Slashdot Mirror


UK Banks Blackmailed by Crackers

Palin Majere writes "This story from USAToday reports on how banks in the UK are finding it cheaper (and easier) to pay off cracker groups rather than try and defend themselves properly."

25 of 98 comments

  1. Re:Privacy going downhill by Jon-o · · Score: 2

    Many worldwide banks offer NetBanking as a way of allowing customers access to their account, bill payments, loan payments, etc over the net. The way this is done is not through a browser, but through a secure on-line client terminal, developed by the bank (which is not open source ;-) ).

    My bank has an interesting solution here: It uses a client, which does all the wacky password stuff, and then acts as a local proxy, so that you can use your normal browser, but only with the security program working. It can be a bit of a pain to setup when you're already using a proxy, but not all that bad. And it seems to work - I haven't heard of any great problems yet.

    Of course, the nice thing about just having stuff on the web is that you don't need any proprietary software - it'll work on any OS that has a browser!

    Of course, you'll want decent encryption - would a "simple" solution that used 128 bit encryption be generally decent? Would most of you trust it?

    (of course it would depend on a lot of other things... but hey)

    If so, all we need is to allow 128 bit encryption everywhere! There's that familiar refrain again...

  2. Re:Long term /Short term and Capitalism by Stonehand · · Score: 2

    Perhaps opening an account to receive the message leaves too much of a trail? I don't recall the article saying *how* the crackers were paid off (suitcase full of cash, say; or seized collateral, or whatever) but the bright ones, presumably, wouldn't accept anything like a personal check...

    --
    Only the dead have seen the end of war.
  3. This was all made up by the UK's NSA. by Paul+Crowley · · Score: 3

    Inhabitants of the "UKcrypto" mailing list, for discussing government cryptology policy, have come to the conclusion that this story is a complete fabrication, "cut from whole cloth" by GCHQ (the UK equivalent of the NSA) to spread bad words about strong crypto and encourage regulation.

    The original story has bizarre references to "hackers" holding up banks "with crypto" - I know it's a munition, but you can't point it at a bank teller!

    See for example this article by highly respected cryptologist and computer security expert Ross Anderson, who is also co-author of AES candidate Serpent. Note also this observation on bank panic stories, or read the whole thread (search for "today's Times").

    I'll also echo the comments here about Jonathan Ungoed-Thomas's hilarious attempts to cover security issues, among other iGaffes.

  4. Double-plus Ungoed by anticypher · · Score: 2

    Go read some back issues of www.ntk.net to know more about the most outrageous cyber-journalist in the UK, Jon Ungoed-Thomas. This story is pure fantasy, as are most of his stories. He is a scare-monger of the worst kind.

    Many times he has been caught sending out emails from his work account, pretending to be a female eco-terrorist. Then he started using hotmail but filled out the registration form with his own name, and it was sent with the emails. He is astoundingly stupid and clueless.

    Now, there may have been some extortion attempts against banks recently by script-kiddies. During the Secondary DNS Con, civic-minded hackers announced that the Scottish National Party's web site had no security. They then gave the web masters 2 weeks to fix it (the idiots applied a single M$ patch), then cracked the system and defaced the home page with some very funny stuff. Obviously the hack was long in the making.

    Since then, there has been a lot of poking around websites all over the place in the UK, and since most of the security holes are application based, adding firewalls doesn't do much good.

    I expect some script-kiddies sent an email to a web master at a major bank, demanding money or "the web site gets it". Mr double-plus-Ungoed has managed to fabricate a huge threat out of that with his tabloid trash writing.

    Bank security for transactions doesn't go through web sites, despite what clueless wanna-be hackers would love to think. Any real cyber-threat to banks is well funded by organized crime, and the hacks are months in the execution. The payoff can be huge, and usually requires inside knowledge. Mr Ungoed can't even figure out hotmail :-)

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  5. Netbanking and encryption by jfunk · · Score: 2

    My bank (Toronto Dominion) has a net banking solution.

    It grew from a touch-tone system (which I avoid using) to a proprietary client to a browser based app. They recently phased out the proprietary client.

