Online Banking Trojan Stole Money From Belgians
hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.
There is a similar scam doing the rounds in the UK targeting Nationwide, which uses a rather predictable 2-factor (the amount of money and last digits of destination account are used as a challenge).
The scam apparently asks you to "resync" your challenge device. If you do, you end up sending a sum of money to a money mule.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
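Added example, not part of the original thread and not any bank's or vendor's code: a sketch of the transaction-signing check that the summary and the comment above describe, showing that a code is valid only for the exact values keyed into the device and only once. HMAC-SHA256 stands in for the device's algorithm, which the page does not give; `Bank`, `device_code`, the key and the account strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def device_code(key, challenge, amount_cents, dest_account):
    """8-digit code for the values keyed into the device (HMAC stand-in)."""
    msg = f"{challenge}|{amount_cents}|{dest_account}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"

class Bank:
    """Hypothetical server side: one single-use challenge per pending transfer."""
    def __init__(self, key):
        self.key = key
        self.pending = {}  # challenge -> (amount_cents, dest_account)

    def start_transfer(self, amount_cents, dest_account):
        challenge = f"{secrets.randbelow(10**6):06d}"
        while challenge in self.pending:  # never reuse a live challenge
            challenge = f"{secrets.randbelow(10**6):06d}"
        self.pending[challenge] = (amount_cents, dest_account)
        return challenge

    def authorize(self, challenge, code):
        """Return the transfer details if the code matches them, else None."""
        details = self.pending.pop(challenge, None)  # consumed on first attempt
        if details is None:
            return None
        expected = device_code(self.key, challenge, *details)
        return details if hmac.compare_digest(expected, code) else None

def demo():
    key = b"constructed-demo-secret"             # constructed sample key
    own, other = "ACCT-CONSTRUCTED-1", "ACCT-CONSTRUCTED-2"
    bank = Bank(key)
    c1 = bank.start_transfer(5000, own)          # the payment the customer wants
    code1 = device_code(key, c1, 5000, own)
    c2 = bank.start_transfer(400000, other)      # different transfer, same session
    reused = bank.authorize(c2, code1)           # code1 does not fit it
    c3 = bank.start_transfer(400000, other)
    code3 = device_code(key, c3, 400000, other)  # customer keyed in these values
    return {
        "own": bank.authorize(c1, code1),
        "reused": reused,
        "keyed_in": bank.authorize(c3, code3),
        "replayed": bank.authorize(c1, code1),   # challenge already consumed
    }

if __name__ == "__main__":
    print(demo())
```

The binding holds cryptographically in every case; what it cannot tell is whether the customer understood the keyed-in values as a payment, which is why the prompt wording and the device display matter as much as the code itself.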
How long until we move to using dedicated terminals to access our online banking? A device that only did banking could be really cheap. Load a custom, hardened version of Linux on there, that only displayed a web browser, and only went to the bank's website, and you'd probably go a long way to stopping this, and many other kinds of fraud.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
The fraud dates from 2007, but it didn't go unnoticed for 3 years. The investigation took 3 years to complete because in Belgium the police does its job properly.
I can at least attest that the search for money-mules is getting more and more aggressive and annoying here. Everybody thinking of making some easy money that way should think again. If the original target goes to the police, the money-mule will have to refund the full amount of money lost and likely will get punished. The reason is that courts typically rule that the fraudulent nature of the job was obvious and hence the money-mule is an accomplice.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This is the problem with putting complicated user action into the transaction authentication process: if you control the browser, you can request the user do just about anything in the name of a test or error, as related in the article. My Passwindow method encodes the transaction information (i.e. destination account) into the challenge from the server so the user must only visually check the information; because this information is cycled alongside the authentication digits, they are forced to inspect it and cannot simply ignore it and blindly authorize the transaction.
My Passwindow method could have prevented this and cost practically nothing to implement too,
I suppose you mean http://www.passwindow.com/index.html ?
As far as I can tell, there are two problems with this: