server. I suppose one could write a proxy layer to make the iframe appear to come from the same server, but I don't see any real benefit to that.

      And it goes without saying that they are heavily used for advertising; again because they don't reload the whole page the ads can be roated.

      You could use ajax style programming to get the same effect I suppose, but that would be more work; and again I'm not sure how it would make it more secure.

    3. Re:iframes... by Anonymous Coward · · Score: 0

      yes. frame redirecting sites. see joker.com and other providers which give frame redirects for legit websites.

    4. Re:iframes... by Ant+P. · · Score: 1

      You could try sticking something in the user CSS to make iframes stand out. Not too hard to force them all to have a big red border.

    5. Re:iframes... by JacksBrokenCode · · Score: 1

      Would it then require some hack to make sure that the inline style doesn't override any stylesheets you've created? The iframe used on bankofindia.com had "style='visibility:hidden;'". Unless I'm mistaken, even if you had custom stylesheets applied to every page you visit the inline CSS would still rule... right?

    6. Re:iframes... by Anonymous Coward · · Score: 0

      Would it then require some hack to make sure that the inline style doesn't override any stylesheets you've created?
      No, not a hack, just good use of the cascading order.

      The iframe used on bankofindia.com had "style='visibility:hidden;'".
      I'd rather eliminate it with display: none!important;, although getting rid of it entirely with a filtering proxy is much more secure.

      Unless I'm mistaken, even if you had custom stylesheets applied to every page you visit the inline CSS would still rule... right?
      That's right--unless you use !important rules which (applied in a user style sheet) always take precedence.
  5. Re:Whoopdeedoo by garcia · · Score: 5, Insightful

    As stated, when someone like Doubleclick, Akamai or some other cache serving company gets compromised, then I will worry about things more.

    For some unknown reason, I hoped that financial institutions would have more online security than Doubleclick or Akamai.

  6. in Soviet India... by Anonymous Coward · · Score: 1, Funny

    hacked site labels YOU trustworthy.

  7. Re:Whoopdeedoo by MrAnnoyanceToYou · · Score: 1

    Why's that? Akamai probably handles multiple foundational financial systems' networking, so if they got compromised it could be a much bigger deal.

    Having worked for a bank, I'd be floored if financial systems' defenses ever caught up with technical systems'. The problem is that in a financial organization financial skills are valued on a cultural level rather than technical skills. This is quite different from a technical company, at least one in its early to mid life. (in, of course, my experience and readings. Perhaps this is not completely true)

    --
    My little site.
  8. Anti-phishing tools shouldn't be used to determine by Glowing+Fish · · Score: 4, Interesting

    Anti-phishing tools shouldn't be used to determine which sites are good, they should be used to determine which sites are bad.
    These tools might have picked up thousands of shoddily done, fly by night phishing scams. It doesn't reflect badly on them if one well done, sophisticated cracked server can fool them. There is still going to be errors. These tools allow people to discount the most obvious hacks, and use their time on the 1% of most dangerous hacks.

    --
    Hopefully I didn't put any [] around my words.
  9. Looks to me..... by TW+Atwater · · Score: 1

    ..like it only affects Windows users.

    --
    More than 60,000 Windows programs won't run on Linux.
    1. Re:Looks to me..... by jimicus · · Score: 2, Interesting

      Maybe the malware it dishes out only affects Windows users. But if that part of the site has been compromised, what's to say there isn't also some surreptitious logging of user credentials going on?

  10. now if it were me... by oblonski · · Score: 2, Interesting

    ... I would implement the one-time password sent to mobile phone which is the method my internet banking site uses: you log in with card number, customer selcted pin and password

    the login page also has BIG warnings: do not click on any links (relating to your banking or purporting to be) or give your banking details to anyone on the internet or in an e-mail since the bank or it's employees will never ask for it

    then when you are on your profile page, before you can do any transaction at all, the site sends an SMS to your mobile with a one-time password only after entering this password are you allowed into your main account and can start banking i.e verifying your physical presence as well as being good security measure for online banking sessions

    of course you need to set all this up with your bank beforehand, but with new financial regulations in south africa you go through a long process of verifying your identity and proof of address in person in a bank each year, so from the beginning this type of scheme has robust security

    this has worked very well and i need to hear of an instance of it being circumvented other than criminals holding a gun to your head while you do your banking, which puts the whole thing in another category altogether

    people who get scammed by clicking on links and falling for Nigerian type fund relocation schemes only has their own stupidity and greed to blame

    only my 0.02

    --
    Move along now, nothing to see here! Go on!
    1. Re:now if it were me... by mlts · · Score: 3, Informative

      Banks, especially in the US, need a system like above for authentication, where its not just a single username and password protecting someone's accounts from total destruction. Some banks now use a system where you type in your username, it asks one of several personal questions, then your password, but that doesn't protect much against a keylogger, as an attacker can keep trying the questions until he/she finds the one that gets presented with an answer in the keysniffer's output.

      PayPal, eBay, and Verisign offer a rebranded Vasco keyfob that one can use. Enter in username, tab to the password field, enter in your password, then append the six digit number from the Digipass Go 3 (the OEM name), and you are in. Though this is not as well engineered as a SecurID system, it still forces a would-be thief to have physical custody of the keyfob and the password to the account.

