Slashdot Mirror

← Back to Stories (view on slashdot.org)

Banks Urge Businesses To Lock Down Online Banking

Posted by kdawson on from the no-social-no-engineering dept.

tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using "'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."

48 of 201 comments (clear)

  1. ...and how would you do that? by sicapo · · Score: 5, Interesting

    'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible. When almost all online banking is done through Web Sites...

    1. Re:...and how would you do that? by ScytheBlade1 · · Score: 4, Informative

      By locking down everything *but* that site?

      Emphasis web *browsing* - if you're locked to a subset of one site, you can't do a whole lot of browsing. The browser effectively turns into a sandboxed application, which is what the banks here want.

      English is a wonderful language.

    2. Re:...and how would you do that? by JWSmythe · · Score: 5, Interesting

          Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ . Brilliant advice.

          Since 99.99[ad nauseum]% of the users wouldn't know a hardened secure computer (I'm pretty sure Windows is categorically eliminated), I'm not sure who they were suggesting that to. I have the only Linux virus I've ever seen, and it's safely tucked away on a floppy disk, in a concrete vault, underground, at a location that I forgot. :) Dammit, I knew I shouldn't have left the map in the vault. Most "bank customers" wouldn't keep a dedicated machine just to check their bank balance with. Hell, they'll call out on the company PBX and give their credit card information over the phone to any arbitrary business, with coworkers happily writing it down and the phone admin recording the call.

          Users are their own worst enemy. Hmm, wasn't there a story today saying something to that effect? I once found a bank card (w/ Visa logo) on top of an ATM. For some reason, they set it down and forgot it there. Brilliant. Since there was no one around to claim it, I called the bank. It took me an hour to convince them that I found it and that the card should be canceled. They "couldn't release any information on the card holder until...." I told them, "I'm holding the card in my hand. I guess that makes me the card holder." Finally, they told me "Oh, just bring it to a branch on Monday", at which point they finally canceled it. I knew the people at the branch, so they knew I was legitimate, and they confirmed that it hadn't been canceled. The account hadn't even been noted that I called in to report it. What if I wasn't a nice guy? I would have had 2 days or more to charge anything I wanted. If you can't get a person to maintain control over a little physical piece of plastic, why should you they think that they're going to do any better elsewhere?

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:...and how would you do that? by ArcherB · · Score: 2, Interesting

      Businesses do not use the web browser

      Yes they do. OK, big businesses may have apps that dial into big banks, but small businesses use local banks and local banks can not afford a custom written proprietary app that they give to their business customers. The vast majority of small businesses that use local banks do most of their banking through a web browser. I've seen businesses to payroll, wires, ACH payments, transfers, you name it, all through a common web browser.

      However, most of these systems are cookie limited to a single computer per login and Mulit-Factor challenged if the IP changes. The biggest problem we've seen have been phishing scams looking for credentials of non-business accounts. Although these sites are usually shut down within hours of the bank finding out what is up.

      --
      There is no "I disagree" mod for a reason. Flamebait, Troll, and Overrated are not substitutes.
    4. Re:...and how would you do that? by Runaway1956 · · Score: 4, Insightful

      Could we at least start by replacing the freaking pin numbers with something meaningful? A four digit numeric does NOT make a password FFS!!

      Maybe next, we could graduate the bank's computers from Windows 2000 up to something remotely sane - like Redhat SEL.

      The idea of a biometric ID in conjuntion with a reasonably secure password hash has it's appeal, as well. If my bank would use it, I'd install a fingerprint reader on my HOME computer. Businesses should just jump on that idea - it's a small price to increase security dramatically.

      Finally, maybe we can get around to "Linux - the year of the desktop!" Face it, boys and fanbois - no unix-like machine is open to as many exploits as Windows is.

      I'm just dreaming, of course. If I manage to live another 20 years, we'll still be having similar discussions, PIN numbers will still be 4 digit numerics, and Windows XP will be the ancient, outdated operating system of choice for banks.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    5. Re:...and how would you do that? by eric31415927 · · Score: 2, Interesting

      My dream:

      A bank could dole out thumb drives to its customers, which thumb drives could boot up into an O/S [hopefully not within a VM] that only allows Internet access to the bank's website. Passwords could change every minute with use of a RSA key chain (eTrade facilitates minute-by-minute password changing).

      It would be nice if the thumb drives were read only; perhaps some sort of dongle might work.

      This would make me feel more secure in my online bank transactions.

    6. Re:...and how would you do that? by Jurily · · Score: 3, Insightful

      The browser effectively turns into a sandboxed application, which is what the banks here want.

      Why not just make a separate application? You're trying to force a browser to be essentially different than what it was designed to be, and then you're complaining that it's not really working.

      I know cross-platform availability is great, but you can also do that with say Qt. Not to mention you'd have your own nicely designed UI instead of the clunky pile of shit most banks today do, without inheriting the security problems of every fucking browser out there. One would think that because this is an absolutely critical task in terms of security, banks would at least try to minimize the amount of code involved, or at least the amount of code they have no fucking control over whatsoever.

      I know Web 2.0 is hyped right now, but stop acting like the browser is the only application capable of establishing a network connection. As a famous cat put it: THIS IS WHY WE CAN'T HAVE NICE THINGS.

    7. Re:...and how would you do that? by Falconhell · · Score: 2, Insightful

      Users are their own worst enemy

      Quite so. I dont know where I read it but the quote below sums it up nicely.

      The average user wouldn't know a security issue if it was parading down the main street naked carrying a large sign saying "I am a security issue"

    8. Re:...and how would you do that? by Zontar+The+Mindless · · Score: 2, Informative

      Any online banking transaction for me requires:

      *My 10-digit personal number ("personnummer" = Swedish equivalent of SSN)

      *My 4-digit PIN (assigned by bank when card is issued, not changeable by user)

      *6-digit authorisation key from bank's website, good for 4 minutes from time of issue (I have 4 minutes to enter it into the card reader)

      *My bank card

      *Card reader (fits in a shirt pocket; first one provided gratis by bank, replacement unit is SEK 100 or about US$12.00)

      *9-digit response code generated by card reader, good for 4 minutes from time of issue (I have 4 minutes to enter this on the web page and click the Submit button)

      All of these are required for login, requesting transaction, and finalising/authorising transaction. Any one of the pieces missing = no transaction.

      This combination seems pretty secure, and it is actually quite quick and easy to use.

      --
      Il n'y a pas de Planet B.
    9. Re:...and how would you do that? by muckracer · · Score: 2, Insightful

      > The browser effectively turns into a sandboxed application, which is what
      > the banks here want.

      Regardless of the wishes of those greedy fucks, a browser and each site should
      be sand-boxed in the first place. Viewing one site should have no relevance to
      the tab beside it, even less for your user files and most certainly not your
      system files.

    10. Re:...and how would you do that? by jimicus · · Score: 3, Informative

      Since 99.99[ad nauseum]% of the users wouldn't know a hardened secure computer (I'm pretty sure Windows is categorically eliminated)

      Not true, actually. You most certainly can lock down Windows fairly heavily - in fact, Microsoft provide a tool to help you do it.

      Though to be perfectly honest I'd still stick the computer in it's own little /29 subnet with a firewall blocking all traffic in both directions except that which is explicitly allowed.

    11. Re:...and how would you do that? by Dan541 · · Score: 2, Insightful

      It is pointless to secure a system that is to be used by idiots.

      A Default installation of XP or Vista is the most secure system in the world for an average user any security beyond that is invalidated by their stupidity. What they need are competent employees then these issues wouldn't exist.

      --
      An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
    12. Re:...and how would you do that? by Jedi+Alec · · Score: 2, Interesting

      My dream:

      A bank could dole out thumb drives to its customers, which thumb drives could boot up into an O/S [hopefully not within a VM] that only allows Internet access to the bank's website. Passwords could change every minute with use of a RSA key chain (eTrade facilitates minute-by-minute password changing).

      It would be nice if the thumb drives were read only; perhaps some sort of dongle might work.

      This would make me feel more secure in my online bank transactions.

      Or they banks give out small card readers that the online shopper sticks their bank pass into, types in his pin and a one time code to yield a one-time key to confirm the transaction.

      Wait....we've already got that! In some places anyway.

      --

      People replying to my sig annoy me. That's why I change it all the time.
    13. Re:...and how would you do that? by markdavis · · Score: 2, Interesting

      Why not put Linux on your laptop then? You should be able to run Vista in VirtualBox, if you really need it. I am shocked at how quickly VirtualBox became mature, how high-quality it is, how many features it has, and how often it is updated.

  2. Getting the money back? WTF? by dnaumov · · Score: 2, Interesting

    The article talks about the victims actually intending to sue their banks to get their money back. WTF? Since when it the bank responcible for the lax security on the customer's side?

    1. Re:Getting the money back? WTF? by jumpingfred · · Score: 5, Interesting

      It is also lax security on the banks side. The bank is not properly verifying that the transactions really come from the businesses. It is much like identity theft. The person didn't steal my identity they got around the bank or credit card companies poor security to trick the bank. They took nothing from me they tricked the bank into giving them my money.

    2. Re:Getting the money back? WTF? by fuzzyfuzzyfungus · · Score: 2, Interesting

      Probably depends on the strength of the bank's verification system. If I leave my front door open, and somebody walks in and steals my ID, I'm guilty of being lax. If the bank accepts my stolen ID, from a guy who looks completely different than I do, they are guilty of being lax, even though my laxness precipitated the incident.

      In the online banking case, for instance, any bank that doesn't red-flag an situation where simultaneous online sessions on the same account are going on from an IP near the customer's address and an IP somewhere in Latvia is, arguably, negligently overlooking a likely fraud situation, even if it was malware on my machine that let the Latvian session be established.

    3. Re:Getting the money back? WTF? by AnyoneEB · · Score: 2, Interesting

      I agree that suing the banks seems like a strange reaction, but this type of attack only works because the banks simply do not care about security. On previous articles I have seen posters mention their banks (somewhere in Europe) have papers which have a list of single-use transaction codes which are used in some sort of challenge-response system. For example, choosing a code based on the transaction date, target, amount, and some randomness would protect against attacks like the one described where a compromised computer is used to drain a bank account.

      The client should have better security -- after all, even seeing the bank account info would likely be interesting to some attackers -- but the banks need to be held accountable for their lack of security features as well.

      --
      Centralization breaks the internet.
  3. Sounds like they should hand out liveCDs by fuzzyfuzzyfungus · · Score: 4, Insightful

    It wouldn't be rocket surgery, or especially onerous in cost/seat terms, for major financial institutions to hack together and press a bunch of "Banking liveCDs".

    No writable persistent storage, just a browser(configured so that it will only accept pages from the institution's set of domains and only when those pages have appropriate SSL certs. Completely reject all non-SSL pages, and any SSLed pages with certs for other institutions, or from other CAs).

    There would probably be some annoying edge cases(some ghastly graphics card that isn't supported by default, and freaks out in VESA mode, say) or network issues(though you could always offer a cheap USB ethernet or wifi adapter, with a known working chipset, at cost to interested customers); but it'd be fairly easy to cover 95% of the boring business boxes and common home machines that you would be concerned about, if suitably generic settings were used.

    As hardware gets cheaper and/or for larger accounts, it might even make sense to put together a dedicated banking appliance offering, basically the cheapo embedded ARM embodiment of the above.

    1. Re:Sounds like they should hand out liveCDs by JWSmythe · · Score: 2, Interesting

          But, that's the type of technical support headache that they've been trying to get away from, with virtual POS terminals, using the web page instead of their custom app, etc, etc. Even if your live CD worked on every machine ever known to man, when something flakes out, they're calling the bank first. Come on, how many times have you fixed a "my computer can't get on the Internet" because they accidentally unplugged the network cable? Or maybe they didn't even turn it on. Anyone who's worked in any kind of office where the management found out that you really now everything about computers, will bug the shit out of you to fix theirs (and their home machine, and the kids machine, and grand auntie Gertrude's machine too, even though she's legally blind and can't figure out what to do with a mouse).

          I've spent the last month or two touring the country, going from site to site on demand to fix everything. You wouldn't believe how many "best practices" have been completely ignored. Even when you say "there was malware that intercepted everything done online. They have all of your usernames and passwords, credit card numbers, and account numbers. Call the bank and cancel every credit card you've used online, and change every password that you have", they say they'll get around to it sometime and won't actually do it.

          I got a call today. It was a machine that I worked on two months ago, where I removed more viruses than I care to remember. Someone uninstalled the antivirus software that I installed, but they were kind enough to click through every way to get a new virus. 3 hours later it's clean again. I'll be getting the same call in a month.

          Your edge cases aren't edge cases. I'm afraid they'd be pretty damned close to 50%. The first banks that tried to force it would go out of business, because the customers would go to another bank that's "easier to work with".

      --
      Serious? Seriousness is well above my pay grade.
    2. Re:Sounds like they should hand out liveCDs by Spit · · Score: 3, Interesting

      Scammers are getting around that by hijacking your phone number. Probably the best I've seen is using a challenge-response for all transactions, with a frob supplied by the bank.

      --
      POKE 36879,8
    3. Re:Sounds like they should hand out liveCDs by rho · · Score: 2, Insightful

      Sounds to me like a valid reason to run OpenBSD.

      Or maybe all those fucking banks can make Web sites that don't recommend (or require) Internet Explorer.

      --
      Potato chips are a by-yourself food.
    4. Re:Sounds like they should hand out liveCDs by palegray.net · · Score: 2, Informative

      It doesn't matter if these LiveCDs are kept up to date. They won't be hosting any network services, so there's nothing to exploit there. The browser can only go to the bank's website, and will only accept SSL pages. Unless the bank's web servers are compromised and attackers somehow managed to insert code designed to exploit a particular browser vulnerability, there's nothing to exploit there either. Note that that last scenario isn't impossible, but hugely improbable. One could just as easily argue that a hardware keystroke logger could be installed on the local machine. Not likely; if someone cares enough to go that far to get your data, they're gonna get it regardless.

      In other words, this is about a million times more secure than using any given general purpose desktop computer to do your banking.

      --
      512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
    5. Re:Sounds like they should hand out liveCDs by maxume · · Score: 2, Insightful

      I make up single use lies for the security questions and store them in Password Safe (from what I gather, Keepass has better support for more platforms). That solves the Palin problem. Of course, I then can't access my bank account from other computers, but I don't trust all that many other computers, so that doesn't hurt all that much.

      --
      Nerd rage is the funniest rage.
    6. Re:Sounds like they should hand out liveCDs by Aceticon · · Score: 2, Informative

      I've been using such a challenge-response mechanism with my Dutch bank for several years now.

      It works together with the smart chip in your bank card:
      - At the appropriate points the bank website gives you a number that you enter in a little device where you have your bank card slotted. The device (using the smart chip in your bank card) calculates a response number which you type back in the bank website. If the numbers match you are given-access/have-pending-payments-approved.

      No passwords or any other important keywords will ever go through the network or even enter your PC (and thus cannot be sniffed or keylogged). Your PIN code is needed to activate your bank card when first slotted into the device but even if somebody manages to visually see you type it (the only way to do it remotelly is to own your machine, turn on it's webcam and look through it at the right time), physical possession of the card is still needed.

