6101739
story
Comments: 140 +- News: Cyber Gangs Raise Profile of Commercial Online Bank Security on Sunday September 27, @12:26PM
Posted
by
Soulskill
on Sunday September 27, @12:26PM
from the only-you-can-prevent-identity-theft dept.
from the only-you-can-prevent-identity-theft dept.
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicmoney.gif); width:84px; height:74px;
money
background: url(//a.fsdn.com/sd/topics/topicnews.gif); width:60px; height:66px;
news
tsu doh nimh writes "The Washington Post's Security Fix blog has published a rapid-fire succession of investigative stories on the theft of hundreds of thousands of dollars from companies, schools, and public institutions at the hands of organized cyber thieves and 'money mules,' willing or unwitting people recruited via online job scams. Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs. Last week, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules. The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball. Most recently, the Post's series outlined a sophisticated online system used by criminals to recruit, track and manage money mules."
Related Stories
: by
Executive ability is prominent in your make-up.
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2010 Geeknet, Inc.
I like Bank of America's approach (Score:5, Interesting)
I have accounts at a few different financial institutions and have to say that despite all their other problems I think Bank of America has about the best two-factor authentication scheme I've seen so far.
Cell phones are extremely common these days, and BoA has leveraged that ubiquity. You can set up your account so that any time you attempt to log on the bank will send you an SMS text message with a totally random 6 digit number. You have to enter that number as you're logging into their website (along with your regular password). Since they're using an out-of-band method of sending you the random code the chances of it being intercepted are extremely small. And since it can only be used once then even a keylogger can't defeat it. The only type of attack that I think would work in this situation would be a man-in-the-middle attack, which is very unlikely as well.
Re:I like Bank of America's approach (Score:5, Interesting)
I can think of a *lot* of attacks on that. Most of them just as illegal as the intended crime...but...yeah... It's technically trivial to intercept SMS data. As it is, you can already see the fraud shops working around it--the new trojans send an alert to some amazon-turk type person in the middle of nowhere when you login, and just hide a window that gets relayed to them. While you're logged in, they can do very bad things...
Also, as somebody working in an industry that once depended on SMS. Let me tell you the service is ridiculously unreliable. How'd you like not being able to log into your bank b/c you couldn't get an SMS? In the US I can tell you from experience that any given vendor will have SMS "down" for about four days (total) a year.
Finally--even if it can only be used once, a keylogger can defeat it, unless only the last message is valid, and/or there's a rapid timeout. All I need to do is make the keylogger a little aggressive, and popup a box prompting you for *two* passwords. Of course, the first one actually goes to the bank--the second one crossposts to evil.com so I can login later today and drain you.
I realize--it's probably a "small" concern--but when you need your bank info--you often *need* it quickly.
Looks, there's a lot of *good* technologies out there to help filter this. The credit card companies use some of them. But in the case of banks, what's going on is outright criminal negligence that they refuse to fix.
Parent
Re: (Score:2)
Depends on what they are targeting, if they are targeting the money directly ... sure. If they are however targeting the bank and it's stock price things can get very ugly.
Lets say that at the moment there is yet another remote hole in windows making a large percentage of computers vulnerable. A hacker exploits that and installs trojans and instead of making a botnet logs bank transactions for a while, then with enough data it starts falsifying them but engineered in such a way to avoid heuristics. Best cas
So close ... and yet so FUCKED (Score:2)
It's a good approach, almost ... but it doesn't stop trojans at all. Why didn't they go the extra mm and make it secure? This is no better than the little calculator I have at home which generates a random number using my card and my pin, which doesn't stop trojans either.
What they should have done is send the transaction details and the confirmation code in the same SMS.
Re:So close ... and yet ... (Score:2)
I don't get it. How's a trojan going to read an sms off my cell phone?
Re: (Score:3, Interesting)
Not at all. Why should it? The trojan will just make YOU do all the work for it.
