Slashdot Mirror


Online Banking Trojan Stole Money From Belgians

hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.

11 of 144 comments

  1. sweden??? by lordholm · · Score: 5, Informative

    The article does not even mention the word Sweden or Zweden. It does however mention Denmark, which is not equal to Sweden.

    --
    "Civis Europaeus sum!"
    1. Re:sweden??? by MadKeithV · · Score: 4, Funny

      Yeah, but why NOT Sweden, it has some lovely lakes?

  2. Not unique to Belgium by arivanov · · Score: 3, Interesting

    There is a similar scam doing the rounds in the UK targeting Nationwide which uses a rather predictable 2-factor (the amount of money and last digits of destination account are used as a challenge).

    The scam apparently asks you to "resync" your challenge device. If you do, you end up sending a sum of money to a money mule.

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
    1. Re:Not unique to Belgium by arivanov · · Score: 3, Informative

      No, but Nationwide has been using nagware banners that tell the customers that they NEVER ask them to resync the device for a few months now. From there on to deduce what the scam is is fairly trivial. Even if the scam was not around when they started the hint contained in the warning is sufficient for anyone clued up enough to design the relevant trojan by now.

      --
      Baker's Law: Misery no longer loves company. Nowadays it insists on it
      http://www.sigsegv.cx/
    2. Re:Not unique to Belgium by Rich0 · · Score: 3, Insightful

      Agreed. I'd envision the secure "credit card" of the future having the following mechanism of operation:

      1. You interface the card with a computer (via USB, acoustic modem for phone, one-wire, etc).
      2. The remote party sends the card a packet with who is to be paid (in the form of a bank certificate), and how much, and whether any kind of recurring transaction is authorized (with details on that if applicable).
      3. The card displays the transaction info on a display built into the card.
      4. The user approves the transaction by hitting an approve button and typing in a PIN using a keypad on the card.
      5. The card generates a certificate and sends it back to the remote party.
      6. The remote party confirms successful receipt of the certificate to the card.

      The remote party and the card communicate by SSL (using bank-signed certificates), so no MITM, although the algorithm should be fairly invulnerable to MITM anyway.

      If there is a transmission error the remote party just asks for a retransmission any time until step 6. The card and the bank would both spot likely duplications. You couldn't spoof the merchant name (Gooogle Innc) or anything like that since it comes via a bank certificate. Nothing is trusted outside the card itself, so no risk of trojans/etc.

      All it needs is a credit card with a battery, display, keypad, and small CPU optimized for crypto. I can't imagine that these are more expensive to produce than the cost of bank fraud.

      You could even have cards that function as digital wallets, handling multiple banks, government IDs, etc. All it takes are some standards, and the right CAs for the right data items.
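The transaction-bound approval described in the comment above, as an added example (not part of the original post or any bank's implementation). Assumptions: an HMAC over a per-card key shared with the bank stands in for the card's certificate, and `Bank`, `card_approve`, `canonical` and the payee names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Assumption: a per-card secret shared with the issuing bank replaces the
# certificate/signature key the comment describes.
CARD_KEY = secrets.token_bytes(32)

def canonical(payee, amount_cents, nonce):
    """Length-prefixed encoding of exactly what the card shows on its display."""
    fields = [payee.encode(), str(amount_cents).encode(), nonce.encode()]
    return b"".join(len(f).to_bytes(2, "big") + f for f in fields)

def card_approve(key, payee, amount_cents, nonce):
    """Steps 3-5: runs on the card, after the user confirms the displayed data."""
    return hmac.new(key, canonical(payee, amount_cents, nonce), hashlib.sha256).hexdigest()

class Bank:
    def __init__(self, key):
        self.key = key
        self.pending = {}   # nonce -> (payee, amount_cents) as the bank received it
        self.used = set()   # nonces already accepted, to spot duplicates

    def new_challenge(self, payee, amount_cents):
        nonce = secrets.token_hex(8)
        self.pending[nonce] = (payee, amount_cents)
        return nonce

    def verify(self, nonce, tag):
        order = self.pending.get(nonce)
        if order is None or nonce in self.used:
            return False                      # unknown or duplicated approval
        if not hmac.compare_digest(card_approve(self.key, *order, nonce), tag):
            return False                      # retransmission still allowed
        self.used.add(nonce)
        return True

def demo():
    bank = Bank(CARD_KEY)
    # Constructed sample: an honest payment, then the same approval replayed.
    n1 = bank.new_challenge("ACME Books", 2500)
    tag1 = card_approve(CARD_KEY, "ACME Books", 2500, n1)
    accepted, replayed = bank.verify(n1, tag1), bank.verify(n1, tag1)
    # Constructed sample: the PC submitted a different order to the bank, but
    # the card only signs the payee and amount the user saw and approved.
    n2 = bank.new_challenge("Mule Account", 400000)
    tag2 = card_approve(CARD_KEY, "ACME Books", 2500, n2)
    return accepted, replayed, bank.verify(n2, tag2)
```

Because the approval covers the payee and amount shown on the card, a code obtained for one transaction does not authorize another, and a re-entered code for an already accepted transaction is rejected as a duplicate.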

  3. Money-Mules by gweihir · · Score: 3, Interesting

    I can at least attest that the search for money-mules is getting more and more aggressive and annoying here. Everybody thinking of making some easy money that way should think again. If the original target goes to the police, the money-mule will have to refund the full amount of money lost and likely will get punished. The reason is that courts typically rule that the fraudulent nature of the job was obvious and hence the money-mule is an accomplice.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. Re:Dutch original? by mrvan · · Score: 4, Informative

    Flemish is a dialect of the Dutch language. I know, dialect is generally a political rather than a linguistic term, but:

    - The official languages of Belgium are Dutch and French (and German...), not Flemish and Walloon
    - The written languages are identical (except for some idiom)
    - People can understand each other without effort (except for heavy local dialects, which is the same in most languages)
    - Anecdotally, I think the within-country dialectal differences (e.g. standard Dutch versus Limburgs, Twents; "standard Flemish" vs. West-vlaams etc) are as great as or greater than the between-country differences.

    You should see Dutch and Flemish the way you see British English and American English, minus the spelling differences.

  5. Really good Flash demo by noidentity · · Score: 3, Funny

    (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code.

    That's an excellent Flash demo. For some reason it asked for my account number and password. It's on a safe site so I went ahead and entered it, but it gave some kind of error.

  6. Re:Dutch original? by Anonymous Coward · · Score: 3, Informative

    No, Belgium has three official languages: Dutch, French, and German (the first two account for the bulk of Belgian people). There are three dialect families of Dutch in the Dutch-speaking part of Belgium: Flemish ('Vlaams'), Brabantic ('Brabants'), and Limburgish ('Limburgs'). Sometimes all of these are lumped together under the nomer of 'Flemish', which is not really accurate.

    Anyhow, Flemish is certainly not a different language, and the language you find in written communication, such as the newspaper article in question, is Dutch, not Flemish. There does exist some variation in e.g. vocabulary between the 'Belgian' and the 'Netherlandic' variants, but the original article would be perfectly readable to any Dutchman.

  7. Re:How long until..... by Mattpw · · Score: 3, Insightful

    Banks won't run the IT tech support required, and there's also the liability issues. Even if you could guarantee the software had no security bugs the user can just as easily fall victim to phishing type scams and then sue the bank, this is essentially the same problem with the bootable Linux LiveCD concept which does guarantee no trojans getting into it but fails to prevent simple phishing. The tech support for all the different drivers and other things a person might use the terminal for would kill the bank. The other problem is banking rarely happens in a vacuum, a user wants their account program, their files etc and so locked devices become good for security demonstrations but impractical in real life.

  8. Re:Note the fraud dates from 2007 by Hognoxious · · Score: 3, Informative
    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."