Cyber Gangs Raise Profile of Commercial Online Bank Security
tsu doh nimh writes "The Washington Post's Security Fix blog has published a rapid-fire succession of investigative stories on the theft of hundreds of thousands of dollars from companies, schools, and public institutions at the hands of organized cyber thieves and 'money mules,' willing or unwitting people recruited via online job scams. Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs. Last week, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules. The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball. Most recently, the Post's series outlined a sophisticated online system used by criminals to recruit, track and manage money mules."
a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules
I don't see how this is the bank's fault; the thieves stole the money before the security system was broken.
I have accounts at a few different financial institutions and have to say that despite all their other problems I think Bank of America has about the best two-factor authentication scheme I've seen so far.
Cell phones are extremely common these days, and BoA has leveraged that ubiquity. You can set up your account so that any time you attempt to log on the bank will send you an SMS text message with a totally random 6 digit number. You have to enter that number as you're logging into their website (along with your regular password). Since they're using an out-of-band method of sending you the random code the chances of it being intercepted are extremely small. And since it can only be used once then even a keylogger can't defeat it. The only type of attack that I think would work in this situation would be a man-in-the-middle attack, which is very unlikely as well.
Interesting, I'd never heard of Commerical Online Bank Security.
I emailed Cahoot about a flaw in their system, about 5 times as it happens, over a period of months, but only ever received stock replies. What happens is: you attempt a login with username/password. Then you get to a screen where you select 2 letters from a second password via drop down boxes. If you get that second page wrong a few times it tells you that your account is locked and you have to contact them. But you don't - your account is not locked. You can simply attempt another login. So if you know someone's username/password (username is visible when someone logs in so you just have to know their first password), then you get as many guesses as you like of their second password, and it doesn't vary the 2 letters it wants from that one. The drop down list gives a-z and 0-9. 36 * 36 isn't very many guesses to have to attempt.
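The fix the poster was asking Cahoot for is a lockout that lives with the account rather than the login session, so starting a fresh login does not reset it, together with rotating which two positions are requested. The sketch below is an added example, not Cahoot's code; the in-memory account store, the five-attempt threshold and the fifteen-minute lock are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_FAILURES = 5         # assumed threshold of failed second-stage attempts
LOCK_SECONDS = 15 * 60   # assumed lock duration


@dataclass
class Account:
    """State kept server side with the account, not in the login session,
    so abandoning the page and logging in again does not reset it."""
    second_secret: str        # demo only; a real system keeps this protected
    failures: int = 0
    locked_until: float = 0.0
    challenge: tuple = ()     # positions currently being asked for


class SecondStageAuth:
    def __init__(self, accounts, clock=time.time, rng=None):
        self.accounts = accounts          # user -> Account (assumed store)
        self.clock = clock
        self.rng = rng if rng is not None else secrets.SystemRandom()

    def start_login(self, user):
        """Called once the first password has checked out. Returns the two
        positions the customer must supply, or None while the account is locked."""
        acct = self.accounts[user]
        if acct.locked_until > self.clock():
            return None
        # Keep an outstanding challenge rather than drawing a new one, so
        # reloading the page cannot be used to shop for different positions.
        if not acct.challenge:
            n = len(acct.second_secret)
            acct.challenge = tuple(sorted(self.rng.sample(range(n), 2)))
        return acct.challenge

    def verify(self, user, answers):
        """Check the two characters. Returns 'ok', 'wrong' or 'locked'."""
        acct = self.accounts[user]
        now = self.clock()
        if acct.locked_until > now:
            return "locked"
        expected = "".join(acct.second_secret[i] for i in acct.challenge)
        given = "".join(str(a) for a in answers)
        if hmac.compare_digest(expected.encode(), given.encode()):
            acct.failures = 0
            acct.challenge = ()
            return "ok"
        acct.failures += 1
        acct.challenge = ()   # rotate positions: guesses do not pile up on one pair
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCK_SECONDS
            return "locked"
        return "wrong"
```

With the counter stored on the account, the 36 * 36 guess space the poster describes is never reachable: after MAX_FAILURES wrong pairs the account really is locked, whatever the login page says.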
It's a good approach, almost ... but it doesn't stop trojans at all. Why didn't they go the extra mm and make it secure? This is no better than the little calculator I have at home which generates a random number using my card and my pin, which doesn't stop trojans either.
What they should have done is send the transaction details and the confirmation code in the same SMS.
Why do you bank with them?
Online banking with a single factor security is silly (two passwords are not two factors). I don't feel entirely safe with the code calculator my bank gives, but at least I know how to recognise large transactions (you can see by the way you have to enter the website verification number, not that they tell you that) so trojans could only ever hijack a small transaction.
Oooh, yooz no eeted it!
kthxbye!
P.S.: See, even the cats notice it!
Any sufficiently advanced intelligence is indistinguishable from stupidity.
Depending on your bank in Sweden, you either got:
* A user/pass combination that you input on their website. You then get a code that you input on a personal code generator thingy, and you get another code back that you enter on the website. (Downside: You need your code generator with you)
* A user/pass combination and one-time-use codes that you scratch off a card that you carry with you. (Downside: You gotta order more codes after a while)
* A digital ID encrypted on file, and a password that decrypts it. (Downside: you need the file on a USB memory stick or something)
* (New). A digital ID on a card that you carry with you, and a non-personal card reader. This card is like a digital version of your ID.
You can either enter your card and a 6-digit PIN with the reader connected through USB.
Or you can enter the card and PIN, and you get a code that you enter on the website. You then get a code back that you enter into the reader, which in turn generates another code that you enter on the website.
(Downside: You need a card reader when you're away from home. If everyone uses the same bank, this wouldn't be a problem)
Everything is done over HTTPS, so it seems pretty secure.
Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs
How exactly is this the banks' responsibility? And if it is a bank's responsibility, are they going to go into my PC to fix it?
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
I'm concerned about the potential that malware has to disrupt civilian systems, from stuff like waste treatment all the way to energy facilities. The same vulnerabilities that allow your bank creds to be pwned are the same ones that could be used to disrupt systems we need for heat or clean water. There need to be stiffer penalties for neglecting to fix security problems.
boycott slashdot February 10th - 17th check out: altSlashdot.org
I don't get it. How's a trojan going to read an sms off my cell phone?
The trojan will intercept the 6-digit code mentioned above when you type it into the computer.
And do what with it? Squirrel it away to be used later, when it's no longer valid?
It'll give it to the attacker to log in with.. And it'll tell you that you entered the wrong code and that you need to try again.
Or it'll let you log in and quietly submit a transaction on your behalf every minute or two while you're logged on.
Just for instance ... it can connect to a server, retrieve a transaction from it and validate it with the key you just entered. The server at the same time sends off a couple of SMS to money mules.
Automation is the key.
Wow! After reading this, I'm starting to think that maybe opting out on Web services might be something for me. Banks don't appear to be very responsible for any money stolen. Maybe TARP can help us when our money is stolen by thieves, just-like-the-banks! Oh wait I forgot.. we have to be responsible citizens.(Somebody has to!)
My two cents
1) Why should the bank be held responsible for something that is clearly the customer's responsibility? I.e. securing their fucking computer?
2) Maybe this will encourage folks to keep their computers locked down.
Mind you, I think that the bank should bend over backwards to help catch the bad guys. However, they cannot and should not be expected to police their client's computers...and likewise expecting them to pony up for something they can't prevent is also unfair.
The real enemy in this case, as usual, is the crook that did the hacking in the first place.
So when you said "Why didn't they go the extra mm and make it secure?", what did you have in mind? Ban Windows, MacOS X and everything else except FreeBSD? Or ban every type of personal computer and provide bank-controlled terminals? Hey that's an idea, they could place one every few blocks in each city. Oh wait, those already exist and are called ATMs.
well I don't know how the banks in the United States handle those transactions, but back in Asia, from where I came, once a transaction needs to take place, the bank will send you an SMS including a temporary PIN. If the PIN is not used within 5 minutes, it would expire automatically. Also, if the transaction involves a large amount of money (over $1500), your personal financial advisor from the bank will call you directly to verify. So far, I haven't heard of many big losses from online transactions in my home country, or at least not reported. I assume it means the way our banks handle the transactions is practical.
Wish I had mod points
Say the bank does not implement basic security measures such as monitoring brute force attempts, and someone brute forces your account ... how are YOU gonna prove you didn't just post your password on myspace? You can't! Only the bank can! It's better to put the burden on them, and have them, in turn, enforce security measures on the clients, because the other way around cannot work, and would screw over even the few of us who have a clue about comp.sec.
Also, I would like to take this opportunity to point out that banks have had a few centuries of experience looking after their clients' cash .. it's their GOD DAMN JOB for fuck's sake.
"What they should have done is send the transaction details and the confirmation code in the same SMS."
Stories like these make me glad I only log in from a Ubuntu LiveCD that I boot up solely for that purpose.
I do, of course, advocate that banks (or any other organization handling sensitive information) do all they can to secure their sites.
* SSL certs
* HTTPS encryption
* DNSSEC
* whatever else
That goes without saying. But after the bank has done all it can to keep things secure, it's really not their fault if an end user gets their machine pwned.
And putting the bank into the position of covering for losses they can't prevent is effectively forcing them to provide free insurance.
I'm not surprised by this. Nothing is a hundred percent impenetrable. If you yourself can get into it, then I can get into it. The only way to have something be 100 percent safe is for no one to be able to access it, including yourself, which then defeats the purpose.
Wouldn't it be funny to see the wrecking company play hardball with the bank as payback.
Not at all. Why should it? The trojan will just make YOU do all the work for it.
Scenario: You want to transfer 40 bucks to Aunt Bessy for that wonderful cake she sent you. You have one of those trojans in your box, though. This trojan got information from its maker that it should send whatever your account can possibly send without setting off alarm clocks at the bank to Mr. Hackme and sits quietly inside your box 'til the next time you log into your account.
"Fortunately" most banks conveniently display the amount of money you have on the page, so the question how much money can be sent is trivial to answer. What happens now is that the trojan lets you enter all the data, but before sending it to the bank it changes Aunt Bessy's account number with that of Mr. Hackme, and those 40 bucks with whatever it can rip off. The bank will accept that input and return to you the information that you're gonna send your fortune to Mr. Hackme, which the trojan will "translate" to 40 bucks to Aunt Bessy, and ask for the confirmation. You confirm those 40 bucks, but in fact you just confirmed the trojan deal.
The only way to thwart this is by sending not only a confirmation code but also the amount and account to send it to by SMS, and you verifying that this data is correct before punching in the code.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Care to explain what "security measures" they should enforce on the client? Take control of his computer? Because anything short of this means that the bank cannot enforce anything.
My bank requires me to enter a number before I can pay a new person. This number is generated by a little machine that accepts my card and requires me to enter both my pin and a transaction ID. It then generates a hash from these three pieces of information. I then enter this hash into the bank's page. If a trojan (or a MITM attack) tried to substitute a transaction paying Aunt Bessey to Mr. Hackme then my bank would require authorisation. If I've already paid Aunt Bessey then I would go on a different path through the site and would be suspicious if it asked me to enter the number.
It's not completely foolproof, but given that I haven't sent money to any new people for over a year, it's pretty easy to check if it does the wrong thing when next I do.
I am TheRaven on Soylent News
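The SMS-with-details suggestion earlier in the thread and the card reader described just above rely on the same property: the confirmation code is computed over the destination and amount, so a trojan that rewrites the transaction after the customer has confirmed it is left holding a code that does not verify. The following is an added Python example, not any bank's code or the posters' own; the HMAC construction, the six-digit truncation, the nonce format and the five-minute expiry (borrowed from the Asian bank described earlier in the thread) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 5 * 60   # seconds; assumed, after the five-minute expiry in the thread


def derive_code(card_secret: bytes, pin: str, dest: str,
                amount_cents: int, nonce: str) -> str:
    """Six-digit code the customer's reader computes from the card secret, the
    PIN and the details the customer keys in. The bank computes the same value
    over the transaction it actually received, so the two only agree if the
    details match."""
    key = hashlib.sha256(card_secret + pin.encode()).digest()
    msg = f"{dest}|{amount_cents}|{nonce}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(tag[:4], 'big') % 1_000_000:06d}"


class Bank:
    """Minimal server side (assumed design, not any real bank's)."""

    def __init__(self, clock=time.time, rng=None):
        self.clock = clock
        self.rng = rng if rng is not None else secrets.SystemRandom()
        self.cards = {}     # user -> (card_secret, pin)
        self.pending = {}   # nonce -> (user, dest, amount_cents, issued_at)

    def enroll(self, user, card_secret, pin):
        self.cards[user] = (card_secret, pin)

    def submit(self, user, dest, amount_cents):
        """Stage the transaction exactly as received and return what goes to
        the customer out of band (SMS or reader display): the nonce AND the
        details. Whatever the browser shows, this is the channel to check."""
        nonce = f"{self.rng.getrandbits(32):08x}"
        self.pending[nonce] = (user, dest, amount_cents, self.clock())
        return {"nonce": nonce, "dest": dest, "amount_cents": amount_cents}

    def confirm(self, nonce, code):
        """Single use: the pending entry is consumed whatever the outcome."""
        entry = self.pending.pop(nonce, None)
        if entry is None:
            return "unknown"
        user, dest, amount_cents, issued_at = entry
        if self.clock() - issued_at > CODE_TTL:
            return "expired"
        card_secret, pin = self.cards[user]
        expected = derive_code(card_secret, pin, dest, amount_cents, nonce)
        if not hmac.compare_digest(expected, code):
            return "rejected"
        return "executed"


def swapped_transaction_outcome(bank, user, card_secret, pin, intended, swapped):
    """Scenario from the thread: the customer intends `intended`, a trojan
    submits `swapped` instead, and the customer keys the intended details into
    the reader. Returns the bank's verdict on the swapped transaction."""
    ch = bank.submit(user, *swapped)
    code = derive_code(card_secret, pin, intended[0], intended[1], ch["nonce"])
    return bank.confirm(ch["nonce"], code)
```

In the SMS variant the customer never enters a code at all once the message shows Mr. Hackme's account instead of Aunt Bessy's; in the reader variant the mismatch is caught by the bank because the code covers the wrong details.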
They've already been mentioned: multi factor auth, out of band notification and confirmation (SMS, snailmail, phone), intrusion detection among other things.
If the bank does not implement those, there's nothing you can do. So having the customer bear that burden is pointless.
You might get suspicious. But how many others will? Browsers frequently lose cookies or webpages change so people are used to having to reenter their credentials every now and then, even if they already entered them. How many will simply write this off as "heck, every time the bank changes something I have to go through this hassle"?
thank you for your two cents, that was so easy
just putting your two cents out there, wide open and public, on a comment board where seedier elements are known to roam
and you have the audacity to talk about users needing to take a greater interest in their online security? when you stroll around with your cash wide out and on the open internet?
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Actually, it would be 36 factorial combinations, ala 36*35*34*33...-> *1. A lot of combinations for a human being alone, but not for a human being with today's high speed (and even higher speed plus more specific to this kind of processing in gpu's) computers.
The problem IS THE BANKS!
No matter how you look at it, the simple fact is that their stance on identity theft and fraud prevention is this: whatever costs them less to maintain a working capital. If this capital goes down too much then they get driven to find a way to bring that back, however this might not be ...create the next foolproof system, it could very well be, find a way to disassociate yourself from the responsibility of being in control of your client's transactions.
Did you know that the banks do not want to invest in the security infrastructure because it costs less to just keep going the way things are going, and reimburse when they lose the case or obviously have proof against them that it was not your transaction, so they reimburse you, and move along. They do not care to enforce security.
Until banks are made accountable for ALL the fraud they could protect from but don't, they won't learn their lessons.
The interesting thing here to note too, is that they will always be interested in the least costly security system (online that is) compared to the banks in Zurich that have the highest systems in place. They know it is a losing battle with the OS systems we have today....the only way I think you could ensure their security, is if they developed their own OS, a banking OS client and server.
sort of like sabre for the airlines... and then this could in fact be used in conjunction with higher grade encryption and call systems.
Certain banks have calling systems, that allow you to access banking by phone; speech recognition is a great asset.
Also, this could be done whenever there are transactions in place...you could have a phone call that comes to you, and you are solicited to then give acceptance of a transaction.
Sh*t if I had a bank that had a system where I could say, for every transaction (except these types...repetition, pre-authorized etc...) I want a phone call to confirm, else just refuse it....aside from banking charges, you would know every time you had something come up. This would only work on low volume accounts....but I am sure a system could be devised for higher volume accounts too.
The drive just isn't there...many ideas, but none they want to invest in...
After reading the articles and this thread, I began to wonder whether banks should start distributing a read-only live-CD distribution that only contains the software needed to conduct online banking. In order to bank online, you'd have to reboot with the live CD. This eliminates the possibility of installed trojans and similar malware that might reside on the computer's hard drive.
Obviously this is going to be seen as a pain in the neck by consumers, but maybe it makes sense for commercial accounts? Given the radical differences in how such accounts are protected legally (read TFAs for details), and given that businesses presumably are less concerned about ease of use than consumers, commercial account holders might be willing to go this route. Of course some machines like netbooks and PDAs aren't well suited to this approach, but they're also not likely to be the types of client machines used in businesses. I presume it's possible to make read-only USB sticks for cases like this?
That's the part that makes the libertardians' dream of everything in a market a complete joke. You don't have access to that information. You CAN'T look at the god damn bank's web site design papers, or their source code or something.
So I don't know why you're even bringing this up, because on top of that, 99.9999% of all bank customers (i.e: everyone) is incapable of evaluating a bank's computer security even if they had access to this info.
Contrast this to putting that responsibility into the bank's hands; oh my dear, the poor rugged individuals, having to take responsibility for their actions. Ayn Rand would just cry.
... have stronger regulations than in the US.
For example there is no subprime bullshit in my country, because the courts have consistently upheld the notion that when a banker lends money to someone who couldn't possibly pay back, it's their own fault because it's their job to find that out in the first place. They can suck their credit up.
So they don't lend to deadbeats. Sure, it's harder to get a loan, but there was no subprime bullshit here.
We had that idea on the table when we dealt with a bank that asked us to come up with ideas to make online banking more secure. It was shot down for a few reasons:
1) Pain for the customer: He has to reboot, reboot into a system he is unfamiliar with, this would invariably lead to more support calls and limits acceptance. Not to mention the matter of compatibility, especially with a lot of notebooks that still don't follow normal specs and thus might not work well with the live-CD.
2) Draws attention to the problem: Yes, personally I'd see it as a good thing, but the last thing banks want is to draw more attention than necessary to the problem. Especially they want to avoid the question "Why does THIS bank have that? Do they have more of a problem with security than others?"
3) Impossible to know whether people use it. You can't verify that the customer actually uses your live-CD or his (insecure) machine to access your bank's online banking page. That leads to
4) Impossible to shift liability to the user. Since you can't say with certainty that he used the live-CD, you can't put the blame on a loss on him by saying he didn't use it.
Based on this it was rejected for the simple reason that users could not be "forced" to use the live-CD, thus would not use it because it's more hassle, thus it will not lead to more security (because the only people who would use it are not the "problem group", but rather people who are already security conscious and thus in general not susceptible to this threat), which will not net any additional security or fewer phishing problems.
I could point out that banking regulations are quite a bit removed from the social problems you mention; or that said "riots" might not have been quite as fantastic as Fox News reported them; or that I didn't imply that things were better here in other areas, especially not now that we have a Bush-class moron in charge.
Or I could just ask you about Rodney King.