Slashdot Mirror


A Look At the CoreFlood Botnet

CNet is running a story about research from security expert Joe Stewart into the CoreFlood botnet, which has harvested at least "50 gigabytes of compressed data, searchable in a MySQL database," from a group of over 370,000 bot IDs. Stewart explains how the botnet operates and some of the things he's learned about the group that operates it. "Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say by a keylogging application. The CoreFlood script will then capture the HTML data on the post log-in page. In most cases, that page also contains the account's bank balance. They do that, he said, so that after running the test they have a picture of what are the highest dollar amounts. 'I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account. We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first,' he said."

13 of 120 comments

  1. Re:Key Generator by Entropy98 · · Score: 2, Informative

    I'd like something like that. My bank said if someone gets access to my account I'm screwed. All I have protecting me is having to answer 1 of 3 questions. Mother's maiden name, etc.
    --
      IP Finding

  2. Re:Key Generator by Anonymous Coward · · Score: 5, Informative

    Not only do I use one of those for logging in, but any financial transaction has to be signed with the pad.

    For the bank where I have my loans, I have an SSL certificate and signature to confirm my identity.
    That same certificate is tied to my national identity card, meaning I can use it for a lot of other things as well.

    All in all, I can't understand why the US is so far behind when it comes to online banking.
    I mean, I've had this for eight years now, and it's been around longer.

    Much love from Sweden ;)

  3. Re:Key Generator by MrMr · · Score: 4, Informative

    That can be effective, just make sure the answers are not correct in a naive way. For instance, Mother's maiden name = FE31BB076800267D0BA etc...

  4. Re:Key Generator by drspliff · · Score: 2, Informative

    This solution already exists in the form of one-time security codes like the RSA SecurID range of products.
    Basically it's a PRNG which spits out a number every few minutes which is unique to the customer.

  5. Re:Key Generator by mapkinase · · Score: 2, Informative

    The problem is that the carriers are unreliable in timing of delivery even w/o grid problems. So many times I have got text messages and even voice mail hours after it was delivered.

    PS. I am with Verizon Wireless

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.

  6. Re:Online banking? Sign me up!!!! by fatphil · · Score: 2, Informative

    Likewise in Finland. Single-use random 4-digit ids. We've had them for 15 years or more. (So in the early 90s, Finnish banks were more security conscious than most modern-day US or UK banks.)

    --
    Also FatPhil on SoylentNews, id 863

  7. Re:Key Generator by sam0737 · · Score: 2, Informative

    Most China payment gateways (for processing online credit/debit card transactions) do this. You need to type the one-time password from the text message sent to the registered phone.

    Generally I hate this a lot unless they offer an alternative: think of when you are traveling, which I do a lot. Luckily, the payment gateway is only used to authorize online transactions on China's websites, but not every other online credit card transaction, so I am not seriously affected (yet).

  8. Re:Baby steps to the solution by Anonymous Coward · · Score: 3, Informative

    Several problems with that:

    • SMS messages may be delayed
    • SMS messages are not encrypted end-to-end
    • Cellphones are no more secure than PCs
    • The additional security from using two separate devices is lost when you do online banking on your cellphone.
    • It's only cheaper if you do relatively few transactions. SMS messages are the most expensive form of data communication there is.

  9. Re:Online banking? Sign me up!!!! by cpghost · · Score: 4, Informative

    Yes, they are, like any other OTP system. Moreover, some banks also allow you to click in the numbers with a mouse by providing a keypad image. If you feel paranoid about key loggers, just use the mouse. But the real security is, of course, the one-time nature of those numbers.

    --
    cpghost at Cordula's Web.

  10. Re:Key Generator by kwark · · Score: 3, Informative

    Why create your own if instead you could use the decades-old s/key (http://tools.ietf.org/rfc/rfc1760.txt)?

    Your distro might have this in packages called opie. Debian packages:
    opie-client - OPIE programs for generating OTPs on client machines
    opie-server - OPIE programs for maintaining an OTP key file
    libpam-opie - Use OTPs for PAM authentication

    Java implementations can be found eg: http://math.berkeley.edu/~vojta/opiekey.html
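
Added example, not part of the original thread and not code from opie or RFC 1760: a minimal S/Key-style hash chain showing why a one-time password captured by a keylogger cannot be replayed. Assumptions: SHA-256 truncated to 64 bits stands in for the RFC's MD4-based function (so this is not interoperable with opie), and the pass phrase, seed and chain length are constructed sample values.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One application of the one-way function, 64-bit output as in S/Key.
    Assumption: truncated SHA-256 replaces RFC 1760's folded MD4."""
    return hashlib.sha256(value).digest()[:8]


def otp(secret: bytes, seed: bytes, count: int) -> bytes:
    """Client side: derive the starting value, then hash it `count` times."""
    value = step(seed + secret)
    for _ in range(count):
        value = step(value)
    return value


class Verifier:
    """Server side: stores only the last accepted OTP, never the secret."""

    def __init__(self, initial: bytes, count: int):
        self.last = initial   # OTP number `count`, registered at enrolment
        self.count = count

    def challenge(self) -> int:
        """Sequence number the client must answer with."""
        return self.count - 1

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 0:
            return False      # chain exhausted, user must re-enrol
        # Hashing the candidate once must reproduce the stored value.
        if not hmac.compare_digest(step(candidate), self.last):
            return False
        self.last = candidate  # move one link down the chain
        self.count -= 1
        return True


def demo():
    secret, seed = b"constructed pass phrase", b"ke1234"  # sample values
    server = Verifier(otp(secret, seed, 100), 100)
    captured = otp(secret, seed, server.challenge())
    accepted = server.verify(captured)   # legitimate login
    replayed = server.verify(captured)   # same OTP replayed from a keylog
    following = server.verify(otp(secret, seed, server.challenge()))
    return accepted, replayed, following
```

The replay fails because the server has already moved to the captured value, and producing the next valid OTP would require inverting the hash.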

  11. Re:Key Generator by sam0737 · · Score: 2, Informative

    Well, one thing that I didn't mention: to log in to the banking system in the first place, before any operations can be carried out, you need a digital certificate (and an ordinary password and username).

    It could either be a USB thumbdrive hardware form issued from the bank, or an imported PFX file.

  12. Re:Baby steps to the solution by ard · · Score: 2, Informative

    > These devices exist. The only reason they're not being used must be that the problem is currently not big enough to justify the cost of giving every customer a card terminal.

    Not being used in the US perhaps... I've had one for several years with Swedbank. They are also used by another major Swedish bank, SEB.

    http://www.seb.se/digipass

    http://www.swedbank.se/sst/inf/out/infOutHjalp/0,3769,55142,00.html

  13. Re:Baby steps to the solution by Yetihehe · · Score: 2, Informative

    > Several problems with that:
    >
    > • SMS messages may be delayed

    Never happened to me, typically sms is on my cellphone 3 seconds after clicking "send" on page.

    > • Cellphones are no more secure than PCs

    You can't install keyloggers on most cellphones.

    > • The additional security from using two separate devices is lost when you do online banking on your cellphone.

    It's not about two devices. It's about using cellphone instead of separate or no token.

    > • It's only cheaper if you do relatively few transactions. SMS messages are the most expensive form of data communication there is.

    Depends where. Where I live sending sms costs me $0.05, receiving for free. Other carriers often have cheaper sms. For a bank it may be a lot cheaper for mass messaging.

    --
    Extreme Programming - Redundant Array of Inexpensive Developers