      The most significant weakness of this is some form of man-in-the-middle attack within a running session with the bank's website (maybe using a dynamically generated fake bank website front-end talking to the real one in the back-end and injecting payment operations in the appropriate moments).

      Funnily enough I've moved to the UK where most banks are still comparativelly in the stone age (multiple-passwords is the most common of tricks). The best one I've used here (for my business account) is similar to the one from my Dutch bank but for initial authorization the smart card in your bank card does not receive a challenge-number, it just generates a number on it's own.

      The truth is that most problems of unauthorized access to bank accounts via a bank's website are squarelly to blame on the banks themselves - any system relying on long-lived shared authorization codes (i.e. passwords) which must go through non-hardenned and potentially insecure devices (a user's PC, a browser, a network connection) is exceptionally unsafe and prone to be broken remotelly using automated means.

      Even if users have the technical expertise to harden their own system, there are just too many potentially elements outside the user's control (the OS, thousands of network-listening applications, the actual browser, the SSL implementation used, the certification authorities, the bank's website implementation - to name just a couple) and vectors of attack. Using long-lived shared authorization codes which go through all sorts of potentially remotelly compromised systems for securing high-value targets is as dumb as it gets. To top it all up, if you happen to live in certain geographical locations, automated remote takeover of bank accounts is a low-risk-high-reward activity.

      Safer systems exist and are deployed by some banks already (i.e. challenge-response systems relying on shared keys running inside hardenned devices - smart chip on the client, SAM on the server - and never coming out) but they cost money and most banks are not willing to spend it.

      Until the banks get full financial responsability for this kind of intrusion, most won't do anything to provide an online banking environment which is not prone to them.

  4. Huh...funny... by Anonymous Coward · · Score: 2, Interesting

    Never once seen such a thing go down with Mac & Linux users. But hey, that's me.

  5. Seriously? by marciot · · Score: 3, Funny

    Seriously? A *standalone* machine? You mean I shouldn't check my bank accounts from my kids' Windows ME computer?

    Just joking, I've already mastered the first skill of safe computer use ... not having kids, or Windows ME.

  6. what about this by FudRucker · · Score: 2, Interesting

    say for example i own a sporting goods store in St. Louis Missouri and my bank is in the same town, dont you think the bank should reject anyone using my identity with an IP address that is in another country?

    i think the banks need to be more careful about who is logging on to their systems

    --
    Politics is Treachery, Religion is Brainwashing
    1. Re:what about this by AnyoneEB · · Score: 3, Insightful

      That should definitely raise a red flag at a bank. Credit card companies definitely do that type of check. On the other hand, if your computer is already infected with malware, making the attacker proxy the connection through your computer (and use the same cookies and user agent, too, so it looks like the same user) seems like a minor hoop to jump through.

      --
      Centralization breaks the internet.
    2. Re:what about this by JWSmythe · · Score: 2, Insightful

          Maybe. Maybe not. You, with your sporting good store, may have suppliers in other countries. You may go to their site. You may go on a trip elsewhere. While you're out, you can trust that the interim manager can handle everything, or you can look in on your bank accounts while you're gone. I know, it's not the best idea in the world, but no one ever said business owners always follow best security practices.

          If you were locked out of the account while you were overseas, you'd probably call and bitch the bank out (at $5/min for the phone charges). Not all businesses have the luxury of being mom & pop shops, and only ever doing business from their office line. Geo-locating the IP isn't exactly fool proof either. Depending on the line I'm on any day, I've been located in several states around the US, China, and Europe. All of those have been within one state, and generally just a handful of cities. It's not a failure on the ISP's part, it's a failure on the folks who are maintaining the geo-locating databases being used. Well, not exactly a failure, since they give a percentage of accuracy in their advertising.

