Largest Ever Online Robbery Hits Swedish Bank
Posted by
Zonk
on Fri Jan 19, 2007 02:09 PM
from the put-your-bits-up dept.
ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started by a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"
In other news... (Score:5, Funny)
Re:In other news... (Score:4, Funny)
"Yorn desh born, der ritt de gitt der gue, Orn desh, dee born desh, de umn børk! børk! børk!"
Options (Score:2, Insightful)
Re: (Score:2, Insightful)
Re: (Score:2, Insightful)
Re: (Score:2)
According to whom?! (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Also, McAfee did provide details on the trojan. Read the third, fourth and fifth paragraphs of the article. Read the article next time.
Re: (Score:3, Informative)
I am not surprised... (Score:2, Insightful)
Those who are not into technology have no idea.... Look at my latest journal [slashdot.org]. You can have a PhD and fall for the simplest scam there is. Computers do seem to have this effect on people: their common sense fails because computers are somehow "Magic".
It's tragic if you ask me.
Re: (Score:3, Insightful)
Re: (Score:3, Funny)
Crime Doesn't Pay (Score:3, Insightful)
Re: (Score:3, Insightful)
$1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime.
Whilst this may be true in a country like the USA, it's worth noting that the difference between average incomes between western Europe and Russia make it more profitable than it might seem at first glance. The average yearly salary in Russia is around $4800, whilst the average salary in countries like the US and Sweden is about 8 times that.
Multiplying by 8 gives $66,116, and whilst I suspect such a figure would still not be worth the risk of being caught (and with 121 people involved, there's got to be
LULZ (Score:5, Funny)
the hard part (Score:4, Interesting)
The trick is getting cash transferred from someone's bank once you have their credentials.
Re: (Score:2)
Re: (Score:3, Informative)
Two-factor auth is really not that useful. Indeed, n-factor is not better than single factor. What is required for a transaction to be secure are the following:
Without BOTH of those, no additional factors will help.
Here's a short description of how the basic attack works. Your second factor is a SecurID or CryptoCard token. You key in your pin number and the value currently shown on that to
Re: (Score:3, Insightful)
Or possibly not a DNS lookup. Possibly just delaying ACKs and stuff on the outbound TCP connection to make the connection open more slowly and delay any useful receipt of data... or inserting bogus NAKs or... could be anything. The point is that an attacker would do something to delay the connection.
These sorts of flaws have been talked about for a while now. Man-in-the-middle attacks are hard to protect against, and impossible if one endpoint is the untrusted man in the middle. In this way, it is bas
Re: (Score:3, Informative)
Think it through: I have a keystroke logger on your PC. You type in your username (something you know) and your SecurID code (something you think you have
For these purposes, the SecurID
the ends justify the means? (Score:3, Funny)
the 'spam fighting' app almost did exactly what it was deceptively claiming to do;
bankrupt the people, force them to sell their technological idolatry, bam-- no more spam.
Victims (Score:5, Insightful)
No, that merely changes who the victims are. There is no such thing as "good news for the victims" unless the stolen money is recovered.
FDIC? (Score:5, Informative)
And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam, however I hope they now include something that says "if it was your fault someone else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandatory!
For those of you who have an ING account you know what their security is like. Nothing much that will hamper a real customer, but things that should stop non-customers.
Re: (Score:2)
I don't think so. The FDIC is more of a surety for the bank itself. In this case the bank wasn't actually the one robbed, the customers were digitally conned. It's a good business for FDIC itself as your premium as a bank would depend on your fraud record.
[this] bank is being pretty cool about it, probably because the phishing e-mail containing the trojan appeared to come from the bank's domain. It's a semi-dangerous public
Human factors (Score:3, Insightful)
We'll never get decent security as long as we set traps for users and call them idiots when they fall in.
The email containing the Trojan came from the bank's domain, apparently. Is it the fault of the users that email isn't authenticated? Are they idiots for not knowing how SMTP sessions can be spoofed?
How many places require software downloads to work? Include Flash and PDF readers in that list. Are people idiots for installing something that any non-expert would think came from their bank?
Do we
Re: (Score:2)
Single-use keys should make a keylogger pointless. I actually like that method more than the other company's. If they are generating codes based on a static PIN, that must be crackable.
I still prefer ones that have a decent selection of possible questions you will be asked (making a keylogger that much less effective), a VPK for your PIN (AKA your keyboard can NOT enter your PIN), and an identifier (Picture+phrase) so you know you ar
Sounds easy enough... (Score:2)
Re: (Score:2)
That's the problem, it's too easy. Robbers spam bank customers with phishing attack. Out of the thousands of customers, 121 dumbasses fall for it. Robbers transfer funds. Robbers go on vacation and buy a car. End of story.
You're missing all of the critical pieces of a Hollywood heist movie. No hostages? No heroes? No fictional wonder tool fabricated out of duct tape and an old microwave oven? There's not even room for a car chase or an explosion.
On another note, there's no
1 Million Dollars? (Score:2)
121 people involved? (Score:2)
Quoted.. (Score:3, Funny)
Incentives for The Bank (Score:3, Insightful)
All that not refunding the customer's money would accomplish is hurt a lot of people and discourage people from using online banking or encourage them to change banks. People are never going to become security gurus just so they can bank online and if you make banking online too risky or hard they will just give it up.
By making sure it is the bank who has to pay for security losses while still making sure people have some incentive (annoyance, possibility they might pay next time or losing $50) to be safe you end up with the best results. The bank is the entity that can roll out new security solutions and most easily improve security practices so giving them incentives to improve security is the best move.
Re: (Score:3, Insightful)
What bank issued your credit card? I've had to reverse charges multiple times for different reasons. I've been billed twice for the same item, I've been billed incorrect amounts, I even reversed a Paypal charge because the seller never sent the item.
In all cases it was simple (I have Citibank cards). Call up and tell them what charge you are disputing. Immediately you get a conditiona
Re: (Score:3, Interesting)
There's a rather humorous corollary to this, and since I feel loquacious
How about suspending accounts? (Score:2)
I'm hoping that the banks at least suspended and revoked the privilege of online banking from the users in question. If you can't take care not to download trojans/etc online that affect online banking, you shouldn't be allowed to do your banking online.
Re: (Score:2)
Bank: You all suck at online skills, so you can't use our online banking services!
Customers: Bye!
Bank: What?
Ex-Customers:
Simple, ain't it? Also, actions like that will have other customers leave.
However, in reimbursing the customers, despite it being their fault, they have created a VERY good image for the bank.
not really an incentive (Score:2)
Largest ever robbery? (Score:3, Interesting)
Anyway, I highly doubt that this was the largest ever online robbery, maybe it was the largest phishing attack.
Re: (Score:2)
Predefined one-time keys are insecure (Score:5, Informative)
I was curious about the security protocol for Nordea bank and although links on the Nordea site are currently broken (an attempt to cover up?), I could find them on Google.
So the scammer just needs the fixed PIN code, plus a few of the one-time codes.
I used to have a bank account in Sweden with a different bank that uses a cryptographic challenge/response key generator, both for logging in and confirming a transaction. The website supplies you with a code number that you enter, as well as a PIN code. The device uses the code together with a secret key and the time from an internal clock and lets you send back the data.
Banks here in the Netherlands use similar systems, often with a generic card reader that uses a chip that is built into the bank cards. Others send a confirmation code by SMS to a mobile phone number that is registered to your account.
I think cryptographic systems are inherently much more secure than predefined one-time keys. The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction. Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.
Re: (Score:2)
Some banks have gone a step further and made the transaction amount as part of the challenge, meaning that even an attack like this would fail (since you transferring $20 to your landlord wouldn't match his attempt to withdraw all $21.54 in your account)
Re: (Score:2)
Short-time keys make the interception slightly more difficult, but essentially the intercept software would just have to immediately use the collected keys in the alternate transaction, rather than save them for later use. Same with SMS, or anything else; as long as the customer's PC is compromised, there's no way to guarantee that what the customer sees is what the bank sends, or that what the custo
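The "Predefined one-time keys are insecure" comment and its two replies above, together with the earlier SecurID discussion ("the hard part" thread), compare three ways a bank can authorise a transfer against a keylogger on the customer's PC. The following is an added example written for this page, not code from the thread, from Nordea, or from any token vendor; it models each scheme as a small server-side check and runs the attack the comments describe (capture what is typed, delay the customer's own request, submit the attacker's transfer first). The device key, the printed code list, the PIN, the timestamps and the "mule" account are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (not real customer secrets): one shared device key,
# a printed list of predefined one-time codes, and a static PIN.
DEVICE_KEY = b"constructed-per-customer-key"
PRINTED_CODES = ["4711", "8150", "2290", "6034"]
PIN = "1234"
STEP = 30  # seconds per window, as the thread describes for SecurID-style tokens
# The attacker's goal: redirect the transfer to a mule account (constructed values).
MULE, MULE_AMOUNT = "mule-account", "21.54"
VICTIM_TO, VICTIM_AMOUNT = "landlord", "20.00"

def time_code(key: bytes, now: int) -> str:
    """Six-digit token code that changes every STEP seconds (HMAC of the window counter)."""
    counter = (now // STEP).to_bytes(8, "big")
    mac = hmac.new(key, counter, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

def transaction_response(key: bytes, challenge: str, to: str, amount: str) -> str:
    """What a transaction-signing device returns: a MAC over the bank's challenge
    AND the destination and amount the customer keys into the device."""
    msg = f"{challenge}|{to}|{amount}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:8]

class PrintedListBank:
    """Static PIN plus predefined one-time codes; any unused code authorises any transfer."""
    def __init__(self) -> None:
        self.unused = set(PRINTED_CODES)

    def transfer(self, pin: str, code: str, to: str, amount: str) -> bool:
        if pin != PIN or code not in self.unused:
            return False
        self.unused.discard(code)      # each printed code is accepted once
        return True

class TimeTokenBank:
    """PIN plus time-based token code; valid for any transfer inside the 30-second window."""
    def transfer(self, pin: str, code: str, to: str, amount: str, now: int) -> bool:
        return pin == PIN and hmac.compare_digest(code, time_code(DEVICE_KEY, now))

class TransactionBoundBank:
    """Single-use challenge whose response commits to destination and amount."""
    def __init__(self) -> None:
        self.open_challenges = set()

    def challenge(self) -> str:
        c = secrets.token_hex(4)
        self.open_challenges.add(c)
        return c

    def transfer(self, challenge: str, response: str, to: str, amount: str) -> bool:
        if challenge not in self.open_challenges:
            return False
        expected = transaction_response(DEVICE_KEY, challenge, to, amount)
        if not hmac.compare_digest(response, expected):
            return False               # details were altered after the device signed them
        self.open_challenges.discard(challenge)
        return True

def attack_printed_list() -> bool:
    """Keylogger captures PIN and code; the proxy delays the customer's request and
    the attacker submits its own transfer first. True means the attack worked."""
    bank = PrintedListBank()
    captured_pin, captured_code = PIN, PRINTED_CODES[0]   # what the keylogger saw
    attacker_ok = bank.transfer(captured_pin, captured_code, MULE, MULE_AMOUNT)
    customer_ok = bank.transfer(PIN, PRINTED_CODES[0], VICTIM_TO, VICTIM_AMOUNT)
    return attacker_ok and not customer_ok   # attacker in, customer's own request now rejected

def attack_time_token(delay_seconds: int) -> bool:
    """Same relay against a 30-second token: works only inside the captured code's window."""
    bank = TimeTokenBank()
    typed_at = 1_000_020                    # constructed timestamp (start of a window)
    captured_code = time_code(DEVICE_KEY, typed_at)
    return bank.transfer(PIN, captured_code, MULE, MULE_AMOUNT, now=typed_at + delay_seconds)

def transaction_bound(proxy_rewrites: bool) -> bool:
    """Customer signs (challenge, landlord, 20.00) on the device. With proxy_rewrites the
    compromised PC swaps in the mule account and amount in flight; the bank then refuses."""
    bank = TransactionBoundBank()
    challenge = bank.challenge()
    response = transaction_response(DEVICE_KEY, challenge, VICTIM_TO, VICTIM_AMOUNT)
    to, amount = (MULE, MULE_AMOUNT) if proxy_rewrites else (VICTIM_TO, VICTIM_AMOUNT)
    return bank.transfer(challenge, response, to, amount)

if __name__ == "__main__":
    print("printed list, relayed code:    ", attack_printed_list())
    print("time token, replay after 25 s: ", attack_time_token(25))
    print("time token, replay after 60 s: ", attack_time_token(60))
    print("transaction-bound, altered:    ", transaction_bound(True))
    print("transaction-bound, honest:     ", transaction_bound(False))
```

The point the three checks make is the one the thread arrives at: a code that is valid for "any transfer" (printed list, or a time-window token used inside its window) is only as safe as the path between keyboard and bank, while a response that is computed over the destination and amount can be captured but not repurposed. What the example cannot model is the remaining gap the last reply points at: if the attacker controls the browser and gets the customer to key the attacker's destination and amount into the device, the signature is genuine, so the device itself has to show the customer what it is signing.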
Disappointed in you /.ers (Score:4, Funny)
In Soviet Russia, key logs you!
Or even better. In Soviet Russia, you gulag.
Perhaps, in Soviet Russia, bank robs you!
One last note, in Soviet Russia, Russian reversal jokes are funny.
It's a Windows trojan (Score:2)
The sender encouraged clients to download a "spam fighting" application.
The trojan in question only runs on Windows [symantec.com].
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
I'm not knocking Windows, the users contributed by not running antivirus software and not being terribly bright. But this is why I don't ever access any of my banking or investment accounts with Windows.
Just makes it that much harder to automate installation of a keylogger
incentives are where they belong (Score:3, Insightful)
Consumers are told by people who market computers that they are easy and safe to use. Consumers are told by internet service providers that online services are easy and safe to use. Consumers are told by banks that online banking is secure and convenient.
Aside from the criminals, who appear to have escaped without any consequences to them, the burden is falling where it should be, namely on agents who allow marketing over reality. While the
The customers didn't lose money. (Score:5, Insightful)
Antivirus may not help (Score:3, Insightful)
Often these guys use directed fraud mails written in reasonably good Swedish, so I wouldn't really doubt they have custom made keyloggers too to attempt to escape antivirus tools.
Sure, they could use detection by heuristics like some support, but then the accuracy falls rapidly, as well as the fact that not nearly all popular tools even support that.
What's needed here is that users don't become so naive when they sit down in front of a computer. To many, it seems like they then enter a world of safety where they don't have to think much and just click through mails that "look right" even if they ask for logon details that the banks have earlier been very careful to inform they'll never request. (because they already have that info, or can reset it at their whim anyway, duh!) The problem is that on the Internet, the exact opposite mostly holds true.
Re: (Score:2)
The phishing (well, not really phishing in my mind) emails told the people to download and install anti-spam software, and they did. No exploiting holes in Outlook or IE, none of that, just simply telling people "Install our keylogger. err, I meant to say our "anti-spam" software, yah...". It would have worked for Mac, or *nix, or anything else (It probably DIDN'T work for them, simply b/c the attackers did not see it as worth spending the extra time t
A Digipass make it secure? (Score:3, Insightful)
If your computer has been rooted, it really IS ball game over. Just sitting here thinking how I would exploit a rooted system that someone uses for banking...
1 - establish account offshore that offers SWIFT transfer (or other convenient inter-bank wire), and can deal with bank that requires no ID.
2 - Monitor victims on-line banking activity for a couple of months.
3 - Intercept after online session has next been established.
4a - Inject low level "noise" transfer, if victims balance is medium le