Cyber Gangs Raise Profile of Commercial Online Bank Security
tsu doh nimh writes "The Washington Post's Security Fix blog has published a rapid-fire succession of investigative stories on the theft of hundreds of thousands of dollars from companies, schools, and public institutions at the hands of organized cyber thieves and 'money mules,' willing or unwitting people recruited via online job scams. Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs. Last week, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules. The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball. Most recently, the Post's series outlined a sophisticated online system used by criminals to recruit, track and manage money mules."
Sweden rocks (Score:2, Informative)
Depending on your bank in Sweden, you either get:
* A user/pass combination that you input on their website. You then get a code that you input on a personal code generator thingy, and you get another code back that you enter on the website. (Downside: You need your code generator with you)
* A user/pass combination and one-time-use codes that you scratch off a card that you carry with you. (Downside: You gotta order more codes after a while)
* A digital ID encrypted on file, and a password that decrypts it. (Downside: you need the file on a USB memory stick or something)
* (New). A digital ID on a card that you carry with you, and a non-personal card reader. This card is like a digital version of your ID.
You can either enter your card and a 6-digit PIN with the reader connected through USB.
Or you can enter the card and PIN, and you get a code that you enter on the website. You then get a code back that you enter into the reader, which in turn generates another code that you enter on the website.
(Downside: You need a card reader when you're away from home. If everyone uses the same bank, this wouldn't be a problem)
Everything is done over HTTPS, so it seems pretty secure.
Re:I like Bank of America's approach (Score:4, Informative)
To successfully transfer funds out of your account, they would need you to authenticate via SMS twice - once to login and once to authenticate the transaction. If you know you haven't authorized any transactions, you simply should refuse any further authentication attempts.
I suppose they could make it appear that the original attempt failed. However, that should raise enough suspicion to cause you to log off. In addition, they would have to correctly guess your SiteKey image to attempt the attack. When you login, Bank of America displays a unique image of your choosing to ensure you're at the authentic site.
Re:So close ... and yet ... (Score:3, Informative)
Just for instance ... it can connect to a server, retrieve a transaction from it and validate it with the key you just entered. The server at the same time sends off a couple of SMS to money mules.
Automation is the key.
Re:I like Bank of America's approach (Score:5, Informative)
https://www.paypal.com/securitykey
As for the alternative of getting in by answering the security questions for the account, I have used very hard to guess made-up answers for the stupid security questions (I did not use real information).
An employee at the bank where I have my checking account recently suggested that I should do online banking. First I asked him if that would work with my computer, which runs Linux instead of Windows. He said Linux would work just fine. I then mentioned my concerns about security and the fake phishing emails that I get, which claim to be about my online banking account at their bank. I said, you know the ones that want me to click on some long complicated-looking URL going to some foreign country, and then probably have me log in and give them my user name and password. He said, "yes, just ignore all of those fake email messages."
I also mentioned my concerns about keystroke loggers, although I added that I have probably managed to secure my Linux computer better than most average computer users do. However, a keystroke logger might still be a slight possibility, even for my Linux computer, so I knew I wanted the additional protection of multi-factor authentication. I pulled my security key out of my pocket and asked him if they offer two-factor authentication using something like this. He said they did not offer anything like that. I told him that I would not feel comfortable doing online banking with them, because they do not offer multi-factor authentication.
Two-factor authentication may not be totally perfect, because most forms might still be vulnerable to a man-in-the-middle attack, but it would still be a major upgrade to their security. The cell phone plus 6-digit number in an SMS text message technique, that you said Bank One is using, also sounds great.
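The two comments above (the automated relay that validates the attacker's own transaction with the key you just typed, and the point that most two-factor schemes remain vulnerable to a man-in-the-middle) come down to whether the one-time code is bound to the transaction the user actually saw. The following is an added illustration, not code from any bank mentioned on the page; the HMAC construction, the 6-digit truncation and the sample transactions are all constructed assumptions. It shows that a login-only OTP authorizes whatever transfer the relay submits, while a code computed by the reader over amount and recipient fails verification once the relay alters them.

```python
import hmac
import hashlib
import secrets

# Constructed sample values (not from the article): a shared secret baked into the
# user's token or card, plus the transfer the user intends and the one a relay substitutes.
TOKEN_SECRET = b"constructed-demo-secret-do-not-reuse"
INTENDED = {"amount_cents": 100_00, "recipient": "SE-PAYEE-0001"}
ALTERED = {"amount_cents": 588_000_00, "recipient": "MULE-ACCOUNT-0001"}


def login_code(secret: bytes, challenge: bytes) -> str:
    """Login-only OTP: a response to a random challenge, unrelated to any transaction."""
    return hmac.new(secret, b"login|" + challenge, hashlib.sha256).hexdigest()[:6]


def transaction_code(secret: bytes, challenge: bytes, amount_cents: int, recipient: str) -> str:
    """Transaction-bound code: the reader computes it over the details the user sees on it."""
    msg = b"txn|" + challenge + b"|" + str(amount_cents).encode() + b"|" + recipient.encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:6]


def bank_verifies(expected: str, submitted: str) -> bool:
    """Constant-time comparison of the code the bank expects with the one submitted."""
    return hmac.compare_digest(expected, submitted)


def simulate(transaction_bound: bool) -> bool:
    """Return True if the bank accepts the ALTERED transfer in a relay attack.

    The user believes they are approving INTENDED; the relay submits ALTERED
    together with whatever code the user typed.
    """
    challenge = secrets.token_bytes(8)  # bank issues a fresh challenge per session or transaction
    if transaction_bound:
        # The reader shows amount and recipient, so the user's code binds INTENDED,
        # while the bank derives its expected code from the ALTERED details it received.
        typed = transaction_code(TOKEN_SECRET, challenge, **INTENDED)
        expected = transaction_code(TOKEN_SECRET, challenge, **ALTERED)
    else:
        # Login-only OTP: the same code is valid for any transaction in the session.
        typed = login_code(TOKEN_SECRET, challenge)
        expected = login_code(TOKEN_SECRET, challenge)
    return bank_verifies(expected, typed)
```

The mitigation is what the Swedish card-reader scheme above approximates when the challenge entered into the reader carries the transaction details: the user confirms the amount and recipient on a device the PC cannot alter.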
Re:No thanks, nanny bank (Score:4, Informative)
" ... The point is that as long as banks are not responsible for the losses, they have no incentive to implement strong security measures on their websites. ..."
Actually, it goes beyond that. As long as banks are not responsible for the losses, they have an incentive to weaken security in order to maximize the number of clients in the available pool of clients, who actively online bank.
This lowers the cost of running the bank and therefore maximizes profits (which cannot be impacted by pesky requirements to provide compensation for breaches and customer losses via weak security).