Scenario: You want to transfer 40 bucks to Aunt Bessy for that wonderful cake she sent you. You have one of those trojans in your box, though. This trojan got information from its maker that it should send whatever your account can possibly send without setting off alarm clocks at the bank to Mr. Hackme and sits quietly inside your box 'til the next time you log into your account.
"Fortunately" most banks conveniently display the
Re: (Score:2)
The trojan will intercept the 6-digit code mentioned above when you type it into the computer.
And do what with it? Squirrel it away to be used later, when it's no longer valid?
Re: (Score:2)
Or it'll let you log in and quietly submit a transaction on your behalf every minute or two while you're logged on.
Re: (Score:3, Informative)
Just for instance ... it can connect to a server, retrieve a transaction from it and validate it with the key you just entered. The server at the same time sends off a couple of SMS to money mules.
Automation is the key.
Re:I like Bank of America's approach (Score:4, Insightful)
As Bruce Schneier recently pointed out [schneier.com], MITM attacks are now much more common, and likely to become widespread.
Now, if they used that cell phone message to authenticate the exact transaction you are performing, you'll be much more secure.
Of course, if it's too easy to update the cell phone number, all bets are off.
Parent
Re:I like Bank of America's approach (Score:4, Informative)
Parent
Re: (Score:2)
Re:I like Bank of America's approach (Score:4, Informative)
To successfully transfer funds out of your account, they would need you to authenticate via SMS twice - once to login and once to authenticate the transaction. If you know you haven't authorized any transactions, you simply should refuse any further authentication attempts.
I suppose they could make it appear that the original attempt failed. However, that should raise enough suspicion to cause you to log off. In addition, they would have to correctly guess your SiteKey image to attempt the attack. When you login, Bank of America displays a unique image of your choosing to ensure you're at the authentic site.
Parent
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Therefore, even a non-security conscious person should be very suspicious when their banking site asks them to authenticate via SMS due to a session timeout when they have never had to do so in the past and their only use of SMS in the past resulted from significant financial transactions.
Perhaps I expect too much from Joe Sixpack.
I think BoA is doing a reasonable jo
Re: (Score:2)
Re: (Score:3, Interesting)
Since I worked for banks with exactly this problem, I can reassure you that even if they aren't responsible for the losses, they have a very keen interest in making the whole deal secure: Cost.
You have NO idea how much money banks save by shifting the work of transfers to you, their customer. Banks shut down a lot of branches and laid off a lot of people because they don't need so many brick and mortar outlets and tellers anymore. Now imagine people lost faith in the security of online banking, to the point
Re: (Score:3, Interesting)
Re: (Score:2)
If the SMS message told you exactly what you were authorizing, it would go a long way towards defeating this kind of attack.
Exactly. And moreover, the attacker could always wait for you to submit a legitimate transaction, and submit his own (with different recipient, and different amount) instead. How would you spot that without the transaction details contained in the SMS?
Re: (Score:2)
What if you want to authorize a transaction but they just change the transaction to one they had already lined up earlier?
Re: (Score:3, Interesting)
they would have to correctly guess your SiteKey image to attempt the attack
They won't have to guess. If they've placed a MITM or rooted your windows box, they can just ask the bank in your name to supply the correct image.
Re: (Score:2)
So no one without a cellphone can have a BOA account?
Re:I like Bank of America's approach (Score:5, Informative)
https://www.paypal.com/securitykey
As for the alternative of getting in my answering the security questions for the account, I have used very hard to guess made up answers for the stupid security questions (I did not use real information).
An employee at the bank, where I have my checking account, recently suggested that I should do online banking. First I asked him if that would work with my computer which runs Linux, intead of Windows. He said Linux would work just fine. I then mentioned my concerns about security and the fake phishing emails that I get, which claim to be about my online banking account at their bank. I said, you know the ones that want me to click on some long complicated looking URL going to some foreign country, and then probably have me log-in and give them my user name and password. He said, "yes just ignore all of those fake email messages."
