Banks Urge Businesses To Lock Down Online Banking
tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using "'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."
'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible. When almost all online banking is done through Web Sites...
The article talks about the victims actually intending to sue their banks to get their money back. WTF? Since when is the bank responsible for the lax security on the customer's side?
why cripple the machine just because of some malware?
Sigs are too short to say anything truly profound so read the above post instead.
And you all thought that Obama was just having the US Mint print more money? That China would buy all of our debt and take over the US without firing a single shot? HA! Just wait until big businesses in China are bankrupted by cyberterrorism. And you thought that new US Air Force division was just for our defense? Tell that to our new Cybertron... er... Cyber Command. And Obama is really MEGATRON. Hail Decepticons!
- WTF?
It wouldn't be rocket surgery, or especially onerous in cost/seat terms, for major financial institutions to hack together and press a bunch of "Banking liveCDs".
No writable persistent storage, just a browser (configured so that it will only accept pages from the institution's set of domains and only when those pages have appropriate SSL certs. Completely reject all non-SSL pages, and any SSLed pages with certs for other institutions, or from other CAs).
There would probably be some annoying edge cases (some ghastly graphics card that isn't supported by default, and freaks out in VESA mode, say) or network issues (though you could always offer a cheap USB ethernet or wifi adapter, with a known working chipset, at cost to interested customers); but it'd be fairly easy to cover 95% of the boring business boxes and common home machines that you would be concerned about, if suitably generic settings were used.
As hardware gets cheaper and/or for larger accounts, it might even make sense to put together a dedicated banking appliance offering, basically the cheapo embedded ARM embodiment of the above.
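The browser policy sketched in the post above, as an added example that is not part of this thread: HTTPS only, only the institution's own hosts, chain validation against only the CA bundle shipped on the CD (not the system trust store), and a pin on the leaf certificate. The host names, CA bundle path and pin values are placeholders a bank would replace when building the image; the pure policy checks run offline, while connect() is what the CD's browser shell would call against the real bundle.

```python
"""Policy core for a 'banking LiveCD' browser: only HTTPS, only the bank's
hosts, only certificates the bank shipped on the CD.

Added example, not from the original post.  Host names, CA bundle path and
pinned fingerprints are placeholders the CD image would be built with."""
import hashlib
import socket
import ssl
from urllib.parse import urlsplit

# Assumed configuration baked into the CD image (hypothetical values).
ALLOWED_HOSTS = {"online.examplebank.test", "secure.examplebank.test"}
BANK_CA_BUNDLE = "/etc/bankcd/bank-ca.pem"   # the institution's CA only, never the system store
PINNED_LEAF_SHA256 = {
    # sha256 over the DER encoding of the leaf certificates the bank expects to present
    "a" * 64,
}


class PolicyViolation(Exception):
    pass


def fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()


def check_url(url: str) -> str:
    """Refuse anything that is not https:// to an allow-listed host on 443; return the host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise PolicyViolation(f"non-TLS URL refused: {url}")
    host = (parts.hostname or "").lower()      # hostname, so 'bank@evil' userinfo tricks fail
    if host not in ALLOWED_HOSTS:
        raise PolicyViolation(f"host not in allow-list: {host}")
    if parts.port not in (None, 443):
        raise PolicyViolation(f"unexpected port: {parts.port}")
    return host


def check_leaf(der_cert: bytes, pins=PINNED_LEAF_SHA256) -> str:
    """Pin the leaf on top of chain validation, so another CA's cert for the same name fails."""
    fp = fingerprint(der_cert)
    if fp not in pins:
        raise PolicyViolation(f"leaf certificate not pinned: {fp}")
    return fp


def is_allowed(url: str, der_cert: bytes, pins=PINNED_LEAF_SHA256) -> bool:
    try:
        check_url(url)
        check_leaf(der_cert, pins)
        return True
    except (PolicyViolation, ValueError):
        return False


def bank_context() -> ssl.SSLContext:
    """TLS context that trusts only the bank's CA bundle shipped on the CD."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=BANK_CA_BUNDLE)
    return ctx


def connect(url: str) -> ssl.SSLSocket:
    """Open a connection only if URL policy, chain validation and the leaf pin all pass."""
    host = check_url(url)
    sock = bank_context().wrap_socket(socket.create_connection((host, 443)),
                                      server_hostname=host)
    try:
        check_leaf(sock.getpeercert(binary_form=True))
    except PolicyViolation:
        sock.close()
        raise
    return sock
```

The pin set is the part that needs an update path: when the bank rotates its leaf certificate, a CD with stale pins refuses to connect, so in practice you pin the issuing CA or ship a signed pin list the image can refresh.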
Never once seen such a thing go down with Mac & Linux users. But hey, that's me.
Apparently, it is that time of the month again. Despite the well-established fact that 95% of all computer-related fraud originates in the USA, they still keep pushing the mandatory "Eastern Europe" BS. I wonder how much of the taxpayers' money is spent on cooking such propaganda stories?
Seriously? A *standalone* machine? You mean I shouldn't check my bank accounts from my kids' Windows ME computer?
Just joking, I've already mastered the first skill of safe computer use ... not having kids, or Windows ME.
Of course it's not nearly as big a problem as it could be here, since no tech-savvy person, running a business or otherwise, would ever have internet banking set up with any level of access other than read-only, except perhaps for a small number of pre-approved payees.
Ever.
"Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife
Say, for example, I own a sporting goods store in St. Louis, Missouri, and my bank is in the same town. Don't you think the bank should reject anyone using my identity with an IP address that is in another country?
I think the banks need to be more careful about who is logging on to their systems.
Politics is Treachery, Religion is Brainwashing
I guess this is what you get when you run your small business on Windows.
And maybe the banks can even set up some standalone, hardened, and locked-down computers in convenient locations around the city for their customers to use. Maybe they could even get money out of these computers. They could be like bank tellers, but automated.
We hope your rules and wisdom choke you / Now we are one in everlasting peace
I'm having a flashback to dumb terminal days.
For a second I had hope that companies would be dusting off us old guys again.
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
are inept at computing and don't understand the problem. Even if you could tell them why it's a bad idea, they can't get away from the Windows mindset. Give them a liveCD, and they wouldn't know how to log in to their bank, cuz it doesn't have IE loaded on the 'start' menu. The solution is to charge them for services that solve the problem for them without work on their part.
Well at least there are other career options for all those out of work gold farmers and character levelers...
The ATMs from the Brazilian bank Itau use Windows 2000. And I'm not kidding. In the "Blaster" virus year, I found more than one ATM with the Blaster virus.
Religion: The greatest weapon of mass destruction of all time
People who won't act civilized should sooner or later find themselves 'de-civilized'. Why are we taking an endless amount of shit from these losers?
A few hydrogen-to-helium convertors delivered right to their door does wonders to get across the message we are not a people to be fucked with!
If they can't police themselves and insist on ripping off systematically people in foreign countries, then send 'em some great balls of fire.
When this shit happened fifty years ago, Khrushchev would have just sent some NKVD to scoop up these parasites, take 'em back behind the outhouse, and beat their brains inside out. And all their friends and family would get ten years in the gulag.
I miss Nikita and Eisenhower. (Nike and Ike) Great times. No one took any shit: no one gave anyone chickenshit like this. There were limits and those limits were respected. No one from Eastern Europe was sneaking into your bank account. Fucking peasants. Khrushchev slaughtered almost a million of his own troops to stop the Germans at Stalingrad. One phone call from the US State Department and all these sleazy little cock-sucking hackers would have been mince-meat.
Nike and Ike had the ability to blow up the world. But, they didn't blow up the world. They came to respect life after taking part in so much slaughter and bloodletting.
Would you trust a sleazy Ukrainian hacker with a modem to not blow up the world if he had a chance? No way. Or some smug little twisted little shit-for-brains in Estonia to behave himself. Let's face facts here; going to another country and randomly stealing people's money is an act of war! When is Putin gonna knock these guys upside the head so hard that their eyes roll out? We have real enemies now and we need to work together against them. All this cross-border chickenshit financial crime is inexcusable. It's a new world, a new century. Get a real job, stop fucking around with petty rip-offs. Assholes!
Let's all work together to rid civilization of the shit-people!
Another great Slashdot rant. Too bad it will get modded down to -1 by toads that don't appreciate this kind of thing.
Yes, and you can bet your ignorant ass they will win too. They are responsible for it since the client can produce a contract stating exactly what has been violated. If the client honored their side of the contract, HOWEVER SHITTY THE SECURITY REQUIRED WAS, then it is the bank's problem.
This article specifically deals with COMMERCIAL banks, and identifies them as such.
You, in your apparently myopic life bubble, specifically deal with RETAIL banks, and therefore think that is all that exists in the world, since it's all you have ever seen.
There is a difference. Next time you don't understand something, learn about it before speaking about it.
Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ . Brilliant advice.
Microsoft is urging its customers to 'carry out all computing activity from a standalone, hardened, and locked-down computer which is not plugged into any electrical outlet. Such a secure "computer" is known colloquially as the "typewriter".'
KOMMIE BASTARDS!!!!!
The dirty russians are at it and always will, the 3rd world example of a toilet overflowing with shit and lots and lots of rotting remains.
Security for online banking in the US is awful. Transactions should require a second physical authentication token in addition to the password; most US banks have nothing.
I was the network services manager for a small community bank a couple of years ago, and all of our online banking fraud was directly related to the insecurity of the online banking application - specifically SQL injection attacks.
The application vendor's solution was to encrypt everything in the database and block known SQL injection "patterns". I told them they needed to harden their application against SQL injection; encryption and pattern matching are not enough.
Sure enough, some Russian guys (I'm guessing by the originating IP addresses) figured out that if they opened an account with a known password, they could use SQL injection to copy the encrypted known password to an account with lots of money.
Our work-around for the crappy vendor's "security" was implementing RSA tokens (outside of the banking app) on business accounts that could electronically move money out of the bank. Non-business accounts could only transfer money inside the bank - a large fraudulent transaction would get caught by a human before the money left the bank.
Before anyone suggests switching vendors, consider two things:
1. Switching banking software vendors is EXTREMELY disruptive to business. In a business where customers complain about 5 minute drive-through times, a large software migration with downtime and training is intolerable.
2. All small to medium bank software vendors suffer from similar code quality problems. Moving to another product does not necessarily guarantee quality code.
-ted
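What the copy-the-ciphertext injection ted describes looks like, as an added example that is not the vendor's code (whose schema and "encryption" are unknown): a constructed SQLite schema, an HMAC stand-in for the vendor's deterministic column encryption, a blocklist of the kind ted says the vendor shipped, and a profile-update query built by string concatenation next to the parameterised version. The point it shows is that encrypting the column does nothing against an attacker who never decrypts anything but simply moves a valid ciphertext into the victim's row.

```python
"""Why 'encrypt the column and block SQL-injection patterns' did not save the
bank: a string-built UPDATE lets an attacker copy another row's stored
credential into the victim's row, and the ciphertext is valid wherever it
lands.  Added example on a constructed schema; HMAC stands in for the vendor's
column encryption, whose real algorithm is not known."""
import hashlib
import hmac
import sqlite3

KEY = b"constructed-key-for-the-vendor-stand-in"

SCHEMA = """
CREATE TABLE accounts (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    email TEXT NOT NULL,
    pw_enc TEXT NOT NULL,
    balance_cents INTEGER NOT NULL
);
"""


def vendor_encrypt(password: str) -> str:
    """Stand-in for deterministic column encryption: same input, same output,
    and nothing ties the stored value to the account it belongs to."""
    return hmac.new(KEY, password.encode(), hashlib.sha256).hexdigest()


def fresh_bank() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    rows = [  # constructed accounts: a business customer and the attacker's own account
        ("victim", "cfo@smallbiz.test", vendor_encrypt("Tr0ub4dor&3"), 250_000_00),
        ("mule", "mule@freemail.test", vendor_encrypt("password1"), 0),
    ]
    conn.executemany(
        "INSERT INTO accounts (username, email, pw_enc, balance_cents) VALUES (?, ?, ?, ?)", rows)
    return conn


def pattern_filter(value: str) -> bool:
    """A blocklist of the usual suspects (constructed; the vendor's real list is unknown).
    Returns True if the input 'looks safe'."""
    lowered = value.lower()
    return not any(tok in lowered for tok in ("union", "drop", "delete", ";", "xp_", "1=1"))


def update_email_vulnerable(conn, username: str, new_email: str) -> None:
    """Profile update as the vendor wrote it: filter, then concatenate."""
    if not pattern_filter(new_email):
        raise ValueError("blocked by pattern filter")
    sql = f"UPDATE accounts SET email = '{new_email}' WHERE username = '{username}'"
    conn.execute(sql)


def update_email_fixed(conn, username: str, new_email: str) -> None:
    """The actual fix: bound parameters, so input can never become SQL."""
    conn.execute("UPDATE accounts SET email = ? WHERE username = ?", (new_email, username))


def login(conn, username: str, password: str) -> bool:
    row = conn.execute("SELECT pw_enc FROM accounts WHERE username = ?", (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], vendor_encrypt(password))


# The attacker, logged in as 'mule', submits this as their own new e-mail address.
# No UNION, no stacked statement, no decryption: just an extra SET column and a new WHERE.
PAYLOAD = ("x', pw_enc = (SELECT pw_enc FROM accounts WHERE username = 'mule') "
           "WHERE username = 'victim' --")


def attack(update_fn) -> bool:
    """True if, after the update, the attacker can log in as 'victim' with the mule's password."""
    conn = fresh_bank()
    try:
        update_fn(conn, "mule", PAYLOAD)
    except (sqlite3.Error, ValueError):
        return False
    return login(conn, "victim", "password1")
```

Parameterising the query is the fix; binding the stored value to its row (a per-account salt or the username mixed into the derivation) is the defence in depth that would have made a copied ciphertext useless even if another injection turned up.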
Weeee Dogies! Y'all're gonna have ta excuse mah cogitations, Mister Drysdale, but Ah figgers this's one thread just about the perfect Phishin' hole fer them there squattin' folk. Ahmah gonna has ta asks y'al tah not pay no never-mind t'mah sig. Yore Friend, Jed Clampett
There is nothing to FEAR but NOTHING itself; and I fear there is a whole lot of nothing going on. --scorpivs
> The banking group is urging that commercial bank customers 'carry out all
> online banking activity from a standalone, hardened, and locked-down computer
> from which e-mail and Web browsing is not possible.
My bank still has actual human tellers.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
Maybe Rob has a huge monitor with very low resolution ..... then you wouldn't be laughing............
I run a small business here in San Francisco, and about once a month I send money to foreign businesses.
These are USD$500 to USD$25,000 transfers from my bank account to a business bank account (in China, India, Romania, etc).
Until last year, my bank, Wells Fargo, made the transfers with little more than my signature on a fax.
Now, the transfers won't go through until a security officer calls me and talks to me to confirm that I want to send the funds. Even for little transfers, as small as $600. Last time, they asked me a couple good questions (like "when did you first open this account?" and "Who else is listed on your account")
Naturally, I'm perfectly happy to get these phone calls! Not perfect, but much more secure than a faxed request to transfer money.
These banks can call for everyone else to do all kinds of drastic things. But even though practically all phishing scams should be stopped by banks enforcing their own trademarks, banks do absolutely nothing like that.
These banks are businesses that get paid $TRILLIONS to lose everyone else's money, all the time. Of course they'll demand everyone else do a lot of hard work to protect them, while they do none but keep all the money.
--
make install -not war
I am from Eastern Europe. Such crimes or such articles really hurt. Everybody gets convinced that people from Eastern Europe sooner or later will pull out a trick like that. And that image is really bad in global economy.
Why should malicious software be possible on a PC at all? People pay for the operating system. And they have to pay for anti-virus, for anti-spyware. This is the point.
Why can't Windows OneCare be part of the OS? Then people all over the world will sigh with relief. Is it not done to milk billions from customers, first for a monopoly insecure OS and then a second time for making the OS secure?
Very conveniently, people from Eastern Europe of criminal persuasion fit into this picture. Very conveniently. But this image really hurts the interests of honest, hard-working people from Eastern Europe on the global market scene. There are a lot of good people in Eastern Europe who brought good things into this world, say, the periodic table of elements, the first flight into space, etc.
Include Windows OneCare in Windows and stop harassing us.
This is actually a big selling point for my business: I do computer repairs, and my focus is on selling people on the idea of using Linux. One of my best points is "On Windows, you are almost guaranteed to have malware on your computer tracking you and watching you, stealing your CC, etc. If nothing else, use Linux to just log off Windows, sign on to Linux and do your banking." Not perfect security, but a heck of a lot better than when you have malware trying to get that info every time you buy off Amazon or sign in to online banking to pay a bill.
It is no measure of health to be well adjusted to a profoundly sick society. - Krishnamurti
Almost all small-small businesses use either Peachtree or Quickbooks and people do their personal banking with Intuit. There are no real alternatives for these on a non-Windows platform, so no-one is going to switch.
Even if that were true, it would already eliminate many kinds of attacks.
But it's actually not even true (the NYT article got it wrong--typical). In correctly implemented banking systems, such tokens aren't used for logging in, they are used for authenticating transactions, after the transactions have already been entered and confirmed.
I actually had this exact idea a few years back. I went as far as fiddling with customizing Knoppix. But then I got my first laptop - no Wifi support from ANY LiveCD (at the time). Even the laptop that I'm on now won't get wireless support out of the box with Knoppix (I haven't tried any other LiveCD).
Printer drivers (for receipts) would have been a pain too - I figured on PDFs to Flash drives for this. Never mind the huge hassle of rebooting to do a simple transaction.
I'm all for two factor authentication that works -- how come PayPal.com will send me a single-use, time-limited secondary password by SMS for free (in Canada no less)! It'll be 10 years before a Canadian bank does this...
iTAN/iTANplus is a very safe method to do online banking and it is widely used in Europe. Why can't American banks just implement the same solution?
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
Yeah, blame eastern europe, not the idiots that operate their "secure" online banking.
I just wondered, do these businesses mostly use PIN/TAN security? Or a simple password? When I lived in the US, Citibank had a simple password protection - whereas my German bank account used (and still uses - no known successful attacks so far!) an HBCI compliant external card reader and home banking software.
I am wondering, because I can still imagine my banking software (StarMoney) being tricked into manipulating the online orders shown to me for verification and signing, but I have heard of no incidents so far.
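The distinction drawn a few posts up (the token authenticates the transaction, not the login) and the HBCI/card-reader setup described here, as an added example that is not from this thread and is not the HBCI/FinTS wire format: the reader holds the key and MACs a challenge plus the payee and amount the user keys in or confirms on the reader itself, and the bank recomputes the code over the order it actually received. Key provisioning, the canonical encoding and the 6-digit code are this example's own simplifications.

```python
"""Second factor that signs the transaction rather than the login.  Added
example modelled loosely on chipTAN/HBCI-style readers; key provisioning,
the order encoding and the code format are this example's own choices."""
import hashlib
import hmac
import secrets
import struct


def truncate_to_digits(mac: bytes, digits: int = 6) -> str:
    """RFC 4226-style dynamic truncation so the code can be typed by hand."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def order_bytes(challenge: bytes, payee_iban: str, amount_cents: int) -> bytes:
    """Canonical, length-prefixed encoding so reader and bank MAC identical bytes."""
    iban = payee_iban.replace(" ", "").upper().encode()
    return challenge + struct.pack(">H", len(iban)) + iban + struct.pack(">Q", amount_cents)


def reader_sign(device_key: bytes, challenge: bytes, payee_iban: str, amount_cents: int) -> str:
    """Runs on the separate reader.  Payee and amount come from the reader's own
    keypad/display, not from the PC, so malware on the PC cannot silently change
    what is being signed."""
    mac = hmac.new(device_key, order_bytes(challenge, payee_iban, amount_cents),
                   hashlib.sha256).digest()
    return truncate_to_digits(mac)


class Bank:
    def __init__(self) -> None:
        self.keys = {}      # account -> device key, provisioned out of band
        self.pending = {}   # challenge -> account
        self.used = set()

    def enrol(self, account: str) -> bytes:
        key = secrets.token_bytes(32)
        self.keys[account] = key
        return key

    def start_transfer(self, account: str) -> bytes:
        challenge = secrets.token_bytes(16)
        self.pending[challenge] = account
        return challenge

    def submit_transfer(self, account, challenge, payee_iban, amount_cents, code) -> bool:
        """Verify the code against the order the bank actually received.  The
        challenge is consumed on first use, pass or fail, so a captured code
        cannot be replayed."""
        if self.pending.get(challenge) != account or challenge in self.used:
            return False
        self.used.add(challenge)
        del self.pending[challenge]
        expected = reader_sign(self.keys[account], challenge, payee_iban, amount_cents)
        return hmac.compare_digest(expected, code)


def scenario() -> dict:
    """Honest order, an order altered by PC malware after signing, and a replay."""
    bank = Bank()
    key = bank.enrol("smallbiz")                            # key lives on the reader
    honest = ("DE89 3704 0044 0532 0130 00", 60_000)        # constructed payee, EUR 600.00

    c1 = bank.start_transfer("smallbiz")
    code = reader_sign(key, c1, *honest)
    honest_ok = bank.submit_transfer("smallbiz", c1, *honest, code)

    c2 = bank.start_transfer("smallbiz")
    code = reader_sign(key, c2, *honest)                    # user signs what the reader shows
    tampered = ("GB29 NWBK 6016 1331 9268 19", 2_500_000)   # malware swaps payee and amount
    tampered_ok = bank.submit_transfer("smallbiz", c2, *tampered, code)

    replay_ok = bank.submit_transfer("smallbiz", c1, *honest, reader_sign(key, c1, *honest))
    return {"honest": honest_ok, "tampered": tampered_ok, "replay": replay_ok}
```

This is only as strong as the reader's independence from the PC: a reader that takes payee and amount from the PC over USB and shows nothing of its own (a "class 1" reader) signs whatever the malware hands it, which is why the posts above insist on a reader with its own display and keypad.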
All very well blaming "Eastern Europeans", but the idiots who think transferring cash through their personal bank account makes them a "Regional Sales Representative" must share some of the blame. These companies are being ripped off by fellow Americans who actually believe that foreign companies need their personal help to collect money due to them, and that an honest job can be that easy.
Why bother trying to beef up local security when the best option is to take the transaction off the web. Just dial in to the bank with a good old 56K modem. It's commonplace with some Australian banks to have a small business's accounts department line up all transactions on a local client and then dial in to the bank and send them. Never even touches the internet.
It scales with dedicated DSL and Fibre lines that never touch the internet (separate routing infrastructure). A little bit costly, but when your transactions begin to max out a 56k line you should be able to afford some overpriced DSL.
Calling someone a "hater" only means you can not rationally rebut their argument.
Banks should put out custom live CDs which will only allow the browser to access their site. They could even, based on Firefox, put a custom browser on the live CD and build some extra validation into it.
Then everyone with a PC that you can boot and a network with an internet connection has his or her locked-down PC.
---
'carry out all online banking activity from a standalone, hardened, and locked-down computer that is not running Windows from which e-mail and Web browsing is not possible.
Accuracy is important in these issues.
I have a small p3 computer, that all it does is connect to my bank, and lets me do what I need to, then it stays off for the rest of the time. The problem is when big companies that put all their trust in their networks being protected, when they really aren't, because all the AV apps out there are crap...and most admins don't know what they are doing....so the company has many holes, to which employees can bust through (either by accident or on purpose) and then cry when they don't understand why they got p0wned.
If you are a financial institution, having banks tell you to harden your protocols should say something. They never really followed the banks guidelines to begin with, thinking, "Oh no...not me, it will never happen to me...we are too _________ for it to happen to us"
(fill in blank with your own excuse).
So now the big wigs think they can cry to mommy about their lacking security and the banks or gov will bail THEM out...?
I really hope I am wrong when I say "I see them coming" with this one.. I would hate to hear in the news tomorrow, that they want a security incentive or bail out, because they need to ensure their own security.
In my dealings with TD Ameritrade, and an online brokerage starting with the letter Z (guess which one I signed an (weak) NDA with and am now regretting), and then dealing with the SEC and the FBI to clean up what I found, I can tell you this:
Businesses with insecure workstations are not necessarily the reason why banks are getting broken into.
Banks are _careless_ with their online security, leaving things like token validation and referrer logging well beyond their vocabulary. After my findings, contact with the agencies shows that they prioritize things like DDOS (which affects businesses) higher than "loss" of information (which affects customers.)
-- I was raised on the command line, bitch
All of our vendors were audited by multiple independent auditing firms, had SAS70 compliance, and were also audited by federal regulators (FDIC, and OTS). It is a federal requirement by our regulators that all of our vendors go through multiple security audits multiple times per year.
Furthermore, our applications WERE behind a managed security service (Perimeter security services) which included a web app firewall and intrusion detection.
How exactly do you audit code that is proprietary and not viewable by the public? Every application vendor in this space, that I know of, will not let anyone outside the company view proprietary code. Federal regulators are the exception - they are allowed by law to audit the code. I am not.
How is a small organization supposed to have the resources and the man-power to audit an entire company (let alone many companies) and their products? We were in the banking business, not the software development and auditing business.
In short - fuck off - you have no idea what you are talking about.
-ted
The FBI says that most Russian criminals have local accomplices. Many freelance between different crime gangs.
-ted
There aren't many banking software vendors. They are all roughly the same in terms of quality. There is no software company in the world that will give you an iron-clad security guarantee at any price.
The market has determined that this type of software is "good enough". The software is "good enough" and the cost is tolerable. Unfortunately "good enough" = sucks.
-ted
Recommended to be used with a class 2 card reader and an RSA chip card, to move any possibility of fraud, and even keyloggers, out of the way.
More info:
http://en.wikipedia.org/wiki/HBCI
http://en.wikipedia.org/wiki/FinTS
There, solved it for you.
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Would it be too much trouble to give customers an RSA SecurID, so it would be impossible for them to give their password to some third party person, without being ultimately stupid, and handing them a physical device. Real two factor authentication would be great.
You're assuming the banks want actual security or have any particular external motivation.
Actual security is expensive and inconvenient. If the banks can push responsibility off onto their customers or some other party, what motivation do they have to implement actual security?
And, given that the banking lobby is one of the most powerful in the United States -- and we've just seen that they successfully pushed responsibility for one of the most spectacular catastrophic economic failures onto the State -- why would they have any trouble pushing responsibility off onto others?
Tweet, tweet.
Maybe. Maybe not. You, with your sporting good store, may have suppliers in other countries. You may go to their site. You may go on a trip elsewhere....If you were locked out of the account while you were overseas, you'd probably call and bitch the bank out (at $5/min for the phone charges). Not all businesses have the luxury of being mom & pop shops, and only ever doing business from their office line. Geo-locating the IP isn't exactly fool proof either.
All of these problems can more or less be managed by opt-out/opt-in of geographically limited logins. Done in person at the bank.
Of course, this doesn't address the larger problem that the bank would have to build support for this, and they don't really have motivation to do it. They're doing what they do best with their announcement: pushing responsibility for problems in a system onto the backs of their customers.
Tweet, tweet.
But China's "emerging" market has not yet "evolved" to the point where corporate buying decisions are based primarily upon who wines and dines the C-level suits the most with the best.
Don't worry - Red Flag Linux will be smothered by duck and wine soon enough...and when enough Chinese corporate decision-makers come complete with gravy on their tie, a concubine in every closet, and an executive pay system that allows them to determine each other's compensation with no regard for performance or the longevity of the corporation, China will be a true superpower!
Briefly; about 50 to 75 years, judging by my country's history.
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
Why reinvent the wheel?
Use the IPsec Framework with 2 factor authentication. Enforce static password authentication together with a password generated by a token.
Another alternative is to use 2 factor authentication and SSH.
Just be creative. And don't use Windows.
Great! This is really informative and close to what I'm looking for. I'm looking for a business and property inventory software and I came across The Inventory Manager. Ever since using the software, we've had faster turnaround of reports without sacrificing the consistency and quality of reports. I hope that you will feature more business softwares. Thanks a lot!!! Kudos! :)