    However, I would not be able to legally access my info outside of North America. Yep, it only allows 128-bit crypto. It'll reject anything else.

    Between that and the phone, I trust the browser more. It is really easy to just record a phone session and get the touch-tone password and card number.

    So banks outside North America are getting the shaft due to dumb US export restrictions.

    Quite frankly, I'm surprised they're "letting" us use it. But then again, is that IP owned by the US government? What right do they have to impede international business?

    What pisses me off the most is that I can't really do anything about it. They're not going to listen to me, as I'm not a US citizen.

    All of you US people should each write a monthly letter to their politicians, or a monthly fax. Let them know how strongly you feel.

  6. Privacy going downhill by Falsch+Freiheit · · Score: 2

    If there's one group that I trust to honor privacy even less than any of our governments it's large corporations. And if there's any group that I trust less than large corporations to honor privacy, it's crackers.

    Does anybody know if these crackers are anything more than greedy script kiddies?

    With this kind of thing (governments eroding privacy, eroding any attempts to use encryption, private sector being even worse about privacy, etc.) the average law-abiding citizen in any country might as well post a daily log of all their activities and financial statements to USENET, because everybody could get to the info anyways.

    And, jeez, how hard is it, really, to separate a bank network from the internet entirely and only allow absolutely necessary things through firewalls? (and to keep computers up-to-date, for that matter) Or is this all mostly being done by people that manage to get access (somehow) to terminals in the banks themselves?

    1. Re:Privacy going downhill by Tony+Towers · · Score: 2

      Many worldwide banks offer NetBanking as a way of allowing customers access to their account, bill payments, loan payments, etc over the net. The way this is done is not through a browser, but through a secure on-line client terminal, developed by the bank

      That may be the way it works in Oz, but here in the UK you do access NetBanking via a simple browser. And because of the US government's insane stance on cryptography, it'll be a browser with crippled, weak security.

      The financial institutions over here have made it particularly easy for crackers to get into their systems, so it's probably no big surprise that we're the ones being targeted.
    2. Re:Privacy going downhill by Dan+B. · · Score: 2

      It's really weird that everyone assumes that access is through the internet. One would think Banks are not connected to the net for any other purpose except to advertise themselves. On some occasions however, this is not true.

      Many worldwide banks offer NetBanking as a way of allowing customers access to their account, bill payments, loan payments, etc over the net. The way this is done is not through a browser, but through a secure on-line client terminal, developed by the bank (which is not open source ;-) ).

      I imagine what the crackers are doing, is using this client, a bit of reverse engineering and some other unscrupulous methods to do the do. Otherwise, the only other way in is via a remote dial in.

      I used to work for a co. that processed data records for a bank on to microfiche. Initially the data came on tapes, then a dedicated secure connection to the bank was connected for more efficient data transfer. There were some very, very, tight restrictions on our network and external connection before that thing went in.

      --
      Dan. -- So what if it's spelt wrong, nobody's perfect
  7. Been happening for a long time by Anonymous Coward · · Score: 5

    As someone who's been involved with various information warfare efforts over the years (hence the AC posting) this has been a well known fact for at least the last 10 years that I know of.

    The methods of blackmail are very simple as most of the systems run over standard high bandwidth lines. It's a simple enough problem to get into these systems by going through the exchange points rather than walking through the front door of a bank (just like breaking into most company networks is actually much easier to break the PABX system and then jump across into the data stream that contains the network link rather than trying to attack the firewall directly).

    Most of the time, the banks don't even bother with verifying the cracker's claims. They just pay up the cash and be done with it. You'd be surprised at just how lax most banks are with their internal security. Oh, this system is inside the network so we don't even have to worry about encrypting the comms between our two mainframes even though they're located at two different sites 50Km apart.

    Another interesting hole to watch out for in the future will be the increasing use of direct fibre channel connections. Some of the setups that I've seen put the mainframe connection in one site and the drives and backdrives in two separate sites. The drives are hooked up using fibre channel as though they were local hard drives to the machine. If you know what you're doing, getting inside one of these links can be quite easy.

    Despite repeated demonstrations of how easy some of these systems are to break, the banks just don't seem to be interested in trying to make it more secure. They don't want to spend the extra money because it eats into the profit margin. Security through obscurity seems to be their favourite mantra. Fscking idiots!

    1. Re:Been happening for a long time by The+Dodger · · Score: 4

      I've heard a lot of people dismissing this story as pure fabrication and, whilst I do suspect that Ungoed-Thomas doesn't have a clue about what he's writing about (do a search for "Ungoed" on NTK for my reasons for thinking this), I'm inclined to suspect that there may be some truth behind the story.

      Back in '95 I wrote a couple of articles on information warfare, battlefield technology, etc. for an international military magazine. In April '96, I was contacted and asked if I could supply an EMP device which could "wipe out all computers within a 100m radius in a built-up area", for a certain amount of money (in excess of $15k).

      Obviously, I refused the "commission", and thought no more of it, but several weeks later, the Sunday Times led with this story.

      Needless to say, I've kept an open mind about these things since, especially as, since then, I've been asked to do all manner of illegal things, from hacking into the mail servers of competitors, takeover-targets and companies planning IPOs, to monkeywrenching (i.e. causing crashes, glitches and other problems in a company's systems and networks to make them look bad).

      The methods of blackmail are very simple as most of the systems run over standard high bandwidth lines. It's a simple enough problem to get into these systems by going through the exchange points rather than walking through the front door of a bank (just like breaking into most company networks is actually much easier to break the PABX system and then jump across into the data stream that contains the network link rather than trying to attack the firewall directly).

      That's true enough, and it's also true that companies' phone systems are often a lot less secure than their data networks, but that sort of hacking is quite low-level and requires a level of knowledge which, luckily, isn't as easy to acquire as normal hacking scripts are.

      You'd be surprised at just how lax most banks are with their internal security.

      I don't have any experience with banks, but I've been involved in testing the security at other financial institutions, and I've been completely astonished at things like an insurance company with a wide open RAS dialup into their internal network. Senior executives can and do crap themselves when they realise just how vulnerable they are and, perhaps more importantly, that they are legally responsible for the security of their company's information systems and networks and the data (financial and personal) held on them.

      Another interesting hole to watch out for in the future will be the increasing use of direct fibre channel connections. Some of the setups that I've seen put the mainframe connection in one site and the drives and backdrives in two separate sites. The drives are hooked up using fibre channel as though they were local hard drives to the machine. If you know what you're doing, getting inside one of these links can be quite easy.

      I work with FCAL technology (Sun A5*00 arrays, mostly) and so on and I've heard of these type of set-ups as well. I think that the security of SANs and NAS devices will become an issue over the next couple of years.

      Despite repeated demonstrations of how easy some of these systems are to break, the banks just don't seem to be interested in trying to make it more secure. They don't want to spend the extra money because it eats into the profit margin. Security through obscurity seems to be their favourite mantra.

      Agreed. There's a huge amount of complacency in the UK regarding computer security. In August, a bunch of guys at DNSCon "outed" a couple of websites which were vulnerable to hackers, including the Scottish Government's site. Unfortunately, although they claimed to have tightened security, the new measures obviously weren't quite secure enough, as they were hacked not long afterwards.

      There's a growing feeling in the UK that companies are failing to place enough emphasis on information security, and that a lot of so-called information security consultancies are incompetent. Many of them are formed by IT auditors, who might know how to count computers, but know fuck-all when it comes to effective information security risk management. Even the British Standards Institute's BS7799 standard for information security management is widely acknowledged to be a joke. The majority of systems which are certified as conforming to BS7799 are still vulnerable to attack.

      The recent revision of the UK's Data Protection Act has taken a step towards making the directors of companies directly responsible for ensuring that the private information which is held on their companies' information systems is adequately protected.

      However, I feel that it won't be until the shareholders realise that their companies' profits are in danger, because of management incompetence, that we'll see real moves towards implementing effective information security practices.

      The Dodger

  8. Once you pay Danegeld, by Apuleius · · Score: 2

    you never lose the Dane.

    Of all the policies I've heard, this is the most short sighted. Of course, not much detail is given out, but I can see this already:

    1. crack root on one bank's machine.
    2. metastasize into the whole LAN.
    3. install backdoors everywhere.

