Online Banking Trojan Stole Money From Belgians
hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.
The article does not even mention the word Sweden or Zweden. It does however mention Denmark, which is not equal to Sweden.
"Civis Europaeus sum!"
Regardless of the effort or complexity, every security system has one inherent flaw.
Poor Mr. Belgians :-(
This should still be impossible if the user pays attention. The user could be tricked into re-entering the amount or the recipient's account number repeatedly. But for the attack to be successful, the victim has to be tricked into entering the attacker's account number at some point. Before, the login procedure could be hijacked (since it required challenge of a random number) but these days that should be a recognizable number, for example starting with a specific digit.
There is a similar scam doing the rounds in the UK targeting Nationwide which uses a rather predictable 2-factor (the amount of money and last digits of destination account are used as a challenge).
The scam apparently asks you to "resync" your challenge device. If you do you end up sending a sum of money to a money mule.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
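Added example, not part of the original thread and not any bank's or vendor's actual algorithm: a sketch of the transaction signing the summary describes, where the code is derived from the challenge, amount and recipient account. It shows that a code only authorizes the transfer the user keyed into the device, and that accepting each challenge once makes a re-entered code worthless. The HMAC construction, key, account strings and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def sign_transaction(key: bytes, challenge: str, amount_cents: int, recipient: str) -> str:
    """Code the hand-held device derives from the values the user keys in."""
    fields = (challenge.encode(), str(amount_cents).encode(), recipient.encode())
    # Length-prefix each field so different field splits cannot produce the same message.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"

class Bank:
    """Server side: each challenge is bound to one transfer and accepted once."""
    def __init__(self, device_key: bytes):
        self._key = device_key
        self._pending = {}    # challenge -> (amount_cents, recipient)
        self._issued = set()  # every challenge ever handed out

    def start_transfer(self, amount_cents: int, recipient: str) -> str:
        challenge = f"{secrets.randbelow(10**6):06d}"
        while challenge in self._issued:  # never hand out the same challenge twice
            challenge = f"{secrets.randbelow(10**6):06d}"
        self._issued.add(challenge)
        self._pending[challenge] = (amount_cents, recipient)
        return challenge

    def confirm(self, challenge: str, code: str) -> bool:
        # pop() consumes the challenge even on failure, so a re-entered code is useless.
        txn = self._pending.pop(challenge, None)
        if txn is None:
            return False
        expected = sign_transaction(self._key, challenge, *txn)
        return hmac.compare_digest(expected, code)

def demo() -> dict:
    key = b"constructed-demo-key"                        # constructed sample key
    payee, other = "BE-PAYEE-SAMPLE", "BE-OTHER-SAMPLE"  # constructed account strings
    bank = Bank(key)
    # The server received a transfer that differs from what the user keyed in.
    c1 = bank.start_transfer(400000, other)
    tampered = bank.confirm(c1, sign_transaction(key, c1, 2500, payee))
    # Server and user agree on the transfer; the same code is then submitted again.
    c2 = bank.start_transfer(2500, payee)
    code = sign_transaction(key, c2, 2500, payee)
    honest, replayed = bank.confirm(c2, code), bank.confirm(c2, code)
    return {"tampered": tampered, "honest": honest, "replayed": replayed}
```

The binding only protects the user when the amount and account typed into the device are the ones they intend to pay, which is the point the comments above make about paying attention.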
How long until we move to using dedicated terminals to access our online banking? A device that only did banking could be really cheap. Load a custom, hardened version of Linux on there, that only displayed a web browser, and only went to the bank's website, and you'd probably go a long way to stopping this, and many other kinds of fraud.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
I personally never use a Windows computer for banking. I always use an updated Linux computer when I do anything involving money.
Windows + Internet Explorer is proven to be unsecure and not fit for anything that demands security. With Linux you can be unsure about security, with Windows you know it's very bad and unsecure by design.
HTTP/1.1 400
I'd say if it was Belgium, rather than the Netherlands, then the language in question was Flemish.
My pics.
The fraud dates from 2007, but it didn't go unnoticed for 3 years. The investigation took 3 years to complete because in Belgium the police does its job properly.
I can at least attest that the search for money-mules is getting more and more aggressive and annoying here. Everybody thinking of making some easy money that way should think again. If the original target goes to the police, the money-mule will have to refund the full amount of money lost and likely will get punished. The reason is that courts typically rule that the fraudulent nature of the job was obvious and hence the money-mule is an accomplice.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
That's an excellent Flash demo. For some reason it asked for my account number and password. It's on a safe site so I went ahead and entered it, but it gave some kind of error.
My Passwindow method could have prevented this and cost practically nothing to implement too, the transaction verification method employed by the electronic tokens which do the transaction signing as explained in the article has the fatal flaw in that it requires user action for the transaction verification part, i.e. entering the website generated challenge and then their transaction destination account number etc. (a very laborious process for the users). With Passwindow the transaction information is encoded into the challenge and the user is forced to recognize it (not merely click an authentication button with some other devices) as this info such as destination account number is cycled alongside the actual authentication confirmation numbers. Once you put up complicated user action hurdles if the attacker owns the browser it wouldn't be too difficult to simply instruct the user to do as you wish claiming a security test or some such. Honestly with the amount of digits required to be entered into both the device and terminal by the user (up to 40+ on some of the devices) I'm not surprised it all turns into a blur of action for many users.
Oh. Belgium!
I'm from Belgium, I rather big websites and I reported fraud a couple of times, they replied to me with this:
> We can't keep ourself occupied with 'things like this'.
So the part about it being unreported might just be "undocumented".
"The problem with beauty is that it's like being born rich and getting poorer."
You failed to mention the wonderful telephøne system and mani interesting furry animals. Those responsible for that post have all been sacked. signed : JUTTE HERMSGERVORDENBROTBORDA http://www.smouse.force9.co.uk/monty.htm
Are you saying that there is another land outside America? That America is not the one and only inhabited ground on this planet, and that anywhere else there are not just aliens or eventually oil but also other human beings?
That's impossible. Another lie of those freaky evolutionists.
Stop acting so self important about the name of your country in other languages. Do Germans complain that their country is called Germany in English or Allemagne in French instead of Deutschland? Are Russians upset that their capital is called Moscow in English instead of Moskwa? Are Americans upset that you call their country Vereenigde Staaten? No, they couldn't care less. Your collective loathing for / envy towards one of your provinces is your own business, don't expect anyone else to care about it. The English name for your country is Holland, deal with it.
Pffff, somebody pissed in your cheerios this morning, jeez.
It is the same when we say America and then you counter that with The United States of America since America is more than North America alone.
And we technical people like to be technically correct, so the AC is 100% correct.
Calling the Netherlands Holland only shows ignorance and arrogance, deal with it.
This is the sig that says NI (again)
I'm torn between pity and some sort of vague feeling that justice has been served upon the Belgian public.
On the one hand, nobody wants to see someone taken advantage of, and on the other, they *do* share a border with the Dutch.
You are in a twisty maze of processor lines, all alike.
There is a lot of hype here.
And telling other people how to use their language is showing arrogance, too. (If two people are speaking with each other, both can be arrogant).
although true of all the low countries, belgium is yet more cold and clammy and humid than the netherlands. this means people generally have a lot of mucus build up in their airways. so in belgium they speak their dutch with a more guttural, throaty idiom
thus, they speak "phlegmish"
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
I'm too lazy to think this through, but intuition says running a safe guest inside a compromised host isn't going to protect you. Motherboard firmware is already being tampered with too as another poster pointed out. I really do think a stand alone machine with dedicated hardware, locked down to do that one thing is in order. Final user wouldn't even have root (sounds kinda like an i-anything). I'd not do the read-only thing so that signed security updates can be installed from the creator. It's a weak-point (two really, the update sigs, and the writeability), but I suspect there are enough vulnerabilities still popping up in most OS ('cept VMS maybe), to make it a worthwhile trade. If you can get a VMS browser to open your bank's website read-only might be in order. It would also have an IP (not domain!) whitelist with only your bank's ip's in it.
refactor the law, its bloated, confusing and unmaintainable.
> The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown.
Wow, imagine the Bank did that for an actual good 'ol fashioned bank robbery...
> Calling the Netherlands Holland only shows ignorance and arrogance, deal with it.
Most Dutch people I've asked don't really care, and in many of the surrounding countries Holland is per definition the same as Netherlands.
> Pffff, somebody pissed in your cheerios this morning, jeez.
> It is the same when we say America and then you counter that with The United States of America since America is more than North America alone.
> And we technical people like to be technically correct, so the AC is 100% correct.
> Calling the Netherlands Holland only shows ignorance and arrogance, deal with it.
Well no, the Dutch name is Nederland, not 'The Netherlands'. To be absolutely 100% pedantic, 'The Netherlands' refers to a region, not to a country. There is no basis whatsoever for pouncing on every single mention of the word 'Holland' on the internet and telling English speakers to prefer one word over another in their own language!
Do English speakers tell you to say 'Wat zeg je?' instead of 'wablief'? The whole concept is ridiculous.
From top to bottom the responses are:
* 4.000 EUR is a lot for some people (Get off my lawn)
* Link to FOSDEM (Free and Open Source Software Developers European Meeting)
* Mac is more secure (Standard Mac Fanboy)
* Banks are thieves (Standard non addressing the issue, just namecalling)
* Make banking more secure (Blaming the banks, not the people who stole it)
That looks like /. in only 5 postings.
Don't fight for your country, if your country does not fight for you.
That's embarrassing. The Netherlands is the name of the country. Holland is the name of two of its 12 provinces (North Holland & South Holland). So no, comparing it to Germany not being called Deutschland in English is flat-out wrong. It would be like someone calling the US "Carolina", and then insisting that they're right.
but when on vacation in the US, very few people could identify that as a city in the Netherlands. (Let alone realized that "Holland" and "the Netherlands" are - incorrectly - synonymous.)
Who'd have known I'd defend stereotypical US ignorance, but as a German, I didn't know the distinction between Holland and Netherlands, either. Both names are pretty much used as synonyms around here.
Anyway, a few Wikipedia articles later I now know the distinction. I'm a bit surprised that Holland isn't actually the name of the country. Then again, I knew what Benelux stands for, so that should have been a clue.
I think you are a bit confused by "the nether lands". "The Netherlands" is a country, hence the capital T and N.
And yes, I would tell an English speaker to first use proper wording. That is if he is willing to learn and I have done so.
Don't fight for your country, if your country does not fight for you.
Everywhere I go in Europe (Including The Netherlands) The Netherlands and Holland are interchangeable.
Want proof? Hup, Holland. Hup.
They even market themselves in international fairs with Holland, Tulip and wooden shoes, even if the company is from Twente.
Don't fight for your country, if your country does not fight for you.
This is typical banking behavior when it comes to investigating fraud, they can not really prove THE CLIENT's COMPUTER was at fault...
so once they see the problem being fraud in another country when the person is still here, they just block the card and refund whatever money they lost, and still the banks are showing all time high profit margins....go figure....makes you wonder just how much they really need to up their services charged for transactions all the time....!
"Trojan horses that were planted onto the victims' computers..." and no one noticed the horses? Mike
This is from the news site of one of the major Belgian television/radio groups (VRT), they have a selection of articles in English.
Belgian investigators expose fraud
http://www.deredactie.be/cm/vrtnieuws.english/news/100724_bank_fraud
> but when on vacation in the US, very few people could identify that as a city in the Netherlands. (Let alone realized that "Holland" and "the Netherlands" are - incorrectly - synonymous.)
> Who'd have known I'd defend stereotypical US ignorance, but as a German, I didn't know the distinction between Holland and Netherlands, either. Both names are pretty much used as synonyms around here.
> Anyway, a few Wikipedia articles later I now know the distinction. I'm a bit surprised that Holland isn't actually the name of the country. Then again, I knew what Benelux stands for, so that should have been a clue.
There is no distinction. The poster is trying to elevate a very minor, petty, internal cultural grievance between the south and the north of their country to an issue of international importance.
The tiresome OP's cliche about the 'stereotypical American ignorance' is the only reason I even replied. How many Europeans can point out Columbus, Fort Worth or Jacksonville, you think? Why would you expect Americans to know much about a city of similar size on another continent?
For clarification, "The Netherlands" is the whole country, "Holland" is a region, but often used to denote the whole of The Netherlands. Not to be confused with "nether lands" or any variation as such. "The Netherlands" is an English "translation" of Nederland, just as many other languages translate some placenames, even if they are proper nouns. Examples: Spanish for London is Londres, England is Inglaterra. Norwegian for Russia is "Russland", Belarus is "Hviterussland" (literally "white russia" which is what belarus really means). In English, a German town exists by the name of Cologne (like what you put on after shaving) when the "real" name for the town is Köln.
Good to know that the company that makes these authentication keys is also the same as Blizzard's and one more reason to opt out of Real ID.
> To be absolutely 100% pedantic, 'The Netherlands' refers to a region, not to a country.
Well, the Netherlands disagrees with you.
They refer to their country in English as The Kingdom of the Netherlands, and the conventional short form is "the Netherlands".
Very smart people have already been recommending using a live Linux CD for banking due to the very problem this article addresses (stolen credentials even with a security token).
http://voices.washingtonpost.com/securityfix/2009/10/avoid_windows_malware_bank_on.html
http://voices.washingtonpost.com/securityfix/2009/10/e-banking_on_a_locked_down_pc.html
To make matters worse, the bank demo was using IE6.
I believe is what this is called. (beside the usual can't buy a puter without windoze)
Signing transfers?
C'mon, someone please post an un-encrypted version of the flash demo.
boycott slashdot February 10th - 17th check out: altSlashdot.org
Interesting discussion. I had no idea that Netherlands and Holland are not the same (even though most of its neighbors are using as that country's name Holland-derived variations) and it's weird that someone would be so anal regarding this difference.
OTOH, comparing Amsterdam with Columbus OH, Fort Worth TX or Jacksonville (which one? there's at least one in each of AL, AR, FL, GA, IL, IN, MD, MO, NC, NY, OR, PA, TX, VT, WV) based only on population size is really petty. Amsterdam is a city many hundred years old and had the time to accumulate culture, history and plenty of events for which it is known, while the above-mentioned US cities are arguably place names and that's all.
I used to have a friend that was a webmaster for at least 2 of our local credit unions when he lived in the area, he's since moved away. He was also a member of our local Linux users group. He told us repeatedly that the credit unions he worked for (his in particular, banks in general) found it more "cost effective" to not worry too much about security on customer access portals and just deal with the aftermath when it happens. That's what insurance companies are for. I always thought he was exaggerating, but ...
Why is this marked troll? I'm dead serious in what I say because of my experiences from the last 10 years as a sysadmin.
HTTP/1.1 400