I also mentioned my concerns about keystroke loggers, although I added I have probably managed to secure my Linux computer, better than most average computer users do. However, a keystroke logger might still a slight possibility, even for my Linux computer, so I knew I wanted the additional protection of multi-factor authentication. I pulled my security key out of my pocket, and asked him if they offer two-factor authentication, using something like this. He said the did not offer anything like that. I told him that I would not feel comfortable doing online banking with them, because they do not offer multi-factor authentication.
Two-factor authentication may not be totally perfect, because most forms might still be vulnerable to a man-in-the-middle attack, but it would still be a major upgrade to their security. The cell phone plus 6-digit number in an SMS text message technique, that you said Bank One is using, also sounds great.
Parent
Re: (Score:3, Insightful)
I think as we see an increase in cellphone usage for common internet tasks, the "out of band" benefits of this scheme are going to be lost for many people.
Re: (Score:2)
Re: (Score:2)
The only type of attack that I think would work in this situation would be a man-in-the-middle attack, which is very unlikely as well.
Actually, those attacks are some of the most relevant in Europe, where they've been doing that sort of stuff for a while.
Although, strictly speaking, it's more 'man at your end', where they simply put trojans on systems that wait for you to, entirely legitimately, log into your account, and then simply send some money their way from your now-authenticated web browser.
Cahoot in the UK (Score:3, Interesting)
I emailed Cahoot about a flaw in their system, about 5 times as it happens, over a period of months, but only ever received stock replies. What happens is: you attempt a login with username/password. Then you get to a screen where you select 2 letters from a second password via drop down boxes. If you get that second page wrong a few times it tells you that your account is locked and you have to contact them. But you don't - your account is not locked. You can simply attempt another login. So if you know someone's username/password (username is visible when someone logs in so you just have to know their first password), then you get as many guesses as you like of their second password, and it doesn't vary the 2 letters it wants from that one. The drop down list gives a-z and 0-9. 36 * 36 isn't very many guesses to have to attempt.
Wow ... (Score:2)
Why do you bank with them?
Online banking with a single factor security is silly (two passwords are not two factors). I don't feel entirely safe with the code calculator my bank gives, but at least I know how to recognise large transactions (you can see by the way you have to enter the website verification number, not that they tell you that) so trojans could only ever hijack a small transaction.
I can haz lurid sensationalist hedlien? (Score:2)
Oooh, yooz no eeted it!
kthxbye!
P.S.: See, even the cats notice it!
Sweden rocks (Score:2, Informative)
Depending on your bank in Sweden, you either got:
* A user/pass combination that you input on their website. You then get a code that you input on a personal code generator thingy, and you get another code back that you enter on the website. (Downside: You need your code generator with you)
* A user/pass combination and one-time-use codes that you scratch off a card that you carry with you. (Downside: You gotta order more codes after a while)
* A digital ID encrypted on file, and a password that decrypts it. (
Re:Sweden rocks (Score:4, Interesting)
In Britain you get
Username (the most difficult thing to remember), password, and some top secret information like Mother's maiden name or date of birth.
Or, some banks, mainly in the HBOS group, will send you a code by text message which you have to enter into the website. This is vulnerable to man in the middle attacks
Some banks (Royal Bank of Scotland Group, Nationwide, Barclays) have a calculator sized device where you insert your debit card, type in your debit card pin number and a number displayed on the website, and get another number off the device which you enter into the website. Again, this is vulnerable to man in the middle attacks and apparently other sorts of attacks as well.
Parent
No thanks, nanny bank (Score:3, Insightful)
Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs
How exactly is this the banks' responsibility? And if is a bank's responsibility, are they going to go into my PC to fix it?
Re:No thanks, nanny bank (Score:4, Insightful)
Parent
Re:No thanks, nanny bank (Score:4, Informative)
" ... The point is that as long as banks are not responsible for the losses, they have no incentive to implement strong security measures on their websites. ..."
Actually, it goes beyond that. As long as banks are not responsible for the losses, they have an incentive to weaken security in order to maximize the number of clients in the available pool of clients, who actively online bank.