          I just checked the IP I'm on today with MaxMind's site (the providers of GeoIP). The result was close, but still the wrong city. What if I told them to only expect traffic from City X and determine anything from anywhere else was fraud? Now I'm going to be considered an attacker. Wheee. I hope the feds don't come knocking my door down. Well, I am sitting by the pool, sipping some pretty serious rum drinks right now, but that's what happens when you're on vacation. :)

      --
      Serious? Seriousness is well above my pay grade.
    3. Re:what about this by CastrTroy · · Score: 2, Insightful

      Would it be too much trouble to give customers an RSA SecurID, so it would be impossible for them to give their password to some third party person, without being ultimately stupid, and handing them a physical device. Real two factor authentication would be great. Something you know (a password), and something you have (RSA SecurID), should be the minimum for logging into any bank account.

      --

      Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  7. Re:Oh, yeah! Another "Eastern Europe" story... by Grishnakh · · Score: 3, Insightful

    Do you have a citation for your claim?

    I would certainly believe that most of this crime comes from places like Eastern Europe and Russia, because it makes perfect sense. Those parts of the world are now connected to the West through the internet, and the people there are smarter and better educated than Americans (especially in regards to science and math). There's a good reason so many companies have software development teams in places like Russia, Latvia, and Romania these days. With all the computer expertise in those regions, it makes perfect sense that a lot of fraudulent activity would come from there as well.

  8. Cost of using Windows by Grishnakh · · Score: 3, Funny

    I guess this is what you get when you run your small business on Windows.

  9. That's a great idea by amRadioHed · · Score: 5, Funny

    And maybe the banks can even set up some standalone, hardened, and locked-down computers in convenient locations around the city for their customers to use. Maybe they could even get money out of these computers. They could be like bank tellers, but automated.

    --
    We hope your rules and wisdom choke you / Now we are one in everlasting peace
    1. Re:That's a great idea by noidentity · · Score: 4, Funny

      And maybe the banks can even set up some standalone, hardened, and locked-down computers in convenient locations around the city for their customers to use. Maybe they could even get money out of these computers. They could be like bank tellers, but automated.

      Yeah, but you know they'd screw it up somehow, like have it run Windows or have a company like Diebold to make them...

  10. Re:Oh, yeah! Another "Eastern Europe" story... by CastrTroy · · Score: 2, Interesting

    I would say that low wages have a lot more to do with the presence of software development teams in countries like Russia. Sure there's probably a lot of smart people in Russia, but if they were top notch, they would be working for the same wage as American workers (because they would be providing the same value), or they would start their own software firms, and put out their own products, allowing them to earn much more money because they wouldn't be paid by how many hours they spent programming, but rather by how many people they could get to buy the product that takes the same number of hours to program whether you sell 1 or 10000 copies.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
  11. ATMs here uses Windows by TheDarkMaster · · Score: 3, Informative

    The ATMs from Brazilian Bank Itau uses Windows 2000. And I not kidding. On the "blaster" virus year, I found more than one ATM with Blaster virus.

    --
    Religion: The greatest weapon of mass destruction of all time
  12. people who won't act civilized... by Simonetta · · Score: 4, Funny

    People who won't act civilized should sooner or later find themselves 'de-civilized'. Why are we taking an endless amount of shit from these losers?

        A few hydrogen-to-helium convertors delivered right to their door does wonders to get across the message we are not a people to be fucked with!

        If they can't police themselves and insist on ripping off systematically people in foreign countries, then send 'em some great balls of fire.

        When this shit happened fifty years ago, Khrushchev would have just sent some NKVD to scoop up these parasites, take 'em back behind the outhouse, and beat their brains inside out. And all their friends and family would get ten years in the gulag.

        I miss Nikita and Eisenhauer. (Nike and Ike) Great times. No one took any shit: no one gave anyone chickenshit like this. There were limits and those limits were respected. No one from Eastern Europe was sneaking into your bank account. Fucking peasants. Khrushchev slaughtered almost a million of his own troops to stop the Germans at Stalingrad. One phone call from the US State Department and all these sleazy little cock-sucking hackers would have been mince-meat.

