Slashdot Mirror
Banks Urge Businesses To Lock Down Online Banking
tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using "'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."
'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible. When almost all online banking is done through Web Sites...
The article talks about the victims actually intending to sue their banks to get their money back. WTF? Since when it the bank responcible for the lax security on the customer's side?
Never once seen such a thing go down with Mac & Linux users. But hey, that's me.
say for example i own a sporting goods store in St. Louis Missouri and my bank is in the same town, dont you think the bank should reject anyone using my identity with an IP address that is in another country?
i think the banks need to be more careful about who is logging on to their systems
Politics is Treachery, Religion is Brainwashing
How about just using SSL for the login page? Most of them don't--it's hidden in an iframe, and without viewing source or checking the form, you've got no reason to be certain your login data will be securely transferred. And don't get me started on *every single bank* I've used having XSS vulnerabilities -- to top it off, most of the the little ones outsource all of their financing/credit card transactions to third party companies--just to pay the damned balance on my visa, I have to allow javascript from four different domains.
Most every bank trying to comply with increased security requirements met the rules for two factor authentication by SAVING A FUCKING COOKIE on my drive (I wish congress would pass an additional law mandating strict liability in event of security breach for any institution that circumvented the intent of that rule in such a manner)
If I purge the cookies, they have me authenticate with MORE "passwords" (two passwords is two-factor, right? So if we ask for three we can claim we have 5-factor authentication) including such tidbits as my first school or grandfather's name. Surely I'd never reveal those in conversation to anyone. How about they spend $20 or give me the option to pay it myself to buy a dongle with a rotating pin?
I think you're going way too far too fast... a lot of the problems is on the customer side (and that's almost every programmers fault for requiring things like javascript/cookies and using them in excess) when a lot of the issues stem from...lax, lazy attitudes--but the banks are just as guilty. I guess you can say it's best to start with the weakest link in the chain--but the whole system is in need of overhaul and a few rolled heads.
Sorry to rant in reply--you're right that livecds would help...but the whole system is so screwed up that shipping them would be like putting a bandaid on a corpse.
But, that's the type of technical support headache that they've been trying to get away from, with virtual POS terminals, using the web page instead of their custom app, etc, etc. Even if your live CD worked on every machine ever known to man, when something flakes out, they're calling the bank first. Come on, how many times have you fixed a "my computer can't get on the Internet" because they accidentally unplugged the network cable? Or maybe they didn't even turn it on. Anyone who's worked in any kind of office where the management found out that you really now everything about computers, will bug the shit out of you to fix theirs (and their home machine, and the kids machine, and grand auntie Gertrude's machine too, even though she's legally blind and can't figure out what to do with a mouse).
I've spent the last month or two touring the country, going from site to site on demand to fix everything. You wouldn't believe how many "best practices" have been completely ignored. Even when you say "there was malware that intercepted everything done online. They have all of your usernames and passwords, credit card numbers, and account numbers. Call the bank and cancel every credit card you've used online, and change every password that you have", they say they'll get around to it sometime and won't actually do it.
I got a call today. It was a machine that I worked on two months ago, where I removed more viruses than I care to remember. Someone uninstalled the antivirus software that I installed, but they were kind enough to click through every way to get a new virus. 3 hours later it's clean again. I'll be getting the same call in a month.
Your edge cases aren't edge cases. I'm afraid they'd be pretty damned close to 50%. The first banks that tried to force it would go out of business, because the customers would go to another bank that's "easier to work with".
Serious? Seriousness is well above my pay grade.
Problem with a Live CD is that it can't be kept up to date. Linux has lots of vulnerabilities too. Just recently there was a big kernel bug exposed and the software you run on Linux (Firefox, etc) always has bugs too. Currently they don't seem to be targeted too often but if banks started handing out these "secure" Live CD's you can bet they would be targeted then. Because it's a Live CD the bugs would probably persist for long periods of time.
As the posted above me makes a good point. I hate that websites in general, especially banks, have non-SSL pages that you use to log into the secure SSL site. That is an extremely poor design because it then becomes super easy for a hacker to create a fake login page.
Scammers are getting around that by hijacking your phone number. Probably the best I've seen is using a challenge-response for all transactions, with a frob supplied by the bank.
POKE 36879,8
I would say that low wages have a lot more to do with the presence of software development teams in countries like Russia. Sure there's probably a lot of smart people in Russia, but if they were top notch, they would be working for the same wage as American workers (because they would be providing the same value), or they would start their own software firms, and put out their own products, allowing them to earn much more money because they wouldn't be paid by how many hours they spent programming, but rather by how many people they could get to buy the product that takes the same number of hours to program whether you sell 1 or 10000 copies.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I was the network services manager for a small community bank a couple of years ago, and all of our online banking fraud was directly related to the insecurity of the online banking application - specifically SQL injection attacks.
The application vendor's solution was to encrypt everything in the database and block known SQL injection "patterns". I told them they needed to harden their application against SQL injection; encryption and pattern matching are not enough.
Sure enough, some Russian guys (I'm guessing by the originating IP addresses) figured out that if they opened an account with a known password, they could use SQL injection to copy the encrypted known password to an account with lots of money.
Our work-around for the crappy vendor's "security" was implementing RSA tokens (outside of the banking app) on business accounts that could electronically move money out of the bank. Non-business accounts could only transfer money inside the bank - a large fraudulent transaction would get caught by a human before the money left the bank.
Before anyone suggests switching vendors, consider two things:
1. Switching banking software vendors is EXTREMELY disruptive to business. In a business where customers complain about 5 minute drive-through times, a large software migration with downtime and training is intolerable.
2. All small to medium bank software vendors suffer from similar code quality problems. Moving to another product does not necessarily guarantee quality code.
-ted
This is actually a big selling point for my business: I do computer repairs, and my focus is on selling people on the idea of using Linux. One of my best points is "On Windows, you are almost gauranteed to have malware on your computer tracking you and watching you, stealing your CC, etc.. If nothing else, use Linux to just log off windows, sign on to Linux and do your banking." Not perfect security, but a heck of a lot better than when you have malware trying to get that info every time you buy off Amazon or sign in to online banking to pay a bill.
It is no measure of health to be well adjusted to a profoundly sick society. - Krishnamurti
Your anger is misplaced. We in Ukraine hate crime even more than you do.
Besides an image of "fucking peasants", of "sleezy Ukrainian hacker", etc. really hurts us on a global market place.
If Microsoft included One-Care into its Windows OS, we would not have this conversation at all. But they do not do it to milk customers twice: for insecure OS and for the anti-virus, anti-spy-ware products. It is a billions and billions business. And a cultivated image of an in-existing in reality "sleezy Ukrainian hacker" fits very conveniently in this business.
The man who sent the first human into space, Sergey Korolyov, was from Ukraine. The mathematician who helped him to calculate this flight, Ginsburg, was also from Ukraine.
But instead we are getting a reputation of "fucking peasants" and criminals. Of course there criminals and prisons in Ukraine, the same as in your part of the world. But we are not responsible for the insecure OS and the multi-billion business based on this fear.
In my dealings with TD Ameritrade, and an online brokerage starting with the letter Z (guess which one I signed an (weak) NDA with and am now regretting), and then dealing with the SEC and the FBI to clean up what I found, I can tell you this:
Businesses with insecure workstations are not necessarily the reason why banks are getting broken it to.
Banks are _careless_ with their online security, leaving things like token validation and referrer logging well beyond their vocabulary. After my findings, contact with the agencies shows that they prioritize things like DDOS (which affects businesses) higher than "loss" of information (which affects customers.)
-- I was raised on the command line, bitch