Slashdot Mirror


Online Banking Trojan Stole Money From Belgians

hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.

24 of 144 comments

  1. sweden??? by lordholm · · Score: 5, Informative

    The article does not even mention the word Sweden or Zweden. It does however mention Denmark, which is not equal to Sweden.

    --
    "Civis Europaeus sum!"
    1. Re:sweden??? by MadKeithV · · Score: 4, Funny

      Yeah, but why NOT Sweden, it has some lovely lakes?

  2. Not unique to Belgium by arivanov · · Score: 3, Interesting

    There is a similar scam doing the rounds in the UK targeting Nationwide which uses a rather predictable 2-factor (the amount of money and last digits of destination account are used as a challenge).

    The scam apparently asks you to "resync" your challenge device. If you do you end up sending a sum of money to a money mule.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
    1. Re:Not unique to Belgium by arivanov · · Score: 3, Informative

      No, but Nationwide has been using nagware banners that tell the customers that they NEVER ask them to resync the device for a few months now. From there on to deduce what the scam is is fairly trivial. Even if the scam was not around when they started the hint contained in the warning is sufficient for anyone clued up enough to design the relevant trojan by now.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    2. Re:Not unique to Belgium by Rich0 · · Score: 3, Insightful

      Agreed. I'd envision the secure "credit card" of the future having the following mechanism of operation:

      1. You interface the card with a computer (via USB, acoustic modem for phone, one-wire, etc).
      2. The remote party sends the card a packet with who is to be paid (in the form of a bank certificate), and how much, and whether any kind of recurring transaction is authorized (with details on that if applicable).
      3. The card displays the transaction info on a display built into the card.
      4. The user approves the transaction by hitting an approve button and typing in a PIN using a keypad on the card.
      5. The card generates a certificate and sends it back to the remote party.
      6. The remote party confirms successful receipt of the certificate to the card.

      The remote party and the card communicate by SSL (using bank-signed certificates), so no MITM, although the algorithm should be fairly invulnerable to MITM anyway.

      If there is a transmission error the remote party just asks for a retransmission any time until step 6. The card and the bank would both spot likely duplications. You couldn't spoof the merchant name (Gooogle Innc) or anything like that since it comes via a bank certificate. Nothing is trusted outside the card itself, so no risk of trojans/etc.

      All it needs is a credit card with a battery, display, keypad, and small CPU optimized for crypto. I can't imagine that these are more expensive to produce than the cost of bank fraud.

      You could even have cards that function as digital wallets, handling multiple banks, government IDs, etc. All it takes are some standards, and the right CAs for the right data items.

  3. How long until..... by CastrTroy · · Score: 2, Interesting

    How long until we move to using dedicated terminals to access our online banking? A device that only did banking could be really cheap. Load a custom, hardened version of Linux on there, that only displayed a web browser, and only went to the bank's website, and you'd probably go a long way to stopping this, and many other kinds of fraud.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:How long until..... by phantomfive · · Score: 2, Insightful

      Sounds like an excellent plan. One you can implement personally for yourself right now (I personally discourage all my family members from doing online banking from a windows computer). You can have your own personal terminal at your house that you use to connect to the bank. If you think it is an idea people will like, you can start a business setting up similar terminals for other people.

      As for your question, how long: banks will not start sending out terminals to all their clients until the cost of paying for fraud becomes higher than the cost of sending out terminals. Individual users will not start using them until the cost of not using them becomes great enough to overcome the laziness and annoyance of acquiring/using a separate terminal. If banks continue to pay them off like they did in this case, it is not likely to happen.

      --
      Qxe4
    2. Re:How long until..... by Mattpw · · Score: 3, Insightful

      Banks won't run the IT tech support required, and there are also the liability issues. Even if you could guarantee the software had no security bugs, the user can just as easily fall victim to phishing-type scams and then sue the bank. This is essentially the same problem with the bootable Linux LiveCD concept, which does guarantee no trojans getting into it but fails to prevent simple phishing. The tech support for all the different drivers and other things a person might use the terminal for would kill the bank. The other problem is banking rarely happens in a vacuum: a user wants their account program, their files etc., and so locked devices become good for security demonstrations but impractical in real life.

    3. Re:How long until..... by SharpFang · · Score: 2, Interesting

      There is a system that is currently (AFAIK) uncrackable. Details of the transaction you sign are sent back to you through SMS with the authorization code. So you know the transaction has been hijacked if the SMS contains wrong data. The code is one-use, generated by the bank upon submitting the transaction for authorization.

      (of course this may still fall victim to people not reading the SMS beyond the auth code...)

      I guess it could be hackable if the attackers could hijack the owner's phone (make a clone of the SIM card?) and learn the password at the same time.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
  4. Re:Pay attention by MadKeithV · · Score: 2, Informative

    I use the system mentioned in the article, and I've never noticed the log-in random challenge to have any recognizable number, nor do I recall any communication from my bank (Dexia) that this is so. If this is actually the case, it wasn't made clear to users.

    Potentially even more worrying is that this system is now also being applied to online payments using my Dexia VISA card, which is more vulnerable still because it originates at the merchant's site, and isn't always so easy to verify.

  5. Re:Pay attention by StoneOldman79 · · Score: 2, Insightful

    Entering some extra recognizable info in the 2-way factor authentication is indeed "the way to go".
    Account number is not that user friendly (and which number to enter if you have multiple transfers in one go?)
    My current online bank requires me to type in the amount of money to transfer as an extra fail-safe.
    This should be "good enough" for the near future.
    Sadly, many online banks do not have anything like this. Not implementing proper security and paying to "robbed" customers is apparently still the cheapest option.

  6. Re:Pay attention by ZeroExistenZ · · Score: 2, Insightful

    This should still be impossible if the user pays attention

    Well, you cannot expect the user to take this responsibility of "checking for a specific digit", they'll go to the competition if the procedure is too "complex". Why is Apple booming? Not because of features galore.

    You cannot imagine how many emails I get from "regular users" who entered their login details on some random webpage resulting in an email to all contacts in a format "follow this link to see [facebook-style test results]" to be prompted to login with your credentials and continue the chain.
    (I've given up on educating and sending a reply explaining how their credentials have been compromised.)

    And why wouldn't those people?

    It is similar to Microsoft's Passport or the Facebook implementation on webpages which is pushed everywhere as "ease of use" and "seamless integration everywhere" (which, if with malicious intent, could hijack your accounts as well and get to your emails, banking details or get creative and infect someone).

    --
    I think we can keep recursing like this until someone returns 1
  7. Note the fraud dates from 2007 by Anonymous Coward · · Score: 2, Interesting

    The fraud dates from 2007, but it didn't go unnoticed for 3 years. The investigation took 3 years to complete because in Belgium the police does its job properly.

    1. Re:Note the fraud dates from 2007 by Hognoxious · · Score: 3, Informative
      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  8. Money-Mules by gweihir · · Score: 3, Interesting

    I can at least attest that the search for money-mules is getting more and more aggressive and annoying here. Everybody thinking of making some easy money that way should think again. If the original target goes to the police, the money-mule will have to refund the full amount of money lost and likely will get punished. The reason is that courts typically rule that the fraudulent nature of the job was obvious and hence the money-mule is an accomplice.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Re:Dutch original? by mrvan · · Score: 4, Informative

    Flemish is a dialect of the Dutch language. I know, dialect is generally a political rather than a linguistic term, but:

    - The official languages of Belgium are Dutch and French (and German...), not Flemish and Walloon
    - The written languages are identical (except for some idiom)
    - People can understand each other without effort (except for heavy local dialects, which is the same in most languages)
    - Anecdotally, I think the within-country dialectal differences (e.g. standard Dutch versus Limburgs, Twents; "standard Flemish" vs. West-vlaams etc) are as great as or greater than the between-country differences.

    You should see Dutch and Flemish the way you see British English and American English, minus the spelling differences.

  10. Really good Flash demo by noidentity · · Score: 3, Funny

    (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code.

    That's an excellent Flash demo. For some reason it asked for my account number and password. It's on a safe site so I went ahead and entered it, but it gave some kind of error.

  11. Re:Dutch original? by Anonymous Coward · · Score: 3, Informative

    No, Belgium has three official languages: Dutch, French, and German (the first two account for the bulk of Belgian people). There are three dialect families of Dutch in the Dutch-speaking part of Belgium: Flemish ('Vlaams'), Brabantic ('Brabants'), and Limburgish ('Limburgs'). Sometimes all of these are lumped together under the name 'Flemish', which is not really accurate.

    Anyhow, Flemish is certainly not a different language, and the language you find in written communication, such as the newspaper article in question, is Dutch, not Flemish. There does exist some variation in e.g. vocabulary between the 'Belgian' and the 'Netherlandic' variants, but the original article would be perfectly readable to any Dutchman.

  12. Re:Pay attention by Anonymous Coward · · Score: 2, Informative

    If a trojan has control of your browser, what it sends to the bank doesn't have to be what you typed into the account field...

    No, the user types the recipient's bank account number into his Digipass device in order to generate an authentication code.

    During a legitimate transaction, the website will tell you

    Enter the challenge code 138427, then the amount in euro 5600, then the recipient bank account number 98765432 into your card reader and enter the authorization code in the field below.

    However, a trojan could transform that into:

    The authorization code was incorrect. For extra security, enter the following three challenge codes 138427, 5600, and 98765432 into your card reader and enter the authorization code in the field below.

    My bank only asks a single challenge code for small transactions; only for larger transactions (1000 euro and up), the extra codes show up. A victim may not have encountered the triple challenge codes often enough to realize that they must indicate the amount and the account number.
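
An added model (not code from the page, the bank or the device vendor) of the transaction-bound challenge/response just described: the reader's code binds challenge, amount and recipient account, so the bank catches a trojan that silently rewrites the submitted recipient, but not a customer who was talked into keying the mule's amount and account as "challenge codes". The HMAC construction, the device secret, the challenge and all account numbers are constructed stand-ins; the out-of-band confirmation text at the end is the kind of SMS check raised in comment 3's reply.

```python
import hashlib
import hmac

# Constructed model of a transaction-bound challenge/response reader; the real
# devices use their vendor's own algorithm, this HMAC stand-in only reproduces
# the binding property the thread discusses.
DIGITS = 8

def device_code(key: bytes, challenge: str, amount: str, account: str) -> str:
    """Code the reader returns for the three values the customer keys in."""
    msg = f"{challenge}|{amount}|{account}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10**DIGITS).zfill(DIGITS)

def bank_verify(key: bytes, challenge: str, tx: dict, code: str) -> bool:
    """The bank recomputes the code over the transfer it is about to execute."""
    expected = device_code(key, challenge, tx["amount"], tx["account"])
    return hmac.compare_digest(expected, code)

def confirmation_text(tx: dict) -> str:
    """Out-of-band message (e.g. an SMS) spelling out what the code authorizes,
    so the customer sees a recipient account rather than opaque 'challenges'."""
    return f"Confirm transfer of EUR {tx['amount']} to account {tx['account']}"

# Constructed sample data: per-device secret, the bank's one-time challenge,
# the transfer the customer intends, and the mule transfer the trojan wants.
KEY = b"constructed-per-customer-device-secret"
CHALLENGE = "138427"
INTENDED = {"amount": "5600", "account": "98765432"}
MULE = {"amount": "4000", "account": "11223344"}

def scenario_legitimate() -> bool:
    code = device_code(KEY, CHALLENGE, INTENDED["amount"], INTENDED["account"])
    return bank_verify(KEY, CHALLENGE, INTENDED, code)

def scenario_tampered_submission() -> bool:
    # The trojan rewrites the recipient in the submitted form, but the customer
    # keyed the genuine details: the code does not match, the binding holds.
    code = device_code(KEY, CHALLENGE, INTENDED["amount"], INTENDED["account"])
    return bank_verify(KEY, CHALLENGE, MULE, code)

def scenario_customer_deceived() -> bool:
    # The fake error screen relabels the mule's amount and account as extra
    # "challenge codes"; once keyed in, the code binds to the mule transfer and
    # the bank cannot tell it from a genuine authorization.
    code = device_code(KEY, CHALLENGE, MULE["amount"], MULE["account"])
    return bank_verify(KEY, CHALLENGE, MULE, code)

if __name__ == "__main__":
    print("legitimate    :", scenario_legitimate())          # True
    print("tampered form :", scenario_tampered_submission())  # False
    print("deceived user :", scenario_customer_deceived())   # True
    print(confirmation_text(MULE))
```

The third scenario is why the commenters above argue for showing the customer the actual transaction details on a channel the trojan does not control.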

  13. Re:Pay attention by Mattpw · · Score: 2, Interesting

    This is the problem with putting complicated user action into the transaction authentication process: if you control the browser you can request the user do just about anything in the name of a test or error, as related in the article. My Passwindow method encodes the transaction information (i.e. destination account) into the challenge from the server so the user must only visually check the information; because this information is cycled alongside the authentication digits they are forced to inspect it and cannot simply ignore it and blindly authorize the transaction.

  14. Re:People by smallfries · · Score: 2, Informative

    The article doesn't say that the trojan was written for Windows either. Are you under the mistaken belief that there are no trojans out there for OSX or Linux?

    --
    Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
  15. Re:PassWindow could have prevented this by hankwang · · Score: 2, Interesting

    My Passwindow method could have prevented this and cost practically nothing to implement too,

    I suppose you mean http://www.passwindow.com/index.html ?

    As far as I can tell, there are two problems with this:

    • A Trojan could intercept enough data to reconstruct the mask. The whitepaper claims that you need to capture between 30 and 1000 transactions. That doesn't account for the fact that the trojan does not need to be 100% successful (probably the user can try 3 times).
    • Unlike an embedded EMV chip, the mask is trivial to copy; the owner will not notice that his passwindow card is missing. With a telephoto lens, an attacker could photograph you from a distance while you use an ATM. This means that you still need a password or cryptographic authentication.
  16. Re:PassWindow could have prevented this by Mattpw · · Score: 2, Informative

    There is no simulation, it is a real airgap; the PassWindow is just printed onto an ordinary piece of plastic card just like any barcode. There are no electronics, or software or hardware. The challenge is just an animated gif; it works on any device regardless of the situation. The transaction information is encoded into the gif so the trojan only has one avenue of attack, which is a long-term statistical analysis, but we assume every terminal is already compromised like this so we do our own analysis at key generation and determine exactly how many interceptions would be required by the theoretical trojan. With some simple tweaks we can get 10K+ interception rates so it would take decades of normal user interceptions to get enough data to analyse. Of course the server issues a new card to a user if their use rate goes anywhere near the interception rate. In short you end up with semi-passive transaction verification so the user can't be tricked into entering in the mule account details because it's all done server-side; it's also much easier to use, the devices from the article are a major pain and take forever to use.

  17. Re:People by speculatrix · · Score: 2, Informative

    Unix has the same architecture and pretty much the same vulnerable technologies as NT based Windows.

    WTF? Sure, they both run on computers (usually x86) but there are fundamental differences in everything from the kernel to the drivers!