How Banker Trojans Steal Millions Every Day
redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts. "Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."
The second attack scenario would get around this, as it just "corrects" payments you try to make so that they go to a different account. Using an SMS with a confirmation message could avoid this, though.
My webcomic
Bob isn't an idiot, he's a typical Windows user. Not to pick on MS, but they do manage to capture the low end of the market in that respect. A vast majority of computer users think that computer programmers are modern-day wizards, and blindly trust that only bad programmers build bad programs. Further, there are only two kinds of programs: good ones, and bad ones like viruses and malware. Any program that is not bad is good, and has things like virus checking and mind reading built in. Stack overflow is a card mishap at the casino and cross-site scripting sounds like a multi-site movie writers' program.
These warped expectations lead to things like ... well, like Bob.
Bob and his friends are why so many virus and malware programs are profitable, so in a sad way, Bob is right.
Support NYCountryLawyer RIAA vs People
Sure, but it's a -lot- easier to prove that John Smith working at the bank got your PIN and made a withdrawal of $XXX on X day. It's quite hard to get money from Vladimir Hacker who lives in Russia. While it might be easy to trace an IP, if it is outside of US jurisdiction, there's not that much you can do. Yeah, you -might- be able to get the money back, but Vladimir Hacker can still do the same thing to someone else, and no doubt it will require a lot of paperwork to get your money back.
Taxation is legalized theft, no more, no less.
about so many groups using the same toolkit is that if you find a weakness in the toolkit then you can clear up multiple attacks all at once.
Nullius in verba
Or we can continue with the already totally unsafe Internet we already have. Anyone with a couple bucks and no scruples can do whatever they want on the 'net now. That isn't going to change.
The truth is we need hell-of-a-lot-better quality software for people to use and the quickest and dirtiest way to get it is quite simple. If you go online with anything less, you get instantly robbed blind. Pretty soon we'll have better quality software. The truth is that right now most people just figure they're going to be the lucky majority that don't get hit. The threat hasn't escalated to a high enough level yet. ;)
"Malo periculosam, libertatem quam quietam servitutem." -- Jefferson
You plug it into a computer and 'blackhat' will create a MITM kind of situation; security lost...
The physical token *should not* contact the computer other than via user entry.
Which is why a cell phone is a very good proxy. You have both the cell phone that should belong to you, and you have the login information for the bank. Not a bad system, and much more secure than captchas and such.
My blog. Good stuff (when I remember to update it). Read it.
But no matter how quickly you fire Bob, the thieves still have that money.
That statement misses the point.
First, I have a chance to detect Bob's dangerous behavior before the thieves do. Your "no matter how quickly" statement assumes they get to Bob before I do.
Second, my point is, if it weren't for Bobs, these thieves would be looking at boobies on channel 9 and filing TPS reports instead of collecting ill-gotten booty. Bob is a root cause. (Thieves' greed is another.)
The point isn't to blame the victim, but to figure out how to prevent them from becoming victims.
Bob's not the victim, in this scenario. I am. Bob is the exploit.
At least you demonstrate my underlying point even as you pick nits at the example. The way to prevent being a victim is to not be Bob.
In other words, don't be stupid and you won't be a victim. Blaming the stupidity is not blaming the victim.
And ultimately, it's my stupidity -- If I give a Bob access to my bank account, I'm the stupid one. So therefore, I don't give that job to a Bob.
I can see the fnords!
You might be right, I don't know enough about it, but I didn't think it was susceptible to replay attacks.
The card reader generates a validation code for a transaction based on the amount and destination account number, and it's only valid for that transaction. Changing the details before submitting them (MITM) would fail, as would resubmitting different details with the same code (is that what you mean?).
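A worked illustration of the transaction-bound validation code this comment describes, added here as an example and not taken from the post or from any bank's actual scheme: the shared reader secret, the HMAC-SHA256 construction, the 8-digit truncation and the one-time bank challenge are all assumptions. It shows the honest case succeeding, a browser-side destination swap failing, and a replay of an already-used code failing.

```python
import hmac
import hashlib
import secrets

# Constructed demo secret shared by the bank and the user's card reader
# (real readers derive this from the chip card; assumption for the example).
CARD_SECRET = b"constructed-demo-card-secret"

def canonical(amount_cents: int, dest_account: str, challenge: str) -> bytes:
    """Fixed field order so reader and bank MAC exactly the same bytes."""
    return f"{amount_cents}|{dest_account}|{challenge}".encode()

def reader_sign(secret: bytes, amount_cents: int, dest_account: str, challenge: str) -> str:
    """Reader side: amount, destination and challenge are keyed in on the device, not the browser."""
    mac = hmac.new(secret, canonical(amount_cents, dest_account, challenge), hashlib.sha256).digest()
    # Truncate to an 8-digit code the user can copy back into the browser.
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class Bank:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()  # one unused challenge per pending transaction

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(4)
        self.outstanding.add(challenge)
        return challenge

    def verify(self, amount_cents: int, dest_account: str, challenge: str, code: str) -> bool:
        if challenge not in self.outstanding:
            return False  # unknown or already consumed challenge: a replay
        expected = reader_sign(self.secret, amount_cents, dest_account, challenge)
        if not hmac.compare_digest(expected, code):
            return False  # submitted details differ from what the user signed
        self.outstanding.discard(challenge)  # single use
        return True

def demo() -> dict:
    """Honest transfer, a destination changed in the browser, and a replay of a used code."""
    bank = Bank(CARD_SECRET)
    c1 = bank.new_challenge()
    code1 = reader_sign(CARD_SECRET, 5000, "ACCT-LEGIT-0001", c1)
    honest = bank.verify(5000, "ACCT-LEGIT-0001", c1, code1)
    c2 = bank.new_challenge()
    code2 = reader_sign(CARD_SECRET, 5000, "ACCT-LEGIT-0001", c2)
    tampered = bank.verify(5000, "ACCT-SWAPPED-9999", c2, code2)  # browser altered destination
    replay = bank.verify(5000, "ACCT-LEGIT-0001", c1, code1)  # code1 presented a second time
    return {"honest": honest, "tampered_destination": tampered, "replay": replay}
```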
We need cell phones to have a hard switch that changes them between normal "powerful" mode and a limited secure mode.
Then you could do simple things like authentication and digital signatures in secure mode (e.g. transferring money), and do everything else in the normal mode.
Without something physical that can't be overridden with software, there is no way to be sure secure is really secure.
Of course, something physical is still vulnerable if someone gets physical access to your device for some period of time, but no security is absolute.