This lowers the cost of running the bank and therefore maximizes profits (which cannot be impacted by pesky requirements to provide compensation for breaches and customer losses via weak security).
Parent
Re: (Score:3, Interesting)
The other problem is that the banks shunt *all* responsibility onto you. My parents were kind enough to begin investing in a mutual fund (for retirement..but not actually a retirement account) for me...when I was a child. That's some foresight. Not a lot of cash--I've already saved more in five years of working--it was mostly about teaching me the values of savings.
In order to gain access to my account online and be able to manipulate things without a *ton* of paperwork, they require a form absolving th
Re: (Score:2)
Because the banks are the best placed to fix it.
Re: (Score:2)
And if is a bank's responsibility, are they going to go into my PC to fix it?
Here in Luxembourg, some banks actually force you to have an insecure PC. So yes, in that case they should take responsibility if it gets broken into.
Go after microsoft (Score:5, Interesting)
Re: (Score:2, Interesting)
I disagree. Software vendors should not be accountable for their bugs, unless they agree to be accountable for them.
from WinXP EULA [microsoft.com]:
Well I was going to put a quote from the EULA here, showing the disclaimer of warranty, but slashdot doesn't like all caps, and wouldn't let me. It says:
Filter error: Don't use so many caps. It's like YELLING.
The GPL [gnu.org] also has a disclaimer of warranty, but slashdot wouldn't let me include that either.
Re: (Score:2)
And also, food vendors should not be accountable for contamination, unless they agree to be accountable for it.
Re: (Score:2)
Re: (Score:2, Troll)
I'm concerned of the potential that malware has to disrupt civilian systems from stuff like waste treatment all the way to energy facilities. The same vulnerabilities that allow your bank creds to be pwned are the same one that could be used to disrupt systems we need for heat or clean water. There neds to be stiffer penalties for neglecting to fix security problems.
Er, no. The fucktards that connect water, power, or sewage systems to the public Internet need to be taken out behind the chemical sheds and shot in the back of the head.
Re: (Score:3, Insightful)
How is MS or any vendor of computer hard- or software responsible for user stupidity?
Most of current malware infections are not due to an OS blunder or faulty software. It's social engineering, getting the user to launch a program he better not. From the obvious ones where you get an email from LAWYER telling you to open this attachment immediately and act OR ELSE, to the less obvious ones where you install a "crack" for something that also quietly installs a rootkit.
How could any OS avoid this? By requirin
survival of the fittest (Score:3, Insightful)
My two cents
1) Why should the bank be held responsible for something that is clearly the customer's responsibility? I.e. securing their fucking computer?
2) Maybe this will encourage folks to keep their computers locked down.
Mind you, I think that the bank should bend over backwards to help catch the bad guys. However, they cannot and should not be expected to police their client's computers...and likewise expecting them to pony up for something they can't prevent is also unfair.
The real enemy in this case, as usual, is the crook that did the hacking in the first place.
mod up (Score:2)
Yeah it's not like security is the banks' job ... (Score:3, Interesting)
Say the bank does not implement basic security measures such as monitoring brute force attempts, and someone brute forces your account ... how are YOU gonna prove you didn't just post your password on myspace? You can't! Only the bank can! It's better to put the burden on them, and have them, in turn, enforce security measures on the clients, because the other way around cannot work, and would screw over even the few of us who have a clue about comp.sec.
Also, I would like to take this opportunity to point o
Re: (Score:3, Insightful)
1) The security of financial transactions isn't "clearly the customer's responsibility" .. it is a problem that exists because there are two parties. The bank is one. The customer is the other. Both can take steps to reduce losses. Customers can secure their fucking computers. Banks can secure the fucking web page. Neither party will capture all of the gains from improving security. So, to answer your question.. banks should be held responsible (for some, perhaps most, but not all) of this type of security
Re:Hmm (Score:4, Insightful)
Parent