Banks Urge Businesses To Lock Down Online Banking
tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using 'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."
'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' When almost all online banking is done through Web Sites...
It is also lax security on the bank's side. The bank is not properly verifying that the transactions really come from the businesses. It is much like identity theft. The person didn't steal my identity; they got around the bank's or credit card company's poor security to trick the bank. They took nothing from me; they tricked the bank into giving them my money.
Scammers are getting around that by hijacking your phone number. Probably the best I've seen is using a challenge-response for all transactions, with a frob supplied by the bank.
POKE 36879,8
This is actually a big selling point for my business: I do computer repairs, and my focus is on selling people on the idea of using Linux. One of my best points is "On Windows, you are almost guaranteed to have malware on your computer tracking you and watching you, stealing your CC, etc. If nothing else, use Linux to just log off Windows, sign on to Linux and do your banking." Not perfect security, but a heck of a lot better than when you have malware trying to get that info every time you buy off Amazon or sign in to online banking to pay a bill.
It is no measure of health to be well adjusted to a profoundly sick society. - Krishnamurti
Your anger is misplaced. We in Ukraine hate crime even more than you do.
Besides, an image of "fucking peasants", of "sleazy Ukrainian hacker", etc. really hurts us on a global marketplace.
If Microsoft included OneCare in its Windows OS, we would not have this conversation at all. But they do not do it to milk customers twice: for an insecure OS and for the anti-virus, anti-spyware products. It is a billions and billions business. And a cultivated image of a "sleazy Ukrainian hacker" who does not exist in reality fits very conveniently in this business.
The man who sent the first human into space, Sergey Korolyov, was from Ukraine. The mathematician who helped him to calculate this flight, Ginsburg, was also from Ukraine.
But instead we are getting a reputation of "fucking peasants" and criminals. Of course there are criminals and prisons in Ukraine, the same as in your part of the world. But we are not responsible for the insecure OS and the multi-billion business based on this fear.