How Banker Trojans Steal Millions Every Day
redsoxh8r notes a blog post describing in some detail the operation of "man-in-the-browser" Trojans used to empty victims' bank accounts. "Banker Trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."
The problem is Bob (Score:5, Insightful)
Just R'ed the FA, and my first reaction was "Bob's an idiot."
First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.
Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.
Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.
Fourth, he continues to use this browser after it exhibits strange behavior.
Fifth, he ignores red flags like unexplained 'Safety Pass' requests.
If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.
Re:Well... (Score:3, Insightful)
There are two choices:
a) Build the perfect system. Complicated to do. Users will not understand it and still be vulnerable to scams.
b) Build a simple system and use trust. For example, you can revert transactions from your bank account that you didn't authorize within 14 days.
Everyone that works in a bank today knows that stuff isn't secure. But it doesn't really matter because damages are small, and the profits cover mistakes quite easily.
Re:I have a simple solution (Score:4, Insightful)
The first property crime happened the day property was invented.
So what you're saying is, the solution to theft is communism?
Re:Well... (Score:5, Insightful)
The issue is, as always, EDUCATE THEM.
You can educate them but they won't care. Look at how hard it is for a lot of these types of people to even browse the internet, something that is designed to be really easy to use. Even with education you run the risk of them remembering only misinformation and making them paranoid. Look at the '90s and people thinking ZOMG COOKIES ARE VIRUSES!!!11!111!1! and rather than doing sane things, they just kept up the paranoia. The last thing we need is people scared to go to a generic site because it's not secured with HTTPS even though it doesn't need to be.
Paranoia is almost worse than being ignorant, especially in a business. Being ignorant -may- cost the company money, being paranoid -will- cost the company money.
Re:The problem is Bob (Score:2, Insightful)
My, how high is that horse you're on! Think about Bob for a minute. Bob's not a techie. Bob doesn't seem to mind those pop-ups he gets when he turns on his computer - they're just ads. Those ads on websites are relevant, and so are those emails that remind him to reset his Facebook/Paypal/Bank password. Bob also uses that computer work gave him when he logs into the online payroll processing account to make sure that you get paid this month. That's right, Bob's got other stuff in life to worry about than some stupid program on his computer. Would you like to convince Bob otherwise?
To start, you're going to have to acknowledge that Bob isn't an idiot. Bob might actually enjoy learning stuff about that computer - like how to make it faster and safer. Talk to Bob like a human being because he's not trying to screw up. Bob's just doing the best he knows how.
Oh yeah, one other thing: you can't fire Bob because he's your boss. Being nice to him might help you out.
I think Banks Don't Actually Care (Score:4, Insightful)
I'm thinking of some past conversations I've had with people in banking and payment systems. I have a suspicion based on some of those conversations and what we actually see. Banking has two related security problems:
1) They think they don't need to care (and might be somewhat right)
2) Leadership in the industry largely just doesn't have the ability to tell who's good at security.
As an industry, bankers have long naturally had an awful lot of clout legally and politically, and so they're very used to dealing with problems that way. It might not be particularly more expensive to hire some good security professionals and developers to get their systems right than it would be to do some lobbying for harder penalties, more attention from specialized law enforcement, some kind of public insurance against this kind of theft and fraud, and most importantly, laws that push the liability onto other parties (remember, being a banker means *never* having to take any responsibility!), but I suspect they're a lot more practiced at the latter approach than the former. And this is *before* you get into some of the darker corners of banking. There is no small number of people who will tell you a little bit of looseness in the system is a feature, not a bug, because it makes it a lot easier to handle money for, shall we say, extralegal enterprises.
And while it might not be more *expensive* to hire good security professionals, it's probably harder. As the old saying goes, it takes one to know one. The banking community knows good lawyers and lobbyists. They don't really know what computer security looks like.
Re:The problem is Bob (Score:2, Insightful)
Just R'ed the FA, and my first reaction was "Bob's an idiot."
I think you might be overreacting a bit.
First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.
Fair point, but what if Bob is accessing his own, personal bank account from home?
Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.
Read the article a little more closely; it specifies an infection via cross-site scripting, not a download. I don't think he can be considered an "idiot" for not researching every search engine listing for reliability before visiting the site.
Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.
See point 2.
Fourth, he continues to use this browser after it exhibits strange behavior.
Again, I don't think it qualifies someone as an "idiot" if they don't do a complete system security review every time their browser crashes.
Fifth, he ignores red flags like unexplained 'Safety Pass' requests.
That's not necessarily a red flag, maybe his bank rechecks this periodically; I doubt, in that case, that most people would keep the schedule of these checks handy to sniff out any suspicious deviations.
If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.
Again, see point 2; companies aren't the only ones with bank accounts.
Re:fuckfuck (Score:3, Insightful)
This is how I spent my afternoons.
Gah. Here I am married with kids and holding a steady job. I've wasted my life!!!
Re:Well... (Score:4, Insightful)
That's because the customers are the ones who lose out in cases of "identity theft". Banks have no culpability, so they don't care so much. If they did, the transactions would be much more closely and securely performed.
Re:Test (Score:1, Insightful)
Mac users.
Re:The problem is Bob (Score:3, Insightful)
Bob isn't an idiot, he's a typical windows user.
In general I agree with you. In this case, I think you have it wrong on Bob and he's really a tool.
My mom knows jack sh1t about computers, and jack just left town. But multiple times, she surprised me by mentioning how she called the bank when experiencing something dodgy, deleted strange mails, used the laptop instead when her desktop displayed strange behavior, etc. She notices, like most human beings, when something is out of the ordinary. Bob noticed, too -- but with copious amounts of stupidity, managed to do the wrong thing.
Re:Well... (Score:4, Insightful)
The Nationwide device/scheme appears to be heavily flawed in that it is trivially susceptible to a very simple form of replay attack it seems.
It is better than the previous scheme that Nationwide had in place, which required me to invent and remember a favourite colour for example, which is why I haven't whinged about this, and it could work very well with more intelligent programming at the server end (i.e. I think the current hardware already issued is fine).
But I do hope Nationwide realises how broken the current scheme is, and fixes it soon.
Regards,
Damon
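What "more intelligent programming at the server end" can look like, as an added example that is not part of the thread and not Nationwide's actual scheme (the thread gives no details of it): a constructed server-side verifier for a challenge-response token. The replay weakness Damon describes arises when a captured response stays valid; the fix is to issue a fresh random challenge per transaction, bind the response to the transaction details, and accept each challenge at most once. The device secret, customer id and transaction fields below are all hypothetical.

```python
import hashlib
import hmac
import os
import time


class ChallengeResponseVerifier:
    """Bank-side verifier for a hypothetical hardware token (constructed example).

    The token shares a per-customer secret with the bank and computes
    HMAC-SHA256(secret, challenge | amount | destination), truncated to the
    8 hex characters a customer would type back. The server binds every
    challenge to exactly one transaction and consumes it on first use, so a
    captured response cannot be replayed or attached to a different payment.
    """

    def __init__(self, device_secrets, ttl_seconds=120):
        self.device_secrets = device_secrets   # customer_id -> token secret (bytes)
        self.ttl = ttl_seconds                 # how long a challenge stays valid
        self.pending = {}                      # challenge -> (customer, txn, issued_at)
        self.consumed = set()                  # challenges already accepted once

    def issue_challenge(self, customer_id, txn, now=None):
        """Create a fresh, unpredictable challenge bound to this transaction."""
        now = time.time() if now is None else now
        challenge = os.urandom(16).hex()
        self.pending[challenge] = (customer_id, dict(txn), now)
        return challenge

    @staticmethod
    def expected_response(secret, challenge, txn):
        """What an honest token computes; the server recomputes the same value."""
        msg = f"{challenge}|{txn['amount']}|{txn['dest']}".encode()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:8]

    def verify(self, customer_id, challenge, response, txn, now=None):
        """Return (accepted, reason). Every rejection names the failed check."""
        now = time.time() if now is None else now
        if challenge in self.consumed:
            return False, "replayed challenge"          # the attack in the thread
        entry = self.pending.get(challenge)
        if entry is None:
            return False, "unknown challenge"
        owner, bound_txn, issued_at = entry
        if owner != customer_id:
            return False, "challenge issued to another customer"
        if now - issued_at > self.ttl:
            del self.pending[challenge]
            return False, "challenge expired"
        if bound_txn != txn:
            return False, "transaction does not match challenge"
        expected = self.expected_response(self.device_secrets[customer_id], challenge, txn)
        if not hmac.compare_digest(expected, response):   # constant-time compare
            return False, "bad response"
        del self.pending[challenge]
        self.consumed.add(challenge)                      # single use from here on
        return True, "ok"


def demo():
    """Walk one legitimate payment, then the replay and tampering attempts."""
    secret = b"constructed-token-secret"                  # hypothetical value
    bank = ChallengeResponseVerifier({"alice": secret}, ttl_seconds=120)
    txn = {"amount": "100.00", "dest": "ACCT-DEMO-1"}       # constructed transaction

    # Legitimate flow: server issues a challenge, token answers, server accepts.
    c1 = bank.issue_challenge("alice", txn, now=1000)
    r1 = ChallengeResponseVerifier.expected_response(secret, c1, txn)
    first = bank.verify("alice", c1, r1, txn, now=1010)

    # Replay: the very same response submitted again is refused.
    replay = bank.verify("alice", c1, r1, txn, now=1020)

    # Tampering: a valid response reused for a different amount/destination.
    c2 = bank.issue_challenge("alice", txn, now=1000)
    r2 = ChallengeResponseVerifier.expected_response(secret, c2, txn)
    altered = {"amount": "9000.00", "dest": "ACCT-OTHER-9"}
    tampered = bank.verify("alice", c2, r2, altered, now=1010)

    # Stale: the correct response arrives after the challenge window closed.
    expired = bank.verify("alice", c2, r2, txn, now=2000)

    return {"first": first, "replay": replay, "tampered": tampered, "expired": expired}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

A device whose code depends only on time or a counter, and not on the challenge and the payment details, leaves the replay and tampering checks with nothing to bind to; that is the difference between a token that merely proves possession and one that signs the transaction.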
Re:No no no! Please! (Score:3, Insightful)
Really? Forced to type a whole PIN? Did you also go to the bank manager and complain "Gosh, Mr. Banker, please don't make me be so responsible for my money!"
Since you seem to like convenient access to your cash, do you just tape your money to the outside of your clothes so you don't have to go through all the work of digging in your pocket, pulling out your wallet, opening it up, and removing the bills? Or rather than counting, do you just hand your wallet to the bus driver and ask the driver to "take whatever?" My guess is you take better care of your personal pocket money than that. So why would you expect less security from a bank who you *pay* to hold and protect your money?
Which would you select if you were given this choice: A) Full insurance against theft from your account if you use the e.dentifier; or B) No insurance on your account but you don't need the e.dentifier. I'm pretty sure a bank wouldn't even want to offer choice B because they wouldn't want to have to tell those customers "sorry but your money is all gone and there's nothing we can do for you."