How Banker Trojans Steal Millions Every Day
redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts. "Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."
Here in Australia, the Commonwealth Bank does exactly this. If you are entering a new account to transfer money to, it will send out a confirmation SMS with a code to your phone. The next time you transfer within a bound of amount to a particular account, it assumes that this account is OK to transfer to, thus reducing the inconvenience of the number confirmation system, and saving the bank an SMS.
No security system is perfect, and there will always be a way around anything you do, but intelligent security layers like this hinder the chances of a cash mule being sent dud money, as every transaction and every piece of security is handled at the mid tier, and the web page remains a dumb client, simply passing information to be confirmed to a trusted server.
Science advances one funeral at a time. - Max Planck
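The new-payee confirmation policy described in the comment above, as an added example that is not part of the original post. It assumes a fixed per-payee trusted bound, 6-digit codes, and an SMS callback; the decision logic sits on the server and the browser only relays data.

```python
import secrets
from dataclasses import dataclass, field

# Assumed amount up to which a previously confirmed payee needs no new code.
TRUSTED_BOUND = 1000

@dataclass
class Account:
    balance: int
    trusted_payees: dict = field(default_factory=dict)   # payee -> trusted bound
    pending: dict = field(default_factory=dict)          # code -> (payee, amount)

def default_code() -> str:
    return f"{secrets.randbelow(10**6):06d}"

def request_transfer(acct, payee, amount, send_sms, new_code=default_code):
    """Step 1: send immediately for a trusted payee within its bound; otherwise
    issue a single-use code tied to this exact payee and amount."""
    if amount <= 0 or amount > acct.balance:
        return "rejected"
    if amount <= acct.trusted_payees.get(payee, 0):
        acct.balance -= amount
        return "sent"
    code = new_code()
    acct.pending[code] = (payee, amount)
    # The SMS names the payee and amount, so a destination altered in the
    # browser is visible to the customer on a channel the PC never touches.
    send_sms(f"Code {code} confirms transfer of {amount} to {payee}")
    return "pending"

def confirm_transfer(acct, payee, amount, code):
    """Step 2: the code is burned on first use and only matches the payee and
    amount it was issued for, so it cannot authorise a different transfer."""
    if acct.pending.pop(code, None) != (payee, amount):
        return "rejected"
    acct.balance -= amount
    acct.trusted_payees[payee] = TRUSTED_BOUND
    return "sent"
```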
Done. There's already a cryptographic device that offers near-perfect cryptographic security for web banking. ABN AMRO uses it for their e.dentifier2 device. The brilliant part is that the trust lies only within the card's chip and the handheld device, never in the PC or the browser. It's exactly what a bank should provide: end-to-end encryption of the user's authorization to perform a transaction, where both ends are created and maintained by the bank.
Now we just need a bank that's willing to deploy those here in the U.S.
John
My bank does this. If you try to send funds to an account you haven't before, you HAVE to SMS verify, it's great. Transfer funds, get a window asking for the SMS verification code. If I got one randomly I'd call up support ASAP. Another thing the bank does is send out emails, but it tells you up the top they'll never put links in the emails, and to visit the site like they normally do. While this is up to the intelligence of the user in the end, the more they see the message, the more likely they'll be not to click on phishing emails.
Why can't we use a cell phone as a proxy for this?
Because the cell phone is reprogrammable, and so ultimately can't be trusted. You might get a virus or install some kind of Trojan horse J2ME app that pretends to be your PIN pad, but makes large withdrawals silently in the background after you enter the PIN for a legitimate transaction. A cell phone is actually the worst possible place, because it can go on-line immediately and start abusing your account right up until you yank the battery (or go broke.)
The best possible security will come from the bank supplying the end user with both the card and the PIN Entry Device. Sure, they might want to offer it in a cell-phone-carrying-case-form-factor (think iPhone cradle with a PIN pad on the back.) Slightly ugly but more convenient to carry. But it needs its own dedicated PIN pad and display.
The first version of the e.dentifier was even more secure than this one IMHO because it did NOT have the convenient USB port. The user had to type the values into the pad manually. The security advantage is that the air gap is something no hacker can ever bridge (without resorting to social engineering, extortion, or threats of violence.) Mind you, this device is probably plenty secure as long as it can never be re-flashed or re-programmed through the consumer-facing USB port.
RSA actually offers credit card form factor devices with a little 10-key pad and a one line LCD display. They are used for SecurID tokens where the user has to enter a PIN to get the generated #. The same form factor would make an excellent bank card where you don't have to carry around the extra little device to use it.
John
(at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits)
I'm nullifying several mod points to comment, but... This is actually really stupid. Putting too many constraints on passwords makes them less secure, not more. Your bank has drastically reduced the set of possible passwords and thereby made them easier to guess.
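A worked count of the policy quoted above, as an added example that is not part of the original comments. It assumes the password is exactly 8 characters made of 4 digits and 4 letters in any order, letters are case-insensitive, "no vowels" excludes a e i o u, "no consecutive digits" forbids adjacent digits that differ by one, and "no repeated digits" requires all four to be distinct; the digit blocks are enumerated by brute force rather than trusting a closed form.

```python
import math
from itertools import product

CONSONANTS = [c for c in "abcdefghijklmnopqrstuvwxyz" if c not in "aeiou"]
PASSWORD_LEN = 8
DIGIT_COUNT = 4

def is_valid_digit_block(digits: str) -> bool:
    """True when a 4-digit block satisfies the assumed digit rules."""
    if len(digits) != DIGIT_COUNT or not digits.isdigit():
        return False
    if len(set(digits)) != DIGIT_COUNT:          # no repeated digit
        return False
    return all(abs(int(a) - int(b)) != 1          # no consecutive digits
               for a, b in zip(digits, digits[1:]))

def count_valid_digit_blocks() -> int:
    """Enumerate all 10^4 digit blocks and keep those the policy allows."""
    return sum(is_valid_digit_block("".join(p))
               for p in product("0123456789", repeat=DIGIT_COUNT))

def constrained_keyspace() -> int:
    """Passwords the policy permits: which 4 of the 8 positions hold digits,
    times valid digit blocks, times consonant choices for the other 4."""
    positions = math.comb(PASSWORD_LEN, DIGIT_COUNT)
    letters = len(CONSONANTS) ** (PASSWORD_LEN - DIGIT_COUNT)
    return positions * count_valid_digit_blocks() * letters

def unconstrained_keyspace() -> int:
    """Any 8-character password over digits plus case-insensitive letters."""
    return 36 ** PASSWORD_LEN

def entropy_bits(keyspace: int) -> float:
    return math.log2(keyspace)

if __name__ == "__main__":
    c, u = constrained_keyspace(), unconstrained_keyspace()
    print(f"valid digit blocks: {count_valid_digit_blocks()}")
    print(f"policy keyspace:    {c:,} (~{entropy_bits(c):.1f} bits)")
    print(f"unconstrained:      {u:,} (~{entropy_bits(u):.1f} bits)")
    print(f"the policy shrinks the search space by a factor of {u / c:.0f}")
```

Under these assumptions the rules cut the space from about 41 bits to about 35 bits, roughly an 85-fold reduction; a different reading of the rules changes the numbers but not the direction.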
We've got something like this in the UK, and I'm sure there are plenty of other places that have them. You can't make a transaction without getting the correct cryptographic response from the card using the card reader. Here's a picture: http://www.nationwide.co.uk/rca/How-does-it-work/find.htm
I don't like the sound of a USB type device, because it seems that there is some possibility it could be interfered with in the same way as the recently discovered chip+pin break. In fact I'm quite surprised they came up with what seems to be a pretty well implemented system, given that they seem to have tried pretty hard to make design mistakes with c+p
Trojans have moved on a bit since a couple of years ago.
You no longer need to be an utter moron or surfing to some dodgy websites to get infected. It's not unknown for rooted webservers to be serving up a side order of drive-by download (I have actually seen this happen on a respectable retailer's website).
It no longer sticks out like a sore thumb - you won't, for instance, find that attempting to point your web browser at www.symantec.com mysteriously doesn't work.
Your PC doesn't slow down to a total crawl.
You don't find something which looks a little bit like your bank's login page on an unsecured website registered in China. Instead, a keylogger takes the details from your keyboard when you visit the real website and ships them on.
Even if you have up to date AV software, it doesn't necessarily detect the trojan.
In short, the malware authors have upped their game considerably and the security industry is playing catch-up.
I agree it's not enough. They should also eliminate the use of any Windows computer by all banks. Seriously, name just one large botnet that contains no infected Windows machines. I dare you.
iServices.A is a Mac-only botnet that is distributed with pirated copies of iWork.
Work bio at MMWD
Give the man a +1. Ever since modern banking and lending started off back in the 1700s, the risk has been shifted from the lender/banker to the customer. Can't pay your debt, bye bye security. Bank account gets zeroed, customer was careless with access info. Basically, the same party that holds the most to gain also holds the least risk. Just like in a Las Vegas casino, the odds favor the "house"...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm