Forgot your password?
typodupeerror
Security The Almighty Buck News

How Banker Trojans Steal Millions Every Day 183

Posted by kdawson
from the in-ur-browzer-stealin-ur-dataz dept.
redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts. "Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."
This discussion has been archived. No new comments can be posted.

How Banker Trojans Steal Millions Every Day

Comments Filter:
  • Well duh! (Score:5, Funny)

    by pitchpipe (708843) on Monday February 22, 2010 @10:37PM (#31239944)

    Banker trojans have become a serious problem

    Look at how much they stole from the American taxpayer! Oh wait, you're talking about computers.

    Speaking of Trojans, they didn't even lube it up before they put it in our ass!

  • We need to develop greater use of proveable correctness in bank security, promote the use of isolated secure workstations for private banking transactions online, and use contractual incentives and accountability to incentivize better security systems.

    Seriously, how about a physical random token generator where someone has to enter what the token currently displays each time they make a transaction for an account with a $5000+ balance, or more than $500 in a single transaction, or $1000 in a day? Or simila

    • Re: (Score:3, Interesting)

      by T Murphy (1054674)
      The second attack scenario would get around this, as it just "corrects" payments you try to make so that they go to a different account. Using an SMS with a confirmation message could avoid this, though.
      • Re:Well... (Score:4, Informative)

        by Cryacin (657549) on Monday February 22, 2010 @11:03PM (#31240130)
        Here in Australia, the Commonwealth Bank does exactly this. If you are entering a new account to transfer money to, it will send out a confirmation SMS with a code to your phone. The next time you transfer within a bound of amount to a particular account, it assumes that this account is OK to transfer to, thus reducing the inconvenience of the number confirmation system, and saving the bank an SMS.

        No security system is perfect, and there will always be a way around anything you do, but intelligent security layers like this hinder the chances of a cash mule being sent dud money, as every transaction and every piece of security is handled at the mid tier, and the web page remains a dumb client, simply passing information to be confirmed to a trusted server.
      • The problem is, for a lot of these people, having an SMS wouldn't work because they don't have texting (not uncommon in the US). Look at "Bob" in the example in TFA, he represents a large number of Americans with A) Access to technology B) Experience with strange security policies that don't make sense and C) A machine running an insecure OS. Using an SMS wouldn't work for one main reason:

        It would have to be turned off by default (not everyone wants a $.10+ additional text message charged on their cell
        • The issue is, as always, EDUCATE THEM. Seriously. It's not good enough to just edumacate the young ones, so you can improve shit when they're older and the previous generation is dead. What you do is you beat it in to the damn skulls of anyone too thick to get it, or you have them sign a waiver saying they can only access their money in-branch since they cannot comply with the more stringent security measures.

          • Re:Well... (Score:5, Insightful)

            by Darkness404 (1287218) on Monday February 22, 2010 @11:32PM (#31240324)

            The issue is, as always, EDUCATE THEM.

            You can educate them but they won't care. Look at how hard it is for a lot of these type of people to even browse the internet, something that is designed to be really easy to use. Even with education you run the risk of them remembering only misinformation and making them paranoid. Look at the '90s and people thinking ZOMG COOKIES ARE VIRUSES!!!11!111!1! and rather than doing sane things, they just kept up the paranoia. The last thing we need is people scared to go to a generic site because its not secured with HTTPS even though it doesn't need to be.

            Paranoia is almost worse than being ignorant, especially in a business. Being ignorant -may- cost the company money, being paranoid -will- cost the company money.

            • Either they will learn or they won't be making wire transfers online--wire transfers are not a particularly common method of moving money in the US due to the high costs and as such are only used for special transactions (ACH transfers are far more common...though usually limited to movement between your own accounts and the auth process is not instant)

              I would guess that the people who don't know how to check voicemail do not have a big overlap with the people who want to wire money.

          • by ls671 (1122017) *

            > The issue is, as always, EDUCATE THEM.

            If everybody was well educated in all spheres of life, we would live in a perfect world ! ;-)

            "EDUCATE THEM" as a solution sometimes seems to me like utopia.

            I am really sorry to say that. Of course, trying to educate people is a noble cause but sometimes it is a hard task to fulfill.

          • by Ltap (1572175)
            You can only educate people who want to be educated. The problem is that most people don't consider this a concern (i.e.: "It could never happen to me!") until it does, sort of like with identity theft. They will only educate themselves after the fact.

            Basically, the baby won't know that the fire hurts until it tries to play with it.
        • by Meumeu (848638)

          It would have to be turned off by default (not everyone wants a $.10+ additional text message charged on their cell phone bill

          Wait, you have to pay to receive an SMS?? Even when I'm abroad receiving an SMS is free...

      • Re: (Score:3, Informative)

        by powerspike (729889)
        My bank does this. If you try to send funds to an account you haven't before, you HAVE to sms verify, it's great. Transfer funds, get a window asking for the sms verification code. If i got one randomly i'd call up support asap. Another thing the bank does - is send out emails, but it tells you up the top they'll never put links in the emails, and to visit the site like they normally do. While this is upto the intelligence of the user in the end, the more they see the message, the more likely they'll be no
        • by lgw (121541)

          The point of TFA wa that SMS verification does nothing to protect your from MitB attacks. You type the verification code into your browser, and it sends that code to the attacker, who uses it to empty your account during the minute or so the code is valid.

    • Re: (Score:3, Insightful)

      There are two choices:

      a) Build the perfect system. Complicated to do. Users will not understand it and still be vulnerable to scams.

      b) Build a simple system and use trust. For example, you can revert transactions from your bank account that you didn't authorize within 14 days.

      Everyone that works in a bank today knows that stuff isn't secure. But it doesn't really matter because damages are small, and the profits cover mistakes quite easily.

      • Re:Well... (Score:4, Insightful)

        by PitaBred (632671) <slashdot@NoSPaM.pitabred.dyndns.org> on Tuesday February 23, 2010 @12:44AM (#31240776) Homepage

        That's because the customers are who lose out in cases of "identify theft". Banks have no culpability, so they don't care so much. If they did, the transactions would be much more closely and securely performed.

        • Re:Well... (Score:4, Informative)

          by hitmark (640295) on Tuesday February 23, 2010 @06:57AM (#31242622) Journal

          give the man a +1. Ever since modern banking and lending started of back in the 1700s, the risk have been shifted from the lender/banker to the customer. cant pay your debt, bye bye security. Bank account gets zeroed, customer was careless with access info. Basically, the same party that holds the most to gain, also holds the least risk. Just like in a las vegas casino, the odds favor the "house"...

        • Money mules loose too (not that banks give a damn about them) and if we could get people to understand that there is no such thing as a free lunch and laundering money is a bad idea all those transactions could be traced and the banks that get them could be told 'go get Ivan or don't expect wire transfers in the future.' The local banks would do it just to reduce the paperwork they have to do and save some money.

    • Re:Well... (Score:4, Informative)

      by plover (150551) * on Monday February 22, 2010 @11:25PM (#31240282) Homepage Journal

      Done. There's already a cryptographic device that offers near-perfect cryptographic security for web banking. ABN AMRO uses it for their e.dentifier2 [abnamro.nl] device. The brilliant part is that the trust lies only within the card's chip and the handheld device, never only the PC or the browser. It's exactly what a bank should provide: end to end encryption of the user's authorization to perform a transaction, where both ends are created and maintained by the bank.

      Now we just need a bank that's willing to deploy those here in the U.S.

      • by PitaBred (632671)

        Why can't we use a cell phone as a proxy for this? A lot more people have those, and the vectors for attack go down significantly if the attacker has to both intercept cell communications (hard, but not impossible) and bug the correct computer. Combining the two seems like it'd be close enough to perfectly secure while still being more usable and built on existing infrastructure.

        • Re:Well... (Score:5, Informative)

          by plover (150551) * on Tuesday February 23, 2010 @01:16AM (#31240964) Homepage Journal

          Why can't we use a cell phone as a proxy for this?

          Because the cell phone is reprogrammable, and so ultimately can't be trusted. You might get a virus or install some kind of Trojan horse J2ME app that pretends to be your PIN pad, but makes large withdrawals silently in the background after you enter the PIN for a legitimate transaction. A cell phone is actually the worst possible place, because it can go on-line immediately and start abusing your account right up until you yank the battery (or go broke.)

          The best possible security will come from the bank supplying the end user with both the card and the PIN Entry Device. Sure, they might want to offer it in a cell-phone-carrying-case-form-factor (think iPhone cradle with a PIN pad on the back.) Slightly ugly but more convenient to carry. But it needs its own dedicated PIN pad and display.

          The first version of the e.dentifier was even more secure than this one IMHO because it did NOT have the convenient USB port. The user had to type in the values into the pad manually. The security advantage is the air gap is something no hacker can ever bridge (without resorting to social engineering, extortion, or threats of violence.) Mind you, this device is probably plenty secure as long as it can never be re-flashed or re-programmed through the consumer facing USB port.

          RSA actually offers credit card form factor devices with a little 10-key pad and a one line LCD display. They are used for SecurID tokens where the user has to enter a PIN to get the generated #. The same form factor would make an excellent bank card where you don't have to carry around the extra little device to use it.

          • Re:Well... (Score:5, Informative)

            by squizzar (1031726) on Tuesday February 23, 2010 @03:33AM (#31241750)

            We've got something like this in the UK, and I'm sure there are plenty of other places that have them. You can't make a transaction without getting the correct cryptographic response from the card using the card reader. Here's a picture: http://www.nationwide.co.uk/rca/How-does-it-work/find.htm [nationwide.co.uk]

            I don't like the sound of a USB type device, because it seems that there is some possibility it could be interfered with in the same way as the recently discovered chip+pin break. In fact I'm quite surprised they came up with what seems to be a pretty well implemented system, given that they seem to have tried pretty hard to make design mistakes with c+p

            • Re:Well... (Score:4, Insightful)

              by DamonHD (794830) <d@hd.org> on Tuesday February 23, 2010 @06:29AM (#31242494) Homepage

              The Nationwide device/scheme appears to be heavily flawed in that it is trivially susceptible to a very simple form of replay attack it seems.

              It is better than the previous scheme that Nationwide had in place, that required me to invent and remember a favourite colour for example, which is why I haven't whinged about this, and it could work very well with more intelligent programming at the server end (ie I think the current hardware already issued is fine).

              But I do hope Nationwide realises how broken the current scheme is, and fixes it soon.

              Regards,

              Damon

              • Re: (Score:2, Interesting)

                by sproot (1029676)
                You might be right, I don't know enough about it, but I didn't think it was susceptible to replay attacks.
                The card reader generates a validation code for a transaction based on the amount and destination account number, and it's only valid for that txn. Changing the details before submitting them (mitm) would fail, as would resubmitting different details with the same code (is that what you mean?)
          • We need cell phones to have a hard switch that changes them between normal "powerful" mode and a limited secure mode.

            Then you could do simple things like authentication and digital signatures in secure mode (e.g. transferring money), and do everything else in the normal mode.

            Without something physical that can't be overridden with software, there is no way to be sure secure is really secure.

            Of course, something physical is still vulnerable if someone gets physical access to your device for some period of ti

      • When you said near-perfect security, you were not kidding. Here is a customer's testimonial [savingadvice.com] confirming that very point.

        Absolute worst service I have ever encountered with any institution. I left Holland after being a client of ABN for over a year, for a year of traveling. I desperately needed a new e.dentifier, but after many emails and many phone calls to the bank, it seems like they are doing everything in their power not to be of help. They said they can only send it to my Amsterdam address, which is use

      • This device uses a time-dependant (be it iterative or time-synchronised) password. It requires no input from the bank it self. The device simply gives you a number, you type it into the log-in screen and you're logged in.
        Once logged in, a hi-jacked browser could pretty much change the account information on-the-fly during a transfer (the browser screen says your transfering money to the merchant you're buying from, but secretly the trojans changes it on the fly, so the bank is actually ordered to transfer m

    • I have noticed in IT an almost physical revulsion of the idea of upgrading. I can't count the times I have worked on a system and found it to be several versions out of date, the reason? "Well it works".

      No, it does not.

      While for some software new releases indeed only happen to sell more copies and add useless features, for production software and OS, security, reliability and bug fixes tend to be improved. If nothing else, then at least you present a moving target.

      A lot of exploits happen with code BASED

  • by Meshach (578918)
    This is somebody's blog describing some hypothetical situation. "Oh no! My browser session is going to get hacked." Seems just as likely someone working at the bank could steal your account or someone behind you at the atm seeing your pin. This article was not worth the five minutes I spent reading it.
    • Re: (Score:2, Interesting)

      by Dunbal (464142) *

      This article was not worth the five minutes I spent reading it.

      Congratulations on being the only person on slashdot to actually read an article!

      Seriously, it's never impossible to get compromised, but security has come a long way, what with tokens and forced password changes every 30 days and forced complex passwords (at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits). To log in I need both my password which is ente

      • Re: (Score:3, Informative)

        by LordArgon (1683588)

        (at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits)

        I'm nullifying several mod points to comment, but... This is actually really stupid. Putting too many constraints on passwords makes them less secure, not more. Your bank has drastically reduced the set of possible passwords and thereby made them easier to guess.

    • Re:News? (Score:4, Interesting)

      by Darkness404 (1287218) on Monday February 22, 2010 @11:07PM (#31240160)
      Sure, but its a -lot- easier to prove that John Smith working at the bank got your PIN and made a withdraw of $XXX on X day. Its quite hard to get money from Vladimir Hacker who lives in Russia. While it might be easy to trace an IP, if it is outside of the US jurisdiction, theres not that much you can do. Yeah, you -might- be able to get the money back, but Vladimir Hacker can still do the same thing to someone else and no doubt it will require a lot of paperwork to get your money back.
      • by jimicus (737525)

        Sure, but its a -lot- easier to prove that John Smith working at the bank got your PIN and made a withdraw of $XXX on X day.

        Even if you have good reason to believe John Smith knows your PIN, proving it is going to be next to impossible.

        First you have to persuade the bank that someone else knows your PIN through no fault of your own. How do you prove this to the satisfaction of a huge organisation which is set up at every level to assume that this is physically impossible?

        Next you have to convince them that not only did someone else find your PIN, that someone was one of their staff. As opposed to, say, the postman who's on a l

    • by jhol13 (1087781)

      MITB attack happened in Finland just a month ago. If criminals are willing to attack a very small audience with a very difficult language[1] what do you think, is this happening to bigger banks?

      One bank now requires SMS *reply* for "suspicious" transfers. Note that the query and reply both go through SMS so it is much harder to crack - MITB is not enough.

      [1] They did use English, but that does decrease the success rate a lot.

  • The problem is Bob (Score:5, Insightful)

    by bughunter (10093) <<ten.knilhtrae> <ta> <retnuhgub>> on Monday February 22, 2010 @10:49PM (#31240056) Journal

    Just R'ed the FA, and my first reaction was "Bob's an idiot."

    First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.

    Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.

    Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.

    Fourth, he continues to use this browser after it exhibits strange behavior.

    Fifth, he ignores red flags like unexplained 'Safety Pass' requests.

    If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.

    • by T Murphy (1054674) on Monday February 22, 2010 @10:57PM (#31240096) Journal
      But no matter how quickly you fire Bob, the thieves still have that money, and they will continue to make more attacks. The point isn't to blame the victim, but to figure out how to prevent them from becoming victims in the first place. I'm tempted to join the "he deserved it" crowd, but that is far outweighed by my hate for the jerks who prey upon these people.
      • Re: (Score:3, Interesting)

        by bughunter (10093)

        But no matter how quickly you fire Bob, the thieves still have that money

        That statement misses the point.

        First, I have a chance to detect Bob's dangerous behavior before the thieves do. Your "no matter how quickly" statement assumes they get to Bob before I do.

        Second, my point is, if it weren't for Bobs, these thieves would be looking at boobies on channel 9 and filing TPS reports instead of collecting ill-gotten booty. Bob is a root cause. (Thieves' greed is another.)

        The point isn't to blame the victim, but to figure out how to prevent them from becoming victims

        Bob's not the victim, in this scenario. I am. Bob is the exploit.

        At least you demonstrate my underlying poi

      • Other employees will be more likely to read and use the IT security SOPs.

         

    • by zappepcs (820751) on Monday February 22, 2010 @11:03PM (#31240126) Journal

      Bob isn't an idiot, he's a typical windows user. Not to ping on MS, but they do manage to capture the low end of the market in that respect. A vast majority of computer users think that computer programmers are modern day wizards, and blindly trust that only bad programmers build bad programs. Further there are only two kinds of programs, good ones and bad ones like viruses and malware. Any program that is not bad is good, and has things like virus checking and mind reading built into them. Stack overflow is a card mishap at the casino and cross site scripting sounds like a multi site movie writers program.

      These warped expectations leads to things like ... well, like Bob.

      Bob and his friends are why so many virus and malware programs are profitable, so in a sad way, Bob is right.

      • Re: (Score:3, Insightful)

        by cerberusss (660701)

        Bob isn't an idiot, he's a typical windows user.

        In general I agree with you. In this case, I think you have it wrong on Bob and he's really a tool.

        My mom knows jack sh1t about computers, and jack just left town. But multiple times, she surprised me by mentioning how she called the bank when experiencing something dodgy, deleting strange mails, rather used the laptop when her desktop displayed strange behavior, etc. She notices, like most human beings, when something is out of the ordinary. Bob noticed, too -- but with copious amounts of stupidity, manage

      • by 1s44c (552956)

        Bob isn't an idiot, he's a typical windows user.

        So he is an idiot then.

    • There are , alas, too many Bobs in the world. Do you believe that most people using computers *aren't* dumb enough to do this? And since it only takes one occurrence to be compromised, it doesn't matter how quickly you fire him.
    • by geekmux (1040042)

      Just R'ed the FA, and my first reaction was "Bob's an idiot."

      First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.

      Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.

      Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.

      Fourth, he continues to use this browser after it exhibits strange behavior.

      Fifth, he ignores red flags like unexplained 'Safety Pass' requests.

      If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.

      Er, yeah, the real problem is when Bobs official title to you is "Sir", which far too often online ignorance rises with pay grade.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      My how high is that horse you're on! Think about Bob for a minute. Bob's not a techie. Bob doesn't seem to mind those pop ups he gets when he turns on his computer - they're just ads. Those ads on websites are relevant, and so are those emails that remind him to reset his Facebook/Paypal/Bank password. Bob also uses that computer work gave him when he logs into the online payroll processing account to make sure that you get paid this month. That's right, Bob's got other stuff in life to worry about than som

    • by gmuslera (3436)
      The key component there is visiting with an insecure browser a "trusted" site. No matter if uses an antivirus to check whatever he is aware to download, the site exploited a vulnerability on the browser (that if well is not named there, IE have all the tickets) and in that way compromised his machine (no matter if was with admin or just that user priviledges, for what have to do to be as user is enough).

      No matter neither if use secure or insecure connection, once he went to internet, is the machine and not
    • Re: (Score:2, Insightful)

      by ScaryMonkey (886119)

      Just R'ed the FA, and my first reaction was "Bob's an idiot."

      I think you might be overreacting a bit.

      First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.

      Fair point, but what if Bob is accessing his own, personal bank account from home?

      Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.

      Read the article a little more closely; it specifies an infection via cross-site scripting, not a download. I don't think he can be considered an "idiot" for not researching every search engine listing for reliability before visiting the site.

      Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.

      See point 2

      Fourth, he continues to use this browser after it exhibits strange behavior.

      Again, I don't think it qualifies someone as an "idiot" if they don't do a complete system security review every time their browser cra

    • First 3 would be a failure on your side not his for allowing this and not locking down the machine(s). 4th would be a failure of education, if he hasn't been told, how is he going to know. "Bob" is busy doing his job, not yours. 5th - this is 50/50, if he gets to many red flags, in doing his normal work, he's just going to ignore them all isn't he ? if i discovered a tech going on a warpath to fire another employee for not doing his job, i'd fire the tech on the spot There's two sides to every story.
    • by ls671 (1122017) *

      > he does it without scanning the downloaded files or researching the reliability of the publisher

      Is this what my nephew meant last week ?

      He talked to me about mj55 verifying sums and computerized signature to assure that all the nice free programs I download aren't viruses but I did not quite get everything...

    • Re: (Score:3, Informative)

      by jimicus (737525)

      Trojans have moved on a bit since a couple of years ago.

      You no longer need to be an utter moron or surfing to some dodgy websites to get infected. It's not unknown for rooted webservers to be serving up a side order of drive-by download (I have actually seen this happen on a respectable retailer's website).

      It no longer sticks out like a sore thumb - you won't, for instance, find that attempting to point your web browser at www.symantec.com mysteriously doesn't work.

      Your PC doesn't slow down to a total craw

  • This round of panic brought to you by Fireeye -- but rest assured, they can protect you from this latest 2-year-old+ threat.
  • We should just give away copies of all the best hack tools. As soon as they appear they should be all over the net for free. What will this do? Simple. It removes the monetary incentive to write good hacking tools. If what any idiot can download for free is as good as it gets then the money is sucked right out of the market for supplying tools.

    On top of that when you have every idiot out there using the best tools vendors WILL be forced to deal with the flaws a lot more quickly and release higher quality co

    • We should just give away copies of all the best hack tools.

      Most pentest software is already available for free (nmap, Cain and Abel, John the Ripper, etc)

      What will this do? Simple. It removes the monetary incentive to write good hacking tools

      No it won't. Like I said before, there are a lot of -good- hacking tools out there, the problem is, they are made for someone who knows about computers to use them, what script kiddies need is something with a GUI, with simple options and the ability to run on the OS they use (mostly Windows)

      These don't make them good hacking tools. All they do is make it easier to do one task. Most, if not all hacking too

      • So your answer is what? Continue with the losing proposition that is the status quo? lol. That isn't any answer at all.

        My point is there is good money being made by people making the tools that the crooks use. Take that money out of the hands of those people. Its not going to solve the problem but sooner or later everyone has to realize that there IS no "better" solution. At least it mitigates a part of the problem.

        Of course if you have a better idea, then by all means go out there and make your multi-billi

        • So your answer is what? Continue with the losing proposition that is the status quo? lol. That isn't any answer at all.

          I don't have the answer, if I did I might be a millionaire. My point wasn't to prove that I had the answers but rather to show that your answer didn't quite work the way you thought it would.

          My point is there is good money being made by people making the tools that the crooks use. Take that money out of the hands of those people. Its not going to solve the problem but sooner or later everyone has to realize that there IS no "better" solution. At least it mitigates a part of the problem.

          But its such a minor problem that it wouldn't really solve anything.

          If I -really- want 500 credit card numbers, would I A) Buy the software to collect the 500 credit card numbers or B) Buy the numbers directly from some Russian hacker? The only real buyers of script kiddie software is script kiddies which, altho

          • Well, then answer this question. Why are a whole lot of people making big bucks hocking malware? They're making that money because the software they have to hock is the best there is. Now, whether or not its the most technically sophisticated product or not is irrelevant. Heck, this is Slashdot, we all can just take a gander at the market for operating systems and see that the best selling software has little to do with technical quality...

            But the day you go to start selling your new wizz-bang botnet buildi

    • by Viceice (462967) on Monday February 22, 2010 @11:29PM (#31240304)

      The first property crime happened the day property was invented.

      So what you're saying is, the solution to theft is communism?

      • by 1s44c (552956)

        The first property crime happened the day property was invented.

        So what you're saying is, the solution to theft is communism?

        The solution to theft is to remove the incentive to steal. If the people writing cracking tools are not making money out of it they will soon stop.

        Getting vendors to fix their screwups will be a nice side effect.

    • by pnewhook (788591)

      Thats kinda like saying that guns are a problem in armed home robberies, so lets give everyone a gun, then there will be so many stupid people with guns firing them off that houses will have to be built with better security..

      The problem with your solution is that the internet will be so unsafe that no one will be able to use it for anything lest they be robbed blind. We might as well just throw out the computers and go back to manual bank transactions.

      • Re: (Score:3, Interesting)

        Or we can continue with the already totally unsafe Internet we already have. Anyone with a couple bucks and no scruples can do whatever they want on the 'net now. That isn't going to change.

        The truth is we need hell-of-a-lot-better quality software for people to use and the quickest and dirtiest way to get it is quite simple. If you go online with anything less, you get instantly robbed blind. Pretty soon we'll have better quality software. The truth is that right now most people just figure they're going t

  • Surely the good news (Score:3, Interesting)

    by bugs2squash (1132591) on Monday February 22, 2010 @11:32PM (#31240332)
    about so many groups using the same toolkit is that if you find a weakness in the toolkit then you can clear up multiple attacks all at once.
  • by lullabud (679893) on Monday February 22, 2010 @11:34PM (#31240356) Homepage

    I'm so pissed at Apple. I bought the toolkit and made a mobile botnet iPhone app with controller but they won't approve it. *sigh* Such bullshit, they don't approve anything!

    • by rockNme2349 (1414329) on Tuesday February 23, 2010 @12:04AM (#31240546)

      Dear lullabud,
       
      Thank you for submitting iBotnet to the App Store. We’ve reviewed iBotnet and determined that we cannot post this version of your iPhone application to the App Store because it duplicates existing functionality of the iPhone and is in violation of Section 3.1.337 from the iPhone Developer Program License Agreement.
       
