Cyber Gangs Raise Profile of Commercial Online Bank Security
tsu doh nimh writes "The Washington Post's Security Fix blog has published a rapid-fire succession of investigative stories on the theft of hundreds of thousands of dollars from companies, schools, and public institutions at the hands of organized cyber thieves and 'money mules,' willing or unwitting people recruited via online job scams. Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs. Last week, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules. The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball. Most recently, the Post's series outlined a sophisticated online system used by criminals to recruit, track and manage money mules."
As Bruce Schneier recently pointed out, MITM attacks are now much more common, and likely to become widespread.
Now, if they used that cell phone message to authenticate the exact transaction you are performing, you'll be much more secure.
Of course, if it's too easy to update the cell phone number, all bets are off.
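What binding the texted code to the exact transaction could look like, as an added example that is not part of the original comment or any bank's actual scheme. The per-customer key, the field names and the 6-digit HMAC-SHA256 truncation are assumptions made for illustration.

```python
import hashlib
import hmac


def _canonical(payee: str, amount_cents: int, currency: str) -> bytes:
    # Length-prefix every field so two different transactions can never
    # serialize to the same byte string.
    parts = [payee.encode(), str(amount_cents).encode(), currency.encode()]
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def issue_code(key: bytes, nonce: bytes, payee: str, amount_cents: int,
               currency: str, digits: int = 6) -> str:
    # Bank side: the code is a MAC over the transaction as the bank received
    # it, plus a per-transaction nonce (random and single-use in practice).
    mac = hmac.new(key, nonce + _canonical(payee, amount_cents, currency),
                   hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:8], 'big') % 10**digits:0{digits}d}"


def sms_text(payee: str, amount_cents: int, currency: str, code: str) -> str:
    # The message repeats the details, so a payee swapped on an infected PC
    # shows up on the phone before the customer types the code in.
    return (f"Confirm {amount_cents / 100:.2f} {currency} to {payee}. "
            f"Code: {code}")


def verify_code(key: bytes, nonce: bytes, payee: str, amount_cents: int,
                currency: str, code: str) -> bool:
    # Recompute over the transaction about to be executed; constant-time compare.
    expected = issue_code(key, nonce, payee, amount_cents, currency, len(code))
    return hmac.compare_digest(expected.encode(), code.encode("utf-8"))


def demo() -> dict:
    key = bytes(range(32))             # constructed per-customer secret
    nonce = b"constructed-nonce-0001"  # constructed; must be random in practice
    code = issue_code(key, nonce, "ACCT-1001", 58800000, "USD")
    return {
        "sms": sms_text("ACCT-1001", 58800000, "USD", code),
        "genuine": verify_code(key, nonce, "ACCT-1001", 58800000, "USD", code),
        # Same code replayed against a transaction altered after issuance:
        "altered_payee": verify_code(key, nonce, "ACCT-9999", 58800000, "USD", code),
        "altered_amount": verify_code(key, nonce, "ACCT-1001", 58800001, "USD", code),
    }


if __name__ == "__main__":
    print(demo())
```

A code that only authenticates the login session would verify for all three transactions; here only the one the customer saw in the message is accepted.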
Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs
How exactly is this the banks' responsibility? And if it is a bank's responsibility, are they going to go into my PC to fix it?
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
I think as we see an increase in cellphone usage for common internet tasks, the "out of band" benefits of this scheme are going to be lost for many people.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
You know, Kelsey Grammer is only one man. You can't expect him to go out and fix all the world's English language issues, now can you?
My two cents
1) Why should the bank be held responsible for something that is clearly the customer's responsibility? I.e. securing their fucking computer?
2) Maybe this will encourage folks to keep their computers locked down.
Mind you, I think that the bank should bend over backwards to help catch the bad guys. However, they cannot and should not be expected to police their clients' computers... and likewise expecting them to pony up for something they can't prevent is also unfair.
The real enemy in this case, as usual, is the crook that did the hacking in the first place.
How is MS or any vendor of computer hard- or software responsible for user stupidity?
Most current malware infections are not due to an OS blunder or faulty software. It's social engineering, getting the user to launch a program he better not. From the obvious ones where you get an email from LAWYER telling you to open this attachment immediately and act OR ELSE, to the less obvious ones where you install a "crack" for something that also quietly installs a rootkit.
How could any OS avoid this? By requiring root access for anything but the most trivial actions? So? The user will grant it. Imagine you promise the user a crack for his OS so it won't activate but is still usable. Will he get suspicious if the crack wants to install ring0 drivers or manipulate system files (assuming he knows at all what I'm now talking about)? No, after all that crack is supposed to change his OS. Not only would he not be alarmed, quite possibly he would do whatever is in his power to help the rootkit install itself. If it doesn't work, oh well, maybe those bastards at MS changed something and the crack doesn't work anymore. Happens all the time with new firmware for those consoles...
Don't try to shift the blame, people. It's not Ford's fault if you don't check your brake fluids and your car doesn't stop when you slam the brakes. It's not your plumber's fault when you clog the sink and it floods the apartment. It's not Smith & Wesson's fault if you can't handle your gun and shoot yourself in the foot. And it's not MS's fault when you can't keep your machine clean.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.