      Some European banks use a system similar to the age-old one time password system found in BSD (S/Key or OPIE). You obtain a list of one time passwords on a piece of paper that you scratch off in the mail, and every time you log in, you scratch off the next one on the list. This can be attacked (there are some targeted phishing attacks to try to get users to type in multiple lines off the OTP paper), but it keeps a compromised user PC from becoming an entry point for an attacker.

      Lastly, there are always Aladdin eTokens that store a private client certificate. This is one of the more secure ways, because there are zero passwords used. The server asks the client (any web browser pretty much) for a certificate similar to how a SSL enabled web browser asks the web server for its cert, the web browser passes the signing request to the eToken, the eToken signs it on the physical card (the private key never leaves the eToken), and the server checks the validated cert against the user list and lets the user in. For academic places (universities), this is one of the absolute best ways to do things.

      All and all, probably the best solution would likely be a hybrid system, similar to an eToken NG-OTP keyfob, that allows a user to plug the token in and use it online with client certificates, or offline, typing the six digit number off the LCD screen.

      Disclaimer: I don't work for Aladdin, RSA, or Vasco, but like their products.

    2. Re:now if it were me... by Anonymous Coward · · Score: 0

      One thing my bank does that is a little different variation on that:

      When you sign up with online banking, you type in a phrase and select an image from a list, as well as setting up a username, password, and a group of security questions. When you log in you are asked one of you security questions, and then they present you with a page that has the image and phrase you typed in. The logic, I assume, is that nobody else will know what phrase you told them, or know what image you selected. *shrug*

    3. Re:now if it were me... by MMC+Monster · · Score: 1

      Interstingly enough, when I created an HSBC direct savings account a couple months ago, it asked for two passwords. One I would type in after my user name. The other I had to click in using my mouse on a virtual keyboard on their website.

      I have to do this every single time I want to access my account online. The second password sounds like it should be resistant to the average keylogger.

      --
      Help! I'm a slashdot refugee.
    4. Re:now if it were me... by mlts · · Score: 1

      I thought a virtual keyboard would be the thing too, until I read on the anti-malware lists that almost all modern keyloggers also take compressed screenshots of when and where you click your mouse. Maybe a virtual keyboard that would work with mouseovers (hover the mouse for a couple seconds above each key) would be the ticket, as that would require FRAPS-like video monitoring by spyware (which would be a noticable bandwidth hit), and did not generate keypresses, but sent the mouseovers directly to the server.

      A lot of on screen keyboard utilities generate keypresses that go through the keyboard buffer, where the OS, and malware can scoop them up, so having a utility that was directly connected to either an application, or just shipped the mouse locations directly to the server for parsing would be best.

  11. How aggressive do you want rating systems to be? by Animats · · Score: 1

    How aggressive should systems be about downgrading ratings for web sites? We've been struggling with this for SiteTruth. In addition to SiteTruth's main function, checking business identity, we have some basic phishing checks. We download the PhishTank database every few hours. PhishTank has lists of bad URLs, but now that the smarter phishing sites change URL and even subdomain in each spam e-mail, blocking by URL is no longer effective. So we now flag the entire base domain.

    This can have broad effects. Right now, we're blacklisting all of AOL (SiteTruth report) and all of "live.com" (SiteTruth report). Both AOL and Microsoft Live have redirectors which are being actively exploited by phishing sites. We can't tell their safe URLs from their unsafe URLs, so we have to blacklist the whole domain.

    When a site with an open redirector plugs the hole, PhishTank will downgrade those "active phishes" to inactive. We'll then pick that up and rerate them within hours. But until they do, they're in the tank. The whole site.

    Too harsh? Realistic? Evolution in action? Comments?

  12. Re:Whoopdeedoo by chaosite · · Score: 1

    Serious?

    Akamai is a tech company. They know their networks extremely well. I would expect that they were more competent with regards to security threats to their servers than a financial institution, whose main business is not running a computer network...

  13. It has been fixed, by 140Mandak262Jamuna · · Score: 1

    Siteadvisor says the site has been fixed and it is giving a green tag for it now.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  14. Re:Whoopdeedoo by mlts · · Score: 1

    Akamai not just does the networking for banks, but I'm pretty sure they handle a lot of high volume services that if tampered with would mean a lot of damage. Microsoft Update/Windows update is hosted on their network, for example.

    Most banks pay attention to their IT infrastructure, and if a compromise happened, heads would roll. However, almost always, there would be some way of showing due diligence [1] so nobody goes to prison or major lawsuits don't get filed. On the other hand Akamai's whole line of business is dependent on how secure their servers are, so I'm pretty sure they have a lot more manpower and resources dedicated to that (as a percentage), compared to a bank or credit union. Security is Akamai's reputation, where a breach with them would be as catastrophic and company destroying as having Verisign end up with its root signing private keys for anyone to download on a FTP server.

    From what I read, Akamai does a very good job of keeping their stuff locked down.

    [1]: HIPAA/SOX/other regs are another can of worms, and are almost as daunting (if not more so) for IT departments as keeping the infrastructure maintained.

  15. Banks are notoriously technically ignorant. by Futurepower(R) · · Score: 1

    We did some consulting work involving two large banks. The managers at one said that their bank had NO technically knowledgeable people who worked for the bank, on contractors. I talked to one of the contractors, and he had very little technical knowledge, also. (How would a bank with no technical knowledge choose which contractors were technically knowledgeable.)

    The other bank seemed to have very, very little interest in technical issues, also.

    We have accounts with several online banks, including an extremely large international bank. All have web sites with major design problems.

    I suppose that is one of the reasons that bank web sites are often IE only.

    BankRate.com is terrible, in my opinion, but it seems to be the best bank information web site available.

    1. Re:Banks are notoriously technically ignorant. by Futurepower(R) · · Score: 1

      Corrections: "only contractors." Also, "How would a bank with no technical knowledge choose which contractors were technically knowledgeable?"

  16. Re:Anti-phishing tools shouldn't be used to determ by blowdart · · Score: 2, Informative

    But that's not what anti-phishing tools are they for. They should flag fake sites, not legit sites serving spyware. Regardless of the hack, the site itself was still the Bank of India site, and not a phished site. An iframe embedded in legit source is not a phishing scam. A toolbar that only checks for URL legitimacy would be correct in not flagging the site.

  17. site under temporary maintenance by Anonymous Coward · · Score: 0

    This message is posted on the BoI website: "This site is under temporary maintenance till further notice. Kindly bear with us."

    Nearly all links have been removed.

    I also noticed that it's "best viewed with IE 4.01 at 800x600. Who the hell is still using that crummy browser?

    1. Re:site under temporary maintenance by 140Mandak262Jamuna · · Score: 1
      er, may be, the Indians?

      Though many Indians now own PCs, they [I mean the PCs, not the Indians ;-)] are still considered a luxury items. Further the replacement time is quite large in India. Most people use internet cafes on a regular basis to access the net. So, yeah, there are plenty of old computers running old OSes in India, Pakistan, Bangladesh etc. So a bank site would still target a 800x600 screen. And then clueless managers will waste the screen real estate with useless stuff and links.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  18. Re:Anti-phishing tools shouldn't be used to determ by Anonymous Coward · · Score: 0

    LinkScanner from Exploit Prevention Labs protected against this. http://explabs.blogspot.com/ How? It looks only for known exploits, and it stops the driveby download from occuring. Solutions like this are the only way to reliably stop driveby downloads from sites like Bank of India, because a trusted site can be clean one minute and dirty the next. Reputation filters can't react in real time. You need an anti-exploit scanner.

  19. Re:Anti-phishing tools shouldn't be used to determ by (Score.5,+Interestin · · Score: 1

    Anti-phishing tools shouldn't be used to determine which sites are good, they should be used to determine which sites are bad.
    Maybe I'm misreading this, but it looks like you're advocating "Enumerating Badness", which is No.2 in the Six Dumbest Ideas in Computer Security (it's actually a special case of the No.1 dumbest idea, "Default Allow"). Or did you mean something different?
  20. Google Desktop would block this by Anonymous Coward · · Score: 0

    Google Desktop 5 would in fact block the iframe from loading, since it's in the Google blacklist.
    http://www.google.com/search?q=site%3Agoodtraff.bi z&btnG=Search

    Google search did not flag the site itself; As suggested by others, the site was probably compromised and cleaned up between Google's indexing cycle.

    Google does expose an API (search for 'safe browsing API') that contains these known bad hosts (goodtraff, etc), so incidents like these can still be prevented even before Google checks the compromised sites themselves. Google Desktop 5 uses this API, and mozilla developers blogged about possibly including this in Firefox 3.

    There still remains a problem with relying on blacklists (what if the attackers did not use an iframe and instead hosted all the exploits on the site itself), but I am just stating that the article did not cover Google Desktop, which in fact protected its users in this case.

  21. Bank of India? by yams · · Score: 1

    Could someone please tell me about this bank? I had not heard of it until now. Is it really a bank? What would be the estimated customer base?

    1. Re:Bank of India? by Anonymous Coward · · Score: 0

      I don't know about details for this bank. May be you can visit their website to find more details :)
      I know for sure that it's a legit bank, but not THE official 'bank of India' aka regulatory bank for the country. THE bank in India is Reserve Bank of India (www.rbi.org.in)

  22. Someone made a big boo-boo!!! by Anonymous Coward · · Score: 0

    Looks like these guys at Sunnet Berkerming didn't do their homework right... This http://blogs.zdnet.com/security/?p=487 article at ZDNet (who I have at least heard of before) mention the same incident, with a pretty screenshot showing how the plugin from Finjan correctly detected the malicious code on the website.

    Sounds to me a bit far from providing "accurate, non-biased synopsis of security-focussed technology trends" as they claim on their site...

    1. Re:Someone made a big boo-boo!!! by CodeMaster · · Score: 1

      Ouch.

      That must have hurt. Having a real journalist post actual facts that contradict your product pitch article.

      Shame on you guys. BTW - anyone heard of these Beskerming before?