        Nike and Ike had the ability to blow up the world. But, they didn't blow up the world. They came to respect life after taking part in so much slaughter and bloodletting.

        Would you trust a sleezy Ukrainian hacker with a modem to not blow up the world if he had a chance? No way. Or some smug little twisted little shit-for-brains in Estonia to behave himself. Let's face facts here; going to another country and randomly stealing people's money is an act of war! When is Putin gonna knock these guys upside the head so hard that their eyes roll out? We have real enemies now and we need to work together against them. All this cross-border chickenshit financial crime is inexcusable. It's a new world, a new century. Get a real job, stop fucking around with petty rip-offs. Assholes!

        Let's all work together to rid civilization of the shit-people!

        Another great Slashdot rant. Too bad it will get modded down to -1 by toads that don't appreciate this kind of thing.

    1. Re:people who won't act civilized... by Max_W · · Score: 3, Interesting

      Your anger is misplaced. We in Ukraine hate crime even more than you do.

      Besides an image of "fucking peasants", of "sleezy Ukrainian hacker", etc. really hurts us on a global market place.

      If Microsoft included One-Care into its Windows OS, we would not have this conversation at all. But they do not do it to milk customers twice: for insecure OS and for the anti-virus, anti-spy-ware products. It is a billions and billions business. And a cultivated image of an in-existing in reality "sleezy Ukrainian hacker" fits very conveniently in this business.

      The man who sent the first human into space, Sergey Korolyov, was from Ukraine. The mathematician who helped him to calculate this flight, Ginsburg, was also from Ukraine.

      But instead we are getting a reputation of "fucking peasants" and criminals. Of course there criminals and prisons in Ukraine, the same as in your part of the world. But we are not responsible for the insecure OS and the multi-billion business based on this fear.

  13. Re:USA Stimulus Package Payback Plan by Runaway1956 · · Score: 2, Insightful

    "wait until big businesses in China are bankrupted by cyberterrorism"

    Maybe they've just thawed you out after a nice cryogenic nap? China is migrating to Linux. Red Flag Linux. They may not be invulnerable to cyberterrorism, but they certainly don't leave their WINDOWS OPEN for terrorists, like US businesses do.

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
  14. In related news... by InsertWittyNameHere · · Score: 4, Funny

    Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ . Brilliant advice.

    Microsoft is urging it's customers to 'carry out all computing activity from a standalone, hardened, and locked-down computer which is not plugged into any electrical outlet. Such a secure "computer" is known colloquially as the "typewriter"

  15. lousy security by speedtux · · Score: 2

    Security for online banking in the US is awful. Transactions should require a second physical authentication token in addition to the password; most US banks have nothing.

  16. Online banking application vendors suck. by zerofoo · · Score: 2, Interesting

    I was the network services manager for a small community bank a couple of years ago, and all of our online banking fraud was directly related to the insecurity of the online banking application - specifically SQL injection attacks.

    The application vendor's solution was to encrypt everything in the database and block known SQL injection "patterns". I told them they needed to harden their application against SQL injection; encryption and pattern matching are not enough.

    Sure enough, some Russian guys (I'm guessing by the originating IP addresses) figured out that if they opened an account with a known password, they could use SQL injection to copy the encrypted known password to an account with lots of money.

    Our work-around for the crappy vendor's "security" was implementing RSA tokens (outside of the banking app) on business accounts that could electronically move money out of the bank. Non-business accounts could only transfer money inside the bank - a large fraudulent transaction would get caught by a human before the money left the bank.

    Before anyone suggests switching vendors, consider two things:

    1. Switching banking software vendors is EXTREMELY disruptive to business. In a business where customers complain about 5 minute drive-through times, a large software migration with downtime and training is intolerable.

