Slashdot Mirror


A Look At the CoreFlood Botnet

CNet is running a story about research from security expert Joe Stewart into the CoreFlood botnet, which has harvested at least "50 gigabytes of compressed data, searchable in a MySQL database," from a group of over 370,000 bot IDs. Stewart explains how the botnet operates and some of the things he's learned about the group that operates it. "Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say by a keylogging application. The CoreFlood script will then capture the HTML data on the post log-in page. In most cases, that page also contains the account's bank balance. They do that, he said, so that after running the test they have a picture of what are the highest dollar amounts. 'I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account. We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first,' he said."

120 comments

  1. Key Generator by FriendlyLurker · · Score: 4, Interesting

    My bank (HSBC) gives me a little keychain key generator that spits out a 6-digit number when I press the button. All logins must also have the key number... I wonder if this simple measure would stop dead any keylogger attacks like this, OR with enough reasonable time monitoring they could reverse engineer the generator's seeds?

    1. Re:Key Generator by Entropy98 · · Score: 2, Informative

      I'd like something like that. My bank said if someone gets access to my account I'm screwed. All I have protecting me is having to answer 1 of 3 questions. Mother's maiden name, etc.
      --
      IP Finding

    2. Re:Key Generator by Anonymous Coward · · Score: 5, Informative

      Not only do I use one of those for logging in, but any financial transaction has to be signed with the pad.

      For the bank where I have my loans, I have an SSL certificate and signature to confirm my identity.
      That same certificate is tied to my national identity card, meaning I can use it for a lot of other things as well.

      All in all, I can't understand why the US is so far behind when it comes to online banking.
      I mean, I've had this for eight years now, and it's been around longer.

      Much love from Sweden ;)

    3. Re:Key Generator by shungi · · Score: 5, Interesting

      A good solution is to send a text message containing a code to your mobile phone every time you make a transaction (or perhaps group of transactions). You then have to punch the code into the website.

    4. Re:Key Generator by MrMr · · Score: 4, Informative

      That can be effective, just make sure the answers are not correct in a naive way. For instance Mother's maiden name = FE31BB076800267D0BA etc...

    5. Re:Key Generator by drspliff · · Score: 2, Informative

      This solution already exists in the form of one-time security codes like the RSA SecurID range of products.
      Basically it's a PRNG which spits out a number every few minutes which is unique to the customer.

    6. Re:Key Generator by mapkinase · · Score: 2, Informative

      The problem is that the carriers are unreliable in timing of delivery even w/o grid problems. So many times I have got text messages and even voice mail hours after it was delivered.

      PS. I am with Verizon Wireless

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    7. Re:Key Generator by Uber+Banker · · Score: 5, Interesting

      When I was opening my first bank account (independently opening, back in 1995) I wrote a similar response on the form to Mother's Maiden Name as you stated above - a little more secure. Only to have the bank call my home to tell me that could not be a maiden name, please state her maiden name. Either HSBC or Natwest, I forget now which. 1995. I hope awareness over security has increased.

    8. Re:Key Generator by sam0737 · · Score: 2, Informative

      Most Chinese payment gateways (for processing online credit/debit card transactions) do this. You need to type the one-time password from the text message sent to the registered phone.

      Generally I hate this a lot unless they offer an alternative: Think when you are traveling, which I do a lot. Luckily, the payment gateway is only used to authorize China's website online transaction, but not every other online credit card transactions so I am not seriously affected (yet).

    9. Re:Key Generator by sam0737 · · Score: 2, Interesting

      Well... talking about mother's maiden name: at one of the banks in China, their online banking software requires me to pick 5 questions to answer from 3 groups, at least one from each. The groups are:
      Name of a family member: brothers, sisters, parents, children, uncle/aunt or grandparents.
      Name of teachers: the class master, or language class teacher, or math teacher of elementary, middle, or high school.
      Date of birth of the family member.

      Then the next time you do a sensitive operation (change password / change the questions), it randomly chooses one question and asks you.
      Or when you call the customer center, it won't ask for your password but instead asks you 3 of these questions.

      Well, not sure if it's a good system or not. But at least it gives me a sense of safety.

    10. Re:Key Generator by dkf · · Score: 2, Interesting

      The problem is that the carriers are unreliable in timing of delivery even w/o grid problems. So many times I have got text messages and even voice mail hours after it was delivered.

      I've had it take 9 months. Admittedly I wasn't in my home country at the time the SMS was sent.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    11. Re:Key Generator by Missing_dc · · Score: 2, Funny

      Wow, I hope that wasn't for paying a bill, you might find your house foreclosed when you get back.

      --
      How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
    12. Re:Key Generator by Anonymous Coward · · Score: 2, Funny

      Hmmm...lowish /. ID, mother's maiden name strange, ALIEN! Run!!!!!

    13. Re:Key Generator by Fulcrum+of+Evil · · Score: 1

      But at least it gives me a sense of safety.
</gr_replreplace>
<gr_replace lines="103" cat="clarify" orig="Sounds exactly like">
      Sounds exactly like what I have in Denmark... Actually, only people who DON'T use IE get the pad in my bank... :D. IE users get an ActiveX plugin. Yay for the world's least secure browser.

      That's about all you get - 1.1 factor auth is crap compared to RSA keyfobs.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    14. Re:Key Generator by tehniobium · · Score: 3, Interesting

      Sounds exactly like what I have in Denmark... Actually, only people who DONT use IE get the pad in my bank...:D. IE users get an activeX plugin. Yay for the worlds least secure browser.

      --
      No kitty, this is my pot pie!
    15. Re:Key Generator by caluml · · Score: 0, Redundant

      I wrote a little Java app for phones that works in the same way as RSA's SecurID. I'm trying to find someone who can write a PAM module for the server side now, so that after you've logged in with your username and password over SSH, it prompts you for the current token.

    16. Re:Key Generator by caluml · · Score: 2, Interesting

      I mentioned this above, but I wanted such a system for myself, so I wrote one that runs on Java enabled phones. mobfob.calum.org. Works well enough. The cryptographic hashing is just an MD5 sum, but if you don't know the key, you can't predict the hash. I just want to find someone who can write a PAM module so that it can be hooked into SSH, /bin/login, etc.

    17. Re:Key Generator by Kinetix303 · · Score: 1

      Is this with HSBC in Canada? I've been looking for a new bank...

    18. Re:Key Generator by Anonymous Coward · · Score: 0

      Are you here for Sarah Connor?

    19. Re:Key Generator by kwark · · Score: 3, Informative

      Why create your own if instead you could use the decades-old S/Key (http://tools.ietf.org/rfc/rfc1760.txt)?

      Your distro might have this in packages called opie. Debian packages:
      opie-client - OPIE programs for generating OTPs on client machines
      opie-server - OPIE programs for maintaining an OTP key file
      libpam-opie - Use OTPs for PAM authentication

      Java implementations can be found eg: http://math.berkeley.edu/~vojta/opiekey.html
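
The hash-chain scheme kwark points to, as an added example that is not from the thread, from the OPIE packages, or from the linked Java implementation: a small S/Key-style one-time-password server and client in Python. RFC 1760 derives each link by folding MD4 to 64 bits and prints passwords as six short words; this version uses SHA-256 and hex output, an assumption made to keep the code short, so it is S/Key-style rather than RFC-exact. The class names, the seed and the passphrase are invented for the example.

```python
import hashlib

# Added example (not from the thread): an S/Key-style one-time-password hash chain.
# Assumption: SHA-256 over "seed + passphrase" with hex output, instead of the
# MD4-folded-to-64-bits and six-word encoding that RFC 1760 specifies.


def hash_link(value: bytes) -> bytes:
    """One step along the chain: h(x)."""
    return hashlib.sha256(value).digest()


def chain_value(passphrase: str, seed: str, n: int) -> str:
    """h^n(seed || passphrase) as hex. Only the client can compute this, because
    only the client knows the passphrase; the server never stores it."""
    x = (seed + passphrase).encode()
    for _ in range(n):
        x = hash_link(x)
    return x.hex()


class OtpServer:
    """Keeps one value per user: the last link it has verified.
    Initialised with h^N, it expects h^(N-1) next, then h^(N-2), and so on."""

    def __init__(self, seed: str, sequence: int, initial_link: str):
        self.seed = seed
        self.sequence = sequence      # the stored link is h^sequence
        self.stored = initial_link

    def challenge(self) -> str:
        # Mirrors the shape of the S/Key prompt "otp-<hash> <seq> <seed>" (constructed)
        return f"otp-sha256 {self.sequence - 1} {self.seed}"

    def verify(self, otp_hex: str) -> bool:
        if self.sequence <= 1:
            return False              # chain exhausted: the user must re-initialise
        try:
            candidate = hash_link(bytes.fromhex(otp_hex)).hex()
        except ValueError:
            return False              # not even valid hex
        if candidate != self.stored:
            return False              # wrong, stale, or replayed password
        self.stored = otp_hex         # accepted: move one link down the chain
        self.sequence -= 1
        return True


class OtpClient:
    """The user's side: the passphrase never leaves this object."""

    def __init__(self, passphrase: str):
        self._passphrase = passphrase

    def respond(self, challenge: str) -> str:
        _, n, seed = challenge.split()
        return chain_value(self._passphrase, seed, int(n))


def run_demo(passphrase: str = "correct horse", seed: str = "sk1234", n: int = 100) -> dict:
    """Constructed scenario: two logins, a replay, and a copied server file."""
    server = OtpServer(seed, n, chain_value(passphrase, seed, n))
    client = OtpClient(passphrase)
    first = client.respond(server.challenge())
    results = {"first_login": server.verify(first)}
    results["replay_first"] = server.verify(first)       # keylogged OTP used again
    second = client.respond(server.challenge())
    results["second_login"] = server.verify(second)
    # Someone who copies the server's stored link can only hash it forward,
    # which moves away from the next expected password, not towards it.
    results["stored_is_not_next"] = (
        hash_link(bytes.fromhex(server.stored)).hex() != client.respond(server.challenge())
    )
    results["sequence_left"] = server.sequence
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point for the defender is in what the server holds: only the last accepted link, which is a one-way hash of the next password, so neither a keylogged OTP nor a copied OTP key file lets anyone log in again. The weakness kwark's "decades old" remark hints at remains: a sniffed password is useless for replay but the chain says nothing about what the session does after login, which is why the later comments on transaction signing matter.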

    20. Re:Key Generator by sam0737 · · Score: 2, Informative

      Well, one thing that I didn't mention: to log in to the banking system in the first place, before any operations can be carried out, you need a digital certificate (and ordinary password and username).

      It could either be a USB thumbdrive hardware form issued from the bank, or an imported PFX file.

    21. Re:Key Generator by sharperguy · · Score: 2, Funny

      My mother is called FE31BB076800267D0BA you insensitive clod!

      --
      "sudo rm -rf your-face"
    22. Re:Key Generator by ErikZ · · Score: 0

      Because in the US, we're not constantly under attack by Eastern European criminal organizations.

      Your RSA key is a result of your environment.

      --
      Democrats or Republicans. They are both taking us to the same place and they are not afraid of us anymore.
    23. Re:Key Generator by Kozz · · Score: 0, Troll

      Great idea, then I just need the bank to foot the bill for a mobile phone. I don't have one and don't need one.

      --
      I only post comments when someone on the internet is wrong.
    24. Re:Key Generator by Anonymous Coward · · Score: 2, Insightful

      I think the Atlantic Ocean does not help too much protecting the US from Internet fraud.

    25. Re:Key Generator by KamuZ · · Score: 1

      Banorte (a bank in Mexico) issues a "token" from RSA which generates a new number every minute; it is synchronized with your bank account so you can say it's "unique", and you need to type it with the password you know for every transaction you do (for example, "passwordNUMBER"), and of course it is one-time use. It would be awesome if they could give you a certificate for the whole connection; it would be more secure against someone modifying the transaction live.

    26. Re:Key Generator by Eunuchswear · · Score: 2, Insightful

      Because in the US, we're not constantly under attack by Eastern European criminal organizations.

      Uh, RTFA - you are under constant attack from Eastern European criminal organizations.

      --
      Watch this Heartland Institute video
    27. Re:Key Generator by Ihmhi · · Score: 2, Funny

      Ah, memories. Mrs. FE31BB076800267D0BA always did make the best brownies back in the day.

    28. Re:Key Generator by Tubal-Cain · · Score: 1

      So... What's her maiden name again?

    29. Re:Key Generator by Knackered · · Score: 1

      No, that's a bad solution. Mobile phone reception in my house is unreliable at best. Ironically, I live on the top of a hill, in sight of several radio masts in a major US west coast city.

      --
      a.
    30. Re:Key Generator by moonbender · · Score: 1

      No, it is a good solution. It's true two-factor security. It's just not a good solution for you.

      --
      Switch back to Slashdot's D1 system.
    31. Re:Key Generator by Anonymous Coward · · Score: 0

      If your mother's name is a hex string that's supposed to prove you're NOT a bot?

    32. Re:Key Generator by jcuervo · · Score: 1

      Here's to you, Mrs. FE31BB076800267D0BA / Jesus loves you more than you will know / whoa-oh-oh

      --
      Assume I was drunk when I posted this.
    33. Re:Key Generator by Anonymous Coward · · Score: 0

      FE31BB076800267D0BA is not a valid string, it contains a null character, and can't be completely read with a byte wordsize.

    34. Re:Key Generator by Killjoy_NL · · Score: 1

      I log in to my bank with a password, but every time I want a transaction, an sms is sent to my mobile phone.
      I think it's secure enough :)

      --
      This is the sig that says NI (again)
    35. Re:Key Generator by dkf · · Score: 1

      This solution already exists in the form of one-time security codes like the RSA SecurID range of products.
      Basically it's a PRNG which spits out a number every few minutes which is unique to the customer.

      The advantage of the mobile phone strategy is it is making use of a device that the user is (with very high probability) already carrying on their person. Most people don't like carrying lots of extra gadgets.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    36. Re:Key Generator by mcrbids · · Score: 1

      Tell me about this SMS "message" that was sent when you were out of the country... did it cry a lot, look a lot like your best friend, and come with a child-support payment?

      --
      I have no problem with your religion until you decide it's reason to deprive others of the truth.
    37. Re:Key Generator by JakartaDean · · Score: 1

      My HSBC account in Indonesia also uses one of those, and I love it. With the improved security, I can log in and transfer money (subject to daily limits) anywhere in the world. I've used it extensively for domestic transactions, and occasionally for international ones, and it just plain works.

      Compare that with my Canadian bank account (Bank of Montreal) where the online capabilities are so crippled it's useless to me. I can pretty much only transfer funds among my own accounts, because they don't trust their own security.

      --
      The subject who is truly loyal to the Chief Magistrate will neither advise nor submit to arbitrary measures (Junius)
    38. Re:Key Generator by Anonymous Coward · · Score: 0

      an important and very pertinent observation... well done.

    39. Re:Key Generator by dkf · · Score: 1

      wow, I hope that wasn't for paying a bill, you might find your house foreclosed when you get back.

      As it happens, it wasn't a financial message, but rather an instruction telling us to stay away as the person we were going to visit was ill with laryngitis (or something like that). Alas it was too late even by the time it was actually sent; we'd already booked accommodation in the area.

      Curiously, the message arrived about two weeks before she visited us the following year, causing massive confusion! Spooky coincidence, especially given that such visits either way are rare. (The trip is over a thousand miles each way, through some of the busiest highways in Europe.) On the other hand, I've had statistical training so I'd be really worried if coincidences never happened...

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    40. Re:Key Generator by Anonymous Coward · · Score: 0

      Moderator points must have been given to all the dickwads (THAT's a troll). How is the parent a troll? Is it a solution that information should be disseminated via devices which some people don't own? Why not offer a banking service which requires that you use the Internet? Doesn't that exclude grandma who still uses her IBM Selectric?

    41. Re:Key Generator by FriendlyLurker · · Score: 1

      No, HSBC Hong Kong...

    42. Re:Key Generator by Missing_dc · · Score: 1

      Absolutely hilarious. I laughed for a good 2 minutes after reading that just imagining the chaos that created. Thank you for sharing.

      --
      How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
    43. Re:Key Generator by Pf0tzenpfritz · · Score: 1

      The US is still some years ahead in almost every way. In these interesting times this means they were the first to hit the actual pile of crap. Efficient security is costly, banks are struggling, policies to screw up account holders in cases of banking fraud are much cheaper. European banking droids are actually looting public budgets to cover their losses caused by mismanagement. What do you think they'll do next? Improve security measures? You bet...

      --
      Oh, the beautiful gloss of greality!
    44. Re:Key Generator by Anonymous Coward · · Score: 0

      I filled out a security question like the following on some old account:

      youllneverguessmymothersmaidennameyoumothersuckinghackers

      When I had to reset the password, I got some customer service rep on the phone. She called me a dirty man...

  2. Online banking? Sign me up!!!! by Joce640k · · Score: 0, Redundant

    This just makes me even more determined to never say "yes" to online banking. No good can come of it....

    --
    No sig today...
    1. Re:Online banking? Sign me up!!!! by nicklott · · Score: 3, Funny

      Good god man! Presumably you get around by horse and cart? I mean, that petrol engine is very convenient and all, but think of the risk of explosion...

    2. Re:Online banking? Sign me up!!!! by purpledinoz · · Score: 3, Interesting

      In Germany, any money transaction requires you to enter something called an iTAN number. These numbers are mailed to you, so even if some hacker was able to gain access to your account online, no transfers can be made because they won't have the iTAN numbers. Unless you're dumb enough to scan these numbers and store them on your computer. It's a little bit of a pain in the ass, but after reading this article, I'm glad that this system exists.

    3. Re:Online banking? Sign me up!!!! by Anonymous Coward · · Score: 0

      You mean the 100% risk of explosion? I enjoy winding up one of my colleagues that while driving around his car is doing 6000 explosions per second.

    4. Re:Online banking? Sign me up!!!! by fatphil · · Score: 2, Informative

      Likewise in Finland. Single-use random 4-digit ids. We've had them for 15 years or more. (So in the early 90s, Finnish banks were more security conscious than most modern-day US or UK banks.)

      --
      Also FatPhil on SoylentNews, id 863
    5. Re:Online banking? Sign me up!!!! by Anonymous Coward · · Score: 0

      Is this iTAN number somehow keylogger proof?

    6. Re:Online banking? Sign me up!!!! by tyler.willard · · Score: 1

      Yes.

      They're one time use.

    7. Re:Online banking? Sign me up!!!! by cpghost · · Score: 4, Informative

      Yes, they are, like any other OTP system. Moreover, some banks also allow you to click in the numbers with a mouse by providing a keypad image. If you feel paranoid about key loggers, just use the mouse. But the real security is, of course, the one-time nature of those numbers.

      --
      cpghost at Cordula's Web.
    8. Re:Online banking? Sign me up!!!! by moonbender · · Score: 1

      That won't do any good. If attackers can install a keylogger, they have the ability to take screenshots, or some other means of determining the numbers. Of course, as you say, the security comes from being an OTP. After a transaction code has been used, its security is irrelevant. In fact, here's one of my previous TANs, no keylogger required: W8PBB2.

      --
      Switch back to Slashdot's D1 system.
    9. Re:Online banking? Sign me up!!!! by oldhack · · Score: 1

      Not to mention the risk of non-explosion...

      --
      Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
    10. Re:Online banking? Sign me up!!!! by dougisfunny · · Score: 1

      Why would the banks spend more money to be more secure? They don't have to pay when someones money gets stolen.

      --
      This is not the funny you're looking for.
    11. Re:Online banking? Sign me up!!!! by Anonymous Coward · · Score: 0

      The mouse keypads have key loggers as well, so it doesn't really protect you that well. It ain't much harder to write a key logger for that either...
      --
      Wil

  3. Criminal by WillKemp · · Score: 1

    I wish I was criminally inclined - it must be fun getting that stuff up and running!

    1. Re:Criminal by Timesprout · · Score: 4, Interesting

      You must be criminally inclined if you think setting up a system to steal from others would be fun.

      --
      Do not try to read the dupe, thats impossible. Instead, only try to realize the truth
      What truth?
      There is no dupe
    2. Re:Criminal by Anonymous Coward · · Score: 0

      or broke

    3. Re:Criminal by azgard · · Score: 3, Insightful

      Umm, no. Playing Civilization on a computer can be fun even if you are not inclined to be a dictator or conqueror.

    4. Re:Criminal by sammyF70 · · Score: 2, Interesting

      Maybe just technically interested. Writing and setting up a botnet like this one within the limitations inherent to something that's illegal sounds like an interesting challenge.

      --
      "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
    5. Re:Criminal by DMalic · · Score: 1

      I have to say that I don't understand your comment. If he'd just said "I would enjoy setting up that system so much", you would make sense. However, he didn't. Notice the "I wish I was criminally inclined"? That implies that he wouldn't actually enjoy it now.

    6. Re:Criminal by Ornedan · · Score: 1

      And you must be no geek. It's possible to admire a system that has parts doing really neat stuff without approving of the system's purpose as a whole.

    7. Re:Criminal by Anonymous Coward · · Score: 0

      Nice. You'd better call the Thought Police.

    8. Re:Criminal by Anonymous Coward · · Score: 0

      BOOM! HEADSHOT!

    9. Re:Criminal by WillKemp · · Score: 1

      You must be criminally inclined if you think setting up a system to steal from others would be fun.

      Not even remotely. But I do like a challenge. And security in general is a fascinating subject.

      I just think it would be technically very interesting.

    10. Re:Criminal by uvajed_ekil · · Score: 1

      Good point, because it has been proven that everyone who has ever enjoyed playing an even moderately violent video game has also been shown to have murderous tendencies. It isn't about the puzzle and the challenge of it all, of course.

      The means and methods of such a system are very interesting to some of us, even if we really have no interest in actually achieving the criminal result. But I know, everyone who reads novels about serial killers really wishes it were them.

      --
      This is a hacked account, for which the owner can not be held responsible.
  4. Useful information... by Anonymous Coward · · Score: 5, Funny

    Botnets need to start logging something useful.

    Like slashdot accounts with moderator points.

  5. Security Expert Joe Stewart by Anonymous Coward · · Score: 2, Funny

    First I thought "so that's what he's going to do without George Bush in the White House" but then I realized it's Joe the Security Expert, not Jon the Daily Show host.

    1. Re:Security Expert Joe Stewart by Anonymous Coward · · Score: 0

      With the Internet being a bunch of tubes couldn't he call in Joe the Plumber for security?

  6. Baby steps to the solution by Anonymous Coward · · Score: 5, Insightful

    One-time-password generators protect against replay attacks, but they do not protect against modified transactions. If an attacker has root on your system, then he can simply escalate the keylogging attack to a live modification of the transaction data.

    A better approach would be to use a class 3 card terminal. That's a small computer with a strictly defined purpose and specification (and therefore tremendously easier to secure). It has a display so that you can see the transaction that you authorize, without interference from software on a compromised PC, and it has a keypad so that you can enter the PIN and confirmation, without software on a compromised PC being able to capture any of it. These devices exist. The only reason they're not being used must be that the problem is currently not big enough to justify the cost of giving every customer a card terminal.

    1. Re:Baby steps to the solution by sam0737 · · Score: 2, Funny

      Sounds much harder to build right than an electronic voting machine...

    2. Re:Baby steps to the solution by Yetihehe · · Score: 3, Interesting

      Or, like in my bank, they send me an authorization code by SMS, stating which operation it is, how much it is, and the account number to which the money goes. It's much cheaper.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    3. Re:Baby steps to the solution by Anonymous Coward · · Score: 3, Informative

      Several problems with that:

      • SMS messages may be delayed
      • SMS messages are not encrypted end-to-end
      • Cellphones are no more secure than PCs
      • The additional security from using two separate devices is lost when you do online banking on your cellphone.
      • It's only cheaper if you do relatively few transactions. SMS messages are the most expensive form of data communication there is.

    4. Re:Baby steps to the solution by Gregar · · Score: 1

      That's a rather excessive / expensive approach to make the approach immune to tampering. It would be far easier / cheaper / more user-friendly to add a confirmation page at the very end of the transaction which shows all the details of the transaction and a so-called verification code (based on the amount of money, and the account numbers involved). This verification code will have to be entered into the key generator, together with PIN and bank number, and would create a reply code. This reply code then gets entered into the bank's website, making the process tamper-proof, at least until they reverse-engineer the algorithms.

    5. Re:Baby steps to the solution by Smask · · Score: 1

      but they do not protect against modified transactions. If an attacker has root on your system, then he can simply escalate the keylogging attack to a live modification of the transaction data.

      You're talking about the "man in the middle" attack. My bank, SEB, uses the transaction amount as one of the numbers I have to enter into the digipass to generate a pass key. In order to beat that they have to crack my digipass completely and I can't see how they will accomplish that since the digipass isn't connected to the computer in any way.

    6. Re:Baby steps to the solution by atraintocry · · Score: 1

      If the validation is done on the client side, then you have the algorithm already. If the validation is done on the server, then all you're doing is taking a code from one text box and pasting it into another. What's stopping the bot from doing that?

    7. Re:Baby steps to the solution by ard · · Score: 2, Informative

      > These devices exist. The only reason they're not being used must be that the problem is currently not big enough to justify the cost of giving every customer a card terminal.

      Not being used in the US perhaps... I've had one for several years with Swedbank. They are also used by another major Swedish bank, SEB.

      http://www.seb.se/digipass

      http://www.swedbank.se/sst/inf/out/infOutHjalp/0,3769,55142,00.html

    8. Re:Baby steps to the solution by Anonymous Coward · · Score: 0

      Only if you put Windows on both...then again, you could simply blame McAfee if something goes wrong

    9. Re:Baby steps to the solution by Yetihehe · · Score: 2, Informative

      Several problems with that:

      • SMS messages may be delayed

      Never happened to me, typically the SMS is on my cellphone 3 seconds after clicking "send" on the page.

      • Cellphones are no more secure than PCs

      You can't install keyloggers on most cellphones.

      • The additional security from using two separate devices is lost when you do online banking on your cellphone.

      It's not about two devices. It's about using cellphone instead of separate or no token.

      • It's only cheaper if you do relatively few transactions. SMS messages are the most expensive form of data communication there is.

      Depends where. Where I live sending an SMS costs me $0.05, receiving is free. Other carriers often have cheaper SMS. For a bank it may be a lot cheaper for mass messaging.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    10. Re:Baby steps to the solution by TeamSPAM · · Score: 1

      Yes, but I expect since real money is involved, this device will be built right.

      --
      Brought to you by Team SPAM! where we believe: "Information in the noise!"
    11. Re:Baby steps to the solution by coolsnowmen · · Score: 1

      There is plenty of money involved in e-voting machines. What real money has that e-voting didn't is a paper trail.

    12. Re:Baby steps to the solution by Gregar · · Score: 1

      The key generator is a completely separate client-side device, not connected to the client itself in any way. Validation is done on both server and client; it's a challenge-response sequence really, where the server sends a challenge which the user has to answer using his key generator. http://en.wikipedia.org/wiki/Security_token

    13. Re:Baby steps to the solution by atraintocry · · Score: 1

      Sorry, for some reason I misread and thought you were talking about doing this all in the browser without a SecurID or similar.

    14. Re:Baby steps to the solution by davidphogan74 · · Score: 1

      You can't install keyloggers on most cellphones.

      Yet. As Android, Windows Mobile, or Apple's iPhone platform become more used, exploits will be found.

    15. Re:Baby steps to the solution by Anonymous Coward · · Score: 0

      First, you must be able to recognize that the verification code is actually based on the transaction parameters you entered. The attacker might otherwise make the confirmation page show your transaction parameters together with the verification code for the actual, hidden transaction parameters.

      Second, if your password generator has a keypad for entering the verification code, a processor for making the calculations and a display for showing the resulting pass code, then it might as well be a class 3 card terminal. There are only two minor differences: the card terminal receives the transaction parameters from the PC and sends the signed transaction back, so that you don't have to type two codes, and the card terminal can be used with more than one banking card.

    16. Re:Baby steps to the solution by klykken · · Score: 1

      You can't install keyloggers on most cellphones.

      Why not? I guess this is more used by suspicious spouses than anything else, but mobile keyloggers are available at the market. With a few moments alone with your cellphone, it is fully possible for someone to install clandestine software that can relay incoming and outgoing SMS messages to a third party, thus opening the door for a race-for-the-last-key attack.

      --
      Looks like a fish, drives like a fish, steers like a cow.
    17. Re:Baby steps to the solution by OdinOdin_ · · Score: 1

      Ah, but my bank's one-time-password generator also has a transaction signing function, and into this I type in the amount too.

      In the UK NatWest have a one-time-password generator device that fits over your plastic card and talks to the chip. I use the card's PIN to make it work. It has the functions "Identify" and "Respond" and "Sign".

      The Identify function provides authentication; it basically proves I have possession of my cash point card. AKA the RSA one-time-password, I'd use this number during login online.

      The Respond function is similar to the Identify function but I have to feed in a 6-digit number to have it generate a 6-digit number. This is used to authorize transactions and proves I have possession of my cash point card (and know the PIN) within the timeframe of the transaction.

      The Sign function is similar to Identify but it also allows me to specify an amount for the transaction. This is the most secure mechanism and, as you can see, is not subject to replay attacks.

    18. Re:Baby steps to the solution by Anonymous Coward · · Score: 0

      I wouldn't call that a one-time-password generator. It's basically a class 3 card terminal without a connection to the computer, so instead of just entering the PIN and confirming the transaction, you have to reenter some of the transaction parameters (amount, routing number?) because the computer can't transmit them to the terminal.

      Keypad, display and processor are the essential ingredients for a class 3 device: Without the keypad, you can't have secure two-factor authentication (possession of the card and knowledge of the PIN). Without the display, you can't see the transaction that you authorize. Without the autonomous processor, you can't be sure that the information you enter or the information that you see is what is actually being processed.

  7. I am skeptical by TFGeditor · · Score: 2, Insightful

    Anytime I read "it could happen to anybody" in a security article, I am always skeptical. I think "it could happen to any *average* computer user/net surfer" is a better adage.

    Most here assembled, though not 100 percent immune, are far less susceptible than an "average" user to any sort of malware infection.

     

    --
    Ignorance is curable, stupid is forever.
    1. Re:I am skeptical by IamTheRealMike · · Score: 1

      Why? It's a drive by download against some unnamed browser (probably but not definitely IE). You don't have to visit shady sites to get those - these days they hack poorly protected legitimate sites and embed the exploit code into otherwise harmless pages.

    2. Re:I am skeptical by TFGeditor · · Score: 1

      "Why? It's a drive by download against some unnamed browser (probably but not definitely IE). You don't have to visit shady sites to get those - these days they hack poorly protected legitimate sites and embed the exploit code into otherwise harmless pages."

      Most IT jocks (formerly nerds and geeks):

      1. use less-exploitable browsers, e.g. Firefox
      2. use a less-exploitable OS, e.g. Linux, OS10
      3. are less likely to visit dodgy websites
      4. are less likely to respond to "Cum see Brittny Speers nekkid at our website!" email "invites"
      5. have exploit code detection scripts built into their browsers
      6. usually have multiple, fine-tuned firewalls (hardware and software)
      7. know their software and machine's performance well enough to detect when something odd is going on, even if the other measures fail

      I am sure I have missed more than a few somethings that answer the "why."

      --
      Ignorance is curable, stupid is forever.
    3. Re:I am skeptical by Anonymous Coward · · Score: 0
    4. Re:I am skeptical by AnotherDaveB · · Score: 1

      3. are less likely to visit dodgy websites

      I don't think that's valid. Past exploits have used syndicated advertising, e.g. DoubleClick, Falk.

    5. Re:I am skeptical by FlyingBishop · · Score: 1

      We're momentarily immune. This just gives me cause to worry about all the security exploits that are doubtless lurking beneath running Firefox 3 on Linux, and will begin to be exploited if we gain much more market share.

      In general, I don't see how I'm any safer than the average user, except that I have a reasonable understanding of what looks fishy in my browser. But really, it's not the things I can see that worry me, it's the things I cannot see, and I cannot see anything that prevents malware from hiding unobserved beneath my Firefox, sniping passwords without me being any the wiser.

      Obviously, precautions can be taken, but there are always countermeasures.

    6. Re:I am skeptical by Seth+Kriticos · · Score: 1

      Same thought I had, especially after reading the part of the article stating that it would run a Windows installer. They don't work on my machine. Does that mean that I'm nobody?

      Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft.

      "It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If the user also happened to be on the corporate network when that happens, the bot is then able to take advantage of that structure and is able to be a threat to everyone on that network.

    7. Re:I am skeptical by 1s44c · · Score: 1

      Most here assembled, though not 100 percent immune, are far less susceptible than an "average" user to any sort of malware infection.

      "It could happen to anyone who uses Windows" is more accurate. I have seen smart people with current virus scanners and anti-spyware tools still suffering from DNS hijacking and spamming worms.

      You only have to look at one dodgy website once. Having virus scanners and all the latest updates will not prevent infection.

    8. Re:I am skeptical by uvajed_ekil · · Score: 1

      Haha, I've had root on your box for three months already.

      --
      This is a hacked account, for which the owner can not be held responsible.
  8. Office Space by Joebert · · Score: 1

    Who says they're only taking from the rich accounts ?
    I probably wouldn't notice a few cents missing from my account once a month, I bet there's several thousand other people who wouldn't either.

    --
    Wanna fight ? Bend over, stick your head up your ass, and fight for air.
  9. ..as interest in sports makes one an olympian. by osir · · Score: 4, Insightful

    You would either have to be a hopeless moralist or simply dull around the edges to not find such an idea fun/interesting. Interest in criminal ideas no more makes you a criminal than interest in horror movies makes you a masochist, or someone harboring murderous intent. What a naive comment.

  10. this is a good way to do it. by Anonymous Coward · · Score: 1, Interesting

    My bank (SEB Sweden) uses a token from Vasco.

    Login works like this:
    username: birthdate+personal number (something like social security number)
    passwd: code generated by 2 numbers from the webpage punched into the token

    When you are done and want to make your transaction I punch in 1 number from the webpage and the amount of the transfer, and get a number back to sign the transaction.

    I believe this is pretty secure since you approve that amount to be transferred and the amount is in the code I sign the transfer with, so it's pretty hard to change the amount and the accounts that will receive the transfer.

  11. So how do we stop this? by the+positive+path+ · · Score: 1

    My bank has the random 3 questions plus password authentication scheme (Royal Bank Securities - Canada). I'm always wondering about the lax security, and when my account might be compromised. I bet if the bank calculated their total losses due to online fraud, then assumed RSA style token based authentication would reduce that by a significant amount, then wouldn't it make financial sense for them...?

  12. Target biggest first? by andyh-rayleigh · · Score: 5, Interesting

    "The only reason (the script) can see that data is to target the biggest accounts first,' he said."

    That depends on the objective and tactics of the attacker:
    Although the obvious assumption is that the attacker wishes to gain as much money as possible with a minimal chance of being caught, it may be that (s)he is less greedy and/or more cautious.

    Suppose that your target is a total of, say, $200K rather than the assumed multi-millions. You are far less likely to be caught or to trigger money-laundering precautions. In a case like this your best strategy might well be to go for above-average but not top 10% balances.

    Similarly, if you ARE going for the maximum while still hoping your chance of being caught is low, it may well be worth steering clear of the very highest balances as they could be more closely monitored (and some of them are probably "honeypots").

    1. Re:Target biggest first? by Anonymous Coward · · Score: 0

      Or target some of the busiest first and make your transaction similar in size to the other transactions happening on that account.

    2. Re:Target biggest first? by ankhank · · Score: 1

      Don't forget, one of the oldest ways to steal is by the fraction of a penny -- "rounding up" and "rounding down" and diverting the fraction to an account where the thief can collect it as it adds up.

      This is the same idea behind transaction fees of all kinds -- just collect a tiny amount every time money changes hands (every time, and every transaction).

    3. Re:Target biggest first? by Restil · · Score: 2, Insightful

      Yes, but to do this properly would generally require someone to have access to the internal programming of the banking system. Making 1 cent transactions might be possible, but they will certainly show up and be more noticeable than if 1 cent just disappeared from the balance. If your account has 200 transactions a month and carries a balance over $20000, you're only going to try to balance that so many times before you give up trying to find the penny. Heck, you could lose a dollar or two at that rate and likely get away with it. But the importance of this method is that the actual transaction doesn't show up.

      Then again... if you could find a way to disguise the transaction as a fee, it would likely get overlooked as well. :)

      -Restil

      --
      Play with my webcams and lights here
    4. Re:Target biggest first? by uvajed_ekil · · Score: 1

      Suppose that your target is a total of, say, $200K rather than the assumed multi-millions. You are far less likely to be caught or to trigger money-laundering precautions. In a case like this your best strategy might well be to go for above-average but not top 10% balances.

      This isn't my area of expertise (I don't have one), but I think this makes sense. The ideal target accounts would see a fairly large number of transactions without being really big accounts, meaning there would be a lot of "noise" (legit transactions) without a huge amount of scrutiny (unlike with especially large accounts). Corporate accounts might be worse targets than personal accounts, as they are likely tracked with rectification software and/or accountants. I wonder whether it is more common to see one-time theft of large amounts or perhaps repeat transfers of smaller amounts with the hope that they go undetected. Office Space-style microtransactions would probably raise suspicion quickly and not be profitable enough to be worth the risk.
      Honeypots for the banking industry? I never thought of that.

      --
      This is a hacked account, for which the owner can not be held responsible.
  13. Any USA banks? by ShadoxPrime · · Score: 1

    I wish my bank used a keyfob. Do any banks with a large eastern USA presence use any "advanced" form of security?

    1. Re:Any USA banks? by Vegeta99 · · Score: 1

      M&T does - If you have a business account, anyway.

  14. Re:Key Generator... is not useful by Anonymous Coward · · Score: 0

    I wonder if this simple measure would stop dead any keylogger attacks like this, OR with enough reasonable time monitoring they could reverse engineer the generator's seeds?

    It's not useful for banks:

    http://www.schneier.com/essay-083.html

    It certainly raises the bar a bit, but either a man-in-the-middle attack, or a trojaned personal computer will null any benefits.

    And remember that MITM attacks can be automated, so that the "man" doesn't even have to be human.

  15. Re:Key Generator... is susceptible to MITM by Anonymous Coward · · Score: 0

    This solution already exists in the form of one-time security codes like the RSA SecurID range of products.
    Basically it's a PRNG which spits out a number every few minutes which is unique to the customer.

    No it doesn't. A man-in-the-middle attack would circumvent the security:

    http://www.schneier.com/essay-083.html

    You think you're entering your SecurID token into the bank's web site, but you're actually entering it into a fake page, which then passes it along to your bank. Then when you think you've logged out, the attacker keeps the connection alive and transfers the money out.

  16. Possible Solution... by Quantos · · Score: 1

    I don't know if something like this would be possible or not, tell me what you think.

    A proprietary interface that would be distributed by the bank when you open your account.
    Each interface would have a distinct set of code in it, this would be different in each package-say for example half of a virus.
    When somebody else attempts to do a man in the middle attack, or keylogging to access your account, they would be attacked by the other half of the virus.
    It could do something like just shut their system down, or go to an extreme and perform a low level format.

    --
    Some people are only alive because it's against the law for me to hunt them down and kill them.
  17. They weren't looking for high balance accounts by Anonymous Coward · · Score: 0

    Actually, they probably weren't looking for the bank account with the most activity, but the account whose balance varied the most in a certain time period. It's probably a lot easier to steal money from an account whose balance is rapidly and continually changing than it is to steal money from an account whose balance is pretty much always the same -- missing money would be much more readily noticed in a "stagnant" account.

  18. Dunno what's coming but it's epic. by Requiem18th · · Score: 1

    Anonymous is legion. CoreFlood is legion*s*.

    Like in a legion of legion, legion^2.

    So strong in numbers it is a force of nature, taking into account that it is competing with the Storm, or do they coexist nicely?

    Is there any way to pit both networks against each other? I just hope it doesn't degrade into a bot-on-bot sin-fest, spawning little bot-nets into each and every single Internet in the web.

    Alas, with what is known, could WE build this bot-net eating bot-net? I know it sounds dangerous but think of it like a fast car driven by a bad man, now replace the bad man with a cop :) totally gonna work.

    At least Britons don't have to worry about securing their PC from these threats. Criminals simply read the account info from the surveillance main frames,

    --
    But... the future refused to change.
  19. Xor Re:Key Generator by Anonymous Coward · · Score: 1, Funny

    Now Xor that with something descriptive of your mom like LARGEBOVINE.

  20. most secure system... by Anonymous Coward · · Score: 0

    Last time I wanted to transfer 20 Euros using my bank's online website I had to enter the bank account of the recipient into my "digipass" (looks like a calculator, generating cryptographically secure hashes).

    I then feed back 6 digits to the online bank's website.

    Without having both:
    - the physical device (the "digipass" as the bank calls it here)
    - the PIN to power it up
    - my login credentials

    It is very difficult to defraud a single cent (should you try random 6-digits, your account would be locked out after a few tries).

    A device that answers a challenge involving the account number of the recipient is "good game thieves".

    Best of all? Once you have made a transaction to some account, subsequent money transfers to the same account are allowed as long as they're approximately of the same amount (so, no, you don't have to enter your brother's account number every time you send him a few bucks).

    I simply don't understand why all banks are not switching to that scheme.
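
The thread above keeps circling one distinction: a code that proves you hold the token (the time-based SecurID number in comment 15, the "Identify"/"Respond" functions in comment 17) versus a code that also covers the amount and recipient you typed into the device (the "Sign" function, the SEB/Vasco token in comment 10, the Digipass in comment 20). The model below is an added example, not code from the thread, from any of the banks named, or from any vendor. It assumes a per-token HMAC seed shared with the bank and an RFC 4226-style truncation to six digits; the seed, account numbers, amounts, clock value and time step are constructed sample values, not any bank's real parameters. It shows that a man-in-the-middle on a trojaned PC can relay the first two kinds of code onto a rewritten transfer, while a signed code only verifies for the transaction the customer actually saw on the device.

```python
# Added example (not from the thread or any bank). Three kinds of 6-digit
# code and what a man-in-the-middle can do with each:
#   totp    - time-based token: code = f(seed, time window)
#   respond - challenge-response: code = f(seed, bank challenge)
#   sign    - transaction signing: code = f(seed, challenge, recipient, amount)
# Seed, accounts, amounts, clock and time step are constructed sample values.
import hashlib
import hmac
import struct

TOKEN_SEED = bytes(range(20))   # constructed per-token seed shared with the bank
TIME_STEP = 60                  # seconds per time-based code (assumption)


def truncate6(mac: bytes) -> str:
    """RFC 4226 dynamic truncation of an HMAC to a 6-digit decimal code."""
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{word % 1_000_000:06d}"


def code_for(seed: bytes, message: bytes) -> str:
    return truncate6(hmac.new(seed, message, hashlib.sha1).digest())


def totp(seed: bytes, now: int) -> str:
    """Time-based code: depends only on the seed and the current time window."""
    return code_for(seed, struct.pack(">Q", now // TIME_STEP))


def respond(seed: bytes, challenge: str) -> str:
    """'Respond': depends on the bank's challenge, not on the transaction."""
    return code_for(seed, challenge.encode())


def sign(seed: bytes, challenge: str, recipient: str, amount_cents: int) -> str:
    """'Sign': also covers recipient and amount exactly as typed into (and shown
    on) the device, so the code is only valid for that one transaction."""
    return code_for(seed, f"{challenge}|{recipient}|{amount_cents}".encode())


class Bank:
    """Server side: recomputes the expected code for the transfer it received."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def new_challenge(self) -> str:
        self.counter += 1          # fresh per transaction; blocks pure replay
        return f"{self.counter:08d}"

    def verify(self, mode: str, now: int, challenge: str,
               recipient: str, amount_cents: int, code: str) -> bool:
        if mode == "totp":
            expected = totp(self.seed, now)
        elif mode == "respond":
            expected = respond(self.seed, challenge)
        elif mode == "sign":
            expected = sign(self.seed, challenge, recipient, amount_cents)
        else:
            raise ValueError(mode)
        return hmac.compare_digest(code, expected)


def transfer(mode: str, tampered: bool) -> bool:
    """Customer intends 20.00 to ALICE. If `tampered`, a man-in-the-middle
    (trojaned PC or proxy) forwards the customer's code unchanged but rewrites
    recipient and amount on the way to the bank. Returns whether the bank
    accepted the transfer it received."""
    bank = Bank(TOKEN_SEED)
    now = 1_700_000_000                                 # constructed clock
    intended = ("NL00-ALICE-0001", 2_000)              # what the customer sees
    received = ("NL00-MALLORY-666", 500_000) if tampered else intended
    challenge = bank.new_challenge()                    # relayed unchanged
    # The device only ever computes over what the customer saw and typed.
    if mode == "totp":
        code = totp(TOKEN_SEED, now)
    elif mode == "respond":
        code = respond(TOKEN_SEED, challenge)
    else:
        code = sign(TOKEN_SEED, challenge, *intended)
    return bank.verify(mode, now, challenge, received[0], received[1], code)


if __name__ == "__main__":
    for mode in ("totp", "respond", "sign"):
        print(f"{mode:8s} honest={transfer(mode, False)} "
              f"tampered={transfer(mode, True)}")
```

Running it shows the time-based and challenge-only codes are accepted for the rewritten transfer (the attacker just has to relay them inside the validity window, which is the automated MITM comment 14 describes), while the signed code is rejected because the bank recomputes it over the recipient and amount it actually received. The property that makes "Sign" work is the one comment 6's reply spells out: the customer must be able to trust that the amount and recipient on the device's own display are what the code covers, which is why the device needs its own keypad, display and processor rather than taking those values from the PC.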

  21. Where? by yusing · · Score: 1

    Which chapter of "Halting State" is that quoted from, again???

    --

    "You must try to forget all you have learned. You must begin to dream." -- Sherwood Anderson

  22. Security Questions -- Bah! by Anonymous Coward · · Score: 0

    Asking these security questions (that almost anyone could figure out from public data) won't stop the criminals, but it has locked me out of my own account more than once.
    Favorite Aunt's name? I don't have a favorite aunt, and I didn't have that question entered in my password book, so I spent an hour trying every aunt I could think of including Aunt Em, Aunt Bea, Aunt Pearl, and Aunt Jemima. I had to wait until Monday to phone and have my questions reset, but then how do they check my identity on the phone? They ask the security questions, of course.