Slashdot Mirror


Online Banking Trojan Stole Money From Belgians

hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.

2 of 144 comments

  1. Re:How long until..... by Mattpw · Score: 3, Insightful

    Banks won't run the IT tech support required, and there are also the liability issues. Even if you could guarantee the software had no security bugs, the user can just as easily fall victim to phishing-type scams and then sue the bank; this is essentially the same problem as with the bootable Linux LiveCD concept, which does guarantee no trojans getting into it but fails to prevent simple phishing. The tech support for all the different drivers and other things a person might use the terminal for would kill the bank. The other problem is that banking rarely happens in a vacuum: a user wants their account program, their files, etc., and so locked devices become good for security demonstrations but impractical in real life.

  2. Re:Not unique to Belgium by Rich0 · Score: 3, Insightful

    Agreed. I'd envision the secure "credit card" of the future having the following mechanism of operation:

    1. You interface the card with a computer (via USB, acoustic modem for phone, one-wire, etc).
    2. The remote party sends the card a packet with who is to be paid (in the form of a bank certificate), how much, and whether any kind of recurring transaction is authorized (with details on that if applicable).
    3. The card displays the transaction info on a display built into the card.
    4. The user approves the transaction by hitting an approve button and typing in a PIN using a keypad on the card.
    5. The card generates a certificate and sends it back to the remote party.
    6. The remote party confirms successful receipt of the certificate to the card.

    The remote party and the card communicate by SSL (using bank-signed certificates), so no MITM, although the algorithm should be fairly invulnerable to MITM anyway.

    If there is a transmission error the remote party just asks for a retransmission any time until step 6. The card and the bank would both spot likely duplications. You couldn't spoof the merchant name (Gooogle Innc) or anything like that since it comes via a bank certificate. Nothing is trusted outside the card itself, so no risk of trojans/etc.

    All it needs is a credit card with a battery, display, keypad, and small CPU optimized for crypto. I can't imagine that these are more expensive to produce than the cost of bank fraud.

    You could even have cards that function as digital wallets, handling multiple banks, government IDs, etc. All it takes are some standards, and the right CAs for the right data items.
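A minimal simulation of the six-step protocol in the comment above, added here as an illustration; it is not code from the comment, from any bank or from the device vendor in the story. Where the comment leaves details open, this example makes assumptions: Ed25519 stands in for both the bank's payee certificates and the card's approval signatures (the comment says only "bank-signed certificates"); a payee is identified by a bank-certified name plus account string; a payee-chosen 16-byte TxID lets card and bank recognise a retransmission; the PIN is a plain string compared on the card; and the recurring-payment flag and the SSL channel of the comment are left out, since the signatures alone give the property the comment relies on. The payee name "Google Inc", the account strings and the amounts are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// MerchantCert binds a payee's display name to an account under the bank's signature.
type MerchantCert struct {
	Name, Account string
	Sig           []byte
}

// TxRequest is the step-2 packet; TxID is the payee-chosen id that marks a retransmission.
type TxRequest struct {
	Merchant    MerchantCert
	AmountCents uint64
	TxID        [16]byte
}

func certMsg(name, account string) []byte { return []byte("cert\x00" + name + "\x00" + account) }
// txMsg is exactly what the card signs: the id plus every field the display showed.
func txMsg(r TxRequest) []byte {
	return []byte(fmt.Sprintf("tx\x00%x\x00%s\x00%d", r.TxID, r.Merchant.Account, r.AmountCents))
}
func newTxID() (id [16]byte) { rand.Read(id[:]); return }

type Bank struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	settled map[[16]byte]bool // TxIDs already paid out
}
func NewBank() *Bank { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return &Bank{pub, priv, map[[16]byte]bool{}} }

// Issue is the only way to obtain a payee certificate the card will accept.
func (b *Bank) Issue(name, account string) MerchantCert { return MerchantCert{name, account, ed25519.Sign(b.priv, certMsg(name, account))} }

// Settle verifies the card's approval and pays each TxID at most once.
func (b *Bank) Settle(card ed25519.PublicKey, r TxRequest, sig []byte) error {
	if !ed25519.Verify(card, txMsg(r), sig) || b.settled[r.TxID] {
		return errors.New("bad card signature or duplicate transaction")
	}
	b.settled[r.TxID] = true
	return nil
}

type Card struct {
	Pub, bankPub ed25519.PublicKey // bankPub is the card's only external trust anchor
	priv         ed25519.PrivateKey
	pin          string
	sigs         map[[16]byte][]byte // signature issued per TxID; nil once step 6 confirmed it
}
func NewCard(bankPub ed25519.PublicKey, pin string) *Card { pub, priv, _ := ed25519.GenerateKey(rand.Reader); return &Card{pub, bankPub, priv, pin, map[[16]byte][]byte{}} }

// Approve is steps 3-5: approve is the user's button press after reading the card's own
// display, pin was typed on the card's keypad, and an identical request repeated before
// step 6 is answered from cache without re-prompting the user.
func (c *Card) Approve(r TxRequest, pin string, approve func(display string) bool) ([]byte, error) {
	msg := txMsg(r)
	if sig, seen := c.sigs[r.TxID]; seen && sig != nil && ed25519.Verify(c.Pub, msg, sig) {
		return sig, nil
	} else if seen {
		return nil, errors.New("transaction id already used")
	}
	if !ed25519.Verify(c.bankPub, certMsg(r.Merchant.Name, r.Merchant.Account), r.Merchant.Sig) {
		return nil, errors.New("payee certificate not issued by the bank")
	}
	display := fmt.Sprintf("PAY %s (%s) EUR %d.%02d", r.Merchant.Name, r.Merchant.Account, r.AmountCents/100, r.AmountCents%100)
	if !approve(display) {
		return nil, errors.New("declined on card")
	}
	if pin != c.pin {
		return nil, errors.New("wrong PIN")
	}
	c.sigs[r.TxID] = ed25519.Sign(c.priv, msg)
	return c.sigs[r.TxID], nil
}

// Confirm is step 6; afterwards the card never signs this TxID again.
func (c *Card) Confirm(id [16]byte) { c.sigs[id] = nil }

func main() {
	bank := NewBank()
	card := NewCard(bank.Pub, "1234")
	user := func(d string) bool { return d == "PAY Google Inc (BE00 0000 0000 0000) EUR 19.99" }
	req := TxRequest{bank.Issue("Google Inc", "BE00 0000 0000 0000"), 1999, newTxID()}
	sig, err := card.Approve(req, "1234", user)
	fmt.Println("honest:", err, bank.Settle(card.Pub, req, sig), "replayed:", bank.Settle(card.Pub, req, sig))
	req.AmountCents, req.TxID = 400000, newTxID() // trojan on the PC raises the amount; the card shows EUR 4000.00
	_, tamperErr := card.Approve(req, "1234", user)
	_, apriv, _ := ed25519.GenerateKey(rand.Reader) // look-alike payee name, signed with the attacker's own key
	fake := MerchantCert{"Gooogle Innc", "BE99 9999 9999 9999", ed25519.Sign(apriv, certMsg("Gooogle Innc", "BE99 9999 9999 9999"))}
	_, forgeErr := card.Approve(TxRequest{fake, 1999, newTxID()}, "1234", func(string) bool { return true })
	fmt.Println("tampered amount:", tamperErr, "| forged payee certificate:", forgeErr)
}
```

The property that matters is that the bytes the card signs are derived from the same data the card displayed, and the display is fed only from a bank-signed payee record and the amount in the request. A trojan on the PC can change the amount in transit, but then the card shows EUR 4000.00 and the user declines; a look-alike payee under the attacker's key fails the certificate check before anything is displayed; and because the card caches its signature per TxID until step 6, the remote party can ask for a retransmission as often as it likes without the user being prompted twice, while the bank still pays each TxID once. Contrast the scheme in the story above: there the user keys in amount or account data read from a compromised screen, so nothing on the device tells them which transaction the second code, requested after a fake error, will authorize.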