    2. All small to medium bank software vendors suffer from similar code quality problems. Moving to another product does not necessarily guarantee quality code.

    -ted

  17. people from Eastern Europe condemn crime by Max_W · · Score: 3, Insightful

    I am from Eastern Europe. Such crimes or such articles really hurt. Everybody gets convinced that people from Eastern Europe sooner or later will pull out a trick like that. And that image is really bad in global economy.

    Why should a malicious software be possible on a PC at all? People pay for the operating system. And they have to pay for anti-virus, for ant-spy-ware. This is the point.

    Why Windows-One-Care cannot be part of the OS? And people all over the world will sigh with a relief. Is it not done to milk billions from customers first for a monopoly insecure OS and then second time for making the OS secure.

    Very conveniently fit people from Eastern Europe of criminal persuasion in this picture. Very conveniently. But this image really hurts interests of honest hard working people from Eastern Europe on a global market scene. There are a lot of good people in Eastern Europe who brought good things into this world, say, periodical system of elements, first flight into space, etc.

    Include the Windows-One-Care in Windows and stop harassing us.

  18. Linux Partition by Merritt.kr · · Score: 3, Interesting

    This is actually a big selling point for my business: I do computer repairs, and my focus is on selling people on the idea of using Linux. One of my best points is "On Windows, you are almost gauranteed to have malware on your computer tracking you and watching you, stealing your CC, etc.. If nothing else, use Linux to just log off windows, sign on to Linux and do your banking." Not perfect security, but a heck of a lot better than when you have malware trying to get that info every time you buy off Amazon or sign in to online banking to pay a bill.

    --
    It is no measure of health to be well adjusted to a profoundly sick society. - Krishnamurti
  19. Old Tech. by mjwx · · Score: 2, Informative

    'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible. When almost all online banking is done through Web Sites...

    Why bother trying to beef up local security when the best option is to take the transaction off the web. Just dial in to the bank with a good old 56K modem. It's common place with some Australian banks to have a small business's accounts department line up all transactions on a local client and then dial in to the bank and send them. Never even touches the internet.

    It scales with dedicated DSL and Fibre lines that never touch the internet (separate routing infrastructure). A little bit costly, but when your transactions begin to max out a 56k line you should be able to afford some overpriced DSL.

    --
    Calling someone a "hater" only means you can not rationally rebut their argument.
  20. This is not the weakest link by fulldecent · · Score: 2, Interesting

    In my dealings with TD Ameritrade, and an online brokerage starting with the letter Z (guess which one I signed an (weak) NDA with and am now regretting), and then dealing with the SEC and the FBI to clean up what I found, I can tell you this:

    Businesses with insecure workstations are not necessarily the reason why banks are getting broken it to.

    Banks are _careless_ with their online security, leaving things like token validation and referrer logging well beyond their vocabulary. After my findings, contact with the agencies shows that they prioritize things like DDOS (which affects businesses) higher than "loss" of information (which affects customers.)

    --

    -- I was raised on the command line, bitch

  21. OK i'll feed the troll. by zerofoo · · Score: 2, Insightful

    All of our vendors were audited by multiple independent auditing firms, had SAS70 compliance, and were also audited by federal regulators (FDIC, and OTS). It is a federal requirement by our regulators that all of our vendors go through multiple security audits multiple times per year.

    Further more, our applications WERE behind a managed security service (Perimeter security services) which included a web app firewall and intrusion detection.

    How exactly do you audit code that is proprietary and not viewable by the public? Every application vendor in this space, that I know of, will not let anyone outside the company view proprietary code. Federal regulators are the exception - they are allowed by law to audit the code. I am not.

    How is a small organization supposed to have the resources and the man-power to audit an entire company (let alone many companies) and their products? We were in the banking business, not the software development and auditing business.

    In short - fuck off - you have no idea what you are talking about.

    -ted