Slashdot Mirror

← Back to Stories (view on slashdot.org)

Online Banking Trojan Stole Money From Belgians

Posted by kdawson on from the routing-around dept.

hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.

13 of 144 comments (clear)

  1. People by Anonymous Coward · · Score: 1, Interesting

    Regardless of the effort or complexity, every security system has one inherent flaw.

  2. Pay attention by Anonymous Coward · · Score: 1, Interesting

    This should still be impossible if The user pays attention. The user could be tricked to re-enter the amount or the recipients account number repeated times. But for the attack to be successful, the victim has to be tricked into entering the attackers account number at some point. Before, the login procedure could be hijacked (since it required challenge of a random number) but these days that should be a recognizable number, for example starting with a specific digit.

    1. Re:Pay attention by Anonymous Coward · · Score: 1, Interesting

      Each (new) account number should be challenged.

      Like I said earlier, the biggest problem was the login challenge, but using a fixed prefix (not shared with any account numbers) is enough to avoid the login from being used to get the correct response from the attackers account number. I don't think this news is about a technical weakness but rather about customers using a system they haven't quite understood.

    2. Re:Pay attention by Anonymous Coward · · Score: 1, Interesting

      My bank simply states during the login that the login challenge number always starts with the digit 9.

      Unless I don't pay attention to that I could be on a fake site displayed by a trojan that challenges an attackers account number. There is no peactical way to prevent that. The system is "safe enough" even with ignorant users, and really safe with attentive users. It has worked for 15 years without big problems. To put things in perspective, ATM fraud and card skimming probably steals more money every minute than this type of attack does in a year.

    3. Re:Pay attention by Mattpw · · Score: 2, Interesting

      This is the problem with putting complicated user action into the transaction authentication process, if you control the browser you can request the user do just about anything in the name of a test or error as related in the article. My Passwindow method encodes the transaction information (ie destination account) into the challenge from the server so the user must only visually check the information, because this information is cycled alongside the authentication digits they are forced to inspect it and cannot simply ignore it and blindly authorize the transaction.

  3. Not unique to Belgium by arivanov · · Score: 3, Interesting

    There is a similar scam doing the rounds in the UK targeting nationwide which uses a rather predictable 2-factor (the amount of money and last digits of destination account are used as a challenge).

    The scam apparently asks you to "resync" your challenge device. If you do you end up sending a sum of money to a money mule.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  4. How long until..... by CastrTroy · · Score: 2, Interesting

    How long until we move to using dedicated terminals to access our online banking. A device that only did banking could be really cheap. Load a custom, hardened version of Linux on there, that only displayed a web browser, and only went to the bank's website, and you'd probably go a long way to stopping this, and many other kinds of fraud.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:How long until..... by Anonymous Coward · · Score: 1, Interesting

      You can't prevent DOS type attacks, but you can prevent man-in-the-middle attacks (or at least make them useless) by strong end-to-end encryption. However, the encryption key would not be safe it it was on an USB stick... unless the USB stick in turn is encrypted with a password that the user must enter. Ok, that would work. Unless the attacker patches the BIOS to insert a keylogger or something.

    2. Re:How long until..... by SharpFang · · Score: 2, Interesting

      There is a system that is currently (AFAIK) uncrackable. Details of the transaction you sign are sent back to you through SMS with authorization code. So you know the transaction has been hijacked if the SMS contains wrong data. The code is one-use, generated by bank upon submitting the transaction for authorization.

      (of course this may still fall victim to people not reading the SMS beyond the auth code...)

      I guess it could be hackable if the attackers could hijack the owner's phone (make a clone of the SIM card?) and learn the password at the same time.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  5. Note the fraud dates from 2007 by Anonymous Coward · · Score: 2, Interesting

    The fraud dates from 2007, but it didn't go unnoticed for 3 years. The investigation took 3 years to complete because in Belgium the police does its job properly.

  6. Money-Mules by gweihir · · Score: 3, Interesting

    I can at least attest that the search for money-mules is getting more and more aggressive and annoying here. Everybody thinking of making some easy money that way should think again. If the original target goes to the police, the money-mule will have to refund the full amount of money lost and likely will get punished. The reason is that courts typically rule that the fraudulent nature of the job was obvious and hence the money-mule is an accomplice.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  7. Belgian police does not care about online crime by Anonymous Coward · · Score: 1, Interesting

    I'm from Belgium, i rather big websites and i reported fraud a couple of time, they replied to me with this:

    > We can't keep ourself occupied with 'things like this'.

    So the part about it being unreported might just be "undocumented".

  8. Re:PassWindow could have prevented this by hankwang · · Score: 2, Interesting

    My Passwindow method could have prevented this and cost practically nothing to implement too,

    I suppose you mean http://www.passwindow.com/index.html ?

    As far as I can tell, there are two problems with this:

    • A Trojan could intercept enough data to reconstruct the mask. The whitepaper claims that you need to capture between 30 and 1000 transactions. That doesn't account for the fact that the trojan does not need to be 100% sucessful (probably the user can try 3 times).
    • Unlike an embedded EMV chip, the mask is trivial to copy; the owner will not notice that his passwindow card is missing. With a telephoto lens, an attacker could photograph you from a distance while you use an ATM. This means that you still need a password or cryptographic authentication.
    --
    Avantslash: low-bandwidth mobile slashdot.