Slashdot Mirror
How Banker Trojans Steal Millions Every Day
redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts. "Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."
Banker trojans have become a serious problem
Look at how much they stole from the American taxpayer! Oh wait, you're talking about computers.
Speaking of Trojans, they didn't even lube it up before they put it in our ass!
Look where all this talking got us, baby.
Just R'ed the FA, and my first reaction was "Bob's an idiot."
First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.
Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.
Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.
Fourth, he continues to use this browser after it exhibits strange behavior.
Fifth, he ignores red flags like unexplained 'Safety Pass' requests.
If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.
I can see the fnords!
Here in Australia, the Commonwealth Bank does exactly this. If you are entering a new account to transfer money to, it will send out a confirmation SMS with a code to your phone. The next time you transfer within a bound of amount to a particular account, it assumes that this account is OK to transfer to, thus reducing the inconvenience of the number confirmation system, and saving the bank an SMS.
No security system is perfect, and there will always be a way around anything you do, but intelligent security layers like this hinder the chances of a cash mule being sent dud money, as every transaction and every piece of security is handled at the mid tier, and the web page remains a dumb client, simply passing information to be confirmed to a trusted server.
Science advances one funeral at a time- Max Planck
Sure, but its a -lot- easier to prove that John Smith working at the bank got your PIN and made a withdraw of $XXX on X day. Its quite hard to get money from Vladimir Hacker who lives in Russia. While it might be easy to trace an IP, if it is outside of the US jurisdiction, theres not that much you can do. Yeah, you -might- be able to get the money back, but Vladimir Hacker can still do the same thing to someone else and no doubt it will require a lot of paperwork to get your money back.
Taxation is legalized theft, no more, no less.
Done. There's already a cryptographic device that offers near-perfect cryptographic security for web banking. ABN AMRO uses it for their e.dentifier2 device. The brilliant part is that the trust lies only within the card's chip and the handheld device, never only the PC or the browser. It's exactly what a bank should provide: end to end encryption of the user's authorization to perform a transaction, where both ends are created and maintained by the bank.
Now we just need a bank that's willing to deploy those here in the U.S.
John
The first property crime happened the day property was invented.
So what you're saying is, the solution to theft is communism?
Sometimes I wish I was a plumber, then I'd know how to deal with other people's shit.
The issue is, as always, EDUCATE THEM.
You can educate them but they won't care. Look at how hard it is for a lot of these type of people to even browse the internet, something that is designed to be really easy to use. Even with education you run the risk of them remembering only misinformation and making them paranoid. Look at the '90s and people thinking ZOMG COOKIES ARE VIRUSES!!!11!111!1! and rather than doing sane things, they just kept up the paranoia. The last thing we need is people scared to go to a generic site because its not secured with HTTPS even though it doesn't need to be.
Paranoia is almost worse than being ignorant, especially in a business. Being ignorant -may- cost the company money, being paranoid -will- cost the company money.
Taxation is legalized theft, no more, no less.
I'm so pissed at Apple. I bought the toolkit and made a mobile botnet iPhone app with controller but they won't approve it. *sigh* Such bullshit, they don't approve anything!
Clicked in the link too. My browser crashed and now extrange lett$(@#& all is working normally. Nothing to see here, move along.
I'm thinking of some past conversations I've had with people in banking and payment systems. I have a suspicion based off of some of those conversations and what we actually see. Banking has two related security problems:
1) They think they don't need to care (and might be somewhat right)
2) Leadership in the industry largely just doesn't have the ability to tell who's good at security.
As an industry bankers have long naturally had an awful lot of clout legally and politically, and so they're very used to dealing with problems that way. It might not be particularly more expensive to hire some good security professionals and developers to get their systems right than it would be to do some lobbying for harder penalties, more attention from specialized law enforcement, some kind of public insurance against this kind of theft and fraud, and most importantly, laws that push the liability onto other parties (remember, being a banker means *never* having to take any responsibility!), but I suspect they're a lot more practiced at the latter approach than the former. And this is *before* you get into some of the darker corners of banking. There are no small number of people who will tell you a little bit of looseness in the system is a feature, not a bug, because it makes it a lot easier to handle money for, shall we say, extralegal enterprises.
