How Banker Trojans Steal Millions Every Day
redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts. "Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."
Banker trojans have become a serious problem
Look at how much they stole from the American taxpayer! Oh wait, you're talking about computers.
Speaking of Trojans, they didn't even lube it up before they put it in our ass!
Look where all this talking got us, baby.
We need to develop greater use of provable correctness in bank security, promote the use of isolated secure workstations for private banking transactions online, and use contractual incentives and accountability to incentivize better security systems.
Seriously, how about a physical random token generator where someone has to enter what the token currently displays each time they make a transaction for an account with a $5000+ balance, or more than $500 in a single transaction, or $1000 in a day? Or similar systems that make phishing alone useless.
This is somebody's blog describing some hypothetical situation. "Oh no! My browser session is going to get hacked." Seems just as likely someone working at the bank could steal your account or someone behind you at the atm seeing your pin. This article was not worth the five minutes I spent reading it.
Just R'ed the FA, and my first reaction was "Bob's an idiot."
First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.
Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.
Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.
Fourth, he continues to use this browser after it exhibits strange behavior.
Fifth, he ignores red flags like unexplained 'Safety Pass' requests.
If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.
"Reid said that the effects of joblessness on domestic violence were especially pronounced among men, because, Reid said, women tend to be less abusive.
"Women don't have jobs either, but women aren’t abusive, most of the time," he said."
--Excerpt from thehill.com
I guess ol' Dingey Harry hasn't met his House counterpart. Most people consider her to be quite abusive, which is why her popularity rating is even lower than Obama's.
This round of panic brought to you by Fireeye -- but rest assured, they can protect you from this latest 2-year-old+ threat.
We should just give away copies of all the best hack tools. As soon as they appear they should be all over the net for free. What will this do? Simple. It removes the monetary incentive to write good hacking tools. If what any idiot can download for free is as good as it gets then the money is sucked right out of the market for supplying tools.
On top of that when you have every idiot out there using the best tools vendors WILL be forced to deal with the flaws a lot more quickly and release higher quality code to start with. It won't stop the people using the tools from using them and stealing money, but nothing is going to stop that.
The first property crime happened the day property was invented. Nothing we do is going to stop it, but we can suck some of the wind out of the blackhats' sails.
about so many groups using the same toolkit is that if you find a weakness in the toolkit then you can clear up multiple attacks all at once.
I'm so pissed at Apple. I bought the toolkit and made a mobile botnet iPhone app with controller but they won't approve it. *sigh* Such bullshit, they don't approve anything!
... elected officials do better than that, and they get the girls.
The Luddites were ahead of their time.
I'm thinking of some past conversations I've had with people in banking and payment systems. I have a suspicion based off of some of those conversations and what we actually see. Banking has two related security problems:
1) They think they don't need to care (and might be somewhat right)
2) Leadership in the industry largely just doesn't have the ability to tell who's good at security.
As an industry bankers have long naturally had an awful lot of clout legally and politically, and so they're very used to dealing with problems that way. It might not be particularly more expensive to hire some good security professionals and developers to get their systems right than it would be to do some lobbying for harder penalties, more attention from specialized law enforcement, some kind of public insurance against this kind of theft and fraud, and most importantly, laws that push the liability onto other parties (remember, being a banker means *never* having to take any responsibility!), but I suspect they're a lot more practiced at the latter approach than the former. And this is *before* you get into some of the darker corners of banking. There are no small number of people who will tell you a little bit of looseness in the system is a feature, not a bug, because it makes it a lot easier to handle money for, shall we say, extralegal enterprises.
And while it might not be more *expensive* to hire good security professionals, it's probably harder. As the old saying goes, it takes one to know one. The banking community knows good lawyers and lobbyists. They don't really know what computer security looks like.
You mean like in Superman 2?
Use a trusted Live Linux CD (Ubuntu, Knoppix, etc.) in a VM or boot your PC with it. Browse directly to your bank's site and take care of business.
Slashdot, downstairs in my house has a major ant problem. Luckily I reside upstairs. Nevertheless, once every 5 minutes or so an ant comes trotting along my desk. First I place a coin or another object in its path. This confuses the ant, causing it to run off in a different direction, but my finger is waiting. I block its path with my finger. It runs in the opposite direction, but I anticipate this. Soon the ant is encircled by pens and other barriers, and if it attempts to climb them, swift punishment is issued. The ant remains in my arena. Then I take my knife, and nimbly place the tip onto one of its legs, holding it in place, then I press down hard and chop the leg off. The ant does not run, it merely enters a craze moving all around wildly. I allow it to suffer like this for a minute or so, chopping off another leg if it appears not to be in pain. Then comes a decision. Sometimes I will wait for another ant, and place it in the arena to see what it does. Occasionally it will pick up its comrade, and run off, but this is an offense punishable by death. Other times, I will merely watch the ant until it gives up. It will stop moving all but one leg. At this point I give in and slice the ant in two, putting it out of its misery. I save the corpses in a small pile, and once I have a considerable stack, I scatter them in my arena. This is where the real fun begins.
I venture outside to my back yard and find a red ant. This is my gladiator. I return to my room and place him in among the corpses. He wanders, confused. I do not let him leave. I pound the desk near him with my fingers, scaring him. I toughen my gladiator up until another ant comes along. I place the intruder into the arena. The red ant will go after the black ant, and they engage in mortal combat. If the red ant wins, another corpse decorates my arena. If the black ant vanquishes his foe, he wins the prize of life. I carry him in my hands and bring him downstairs and place him among his comrades. If he put up a good fight, I give him a warrior's welcome and feed his colony with bread. If he barely defeated the red ant, he receives no food, only the gift of life. This is how I spent my afternoons.
There are already physical random password generators: can they be directly plugged into the computer? If it either sends a password every few seconds or every time you are transmitting any financial information, it would require the attacker to stay in the middle to do anything. If the password generator uses the user input to help seed the password, shouldn't a MitM attack be foiled, as they cannot change the information and still have the password check out? The issue here is that the password generator has to be immune to input from the attacker.
Everything I know about security in these situations is from my misinterpretations of posts here on slashdot, so I must be missing something. Anyone care to elaborate on why this works/doesn't, or perhaps a better solution?
There is still money to be made in IT/CS!
Basically the "big bucks" are on my banking accounts. Great, I happen to have a bank mandating the use of a cryptographic token. Even better, for account numbers never used before or for big amount it is mandatory to make the account number of the recipient part of a cryptographic challenge: good game lowlifes, it is mathematically provable that you cannot work around that.
Noticed the "cryptographic challenge" part? That defeats *every* MITM attack (renamed "Man In The Browser" in TFA for no good reason).
Now another site where I've got $1.5K or so is an online Poker site. The biggest one. 300K players at peak hours. The good news? That site *also* provides an RSA security token. (cue all the clueless about online poker sites being all rigged but I'm actually making money with this while having a lot of fun and, yes, I did already cash out a lot of times and, no, I never had any issue).
Anyway, it ain't the point: the point is... More and more sites are starting to use two-form authentication and this trend ain't going to stop.
Either people using botnets to steal money out of customer accounts become a real problem and banks SHALL all (or most) mandate the use of physical security tokens + cryptographic challenge (once again, it's already done here and it works flawlessly and people don't whine about it) or people using botnets to steal money shall stay an insignificant problem.
I didn't think about using an iPhone to connect to my online banking website (supposed to be safer due to non-unsigned application and also greatly due to the better track security record of OS X compared to Windows)...
That said my security token + cryptographic challenge + Linux bootable CD gives low-lifes a nice finger :)
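The comment above relies on the recipient account number being part of the cryptographic challenge. The following is an added illustration (not the bank's real protocol, and not code from the article): it models the token as HMAC-SHA256 over the challenge string, truncated to 8 digits, and compares a token used only at login with a token that signs the transfer details. The account numbers, the key and the `mitb_rewrite` helper are all constructed for the example.

```python
"""Login-only OTP versus transaction signing against a man-in-the-browser.

Constructed illustration: the hardware token is modelled as HMAC-SHA256
over the challenge string, truncated to 8 decimal digits. Real devices use
their own algorithms; the property that matters here is that the key lives
only in the token and at the bank, never in the browser.
"""
import hashlib
import hmac
import secrets

DIGITS = 8


def token_response(key: bytes, challenge: str) -> str:
    """What the token displays after the user types the challenge into it."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


def transfer_challenge(recipient: str, amount_cents: int) -> str:
    """Challenge that ties the token response to recipient and amount."""
    return f"TX|{recipient}|{amount_cents}"


def mitb_rewrite(form: dict, mule):
    """The trojan's edit of the form on its way out of the browser.
    The user's screen keeps showing what they typed. mule=None means no trojan."""
    if mule is None:
        return form
    tampered = dict(form)
    tampered["recipient"] = mule
    return tampered


def transfer_login_otp_only(key: bytes, intended: str, amount_cents: int, mule=None) -> str:
    """Scheme 1: the token is used only at login ("case 2" in the article).
    Returns the account the bank actually credits."""
    # Login: the bank sends a fresh nonce and the user answers with the token. Passes.
    login = "LOGIN|" + secrets.token_hex(4)
    assert hmac.compare_digest(token_response(key, login), token_response(key, login))
    # Transfer: nothing ties the form to the token, so the bank executes whatever arrives
    # inside the authenticated session.
    form = mitb_rewrite({"recipient": intended, "amount_cents": amount_cents}, mule)
    return form["recipient"]


def transfer_signed(key: bytes, intended: str, amount_cents: int, mule=None) -> str:
    """Scheme 2: the user types recipient and amount into the token, and the bank
    recomputes the code over the recipient it actually received."""
    code = token_response(key, transfer_challenge(intended, amount_cents))
    form = mitb_rewrite({"recipient": intended, "amount_cents": amount_cents, "code": code}, mule)
    expected = token_response(key, transfer_challenge(form["recipient"], form["amount_cents"]))
    if hmac.compare_digest(expected, form["code"]):
        return form["recipient"]
    return "REJECTED"  # code does not match the rewritten recipient


if __name__ == "__main__":
    key = secrets.token_bytes(32)            # shared only by token and bank
    print(transfer_login_otp_only(key, "DE00 1234", 20000, mule="MULE 9999"))  # MULE 9999
    print(transfer_signed(key, "DE00 1234", 20000, mule="MULE 9999"))          # REJECTED
    print(transfer_signed(key, "DE00 1234", 20000))                            # DE00 1234
```

The login-only scheme is exactly what a man-in-the-browser needs: a valid session and a form it can edit. Binding the code to recipient and amount means the trojan can change the form or keep the code, but not both.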
How are these underground communities preventing the toolkits from flooding usenet and bittorrent? Perhaps software vendors could take a lesson from them?
Not the ones for the kids. The ones for everyone...
Except we take parts of pennies and do it a million times a day.
I know a non-technical solution which even generates jobs: bring back the physical counter...
The key to solving this problem is secure and cheap transaction authentication, which is what IBM has been trying to achieve with their ztic, but even that I fear is vulnerable. The solution I think that will ultimately put something of a stop to the mitb/trojan is this: http://passwindow.com/ It seems at first glance too good to be true, but I read parts of the whitepaper and it seems legit. I heard it mentioned that a few banks might be rolling it out some time this year....
A good solution to phishing is PassWindow (no I have no connection to their product, I just think its a damn good idea). See www.passwindow.com for details of the system.
Basically your card (ATM card, credit card, bank card or whatever) has a translucent window on it (translucent to make it hard to photocopy). This window contains segments like those on a 7 segment LED display. These segments are in a pre-defined pattern.
When you log in, the bank generates another set of 7-segment patterns. When you hold your card over the pattern, the segments on the card and the segments on the screen match up to generate 1 or more numbers that you then key into the login form.
Each time you login, the set of segments generated by the bank will be different (resulting in different numbers)
This system has the following advantages:
1.Unlike calculators and key-fobs and similar, it requires no batteries to operate. Plus, it is something you would carry with you anyway.
2.Unlike card/pin pads, special certificates and dongles and other devices that plug into your computer, PassWindow cards will work with any device that is capable of rendering the PassWindow image (including cellphones, internet cafe/kiosk computers and work PCs where plugging things in is not allowed)
3.The PassWindow system is essentially totally resistant to social engineering (due to the fact that it's not easy to describe in words the layout of the PassWindow markings)
4.Unlike on-screen-keyboards, "click the right picture" and other such systems, the PassWindow system is resistant to trojan horses, keyloggers and any other software or hardware that may be running when you access the bank as the number generated by the PassWindow is 1-time-use-only and will not be valid if the trojan/hacker attempts to log in with it (if the trojan/hacker simply stores it and returns a "bank not working" error instead of actually logging in with it, it won't be valid since it will have expired)
5.The PassWindow system is resistant to brute force due to the number of possible combinations of PassWindow patterns that could be on the card (and the fact that the random image returned by the bank each time you try and log in is different each time)
Now I am not saying it's perfect but it's better than any other solution I have seen to date. (and cheaper than anything requiring a separate electronic device of some sort)
If anyone knows of any ways in which the PassWindow technology would be insecure (or more to the point, less secure than alternatives that are currently in use) please speak up.
I have noticed in IT an almost physical revulsion of the idea of upgrading. I can't count the times I have worked on a system and found it to be several versions out of date, the reason? "Well it works".
No, it does not.
While for some software new releases indeed only happen to sell more copies and add useless features, for production software and OS, security, reliability and bug fixes tend to be improved. If nothing else, then at least you present a moving target.
A lot of exploits happen with code BASED on FIXES. So the bad guys learn what to attack by watching the patches that don't come out and basically attack everyone who hasn't patched.
Often the official excuse is that code must be tested... yeah... because you tested it so well before that you did not find the security holes. If you've ever been told that you can't upgrade beyond IE6 because it hasn't been certified yet, ask yourself: "Who the hell certified IE6?" Really, how did that ever get approved if anyone ever did any real testing? Answer: Nobody ever did.
It is just that the support companies want to see big bucks first because if they upgrade their clients they've got to retrain their people. Same with stuff that is developed for legacy systems, too cheap to do essential maintenance.
Car analogy: It is like not replacing your brakes because they still stop your car eventually and you need to cut costs and then when the remains of the brakes have become fused to the rims you can't afford the now increased costs so you defend that you need the car as it is and everyone else is to blame for it being a road hazard.
UPGRADE. If you are afraid that you might be bitten by some new bug, then at least such a bug is an honest mistake, you might lose some data but that is what backups are for. If you do not, your data might not simply be lost but be stolen. And sooner or later someone will start to hold you accountable for your lousy business practices... oh we are talking the financial industry here? Never mind.
I'm forced to use those things here in Sweden. They are an incredible PITA. You have to put in the card, punch in a PIN, and then digitally sign every transaction. It's such a pain. This also means you have to take your card and reader with you anytime you travel if you want to log into your bank.
...and all other active content. Oh, and cookies too, that makes the job of those data gatherers slightly harder.
That's why I'm stuck posting anonymous.
Other employees will be more likely to read and use the IT security SOPs.
Windows Security Essentials anti-virus is not available in all countries. I am on a duty trip in the FSU and the Windows Security Essentials page informs me: "Not available in your country".
Windows update checks for the authenticity of Windows.
As a result, on millions of computers the OS is un-updated and anti-virus is absent.
In western countries the PCs have authentic Windows, which regularly updates itself, and an anti-virus. However, the majority of PCs in the world have a pirated Windows, no anti-virus, no OS update.
These PCs are infested with viruses and trojans. I saw several bot-nets on one PC.
For people in western countries it may look like everything is more or less OK. But it is not OK. It is well-managed chaos, part of the monopoly's strategy to suffocate its main threat: the free safe Internet (web applications), as its monopoly is in silos (PCs' applications).
Now I'm gonna have to freak out every time my browser crashes. And with Opera, that's about 4
That's copyright infringement!
Oh.
Sorry, wrong thread.
Last time when I was in India, every time my brother made an ATM withdrawal he got a text message to his phone. Every time he made a big charge in the credit card he got a text message. Alerting people to withdrawals and transfers immediately would be a good first step. The banks get early warning and stop the fraud quickly. Of course you should not be able to change the alert phone number via the internet, and you should be able to set a threshold on the amount that triggers alerts.
Here in Germany many banks use mTAN which includes the amount and destination of the wire with the confirmation code in the SMS to prevent a man in the middle attack as described in the article.
The idea is that if you attempt to send a wire to John Smith at account 203424 for €200, but the mTAN says Mary Jan for €2000 at account 3422233, then you've got a problem.
There will come a time where if you want to pay bills or transfer money outside your "normal pattern" at an "unsecured" computer or terminal you'll have to "call ahead" and give a limited-time authorization. Checking transaction history and making savings-to-checking transfers or "routine" things like paying recurring bills will still be allowed, but things like your full account number might not show up on your screen and entering them won't be part of your login process.
There will be "secure terminals" such as ATMs or perhaps computer-on-a-dongle devices that plug into your cell phone or PC for those who need them.
The bigger long-term issue is that telephones and caller-id are no longer trustworthy. Time was, you could have someone call you from their home phone, enter a PIN, and barring some serious inside-job hacking at the bank or telco or someone physically tapping the line, you knew it was them. Not any more.
In the near-term, I see banks encouraging small businesses to set up dedicated "banking only" computers that use dial-in directly to the bank or to a "banker's ISP" to do online banking. Yes, I said dial-in, bypassing the Internet.
Your post is hilarious, but you're totally offtopic so I can't bring myself to mod you Funny.
We need cell phones to have a hard switch that changes them between normal "powerful" mode and a limited secure mode.
Then you could do simple things like authentication and digital signatures in secure mode (e.g. transferring money), and do everything else in the normal mode.
Without something physical that can't be overridden with software, there is no way to be sure secure is really secure.
Of course, something physical is still vulnerable if someone gets physical access to your device for some period of time, but no security is absolute.
Here in Germany I'm using PostBank (which is the post office bank service)
They have a more or less fine web interface for payments and so on.
When you make a new payment, you have to look up a transaction number from a paper, physical list you were sent with the creation of your account
alternatively you can sign up for SMS TAN, where they send the transaction number by SMS and you type it on the screen.
A nice layer of security and all.
Now.. if a company gets my bank account number, bank code, and name, they can also simply request the money. I don't even have to send or confirm the payment myself. They can just serve themselves. A trojan for this bank would then just need to capture the said data and send it upstream and take money in small amounts. Same with the credit card numbers, or just a PayPal account.
As usual, the weakest link wins.
Oh please !
Are Linux machine also vulnerable to these trojans? Or should I be feeling comfortable using Ubuntu9.10 + FF3.6/Chrome?
This device uses a time-dependent (be it iterative or time-synchronised) password. It requires no input from the bank itself. The device simply gives you a number, you type it into the log-in screen and you're logged in.
Once logged in, a hi-jacked browser could pretty much change the account information on-the-fly during a transfer (the browser screen says you're transferring money to the merchant you're buying from, but secretly the trojan changes it on the fly, so the bank is actually ordered to transfer money to a criminal. See case 2 in TFA).
In Switzerland, UBS uses a slightly different device.
That device is closer to the kind of stuff you see in a public-key infrastructure : you just type a number in, and an encoded version is spit out.
The log-in is slightly different : UBS gives you a challenge on the log-in screen, and you must respond with the encoded version of it.
Where it gets interesting is, as the device can encode any string, you can also use it to secure wire transfers :
instead of directly typing the account number of the merchant you're paying, you type the account into the device, and give the encoded version to the web-form (for each new recipient. Once a recipient account is known as "safe", you can also do it without encryption).
Case 2-type injection can't work: the trojan can't change the recipient on the fly because there's no merchant's account number to replace. In theory, the trojan should replace the encrypted merchant's account with an encrypted criminal account. But that's impossible because the encryption is done on a separate device which isn't accessible to the trojan*.
*: That would require a rather more elaborate (and therefore more prone to detection) case.
The trojan should initially simulate internally a couple of failed logins, where it requires the user to attempt to log in using a challenge which is actually the criminal's account. Thus the trojan gains knowledge of the number encoded with the victim's key.
Then it proceeds as in case 2, but instead injects the encrypted criminal account number it obtained during the fake failed log-in step.
Could work, but the first step will look highly suspicious to lots of users. And is easily subverted if the bank starts asking to encrypt a random part of the recipient account instead of a fixed part: the trojan doesn't know in advance which part it must encrypt during the fake log-in.
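The "fake failed login" attack sketched in the comment above, and the mitigation it proposes, as an added model (not UBS's or any bank's protocol, and not code from the article). The device is again modelled as HMAC-SHA256 over whatever the user types, truncated to 8 digits; the account numbers, the number of digit positions `K`, and the `attack_*` helpers are constructed for the example.

```python
"""Pre-capturing a token response with fake 'login failed' pages, and the
fix of letting the bank choose which digits of the recipient get encoded.

Constructed model of the attack described above. The token is HMAC-SHA256
over the typed string, truncated to 8 decimal digits; real devices differ.
"""
import hashlib
import hmac
import random
from itertools import combinations

K = 3  # digit positions the bank asks for in scheme 2 (constructed parameter)


def token_response(key: bytes, challenge: str) -> str:
    """Device: keyed PRF over whatever the user types in."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**8).zfill(8)


# Scheme 1: the user always encodes the full recipient account number, so the
# challenge for a given recipient is the same every time.

def accepts_fixed(key: bytes, recipient: str, code: str) -> bool:
    return hmac.compare_digest(token_response(key, recipient), code)


def attack_fixed(key: bytes, intended: str, mule: str) -> str:
    """Returns the account the bank credits."""
    # Earlier, the trojan showed a bogus "login failed, enter this challenge"
    # page whose challenge was the mule account; the user typed it into the
    # token and the trojan stored the answer.
    captured = token_response(key, mule)
    # Now the user signs a genuine transfer to `intended`...
    _user_code = token_response(key, intended)
    # ...and the trojan swaps both recipient and code on the wire. The bank
    # sees a valid code for the mule account.
    submitted = {"recipient": mule, "code": captured}
    return mule if accepts_fixed(key, submitted["recipient"], submitted["code"]) else "REJECTED"


# Scheme 2: at transfer time the bank picks K digit positions of the recipient;
# the user types the positions and those digits into the token.

def issue_positions(recipient: str, rng=random) -> tuple:
    """Bank-side choice, made only once the transfer request has arrived."""
    return tuple(sorted(rng.sample(range(len(recipient)), K)))


def challenge(positions, recipient: str) -> str:
    return ",".join(map(str, positions)) + "|" + "".join(recipient[p] for p in positions)


def accepts_random(key: bytes, recipient: str, positions, code: str) -> bool:
    return hmac.compare_digest(token_response(key, challenge(positions, recipient)), code)


def attack_random(key: bytes, mule: str, guessed_positions, bank_positions) -> str:
    """The trojan could only pre-capture a response for positions it guessed
    during the fake login; the bank verifies against the positions it issued."""
    captured = token_response(key, challenge(guessed_positions, mule))
    submitted = {"recipient": mule, "code": captured}
    return mule if accepts_random(key, submitted["recipient"], bank_positions, submitted["code"]) else "REJECTED"


def fake_logins_needed(account_len: int) -> int:
    """Distinct position sets, i.e. fake logins needed to pre-capture them all."""
    return sum(1 for _ in combinations(range(account_len), K))


if __name__ == "__main__":
    key = bytes(32)  # constructed; a real token key is random and never leaves the device
    print(attack_fixed(key, "1234567890", "9876543210"))               # 9876543210
    print(attack_random(key, "9876543210", (0, 1, 2), (3, 5, 7)))       # REJECTED
    print(attack_random(key, "9876543210", (3, 5, 7), (3, 5, 7)))       # 9876543210
    print(fake_logins_needed(10))                                        # 120
```

The residual weakness is visible in the last two lines: the space of position sets is small (120 for a ten-digit account with K=3), so a trojan patient enough to stage that many "failed logins" could still pre-capture every variant. Putting a bank-chosen nonce into the challenge string removes that option entirely, since the nonce does not exist until the genuine transfer is submitted.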
where Richard Pryor wrote the program to steal all the half cents?