How Banker Trojans Steal Millions Every Day
redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts. "Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."
Well duh! (Score:5, Funny)
Banker trojans have become a serious problem
Look at how much they stole from the American taxpayer! Oh wait, you're talking about computers.
Speaking of Trojans, they didn't even lube it up before they put it in our ass!
Re: (Score:3, Insightful)
This is how I spent my afternoons.
Gah. Here I am married with kids and holding a steady job. I've wasted my life!!!
Re: (Score:2, Funny)
I, for one, welcome our new insect overlords, to kick your ass.
I LOL'd so hard (Score:2)
Your post is hilarious, but you're totally offtopic so I can't bring myself to mod you Funny.
Re: (Score:2)
Well... (Score:2)
We need to develop greater use of provable correctness in bank security, promote the use of isolated secure workstations for private banking transactions online, and use contractual incentives and accountability to incentivize better security systems.
Seriously, how about a physical random token generator where someone has to enter what the token currently displays each time they make a transaction for an account with a $5000+ balance, or more than $500 in a single transaction, or $1000 in a day? Or simila
Re: (Score:3, Interesting)
Re:Well... (Score:4, Informative)
No security system is perfect, and there will always be a way around anything you do, but intelligent security layers like this hinder the chances of a cash mule being sent dud money, as every transaction and every piece of security is handled at the mid tier, and the web page remains a dumb client, simply passing information to be confirmed to a trusted server.
Re: (Score:3)
It would have to be turned off by default (not everyone wants a $.10+ additional text message charged on their cell
Re: (Score:2)
The issue is, as always, EDUCATE THEM. Seriously. It's not good enough to just edumacate the young ones, so you can improve shit when they're older and the previous generation is dead. What you do is you beat it into the damn skulls of anyone too thick to get it, or you have them sign a waiver saying they can only access their money in-branch since they cannot comply with the more stringent security measures.
Re:Well... (Score:5, Insightful)
The issue is, as always, EDUCATE THEM.
You can educate them but they won't care. Look at how hard it is for a lot of these types of people to even browse the internet, something that is designed to be really easy to use. Even with education you run the risk of them remembering only misinformation and making them paranoid. Look at the '90s and people thinking ZOMG COOKIES ARE VIRUSES!!!11!111!1! and rather than doing sane things, they just kept up the paranoia. The last thing we need is people scared to go to a generic site because it's not secured with HTTPS even though it doesn't need to be.
Paranoia is almost worse than being ignorant, especially in a business. Being ignorant -may- cost the company money, being paranoid -will- cost the company money.
Re: (Score:2)
I would guess that the people who don't know how to check voicemail do not have a big overlap with the people who want to wire money.
Re: (Score:2)
> The issue is, as always, EDUCATE THEM.
If everybody was well educated in all spheres of life, we would live in a perfect world! ;-)
"EDUCATE THEM" as a solution sometimes seems to me like utopia.
I am really sorry to say that. Of course, trying to educate people is a noble cause but sometimes it is a hard task to fulfill.
Re: (Score:2)
Basically, the baby won't know that the fire hurts until it tries to play with it.
Re: (Score:2)
It would have to be turned off by default (not everyone wants a $.10+ additional text message charged on their cell phone bill
Wait, you have to pay to receive an SMS?? Even when I'm abroad receiving an SMS is free...
Re: (Score:3, Informative)
Re: (Score:2)
The point of TFA was that SMS verification does nothing to protect you from MitB attacks. You type the verification code into your browser, and it sends that code to the attacker, who uses it to empty your account during the minute or so the code is valid.
Re: (Score:2, Interesting)
You plug it into a computer and a 'blackhat' will create a MITM kind of situation, security lost...
The physical token *should not* contact the computer other than via user entry.
Re: (Score:3, Interesting)
Which is why a cell phone is a very good proxy. You have both the cell phone that should belong to you, and you have the login information for the bank. Not a bad system, and much more secure than captchas and such.
Re: (Score:2)
Uhuh, sure tough guy ... you can use a MITM attack on SSH tunnels with pre-existing key pairs.
You're wrong ... without reverse engineering the key from the physical device you can't get in the middle. To reverse engineer the key you have to dissolve chip cover, put probes on the naked die, try not to break it, find the key, put it back together and let the mark use it and THEN you can get in the middle ... not a very practical attack.
Re: (Score:2)
Re: (Score:2)
> such as "what IP address you are logging in from", before you enter your code.
The problem is that a significantly nonzero percentage of users are forced to use proxies where the IP address can (and does) change from request to request (and remember, a single web page can generate dozens or hundreds of individual HTTP requests -- one for each image, referenced .css file, embedded object, Javascript, etc). AOL and my employer's proxy server have done it for years, and it's only going to get worse with the
Re: (Score:3, Insightful)
There are two choices:
a) Build the perfect system. Complicated to do. Users will not understand it and still be vulnerable to scams.
b) Build a simple system and use trust. For example, you can revert transactions from your bank account that you didn't authorize within 14 days.
Everyone that works in a bank today knows that stuff isn't secure. But it doesn't really matter because damages are small, and the profits cover mistakes quite easily.
Re:Well... (Score:4, Insightful)
That's because the customers are who lose out in cases of "identity theft". Banks have no culpability, so they don't care so much. If they did, the transactions would be much more closely and securely performed.
Re:Well... (Score:4, Informative)
Give the man a +1. Ever since modern banking and lending started off back in the 1700s, the risk has been shifted from the lender/banker to the customer. Can't pay your debt, bye bye security. Bank account gets zeroed, customer was careless with access info. Basically, the same party that holds the most to gain also holds the least risk. Just like in a Las Vegas casino, the odds favor the "house"...
Re: (Score:2)
Money mules lose too (not that banks give a damn about them) and if we could get people to understand that there is no such thing as a free lunch and laundering money is a bad idea, all those transactions could be traced and the banks that get them could be told 'go get Ivan or don't expect wire transfers in the future.' The local banks would do it just to reduce the paperwork they have to do and save some money.
Re:Well... (Score:4, Informative)
Done. There's already a cryptographic device that offers near-perfect cryptographic security for web banking. ABN AMRO uses it for their e.dentifier2 [abnamro.nl] device. The brilliant part is that the trust lies only within the card's chip and the handheld device, never the PC or the browser. It's exactly what a bank should provide: end to end encryption of the user's authorization to perform a transaction, where both ends are created and maintained by the bank.
Now we just need a bank that's willing to deploy those here in the U.S.
Re: (Score:2)
Why can't we use a cell phone as a proxy for this? A lot more people have those, and the vectors for attack go down significantly if the attacker has to both intercept cell communications (hard, but not impossible) and bug the correct computer. Combining the two seems like it'd be close enough to perfectly secure while still being more usable and built on existing infrastructure.
Re:Well... (Score:5, Informative)
Why can't we use a cell phone as a proxy for this?
Because the cell phone is reprogrammable, and so ultimately can't be trusted. You might get a virus or install some kind of Trojan horse J2ME app that pretends to be your PIN pad, but makes large withdrawals silently in the background after you enter the PIN for a legitimate transaction. A cell phone is actually the worst possible place, because it can go on-line immediately and start abusing your account right up until you yank the battery (or go broke.)
The best possible security will come from the bank supplying the end user with both the card and the PIN Entry Device. Sure, they might want to offer it in a cell-phone-carrying-case-form-factor (think iPhone cradle with a PIN pad on the back.) Slightly ugly but more convenient to carry. But it needs its own dedicated PIN pad and display.
The first version of the e.dentifier was even more secure than this one IMHO because it did NOT have the convenient USB port. The user had to type in the values into the pad manually. The security advantage is that the air gap is something no hacker can ever bridge (without resorting to social engineering, extortion, or threats of violence.) Mind you, this device is probably plenty secure as long as it can never be re-flashed or re-programmed through the consumer-facing USB port.
RSA actually offers credit card form factor devices with a little 10-key pad and a one line LCD display. They are used for SecurID tokens where the user has to enter a PIN to get the generated #. The same form factor would make an excellent bank card where you don't have to carry around the extra little device to use it.
Re:Well... (Score:5, Informative)
We've got something like this in the UK, and I'm sure there are plenty of other places that have them. You can't make a transaction without getting the correct cryptographic response from the card using the card reader. Here's a picture: http://www.nationwide.co.uk/rca/How-does-it-work/find.htm [nationwide.co.uk]
I don't like the sound of a USB type device, because it seems that there is some possibility it could be interfered with in the same way as the recently discovered chip+pin break. In fact I'm quite surprised they came up with what seems to be a pretty well implemented system, given that they seem to have tried pretty hard to make design mistakes with c+p.
Re:Well... (Score:4, Insightful)
The Nationwide device/scheme appears to be heavily flawed in that it is trivially susceptible to a very simple form of replay attack it seems.
It is better than the previous scheme that Nationwide had in place, that required me to invent and remember a favourite colour for example, which is why I haven't whinged about this, and it could work very well with more intelligent programming at the server end (i.e. I think the current hardware already issued is fine).
But I do hope Nationwide realises how broken the current scheme is, and fixes it soon.
Regards,
Damon
Re: (Score:2, Interesting)
The card reader generates a validation code for a transaction based on the amount and destination account number, and it's only valid for that txn. Changing the details before submitting them (MITM) would fail, as would resubmitting different details with the same code (is that what you mean?).
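The transaction-bound scheme this reply describes, contrasted with the login-only token discussed elsewhere in the thread, as an added example that is not part of the original discussion: a simulated man-in-the-browser rewrites the transfer after the user has generated the code, and the bank verifies against what it actually received. The per-card secret, the account numbers and the bank-issued single-use challenge are constructed assumptions; the reply itself binds the code only to amount and destination, and the challenge is what additionally defeats exact replay.

```python
"""Transaction-bound authorization codes vs. login-only OTPs under a
man-in-the-browser (MitB). Constructed example; the secret and the
account numbers below are made up."""
import hashlib
import hmac
import secrets

# Constructed per-card secret. In a real deployment it lives in the card
# chip and the bank's HSM and never reaches the PC.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def transaction_code(secret: bytes, amount_cents: int, dest_account: str,
                     challenge: str) -> str:
    """Code the card reader displays: an HMAC over the transfer details
    (amount, destination) plus a bank-issued challenge, truncated to 8
    digits the user can type. The challenge is an assumption added here."""
    msg = f"{amount_cents}|{dest_account}|{challenge}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def login_otp(secret: bytes, counter: int) -> str:
    """Login-only token code (the 'time-dependent' device in the thread):
    it depends on the counter only, so it says nothing about any transfer."""
    digest = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


class Bank:
    """Server side. Verifies codes against the details it actually
    received, never against what the browser claims was displayed."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.open_challenges = set()   # issued but not yet consumed
        self.otp_counter = 0

    def new_challenge(self) -> str:
        c = secrets.token_hex(4)
        self.open_challenges.add(c)
        return c

    def transfer_with_code(self, amount_cents: int, dest_account: str,
                           challenge: str, code: str) -> bool:
        if challenge not in self.open_challenges:      # replayed or unknown
            return False
        expected = transaction_code(self.secret, amount_cents, dest_account, challenge)
        if not hmac.compare_digest(expected, code):    # details were altered
            return False
        self.open_challenges.discard(challenge)        # single use
        return True

    def transfer_with_login_otp(self, amount_cents: int, dest_account: str,
                                code: str) -> bool:
        expected = login_otp(self.secret, self.otp_counter)
        self.otp_counter += 1
        return hmac.compare_digest(expected, code)     # details never checked


def mitb_rewrite(form: dict) -> dict:
    """Simulated trojan: the user sees the original form, the bank gets this."""
    tampered = dict(form)
    tampered["dest_account"] = "MULE-ACCT-0000"   # constructed mule account
    tampered["amount_cents"] = 999_900
    return tampered


def run_scenario() -> dict:
    bank = Bank(CARD_SECRET)
    user_form = {"amount_cents": 12_500, "dest_account": "NL00-MERCHANT-1234"}
    results = {}

    # 1. Login-only OTP: the trojan relays the code, the altered transfer passes.
    code = login_otp(CARD_SECRET, bank.otp_counter)
    sent = mitb_rewrite(user_form)
    results["otp_tampered_accepted"] = bank.transfer_with_login_otp(
        sent["amount_cents"], sent["dest_account"], code)

    # 2. Transaction-bound code: the user keyed the details into the reader,
    #    so the code covers what the user saw, not what the trojan sends.
    challenge = bank.new_challenge()
    code = transaction_code(CARD_SECRET, user_form["amount_cents"],
                            user_form["dest_account"], challenge)
    sent = mitb_rewrite(user_form)
    results["bound_tampered_accepted"] = bank.transfer_with_code(
        sent["amount_cents"], sent["dest_account"], challenge, code)

    # 3. The untampered transfer with the same code is accepted exactly once.
    results["bound_legit_accepted"] = bank.transfer_with_code(
        user_form["amount_cents"], user_form["dest_account"], challenge, code)
    results["bound_replay_accepted"] = bank.transfer_with_code(
        user_form["amount_cents"], user_form["dest_account"], challenge, code)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```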
I have thought some about this (Score:3, Interesting)
We need cell phones to have a hard switch that changes them between normal "powerful" mode and a limited secure mode.
Then you could do simple things like authentication and digital signatures in secure mode (e.g. transferring money), and do everything else in the normal mode.
Without something physical that can't be overridden with software, there is no way to be sure secure is really secure.
Of course, something physical is still vulnerable if someone gets physical access to your device for some period of ti
Re: (Score:2)
Not enough (Score:2)
This device uses a time-dependent (be it iterative or time-synchronised) password. It requires no input from the bank itself. The device simply gives you a number, you type it into the log-in screen and you're logged in.
Once logged in, a hi-jacked browser could pretty much change the account information on-the-fly during a transfer (the browser screen says you're transferring money to the merchant you're buying from, but secretly the trojan changes it on the fly, so the bank is actually ordered to transfer m
Re: (Score:3, Insightful)
Really? Forced to type a whole PIN? Did you also go to the bank manager and complain "Gosh, Mr. Banker, please don't make me be so responsible for my money!"
Since you seem to like convenient access to your cash, do you just tape your money to the outside of your clothes so you don't have to go through all the work of digging in your pocket, pulling out your wallet, opening it up, and removing the bills? Or rather than counting, do you just hand your wallet to the bus driver and ask the driver to "take wh
How about simple upgrading? (Score:2)
I have noticed in IT an almost physical revulsion of the idea of upgrading. I can't count the times I have worked on a system and found it to be several versions out of date, the reason? "Well it works".
No, it does not.
While for some software new releases indeed only happen to sell more copies and add useless features, for production software and OS, security, reliability and bug fixes tend to be improved. If nothing else, then at least you present a moving target.
A lot of exploits happen with code BASED
Re: (Score:2)
I guess what they really need is out of band confirmation of the transaction. I.E. you don't type the little number you get from SMS or whatever into the browser. You SMS back to the bank a prearranged code that means OK, or anything else is NO. If you could trust USB plugged in devices with strong security somehow, you could of course send an RSA signed message back saying OK for this amount to this account. I wonder if you could create something with Air Gap that would somehow MD5 hash a combo of your 30
News? (Score:2)
Re: (Score:2, Interesting)
This article was not worth the five minutes I spent reading it.
Congratulations on being the only person on slashdot to actually read an article!
Seriously, it's never impossible to get compromised, but security has come a long way, what with tokens and forced password changes every 30 days and forced complex passwords (at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits). To log in I need both my password which is ente
Re: (Score:3, Informative)
(at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits)
I'm nullifying several mod points to comment, but... This is actually really stupid. Putting too many constraints on passwords makes them less secure, not more. Your bank has drastically reduced the set of possible passwords and thereby made them easier to guess.
Re: (Score:2)
No I'm sorry, it's my fault - there's no limit to password length. The password must contain AT LEAST 4 letters AND 4 characters. I just didn't type it very well.
Re:News? (Score:4, Interesting)
Re: (Score:2)
Sure, but it's a -lot- easier to prove that John Smith working at the bank got your PIN and made a withdrawal of $XXX on X day.
Even if you have good reason to believe John Smith knows your PIN, proving it is going to be next to impossible.
First you have to persuade the bank that someone else knows your PIN through no fault of your own. How do you prove this to the satisfaction of a huge organisation which is set up at every level to assume that this is physically impossible?
Next you have to convince them that not only did someone else find your PIN, that someone was one of their staff. As opposed to, say, the postman who's on a l
Re: (Score:2)
MITB attack happened in Finland just a month ago. If criminals are willing to attack a very small audience with a very difficult language[1] what do you think, is this happening to bigger banks?
One bank now requires SMS *reply* for "suspicious" transfers. Note that the query and reply both go through SMS so it is much harder to crack - MITB is not enough.
[1] They did use English, but that does decrease the success rate a lot.
Re:News? (Score:4, Funny)
The problem is Bob (Score:5, Insightful)
Just R'ed the FA, and my first reaction was "Bob's an idiot."
First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.
Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.
Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.
Fourth, he continues to use this browser after it exhibits strange behavior.
Fifth, he ignores red flags like unexplained 'Safety Pass' requests.
If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.
Re:The problem is Bob (Score:5, Insightful)
Re: (Score:3, Interesting)
But no matter how quickly you fire Bob, the thieves still have that money
That statement misses the point.
First, I have a chance to detect Bob's dangerous behavior before the thieves do. Your "no matter how quickly" statement assumes they get to Bob before I do.
Second, my point is, if it weren't for Bobs, these thieves would be looking at boobies on channel 9 and filing TPS reports instead of collecting ill-gotten booty. Bob is a root cause. (Thieves' greed is another.)
The point isn't to blame the victim, but to figure out how to prevent them from becoming victims
Bob's not the victim, in this scenario. I am. Bob is the exploit.
At least you demonstrate my underlying poi
Yeah but if you fire Bob (Score:2)
Other employees will be more likely to read and use the IT security SOPs.
Re: (Score:2)
The point is that Bob is an idiot, and should be more damn careful with his shit. If people would use some common sense, botnets wouldn't survive very well.
The obvious fact is that botnets do survive.
Bob may be an idiot, but there are many like him in very responsible positions.
Re:The problem is Bob (Score:5, Interesting)
Bob isn't an idiot, he's a typical windows user. Not to ping on MS, but they do manage to capture the low end of the market in that respect. A vast majority of computer users think that computer programmers are modern day wizards, and blindly trust that only bad programmers build bad programs. Further there are only two kinds of programs, good ones and bad ones like viruses and malware. Any program that is not bad is good, and has things like virus checking and mind reading built into them. Stack overflow is a card mishap at the casino and cross site scripting sounds like a multi site movie writers program.
These warped expectations lead to things like ... well, like Bob.
Bob and his friends are why so many virus and malware programs are profitable, so in a sad way, Bob is right.
Re: (Score:3, Insightful)
Bob isn't an idiot, he's a typical windows user.
In general I agree with you. In this case, I think you have it wrong on Bob and he's really a tool.
My mom knows jack sh1t about computers, and jack just left town. But multiple times, she surprised me by mentioning how she called the bank when experiencing something dodgy, deleting strange mails, rather used the laptop when her desktop displayed strange behavior, etc. She notices, like most human beings, when something is out of the ordinary. Bob noticed, too -- but with copious amounts of stupidity, manage
Re: (Score:2)
Bob isn't an idiot, he's a typical windows user.
So he is an idiot then.
Re: (Score:3, Funny)
Not all Windows users are called Bob.
Re: (Score:2)
Re: (Score:2)
As it turned out, being the program manager for Bob was perhaps the best paying job in the history of mankind. Don't knock Bob.
Re: (Score:2)
Actually, Mac users are generally about as stupid as Windows users. Linux users are only better because that OS is so damn fucking hard to use, you HAVE to be computer savvy just to get the shit to work (not that you can actually do anything useful with it as a desktop OS once its running though).
That's just so false it hurts. Ubuntu is easier, safer, and faster than any version of windows. It comes with all the software you would ever want and you don't even have to pay for it.
Bob would be an idiot on linux as well but there are still security benefits to a better designed OS.
Re: (Score:2)
Re: (Score:2)
Just R'ed the FA, and my first reaction was "Bob's an idiot."
First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.
Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.
Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.
Fourth, he continues to use this browser after it exhibits strange behavior.
Fifth, he ignores red flags like unexplained 'Safety Pass' requests.
If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.
Er, yeah, the real problem is when Bob's official title to you is "Sir", as far too often online ignorance rises with pay grade.
Re: (Score:2, Insightful)
My how high is that horse you're on! Think about Bob for a minute. Bob's not a techie. Bob doesn't seem to mind those pop ups he gets when he turns on his computer - they're just ads. Those ads on websites are relevant, and so are those emails that remind him to reset his Facebook/Paypal/Bank password. Bob also uses that computer work gave him when he logs into the online payroll processing account to make sure that you get paid this month. That's right, Bob's got other stuff in life to worry about than som
Re: (Score:2)
No matter neither if use secure or insecure connection, once he went to internet, is the machine and not
Re: (Score:2, Insightful)
Just R'ed the FA, and my first reaction was "Bob's an idiot."
I think you might be overreacting a bit.
First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.
Fair point, but what if Bob is accessing his own, personal bank account from home?
Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.
Read the article a little more closely; it specifies an infection via cross-site scripting, not a download. I don't think he can be considered an "idiot" for not researching every search engine listing for reliability before visiting the site.
Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.
See point 2
Fourth, he continues to use this browser after it exhibits strange behavior.
Again, I don't think it qualifies someone as an "idiot" if they don't do a complete system security review every time their browser cra
Re: (Score:2)
Re: (Score:2)
> he does it without scanning the downloaded files or researching the reliability of the publisher
Is this what my nephew meant last week?
He talked to me about mj55 verifying sums and computerized signature to assure that all the nice free programs I download aren't viruses but I did not quite get everything...
Re: (Score:3, Informative)
Trojans have moved on a bit since a couple of years ago.
You no longer need to be an utter moron or surfing to some dodgy websites to get infected. It's not unknown for rooted webservers to be serving up a side order of drive-by download (I have actually seen this happen on a respectable retailer's website).
It no longer sticks out like a sore thumb - you won't, for instance, find that attempting to point your web browser at www.symantec.com mysteriously doesn't work.
Your PC doesn't slow down to a total craw
Brought to you by fireeye! (Score:2)
I have a simple solution (Score:2)
We should just give away copies of all the best hack tools. As soon as they appear they should be all over the net for free. What will this do? Simple. It removes the monetary incentive to write good hacking tools. If what any idiot can download for free is as good as it gets then the money is sucked right out of the market for supplying tools.
On top of that when you have every idiot out there using the best tools vendors WILL be forced to deal with the flaws a lot more quickly and release higher quality co
Re: (Score:2)
We should just give away copies of all the best hack tools.
Most pentest software is already available for free (nmap, Cain and Abel, John the Ripper, etc)
What will this do? Simple. It removes the monetary incentive to write good hacking tools
No it won't. Like I said before, there are a lot of -good- hacking tools out there, the problem is, they are made for someone who knows about computers to use them, what script kiddies need is something with a GUI, with simple options and the ability to run on the OS they use (mostly Windows)
These don't make them good hacking tools. All they do is make it easier to do one task. Most, if not all hacking too
Re: (Score:2)
So your answer is what? Continue with the losing proposition that is the status quo? lol. That isn't any answer at all.
My point is there is good money being made by people making the tools that the crooks use. Take that money out of the hands of those people. It's not going to solve the problem but sooner or later everyone has to realize that there IS no "better" solution. At least it mitigates a part of the problem.
Of course if you have a better idea, then by all means go out there and make your multi-billi
Re: (Score:2)
So your answer is what? Continue with the losing proposition that is the status quo? lol. That isn't any answer at all.
I don't have the answer, if I did I might be a millionaire. My point wasn't to prove that I had the answers but rather to show that your answer didn't quite work the way you thought it would.
My point is there is good money being made by people making the tools that the crooks use. Take that money out of the hands of those people. It's not going to solve the problem but sooner or later everyone has to realize that there IS no "better" solution. At least it mitigates a part of the problem.
But it's such a minor problem that it wouldn't really solve anything.
If I -really- want 500 credit card numbers, would I A) Buy the software to collect the 500 credit card numbers or B) Buy the numbers directly from some Russian hacker? The only real buyers of script kiddie software is script kiddies which, altho
Re: (Score:2)
Well, then answer this question. Why are a whole lot of people making big bucks hawking malware? They're making that money because the software they have to hawk is the best there is. Now, whether or not it's the most technically sophisticated product or not is irrelevant. Heck, this is Slashdot, we all can just take a gander at the market for operating systems and see that the best selling software has little to do with technical quality...
But the day you go to start selling your new whiz-bang botnet buildi
Re:I have a simple solution (Score:4, Insightful)
The first property crime happened the day property was invented.
So what you're saying is, the solution to theft is communism?
Re: (Score:2)
The first property crime happened the day property was invented.
So what you're saying is, the solution to theft is communism?
The solution to theft is to remove the incentive to steal. If the people writing cracking tools are not making money out of it they will soon stop.
Getting vendors to fix their screwups will be a nice side effect.
Re: (Score:2)
That's kinda like saying that guns are a problem in armed home robberies, so let's give everyone a gun, then there will be so many stupid people with guns firing them off that houses will have to be built with better security..
The problem with your solution is that the internet will be so unsafe that no one will be able to use it for anything lest they be robbed blind. We might as well just throw out the computers and go back to manual bank transactions.
Re: (Score:3, Interesting)
Or we can continue with the already totally unsafe Internet we already have. Anyone with a couple bucks and no scruples can do whatever they want on the 'net now. That isn't going to change.
The truth is we need hell-of-a-lot-better quality software for people to use and the quickest and dirtiest way to get it is quite simple. If you go online with anything less, you get instantly robbed blind. Pretty soon we'll have better quality software. The truth is that right now most people just figure they're going t
Surely the good news (Score:3, Interesting)
Pissed at Apple (Score:4, Funny)
I'm so pissed at Apple. I bought the toolkit and made a mobile botnet iPhone app with controller but they won't approve it. *sigh* Such bullshit, they don't approve anything!
Re:Pissed at Apple (Score:5, Funny)
Dear lullabud,
Thank you for submitting iBotnet to the App Store. We’ve reviewed iBotnet and determined that we cannot post this version of your iPhone application to the App Store because it duplicates existing functionality of the iPhone and is in violation of Section 3.1.337 from the iPhone Developer Program License Agreement.
If you believe that you can make the necessary changes so that iBotnet does not violate the iPhone Developer Program License Agreement, we encourage you to do so and resubmit it for review.
Regards,
iPhone Developer Program
Re: (Score:2)
did I just get rickrolled via ASCII? wow...
Re: (Score:2)
Just FYI: You misspelled "aixelsyd" in your sig.
Chump change ... (Score:2)
I think Banks Don't Actually Care (Score:4, Insightful)
I'm thinking of some past conversations I've had with people in banking and payment systems. I have a suspicion based off of some of those conversations and what we actually see. Banking has two related security problems:
1) They think they don't need to care (and might be somewhat right)
2) Leadership in the industry largely just doesn't have the ability to tell who's good at security.
As an industry bankers have long naturally had an awful lot of clout legally and politically, and so they're very used to dealing with problems that way. It might not be particularly more expensive to hire some good security professionals and developers to get their systems right than it would be to do some lobbying for harder penalties, more attention from specialized law enforcement, some kind of public insurance against this kind of theft and fraud, and most importantly, laws that push the liability onto other parties (remember, being a banker means *never* having to take any responsibility!), but I suspect they're a lot more practiced at the latter approach than the former. And this is *before* you get into some of the darker corners of banking. There are no small number of people who will tell you a little bit of looseness in the system is a feature, not a bug, because it makes it a lot easier to handle money for, shall we say, extralegal enterprises.
And while it might not be more *expensive* to hire good security professionals, it's probably harder. As the old saying goes, it takes one to know one. The banking community knows good lawyers and lobbyists. They don't really know what computer security looks like.
Re: (Score:2)
Banks don't care, because they don't have to.
1) Legally, they're protected. Read your cardholder agreement and any agreements you have regarding online banking. Even the ones that claim "Zero Liability". At the very least, you need to have a PC with latest updates (OK), antivirus/antispyware software (there goes OS X, Linux and smartphones) with latest updates, approved browser and version (see a website...) and other junk. Oh, and if you access your account from any unapproved machine practically ever, poo
Safest way to bank: (Score:2)
Use a trusted Live Linux CD (Ubuntu, Knoppix, etc.) in a VM or boot your PC with it. Browse directly to your bank's site and take care of business.
Re: (Score:2)
The traffic still goes over your OS, so if it's compromised, you've lost.
The compromised OS might be logging keystrokes, but the actual traffic should at least be SSL, so the host wouldn't have access to it.
Not that I know anything about this (Score:2)
It's like the pennies tray at the cash register... (Score:2)
Not the ones for the kids. The ones for everyone...
Except we take parts of pennies and do it a million times a day.
I know a non technical solution... (Score:2)
I know a non-technical solution which even generates jobs: bring back the physical counter...
A good solution to phishing (Score:2)
A good solution to phishing is PassWindow (no, I have no connection to their product, I just think it's a damn good idea). See www.passwindow.com for details of the system.
Basically your card (ATM card, credit card, bank card or whatever) has a translucent window on it (translucent to make it hard to photocopy). This window contains segments like those on a 7 segment LED display. These segments are in a pre-defined pattern.
When you log in, the bank generates another set of 7-segment patterns. When you hold yo
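To make the card-overlay idea concrete, here is an added simplified model of such a one-time code, written for this thread and not PassWindow's own design or code: the card key is a random set of printed segments in each window cell, the bank sends only the remaining segments of the digit it wants the user to read, and what the user sees is the union of the two. The 7-segment layout, the one-or-two-printed-segments-per-cell card key, and the union (rather than any other optical) model are assumptions made here.

```python
import secrets

# Bits for one 7-segment cell: a=top, b=upper-right, c=lower-right,
# d=bottom, e=lower-left, f=upper-left, g=middle.
SEG = {s: 1 << i for i, s in enumerate("abcdefg")}

# Standard 7-segment encodings of the digits 0-9.
DIGITS = {
    0: "abcdef", 1: "bc", 2: "abdeg", 3: "abcdg", 4: "bcfg",
    5: "acdfg", 6: "acdefg", 7: "abc", 8: "abcdefg", 9: "abcdfg",
}
DIGIT_MASK = {d: sum(SEG[s] for s in segs) for d, segs in DIGITS.items()}
MASK_DIGIT = {m: d for d, m in DIGIT_MASK.items()}


def compatible_digits(card_cell):
    """Digits whose segments include every segment printed on this card cell."""
    return [d for d, m in DIGIT_MASK.items() if m & card_cell == card_cell]


def make_card(cells):
    """Card key (assumed model): each window cell gets one or two randomly
    printed segments, chosen so at least two digits stay displayable there."""
    card = []
    while len(card) < cells:
        cell = 0
        for _ in range(1 + secrets.randbelow(2)):
            cell |= 1 << secrets.randbelow(7)
        if len(compatible_digits(cell)) >= 2:
            card.append(cell)
    return card


def challenge_for(card, otp):
    """Server side: for each cell send only the segments of the wanted digit
    that the card does not already print. Raises if a digit cannot be shown."""
    challenge = []
    for cell, d in zip(card, otp):
        if d not in compatible_digits(cell):
            raise ValueError(f"digit {d} not displayable in this cell")
        challenge.append(DIGIT_MASK[d] & ~cell)
    return challenge


def make_challenge(card):
    """Server side: pick a random displayable digit per cell, return (otp, challenge)."""
    otp = [secrets.choice(compatible_digits(cell)) for cell in card]
    return otp, challenge_for(card, otp)


def overlay(card, challenge):
    """Client side: what the user reads when holding the card over the screen,
    i.e. the union of printed and displayed segments, mapped back to digits.
    A cell that forms no valid digit (wrong card) reads as None."""
    return [MASK_DIGIT.get(c | s) for c, s in zip(card, challenge)]


def candidate_otps(challenge):
    """Defender's view of what the screen alone leaks: per cell, the number of
    digits that contain the displayed segments; the product is the number of
    OTPs consistent with the challenge when the card key is unknown."""
    n = 1
    for s in challenge:
        n *= sum(1 for m in DIGIT_MASK.values() if m & s == s)
    return n


def render(mask):
    """ASCII rendering of one cell, to see what the overlay looks like."""
    on = lambda s: bool(SEG[s] & mask)
    top = " _ " if on("a") else "   "
    mid = ("|" if on("f") else " ") + ("_" if on("g") else " ") + ("|" if on("b") else " ")
    bot = ("|" if on("e") else " ") + ("_" if on("d") else " ") + ("|" if on("c") else " ")
    return "\n".join([top, mid, bot])


if __name__ == "__main__":
    card = make_card(6)
    otp, challenge = make_challenge(card)
    print("card + screen reads:", overlay(card, challenge), "expected:", otp)
    print("OTPs consistent with the screen alone:", candidate_otps(challenge))
    for c, s in zip(card, challenge):
        print(render(c), "\n+\n", render(s), "\n=\n", render(c | s), "\n", sep="")
```

The constraint that shows up immediately is the cost of this model: a cell can only display digits that are supersets of its printed segments, which is why the card key keeps each cell sparse. The `candidate_otps` count is the quantity a bank would want to keep large, since it is what a keylogger or screen-grabber on the infected PC sees without the physical card.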
Re: (Score:2)
Even if it doesn't stop every threat, it's still a good, simple, cheap idea that requires no extra hardware, software or electronics and nothing you would need to carry around with you.
And like any security, if an attack appears that can acquire enough information to steal money, it can be modified or replaced with something better. Just like DES was used for security in the past and was broken, so newer, stronger crypto was invented.
pirated Windows (Score:2)
Windows Security Essentials anti-virus is not available in all countries. I am on a duty trip in the FSU and the Windows Security Essentials page informs me: "Not available in your country".
Windows update checks for the authenticity of Windows.
As a result, on millions of computers the OS is not updated and anti-virus is absent.
In western countries the PCs have the authentic Windows, which regularly updates itself, and an anti-virus. However, the majority of PCs in the world have a pirated Windows, no anti-v
Re: (Score:2)
Windows update checks for the authenticity of Windows.
As a result, on millions of computers the OS is not updated and anti-virus is absent.
Running a copy of Windows that has failed WGA is no excuse for not running AV software; there are plenty of free alternatives to MS Security Essentials. (In fact that's a pretty late comer to the game; there has been free AV software available for years.)
Re: (Score:2)
I do not feel sorry for them either. But botnets cause problems for hosts. Hosts block the ISPs' IPs, and website owners and businesses suffer.
The truth is that Windows is also a free OS, like Linux, because, obviously, it is easy to pirate. Too easy, if it is routinely done even in developing countries.
But unlike Linux the free version of Windows does not update itself.
As for anti-virus, I do not know of a free anti-virus for Windows in, say, the Russian language. "Clamwin", "Avira", etc. do not have Russian language vers
That's not stealing! (Score:2)
That's copyright infringement!
Oh.
Sorry, wrong thread.
First send a text confirmation, please. (Score:2)
Re:Test (Score:5, Informative)
I agree it's not enough. They should also eliminate the use of any Windows computer by all banks. Seriously, name just one large botnet that contains no infected Windows machines. I dare you.
iServices.A is a Mac-only botnet that is distributed with pirated copies of iWork.
Re: (Score:2)
iServices.A is a Mac-only botnet that is distributed with pirated copies of iWork.
Oooh, scary [symantec.com]! A botnet with literally DOZENS of hosts:
"Threat Assessment
Wild
* Wild Level: Low
* Number of Infections: 0 - 49
* Number of Sites: 0 - 2
* Geographical Distribution: Low
* Threat Containment: Easy
* Removal: Easy"
Re: (Score:2)
It's not just Windows. It's the concept of using a full computer operating system for things as simple as ATMs. Using Windows for those is horrible, but using Mac, Linux or BSD is still pretty bad. Full computer OSes are bloated, and every megabyte of bloat contains potential security vulnerabilities. You need a specially designed minimal system that can't do anything except banking, since such a system would not only have very few vulnerabilities due to lack of size but would also not even be capable of ha
Re: (Score:2)
He said botnet, not buttnet.