
Cyber Gangs Raise Profile of Commercial Online Bank Security

tsu doh nimh writes "The Washington Post's Security Fix blog has published a rapid-fire succession of investigative stories on the theft of hundreds of thousands of dollars from companies, schools, and public institutions at the hands of organized cyber thieves and 'money mules,' willing or unwitting people recruited via online job scams. Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs. Last week, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules. The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball. Most recently, the Post's series outlined a sophisticated online system used by criminals to recruit, track and manage money mules."

  • by maladroit ( 71511 ) on Sunday September 27, 2009 @01:48PM (#29557921) Homepage

    As Bruce Schneier recently pointed out [schneier.com], MITM attacks are now much more common, and likely to become widespread.

    Now, if they used that cell phone message to authenticate the exact transaction you are performing, you'll be much more secure.

    Of course, if it's too easy to update the cell phone number, all bets are off.
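
Added example, not part of the original thread: a sketch of the transaction-bound confirmation code the comment above describes, next to a session-level one-time code for contrast. The function names, key, nonce, account labels and amount are all constructed for illustration, and HMAC-SHA256 truncated to 8 digits is an assumed construction, not any bank's actual scheme.

```python
import hashlib
import hmac
from decimal import Decimal

DEMO_KEY = b"constructed-demo-key-not-a-real-secret"  # bank-side secret (constructed)

def canonical(tx: dict) -> bytes:
    """Unambiguous encoding of every field the customer must approve."""
    amount = str(Decimal(tx["amount"]).quantize(Decimal("0.01")))
    fields = [tx["from_acct"], tx["to_acct"], amount, tx["currency"]]
    # Length-prefix each field so adjacent values cannot be re-split.
    return b"".join(len(f).to_bytes(2, "big") + f.encode("ascii") for f in fields)

def tx_code(tx: dict, nonce: bytes, key: bytes = DEMO_KEY, digits: int = 8) -> str:
    """Short code derived from the transaction itself plus a per-request nonce."""
    mac = hmac.new(key, nonce + canonical(tx), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10**digits).zfill(digits)

def sms_text(tx: dict, nonce: bytes) -> str:
    """Out-of-band message: shows payee and amount next to the code."""
    return (f"Pay {tx['amount']} {tx['currency']} to {tx['to_acct']}? "
            f"Code: {tx_code(tx, nonce)}")

def bank_accepts(submitted_tx: dict, nonce: bytes, code: str) -> bool:
    """Recompute the code over the transaction about to be executed."""
    return hmac.compare_digest(tx_code(submitted_tx, nonce), code)

def session_otp_accepts(submitted_tx: dict, issued_otp: str, code: str) -> bool:
    """Weak variant for contrast: the code never looks at the transaction."""
    return hmac.compare_digest(issued_otp, code)

def demo() -> dict:
    nonce = b"\x01" * 16  # constructed; a real nonce is random and single-use
    approved = {"from_acct": "ACME-001", "to_acct": "SUPPLIER-42",
                "amount": "1500.00", "currency": "USD"}  # constructed
    altered = dict(approved, to_acct="UNKNOWN-99")  # payee changed in transit
    code = tx_code(approved, nonce)  # what the customer reads and types in
    return {
        "bound_ok": bank_accepts(approved, nonce, code),
        "bound_altered": bank_accepts(altered, nonce, code),
        "session_altered": session_otp_accepts(altered, "48291734", "48291734"),
        "sms": sms_text(approved, nonce),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The binding only helps if the customer actually reads the payee and amount in the message, and, as the comment notes, only if the phone number on file cannot be changed too easily.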

  • by religious freak ( 1005821 ) on Sunday September 27, 2009 @02:13PM (#29558145)

    Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs

    How exactly is this the banks' responsibility? And if it is a bank's responsibility, are they going to go into my PC to fix it?

  • by MeanMF ( 631837 ) * on Sunday September 27, 2009 @02:18PM (#29558173) Homepage
    The point is that as long as banks are not responsible for the losses, they have no incentive to implement strong security measures on their websites. A large number of the current attacks on customer PCs could be eliminated if banks didn't let people do everything with just a username and password. Imagine how bad credit card fraud would be today (or how few people would use credit cards) if you were responsible for fraudulent use and not the bank.
  • by Sir_Lewk ( 967686 ) <sirlewk@gCOLAmail.com minus caffeine> on Sunday September 27, 2009 @02:52PM (#29558465)

    I think as we see an increase in cellphone usage for common internet tasks, the "out of band" benefits of this scheme are going to be lost for many people.

  • Re:Hmm (Score:4, Insightful)

    by hedwards ( 940851 ) on Sunday September 27, 2009 @03:24PM (#29558719)
    You know, Kelsey Grammer is only one man. You can't expect him to go out and fix all the world's English language issues, now can you?
  • by shentino ( 1139071 ) <shentino@gmail.com> on Sunday September 27, 2009 @03:59PM (#29558997)

    My two cents

    1) Why should the bank be held responsible for something that is clearly the customer's responsibility? I.e. securing their fucking computer?

    2) Maybe this will encourage folks to keep their computers locked down.

    Mind you, I think that the bank should bend over backwards to help catch the bad guys. However, they cannot and should not be expected to police their clients' computers... and likewise expecting them to pony up for something they can't prevent is also unfair.

    The real enemy in this case, as usual, is the crook that did the hacking in the first place.

  • by Moridin42 ( 219670 ) on Sunday September 27, 2009 @05:49PM (#29559867)

    1) The security of financial transactions isn't "clearly the customer's responsibility" .. it is a problem that exists because there are two parties. The bank is one. The customer is the other. Both can take steps to reduce losses. Customers can secure their fucking computers. Banks can secure the fucking web page. Neither party will capture all of the gains from improving security. So, to answer your question.. banks should be held responsible (for some, perhaps most, but not all) of this type of security because they are in the best position to improve everybody's position at the least expenditure of effort. Making them responsible makes sure they make such an effort.

    2) It won't. Users are dumb, reckless, careless, negligent, and stubborn. How many hours of a poorly performing machine must they suffer before they're willing to tighten security? Many, many years, apparently. How much data must users lose before they'll tighten security? Couldn't tell you. I can pretty much guarantee you that a tiny fraction of the population of internet banking users getting ripped off won't make the rest of the vast hordes of users give a flip about their own machine's security if years of data loss, identity theft, and performance impact have yet to do the job.

  • by Opportunist ( 166417 ) on Monday September 28, 2009 @06:04AM (#29563543)

    How is MS or any vendor of computer hard- or software responsible for user stupidity?

    Most current malware infections are not due to an OS blunder or faulty software. It's social engineering, getting the user to launch a program he'd better not. From the obvious ones where you get an email from LAWYER telling you to open this attachment immediately and act OR ELSE, to the less obvious ones where you install a "crack" for something that also quietly installs a rootkit.

    How could any OS avoid this? By requiring root access for anything but the most trivial actions? So? The user will grant it. Imagine you promise the user a crack for his OS so it won't activate but is still usable. Will he get suspicious if the crack wants to install ring0 drivers or manipulate system files (assuming he knows at all what I'm now talking about)? No, after all that crack is supposed to change his OS. Not only would he not be alarmed, quite possibly he would do whatever is in his power to help the rootkit install itself. If it doesn't work, oh well, maybe those bastards at MS changed something and the crack doesn't work anymore. Happens all the time with new firmware for those consoles...

    Don't try to shift the blame, people. It's not Ford's fault if you don't check your brake fluids and your car doesn't stop when you slam the brakes. It's not your plumber's fault when you clog the sink and it floods the apartment. It's not Smith & Wesson's fault if you can't handle your gun and shoot yourself in the foot. And it's not MS's fault when you can't keep your machine clean.