    Now:

    4. give a vivid demo + ransom instructions, signed with one handle. Obtain ransom. Observe which backdoors are undone. Restore what you can.

    5. wait.

    6. if (backdoors >= 1) {
         a. select new handle and set of ransom instructions.
         b. repeat steps 4 and 5.
       }

    Lovely, eh?

  9. Long term /Short term and Capitalism by Tsk · · Score: 3

    This is exactly the kind of attitude I can't understand in the Capitalist world we're living in.
    Sure, in the short term it's cheaper to pay the hackers to send them elsewhere (like your competitor). But in the long term this really is bad:
    * Crackers will see in such a deal a good way to make money, they'll come back (this will increase the cost of security)
    * Since they just pay the cracker and don't do anything about security, what will happen when the cracker doesn't try to get paid by the bank but takes what he wants

    In the long term the money should be spent on increasing security .....

    --
    none Yet.
    1. Re:Long term /Short term and Capitalism by Rix · · Score: 2

      They wouldn't have to transfer funds to hurt the bank, just steal some "private" info. The bank would *not* want the media to know that their system had been cracked, even if it was only minor. Joe Sixpack finds out his bank's been cracked, he rushes to withdraw all his cash. If too many people do this, oops, the bank has no money because it's out on people's mortgages, car loans, et cetera.

      Cheers,

      Rick Kirkland

  10. cHrackers by Matt2000 · · Score: 3

    Overheard on an unsecured line:

    "Did you pay off the hackers?"
    "Yes, they're covered."

    "How bout the crackers?"
    "Ya, we got them too."

    "Snackers?"
    "Trying to find them."

    "Meat packers?"
    "I can only work so fast boss..."

    Hotnutz.com


  11. This story is at best old, at worst a hoax by Brian+the+Bold · · Score: 2

    This issue has been discussed on the UK Crypto mailing list since the article appeared in the Sunday Times last weekend. The whole meat of the article is unsubstantiated and is simply not true. The same spiel has been going the rounds for several years now, apparently hyped up by the spooks at GCHQ who are trolling for business reviewing commercial software system security.

    Now I wonder why GCHQ want to know how banks and institutions secure themselves?

    --
    -- BtB
  12. This person is lying. by The+Dodger · · Score: 2

    Now, there may have been some extortion attempts against banks recently by script-kiddies. During the Secondary DNS Con, civic-minded hackers announced that the Scottish National Party's web site had no security. They then gave the web masters 2 weeks to fix it (the idiots applied a single M$ patch), then cracked the system and defaced the home page with some very funny stuff. Obviously the hack was long in the making.

    That is a lie.

    The individuals who made the announcement at DNSCon had warned both the Scottish Executive and the Post Office well in advance, and did not announce that their websites were vulnerable until after they had received confirmation that their warnings had been received.

    The people who "outed" the Scottish Executive did not hack their website.

    You don't know what you're talking about, so please refrain from pretending that you do.

    D.

    1. Re:This person is lying. by anticypher · · Score: 2

      Like I said, the DNS Con hackers are civic-minded. They gave the web masters plenty of notice of the holes, with the exact details of what needed to be fixed, and plenty of time to do it in. The web masters did nothing until DNS Con made headlines, then applied ONE patch recommended by micros~1, and didn't go any further. Various security mailing lists in Europe have had fun picking apart the Scottish Executive's response.

      The crackers who later defaced the website put a lot of work into a careful spoof of the contents of the site. They even speled most wurds corectly :-) I would classify it as a harmless hack, since it was done with some foresight and planning and didn't really cost the SExec anything but a slightly redder face.

      Check out the defaced page on http://www.attrition.org

      But since I work in the security industry, I've noticed a lot of UK businesses are asking for fast and easy security for their websites, since web site cracks are happening almost all the time. For some reason telling them to hire a competent admin and install the latest patches falls on deaf ears. But tell them that for twice the price they can buy a handful of firewalls, and they hand us a blank cheque. :-)

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  13. Re:Catch them when they pay the bribe? by pev · · Score: 2

    I think you've been watching too many films - most people would demand tens of thousands as it's far easier to get away with. Millions is Hollywood and people that haven't thought it through. Most people in the UK that have been caught have tried to set up systems to withdraw the ransoms from cash machines in several hits, and have been caught by the cash machine cameras. Not very clever, as the cash machine is the perfect way to get the cash away from a random unknown location...

  14. Re:Homer: mmmmm....Crackers.... by substrate · · Score: 3

    No they got it 100% right this time. They are hackers, they're using their hacking skills for malicious purposes therefore they're also crackers. The term hacker itself is grey, there are good hackers and there are bad hackers. The problem is that in the media hackers has been used to refer to the population of hackers who operate contrary to the law as opposed to the entire population of hackers.

    Even leaving it at reports of 'malicious hackers' would've been correct. They're hackers and they're malicious. It isn't implying that all hackers are malicious any more than saying 'corrupt police officer' would imply that all police officers are corrupt.

  15. Even better... by Ungrounded+Lightning · · Score: 2

    It looks like they're also starting on a process of educating the reader on the difference - working up to a future where they can just say "cracker" and everybody will understand what they mean, and where everybody ELSE will use it right, too.

    Just as people don't call rustlers "cowboys" or (sea) pirates "sailors", so they won't call crackers "hackers" (though the former is almost an included set of the latter in all three cases).

    Good for you, USA Today!

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  16. Been through this before. by Ungrounded+Lightning · · Score: 2

    Once upon a time the ATMs were standalone. They trusted the card. That didn't work for long: Clone a card, get another maximum daily withdrawal, and overdraw the account as much as you like (rather than just a couple hundred bux).

    So soon they were networked, and checked the real records of the account. Big improvement.

    But it costs a lot to keep the banks' machines up 24x7. So they went to standalone mode on weekend nights. And again they trusted the card, and again they were vulnerable.

    I hear that one major bank in Detroit didn't bother with the extra shift on Sunday night when they were only losing $10K/weekend. When it got up to $100k, they paid for the extra shift, and the window of opportunity became very narrow and sporadic. (And nowadays the hosts are up so much of the time that they can program the ATMs to go out-of-service if they can't reach the host. So for these machines the window is zero.)

    The same will likely happen with the blackmailers. If there are ever so many that it's cheaper for the banks to fight them than to pay them off, they'll fight 'em. Meanwhile, they can gain breathing room to work on their security by keeping the current few at bay with payoffs. And they can try to trace the payoffs and bust the blackmailer-of-opportunity now and then.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  17. Insurance? by jflynn · · Score: 2

    So the next obvious question is, does this get covered by insurance? If so, why isn't the insurance company screaming about getting some security installed and maintained? Or are they making more in premiums than losing in payouts and fine with things as they are?

  18. Catch them when they pay the bribe? by chandoni · · Score: 3

    "OK, we'll give you the $10 million. Where do you want that sent?"

    It seems much more likely that authorities could trace a single such (planned) transaction (even if it goes through an online Swiss bank or something) than if J. Random Cracker just transferred the $10 million to his account without the bank's knowledge. So, why would J. even demand a payoff at all unless he's bluffing or too stupid to realize he's increasing the chances of being caught?

  19. It's Ungoed-Thomas by rafial · · Score: 5

    As I suspected when I saw the reference to the Sunday Times, the original article that was cited in USA Today was authored by Jon Ungoed-Thomas. Readers of ntk.net will be familiar with Ungoed-Thomas as a journalist who is long on unsubstantiated sensation, and very short on fact checking, and who is building a career out of predicting the collapse of civilization as a result of the Internet.

    I'd take this particular article with a few large and tasty grains of salt.

  20. Money transfer networks by GodEater · · Score: 3

    I work in the financial messaging sector of IT, and I find it difficult to believe that crackers have actually managed to move money from Bank Account A to Bank Account B.

    You'd not only need to be a fairly talented cracker to get into the bank's network in the first place - but you'd also have to have an in-depth knowledge of how banking transactions work to actually pass the money around.

    I've been working in this industry for five years now - working with a large number of banks - and I still don't think I could get away with it...

    --

    Gentlemen, start your penguins