Banks Urge Businesses To Lock Down Online Banking

tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using "'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."

...and how would you do that?

[sicapo]

'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible. When almost all online banking is done through Web Sites...

Re:...and how would you do that?

[ScytheBlade1]

By locking down everything *but* that site?

Emphasis web *browsing* - if you're locked to a subset of one site, you can't do a whole lot of browsing. The browser effectively turns into a sandboxed application, which is what the banks here want.

English is a wonderful language.

Re:...and how would you do that?

[JWSmythe]

    Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ . Brilliant advice.

    Since 99.99[ad nauseum]% of the users wouldn't know a hardened secure computer (I'm pretty sure Windows is categorically eliminated), I'm not sure who they were suggesting that to. I have the only Linux virus I've ever seen, and it's safely tucked away on a floppy disk, in a concrete vault, underground, at a location that I forgot. :) Dammit, I knew I shouldn't have left the map in the vault. Most "bank customers" wouldn't keep a dedicated machine just to check their bank balance with. Hell, they'll call out on the company PBX and give their credit card information over the phone to any arbitrary business, with coworkers happily writing it down and the phone admin recording the call.

    Users are their own worst enemy. Hmm, wasn't there a story today saying something to that effect? I once found a bank card (w/ Visa logo) on top of an ATM. For some reason, they set it down and forgot it there. Brilliant. Since there was no one around to claim it, I called the bank. It took me an hour to convince them that I found it and that the card should be canceled. They "couldn't release any information on the card holder until...." I told them, "I'm holding the card in my hand. I guess that makes me the card holder." Finally, they told me "Oh, just bring it to a branch on Monday", at which point they finally canceled it. I knew the people at the branch, so they knew I was legitimate, and they confirmed that it hadn't been canceled. The account hadn't even been noted that I called in to report it. What if I wasn't a nice guy? I would have had 2 days or more to charge anything I wanted. If you can't get a person to maintain control over a little physical piece of plastic, why should you they think that they're going to do any better elsewhere?

Re:...and how would you do that?

[Runaway1956]

Could we at least start by replacing the freaking pin numbers with something meaningful? A four digit numeric does NOT make a password FFS!!

Maybe next, we could graduate the bank's computers from Windows 2000 up to something remotely sane - like Redhat SEL.

The idea of a biometric ID in conjuntion with a reasonably secure password hash has it's appeal, as well. If my bank would use it, I'd install a fingerprint reader on my HOME computer. Businesses should just jump on that idea - it's a small price to increase security dramatically.

Finally, maybe we can get around to "Linux - the year of the desktop!" Face it, boys and fanbois - no unix-like machine is open to as many exploits as Windows is.

I'm just dreaming, of course. If I manage to live another 20 years, we'll still be having similar discussions, PIN numbers will still be 4 digit numerics, and Windows XP will be the ancient, outdated operating system of choice for banks.

Sounds like they should hand out liveCDs

[fuzzyfuzzyfungus]

It wouldn't be rocket surgery, or especially onerous in cost/seat terms, for major financial institutions to hack together and press a bunch of "Banking liveCDs".

No writable persistent storage, just a browser(configured so that it will only accept pages from the institution's set of domains and only when those pages have appropriate SSL certs. Completely reject all non-SSL pages, and any SSLed pages with certs for other institutions, or from other CAs).

There would probably be some annoying edge cases(some ghastly graphics card that isn't supported by default, and freaks out in VESA mode, say) or network issues(though you could always offer a cheap USB ethernet or wifi adapter, with a known working chipset, at cost to interested customers); but it'd be fairly easy to cover 95% of the boring business boxes and common home machines that you would be concerned about, if suitably generic settings were used.

As hardware gets cheaper and/or for larger accounts, it might even make sense to put together a dedicated banking appliance offering, basically the cheapo embedded ARM embodiment of the above.

Re:Getting the money back? WTF?

[jumpingfred]

It is also lax security on the banks side. The bank is not properly verifying that the transactions really come from the businesses. It is much like identity theft. The person didn't steal my identity they got around the bank or credit card companies poor security to trick the bank. They took nothing from me they tricked the bank into giving them my money.

That's a great idea

[amRadioHed]

And maybe the banks can even set up some standalone, hardened, and locked-down computers in convenient locations around the city for their customers to use. Maybe they could even get money out of these computers. They could be like bank tellers, but automated.

Re:That's a great idea

[noidentity]

And maybe the banks can even set up some standalone, hardened, and locked-down computers in convenient locations around the city for their customers to use. Maybe they could even get money out of these computers. They could be like bank tellers, but automated.

Yeah, but you know they'd screw it up somehow, like have it run Windows or have a company like Diebold to make them...

people who won't act civilized...

[Simonetta]

People who won't act civilized should sooner or later find themselves 'de-civilized'. Why are we taking an endless amount of shit from these losers?

    A few hydrogen-to-helium convertors delivered right to their door does wonders to get across the message we are not a people to be fucked with!

    If they can't police themselves and insist on ripping off systematically people in foreign countries, then send 'em some great balls of fire.

    When this shit happened fifty years ago, Khrushchev would have just sent some NKVD to scoop up these parasites, take 'em back behind the outhouse, and beat their brains inside out. And all their friends and family would get ten years in the gulag.

    I miss Nikita and Eisenhauer. (Nike and Ike) Great times. No one took any shit: no one gave anyone chickenshit like this. There were limits and those limits were respected. No one from Eastern Europe was sneaking into your bank account. Fucking peasants. Khrushchev slaughtered almost a million of his own troops to stop the Germans at Stalingrad. One phone call from the US State Department and all these sleazy little cock-sucking hackers would have been mince-meat.

    Nike and Ike had the ability to blow up the world. But, they didn't blow up the world. They came to respect life after taking part in so much slaughter and bloodletting.

    Would you trust a sleezy Ukrainian hacker with a modem to not blow up the world if he had a chance? No way. Or some smug little twisted little shit-for-brains in Estonia to behave himself. Let's face facts here; going to another country and randomly stealing people's money is an act of war! When is Putin gonna knock these guys upside the head so hard that their eyes roll out? We have real enemies now and we need to work together against them. All this cross-border chickenshit financial crime is inexcusable. It's a new world, a new century. Get a real job, stop fucking around with petty rip-offs. Assholes!

    Let's all work together to rid civilization of the shit-people!

    Another great Slashdot rant. Too bad it will get modded down to -1 by toads that don't appreciate this kind of thing.

In related news...

[InsertWittyNameHere]

Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ . Brilliant advice.

Microsoft is urging it's customers to 'carry out all computing activity from a standalone, hardened, and locked-down computer which is not plugged into any electrical outlet. Such a secure "computer" is known colloquially as the "typewriter"