      If you believe that you can make the necessary changes so that iBotnet does not violate the iPhone Developer Program License Agreement, we encourage you to do so and resubmit it for review.
       
      Regards,
      iPhone Developer Program

  • ... elected officials do better than that, and they get the girls.
  • by weston (16146) <westonsd@can n c e n t r a l.org> on Monday February 22, 2010 @11:51PM (#31240466) Homepage

    I'm thinking of some past conversations I've had with people in banking and payment systems. I have a suspicion based off of some of those conversations and what we actually see. Banking has two related security problems:

    1) They think they don't need to care (and might be somewhat right)
    2) Leadership in the industry largely just doesn't have the ability to tell who's good at security.

    As an industry bankers have long naturally had an awful lot of clout legally and politically, and so they're very used to dealing with problems that way. It might not be particularly more expensive to hire some good security professionals and developers to get their systems right than it would be to do some lobbying for harder penalties, more attention from specialized law enforcement, some kind of public insurance against this kind of theft and fraud, and most importantly, laws that push the liability onto other parties (remember, being a banker means *never* having to take any responsibility!), but I suspect they're a lot more practiced at the latter approach than the former. And this is *before* you get into some of the darker corners of banking. There are no small number of people who will tell you a little bit of looseness in the system is a feature, not a bug, because it makes it a lot easier to handle money for, shall we say, extralegal enterprises.

    And while it might not be more *expensive* to hire good security professionals, it's probably harder. As the old saying goes, it takes one to know one. The banking community knows good lawyers and lobbyists. They don't really know what computer security looks like.

    • by tlhIngan (30335)

      Banks don't care, because they don't have to.

      1) Legally, they're protected. Read your cardholder agreement and any agreements you have regarding online banking. Even the ones that claim "Zero Liability". At the very least, you need to have a PC with latest updates (OK), antivirus/antispyware software (there goes OS X, Linux and smartphones) with latest updates, approved browser and version (see a website...) and other junk. Oh, and if you access your account from any unapproved machine practically ever, poo

  • Use a trusted Live Linux CD (Ubuntu, Knoppix etc..) in a VM or boot your PC with it. Browse directly to your banks site and take care of business.

  • There are already physical random password generators- can they be directly plugged into the computer? If it either sends a password every few seconds or every time you are transmitting any financial information, it would require the attacker to stay in the middle to do anything. If the password generator uses the user input to help seed the password, shouldn't a MitM attack be foiled, as they cannot change the information and still have the password check out? The issue here is that the password generator
  • Not the ones for the kids. The ones for everyone...

    Except we take parts of pennies and do it a million times a day.

  • I know a non technical solution which even generate jobs, bring back the physical counter...

  • A good solution to phishing is PassWindow (no I have no connection to their product, I just think its a damn good idea). See www.passwindow.com for details of the system.

    Basically your card (ATM card, credit card, bank card or whatever) has a translucent window on it (translucent to make it hard to photocopy). This window contains segments like those on a 7 segment LED display. These segments are in a pre-defined pattern.

    When you log in, the bank generates another set of 7-segment patterns. When you hold yo

  • Windows Security Essentials anti-virus are not available in all countries. I am on the duty trip in the FSU and Windows Security Essentials Page informs me: "Not available in your country".

    Windows update checks for the authenticity of Windows.

    As a result on millions of computers the OS is un-updated and anti-virus is absent.

    In western countries the PCs have the authentic Windows, which is regularly updates itself, and an anti-virus. However, the majority of PCs in the world have a pirated Windows, no anti-v

    • by Tim C (15259)

      Windows update checks for the authenticity of Windows.

      As a result on millions of computers the OS is un-updated and anti-virus is absent.

      Running a copy of Windows that has failed WGA is no excuse for not running AV software, there are plenty of free alternatives to MS Security Essentials. (In fact that's a pretty late comer to the game, there has been free AV software available for years)

  • That's copyright infringement!

    Oh.
    Sorry, wrong thread.

  • Last time when I was in India, every time my brother made an ATM withdrawal he got a text message to his phone. Every time he made a big charge in the credit card he got a text message. Alerting people to withdrawals and transfers immediately would be a good first step. The banks get early warning and stop the fraud quickly. Of course you should not be able to change the alert phone number via the internet, and you should be able to set a threshold on the amount that triggers alerts.

Air is water with holes in it.

Working...