Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyber Gangs Raise Profile of Commercial Online Bank Security

Posted by Soulskill on from the only-you-can-prevent-identity-theft dept.

tsu doh nimh writes "The Washington Post's Security Fix blog has published a rapid-fire succession of investigative stories on the theft of hundreds of thousands of dollars from companies, schools, and public institutions at the hands of organized cyber thieves and 'money mules,' willing or unwitting people recruited via online job scams. Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs. Last week, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules. The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball. Most recently, the Post's series outlined a sophisticated online system used by criminals to recruit, track and manage money mules."

5 of 140 comments (clear)

  1. I like Bank of America's approach by Iphtashu+Fitz · · Score: 4, Interesting

    I have accounts at a few different financial institutions and have to say that despite all their other problems I think Bank of America has about the best two-factor authentication scheme I've seen so far.

    Cell phones are extremely common these days, and BoA has leveraged that ubiquity. You can set up your account so that any time you attempt to log on the bank will send you an SMS text message with a totally random 6 digit number. You have to enter that number as you're logging into their website (along with your regular password). Since they're using an out-of-band method of sending you the random code the chances of it being intercepted are extremely small. And since it can only be used once then even a keylogger can't defeat it. The only type of attack that I think would work in this situation would be a man-in-the-middle attack, which is very unlikely as well.

    1. Re:I like Bank of America's approach by Anonymous Coward · · Score: 5, Interesting

      I can think of a *lot* of attacks on that. Most of them just as illegal as the intended crime...but...yeah... It's technically trivial to intercept SMS data. As it is, you can already see the fraud shops working around it--the new trojans send an alert to some amazon-turk type person in the middle of nowhere when you login, and just hide a window that gets relayed to them. While you're logged in, they can do very bad things...

      Also, as somebody working in an industry that once depended on SMS. Let me tell you the service is ridiculously unreliable. How'd you like not being able to log into your bank b/c you couldn't get an SMS? In the US I can tell you from experience that any given vendor will have SMS "down" for about four days (total) a year.

      Finally--even if it can only be used once, a keylogger can defeat it, unless only the last message is valid, and/or there's a rapid timeout. All I need to do is make the keylogger a little aggressive, and popup a box prompting you for *two* passwords. Of course, the first one actually goes to the bank--the second one crossposts to evil.com so I can login later today and drain you.

      I realize--it's probably a "small" concern--but when you need your bank info--you often *need* it quickly.

      Looks, there's a lot of *good* technologies out there to help filter this. The credit card companies use some of them. But in the case of banks, what's going on is outright criminal negligence that they refuse to fix.

    2. Re:I like Bank of America's approach by maladroit · · Score: 4, Insightful

      As Bruce Schneier recently pointed out, MITM attacks are now much more common, and likely to become widespread.

      Now, if they used that cell phone message to authenticate the exact transaction you are performing, you'll be much more secure.

      Of course, if it's too easy to update the cell phone number, all bets are off.

    3. Re:I like Bank of America's approach by Rick17JJ · · Score: 4, Informative

      I have a PayPal security key on my key chain, which I use whenever paying for something by PayPal. Most people do not realize that PayPal offers the option of using a security key. That multi-factor identification, which is where I need to know something and I also need to have something, to access the account. The security key generates a different 6-digit number every 30 seconds. So if someone managed to steal my password through a keystroke logger or a phishing email message, they would not have the security key that I keep in my pocket. If someone found my security key laying on the ground, they would not know my password.

      https://www.paypal.com/securitykey

      As for the alternative of getting in my answering the security questions for the account, I have used very hard to guess made up answers for the stupid security questions (I did not use real information).

      An employee at the bank, where I have my checking account, recently suggested that I should do online banking. First I asked him if that would work with my computer which runs Linux, intead of Windows. He said Linux would work just fine. I then mentioned my concerns about security and the fake phishing emails that I get, which claim to be about my online banking account at their bank. I said, you know the ones that want me to click on some long complicated looking URL going to some foreign country, and then probably have me log-in and give them my user name and password. He said, "yes just ignore all of those fake email messages."

      I also mentioned my concerns about keystroke loggers, although I added I have probably managed to secure my Linux computer, better than most average computer users do. However, a keystroke logger might still a slight possibility, even for my Linux computer, so I knew I wanted the additional protection of multi-factor authentication. I pulled my security key out of my pocket, and asked him if they offer two-factor authentication, using something like this. He said the did not offer anything like that. I told him that I would not feel comfortable doing online banking with them, because they do not offer multi-factor authentication.

      Two-factor authentication may not be totally perfect, because most forms might still be vulnerable to a man-in-the-middle attack, but it would still be a major upgrade to their security. The cell phone plus 6-digit number in an SMS text message technique, that you said Bank One is using, also sounds great.

  2. Go after microsoft by bl8n8r · · Score: 4, Interesting

    I'm concerned of the potential that malware has to disrupt civilian systems from stuff like waste treatment all the way to energy facilities. The same vulnerabilities that allow your bank creds to be pwned are the same one that could be used to disrupt systems we need for heat or clean water. There neds to be stiffer penalties for neglecting to fix security problems.

    --
    boycott slashdot February 10th - 17th check out: altSlashdot.org