And while it might not be more *expensive* to hire good security professionals, it's probably harder. As the old saying goes, it takes one to know one. The banking community knows good lawyers and lobbyists. They don't really know what computer security looks like.
Tweet, tweet.
That's because the customers are who lose out in cases of "identify theft". Banks have no culpability, so they don't care so much. If they did, the transactions would be much more closely and securely performed.
My blog. Good stuff (when I remember to update it). Read it.
Why can't we use a cell phone as a proxy for this?
Because the cell phone is reprogrammable, and so ultimately can't be trusted. You might get a virus or install some kind of Trojan horse J2ME app that pretends to be your PIN pad, but makes large withdrawals silently in the background after you enter the PIN for a legitimate transaction. A cell phone is actually the worst possible place, because it can go on-line immediately and start abusing your account right up until you yank the battery (or go broke.)
The best possible security will come from the bank supplying the end user with both the card and the PIN Entry Device. Sure, they might want to offer it in a cell-phone-carrying-case-form-factor (think iPhone cradle with a PIN pad on the back.) Slightly ugly but more convenient to carry. But it needs its own dedicated PIN pad and display.
The first version of the e.dentifier was even more secure than this one IMHO because it did NOT have the convenient USB port. The user had to type in the values into the pad manually. The security advantage is the air gap is something no hacker can ever bridge (without resorting to social engineering, extortion, or threats of violence.) Mind you, this device is probably plenty secure as long as it can never be re-flashed or re-programmed through the consumer facing USB port.
RSA actually offers credit card form factor devices with a little 10-key pad and a one line LCD display. They are used for SecurID tokens where the user has to enter a PIN to get the generated #. The same form factor would make an excellent bank card where you don't have to carry around the extra little device to use it.
John
(at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits)
I'm nullifying several mod points to comment, but... This is actually really stupid. Putting too many constraints on passwords makes them less secure, not more. Your bank has drastically reduced the set of possible passwords and thereby made them easier to guess.
We've got something like this in the UK, and I'm sure there are plenty of other places that have them. You can't make a transaction without getting the correct cryptographic response from the card using the card reader. Here's a picture: http://www.nationwide.co.uk/rca/How-does-it-work/find.htm
I don't like the sound of a USB type device, because it seems that there is some possibility it could be interfered with in the same way as the recently discovered chip+pin break. In fact I'm quite surprised they came up with what seems to be a pretty well implemented system, given that they seem to have tried pretty hard to make design mistakes with c+p
I agree it's not enough. They should also eliminate the use of any Windows computer by all banks. Seriously, name just one large botnet that contains no infected Windows machines. I dare you.
iServices.A is a mac only botnet that is distributed with pirated copies of iwork.
Work bio at MMWD
The Nationwide device/scheme appears to be heavily flawed in that it is trivially susceptible to a very simple form of replay attack it seems.
It is better than the previous scheme that Nationwide had in place, that required me to invent and remember a favourite colour for example, which is why I haven't whinged about this, and it could work very well with more intelligent programming at the server end (ie I think the current hardware already issued is fine).
But I do hope Nationwide realises how broken the current scheme is, and fixes it soon.
Regards,
Damon
http://m.earth.org.uk/
give the man a +1. Ever since modern banking and lending started of back in the 1700s, the risk have been shifted from the lender/banker to the customer. cant pay your debt, bye bye security. Bank account gets zeroed, customer was careless with access info. Basically, the same party that holds the most to gain, also holds the least risk. Just like in a las vegas casino, the odds favor the "house"...
comment first, facts later. http://chem.tufts.edu/AnswersInScience/RelativityofWrong.htm