
Cyber Gangs Raise Profile of Commercial Online Bank Security

tsu doh nimh writes "The Washington Post's Security Fix blog has published a rapid-fire succession of investigative stories on the theft of hundreds of thousands of dollars from companies, schools, and public institutions at the hands of organized cyber thieves and 'money mules,' willing or unwitting people recruited via online job scams. Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs. Last week, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules. The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball. Most recently, the Post's series outlined a sophisticated online system used by criminals to recruit, track and manage money mules."
  • by Iphtashu Fitz ( 263795 ) on Sunday September 27, 2009 @01:36PM (#29557817)

    I have accounts at a few different financial institutions and have to say that despite all their other problems I think Bank of America has about the best two-factor authentication scheme I've seen so far.

    Cell phones are extremely common these days, and BoA has leveraged that ubiquity. You can set up your account so that any time you attempt to log on the bank will send you an SMS text message with a totally random 6 digit number. You have to enter that number as you're logging into their website (along with your regular password). Since they're using an out-of-band method of sending you the random code the chances of it being intercepted are extremely small. And since it can only be used once then even a keylogger can't defeat it. The only type of attack that I think would work in this situation would be a man-in-the-middle attack, which is very unlikely as well.

  • by Anonymous Coward on Sunday September 27, 2009 @01:43PM (#29557879)

    I can think of a *lot* of attacks on that. Most of them just as illegal as the intended crime...but...yeah... It's technically trivial to intercept SMS data. As it is, you can already see the fraud shops working around it--the new trojans send an alert to some amazon-turk type person in the middle of nowhere when you login, and just hide a window that gets relayed to them. While you're logged in, they can do very bad things...

    Also, as somebody working in an industry that once depended on SMS, let me tell you the service is ridiculously unreliable. How'd you like not being able to log into your bank b/c you couldn't get an SMS? In the US I can tell you from experience that any given vendor will have SMS "down" for about four days (total) a year.

    Finally--even if it can only be used once, a keylogger can defeat it, unless only the last message is valid, and/or there's a rapid timeout. All I need to do is make the keylogger a little aggressive, and popup a box prompting you for *two* passwords. Of course, the first one actually goes to the bank--the second one crossposts to evil.com so I can login later today and drain you.

    I realize--it's probably a "small" concern--but when you need your bank info--you often *need* it quickly.

    Look, there's a lot of *good* technologies out there to help filter this. The credit card companies use some of them. But in the case of banks, what's going on is outright criminal negligence that they refuse to fix.

  • Cahoot in the UK (Score:3, Interesting)

    by Threni ( 635302 ) on Sunday September 27, 2009 @01:44PM (#29557893)

    I emailed Cahoot about a flaw in their system, about 5 times as it happens, over a period of months, but only ever received stock replies. What happens is: you attempt a login with username/password. Then you get to a screen where you select 2 letters from a second password via drop down boxes. If you get that second page wrong a few times it tells you that your account is locked and you have to contact them. But you don't - your account is not locked. You can simply attempt another login. So if you know someone's username/password (username is visible when someone logs in so you just have to know their first password), then you get as many guesses as you like of their second password, and it doesn't vary the 2 letters it wants from that one. The drop down list gives a-z and 0-9. 36 * 36 isn't very many guesses to have to attempt.
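The lockout behaviour described in the comment above, as an added example that is not part of the original thread and not Cahoot's code: a failure counter kept per login attempt beside one kept per account, with a regression check that counts how many wrong second-password answers each backend evaluates. The class names, the threshold of 3 and the user name are assumptions.

```python
MAX_FAILURES = 3          # assumed lockout threshold
KEYSPACE = 36 * 36        # two characters, each drawn from a-z and 0-9


class SessionCounter:
    """Flawed pattern from the comment: failures are counted per login attempt."""

    def start_login(self, user):
        return {"user": user, "failures": 0}   # fresh counter on every login

    def second_factor(self, session, correct):
        if session["failures"] >= MAX_FAILURES:
            return "locked"                    # only this session is "locked"
        if correct:
            return "ok"
        session["failures"] += 1
        return "retry"


class AccountCounter:
    """Fix: failures and the lock are stored against the account, not the session."""

    def __init__(self):
        self.failures, self.locked = {}, set()

    def start_login(self, user):
        return {"user": user}

    def second_factor(self, session, correct):
        user = session["user"]
        if user in self.locked:
            return "locked"                    # survives a new login attempt
        if correct:
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
        return "retry"


def wrong_guesses_evaluated(backend, user="alice", logins=500):
    """Regression check: wrong answers the backend evaluates across fresh logins."""
    evaluated = 0
    for _ in range(logins):
        session = backend.start_login(user)
        for _ in range(MAX_FAILURES + 1):
            if backend.second_factor(session, correct=False) == "retry":
                evaluated += 1
    return evaluated
```
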

  • Go after microsoft (Score:5, Interesting)

    by bl8n8r ( 649187 ) on Sunday September 27, 2009 @02:23PM (#29558215)
    I'm concerned about the potential that malware has to disrupt civilian systems from stuff like waste treatment all the way to energy facilities. The same vulnerabilities that allow your bank creds to be pwned are the same ones that could be used to disrupt systems we need for heat or clean water. There needs to be stiffer penalties for neglecting to fix security problems.
  • Re:Sweden rocks (Score:4, Interesting)

    by jonbryce ( 703250 ) on Sunday September 27, 2009 @02:24PM (#29558219) Homepage

    In Britain you get

    Username (the most difficult thing to remember), password, and some top secret information like Mother's maiden name or date of birth.

    Or, some banks, mainly in the HBOS group, will send you a code by text message which you have to enter into the website. This is vulnerable to man in the middle attacks.

    Some banks (Royal Bank of Scotland Group, Nationwide, Barclays) have a calculator sized device where you insert your debit card, type in your debit card pin number and a number displayed on the website, and get another number off the device which you enter into the website. Again, this is vulnerable to man in the middle attacks and apparently other sorts of attacks as well.

  • by Anonymous Coward on Sunday September 27, 2009 @02:33PM (#29558307)

    The other problem is that the banks shunt *all* responsibility onto you. My parents were kind enough to begin investing in a mutual fund (for retirement..but not actually a retirement account) for me...when I was a child. That's some foresight. Not a lot of cash--I've already saved more in five years of working--it was mostly about teaching me the values of savings.

    In order to gain access to my account online and be able to manipulate things without a *ton* of paperwork, they require a form absolving them of *ALL* liability in event of account fraud. Furthermore, in the event of fraud--if my computer doesn't have antivirus they approve of (not that they published a list of approved a/v!), I'm liable not only for my losses--but theirs.

    Great--now I've got to do paper banking, and get charged *extra* for the paper statements. Worse, if I take the money out of the account--just to move it to another company or invest it myself (because I now officially hate them)--I'm going to get nailed with a capital gains tax that will hit me like two years of rent. Taxes are the IRS' way of locking you into a bank for life.

    So they've got my money, I really can't touch it, and the agreement is if I want to be able to shift it around online, *I'm* responsible for everything, including their acts of malfeasance (and that sort of agreement isn't just negligence...it's malicious). I'm sure they'll recognize clamAV right?

    Better yet, do you think their fraud team would understand in event of a problem when I said "The system that accessed your account has no AV, because it doesn't need it by definition?"--would you? You think they're going to give a damn and not fight tooth and nail when I say all my banking is done on a readonly checksummed VM image used only for secure banking?

    You've got to learn--security is not ONE PARTY'S responsibility. It's a multi-layer problem. I need to keep my system safe and clean, and they need to authenticate my transactions. As it is--if you gave me your checking account and bank routing number, I could clean your account out. It'd be illegal...but the system is set up to do it. In the face of this sort of problem, the only solution is both parties working to a solution.

    So yes, it should be the bank's problem--and they still shouldn't have to go onto your system to fix it.

  • by Anonymous Coward on Sunday September 27, 2009 @02:42PM (#29558355)

    I disagree. Software vendors should not be accountable for their bugs, unless they agree to be accountable for them.

    from WinXP EULA [microsoft.com]:

    Well I was going to put a quote from the EULA here, showing the disclaimer of warranty, but slashdot doesn't like all caps, and wouldn't let me. It says:

    Filter error: Don't use so many caps. It's like YELLING.

    The GPL [gnu.org] also has a disclaimer of warranty, but slashdot wouldn't let me include that either.

  • by ArsenneLupin ( 766289 ) on Sunday September 27, 2009 @03:56PM (#29558979)

    they would have to correctly guess your SiteKey image to attempt the attack

    They won't have to guess. If they've placed a MITM or rooted your windows box, they can just ask the bank in your name to supply the correct image.

  • Say the bank does not implement basic security measures such as monitoring brute force attempts, and someone brute forces your account ... how are YOU gonna prove you didn't just post your password on myspace? You can't! Only the bank can! It's better to put the burden on them, and have them, in turn, enforce security measures on the clients, because the other way around cannot work, and would screw over even the few of us who have a clue about comp.sec.

    Also, I would like to take this opportunity to point out that banks have had a few centuries of experience looking after their clients' cash .. it's their GOD DAMN JOB for fuck's sake.

  • by Opportunist ( 166417 ) on Monday September 28, 2009 @05:25AM (#29563385)

    Not at all. Why should it? The trojan will just make YOU do all the work for it.

    Scenario: You want to transfer 40 bucks to Aunt Bessy for that wonderful cake she sent you. You have one of those trojans in your box, though. This trojan got information from its maker that it should send whatever your account can possibly send without setting off alarm clocks at the bank to Mr. Hackme and sits quietly inside your box 'til the next time you log into your account.

    "Fortunately" most banks conveniently display the amount of money you have on the page, so the question how much money can be sent is trivial to answer. What happens now is that the trojan lets you enter all the data, but before sending it to the bank it changes Aunt Bessy's account number with that of Mr. Hackme, and those 40 bucks with whatever it can rip off. The bank will accept that input and return to you the information that you're gonna send your fortune to Mr. Hackme, which the trojan will "translate" to 40 bucks to Aunt Bessy, and ask for the confirmation. You confirm those 40 bucks, but in fact you just confirmed the trojan deal.

    The only way to thwart this is by sending not only a confirmation code but also the amount and account to send it to by SMS, and you verifying that this data is correct before punching in the code.
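A bank-side sketch of the confirmation scheme described in the comment above, which also applies the "only the last message is valid" and "rapid timeout" conditions raised earlier in the thread; it is an added example, not part of the original discussion and not any bank's code. The class, the 120-second lifetime, and the account names and amounts in the scenario are all constructed assumptions.

```python
import hmac
import secrets

CODE_TTL = 120  # seconds a code stays valid; assumed value


class TransferConfirmations:
    """Hypothetical bank-side store: one pending SMS code per user."""

    def __init__(self):
        self._pending = {}  # user -> (code, account, cents, issued_at)

    def issue(self, user, account, cents, now):
        """Create a code for exactly this transfer and return (code, sms_text)."""
        code = f"{secrets.randbelow(10**6):06d}"
        # A new request overwrites the old entry, so only the last code is valid.
        self._pending[user] = (code, account, cents, now)
        # The SMS repeats what the bank actually received, not what the PC shows.
        sms = f"Code {code}: pay {cents / 100:.2f} to account {account}"
        return code, sms

    def confirm(self, user, account, cents, code, now):
        """Accept the code only for the transfer it was issued for, once, in time."""
        entry = self._pending.pop(user, None)  # consumed even if the check fails
        if entry is None:
            return False
        good_code, good_account, good_cents, issued_at = entry
        if now - issued_at > CODE_TTL:
            return False
        if (account, cents) != (good_account, good_cents):
            return False
        return hmac.compare_digest(code, good_code)


def demo():
    """Constructed scenario: names, accounts and amounts are made up."""
    bank = TransferConfirmations()
    # The customer typed 40.00 to BESSY-001; the bank received something else.
    code, sms = bank.issue("alice", "HACKME-001", 950000, now=0)
    tampering_visible = "HACKME-001" in sms and "9500.00" in sms
    # A code obtained for the genuine transfer cannot confirm a different one.
    code, _ = bank.issue("alice", "BESSY-001", 4000, now=10)
    swapped = bank.confirm("alice", "HACKME-001", 950000, code, now=20)
    # A captured code is useless after one use or after the timeout.
    code, _ = bank.issue("alice", "BESSY-001", 4000, now=30)
    first = bank.confirm("alice", "BESSY-001", 4000, code, now=40)
    replay = bank.confirm("alice", "BESSY-001", 4000, code, now=41)
    code, _ = bank.issue("alice", "BESSY-001", 4000, now=50)
    late = bank.confirm("alice", "BESSY-001", 4000, code, now=50 + CODE_TTL + 1)
    return tampering_visible, swapped, first, replay, late
```

The SMS text only helps if the customer reads the amount and account before typing the code; the server-side binding covers the case where a code issued for one transfer is submitted with another.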

  • by Opportunist ( 166417 ) on Monday September 28, 2009 @05:37AM (#29563433)

    Since I worked for banks with exactly this problem, I can reassure you that even if they aren't responsible for the losses, they have a very keen interest in making the whole deal secure: Cost.

    You have NO idea how much money banks save by shifting the work of transfers to you, their customer. Banks shut down a lot of branches and laid off a lot of people because they don't need so many brick and mortar outlets and tellers anymore. Now imagine people lost faith in the security of online banking, to the point where they consider it untrustworthy enough to demand their human monkeys again to do their work. The losses due to bank fraud have been laughable in comparison (we're talking 7 and 8 digits savings here, and we're not even close to huge corporations like the BoM).

    Furthermore, banks could not even easily return to brick and mortar transactions if everybody suddenly stopped using online banking, some banks are by now very dependent on online banking, to the point where they would quickly lose customers simply because there are no local branches anymore.

  • by MeanMF ( 631837 ) * on Monday September 28, 2009 @10:27AM (#29565441) Homepage
    But I think that at the moment their financial interest is in making online banking fast and convenient, not making it secure. Maybe someday people will begin to stop using online banking, but we're nowhere near that point yet. One sure way to drive people away today would be to implement mandatory two-factor authentication or other inconvenient security measures. A lot of people would take their business elsewhere. No bank is going to do that unless ALL of the banks are forced to do it. And that means either regulation or making them responsible for the losses.
