Largest Ever Online Robbery Hits Swedish Bank

ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started by a tailormade Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"

In other news...

[lixee]

In other news, Nordea is planning to relocate to Sealand.

Re:In other news...

[KUHurdler]

One witness [wikipedia.org] was heard saying:
"Yorn desh born, der ritt de gitt der gue, Orn desh, dee born desh, de umn børk! børk! børk!"

Options

[MrNaz]

Slashdot Option 1: Encourage stupid people by paying out when they do stupid things like believe email that reads "Dwonlaod tihs spam fihgting tool". Slashdot Option 2: Encourage banks to absorb financial responsibility of eCommerce mishaps and take the lead in system security. Can't... make... decision... brain... splitting... in... half...

Re:

[P3NIS_CLEAVER]

My bank now demands additional secrets if I try to log in from an IP that is different than the usual one. A little inconvenient but i am sure it helps.

Re:

[Poruchik]

And how does this help if your regular computer has a trojan?

Re:

[sholden]

The trojan can just perform the transactions itself... from your normal IP... probably using the auth cookie you just created...

Re:

[P3NIS_CLEAVER]

Note that I said "helps". There is no one method to secure a computer or transaction, only improvements.

Re:

[jgrahn]

You think that's a toughy, wait untill they announce the people responsible are the same ones who lost money.

This is a Swedish bank we're talking about.

Sweden != Switzerland.

According to whom?!

[rumith]

According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia.

And what has established Swedish police according to Swedish police? Why quote McAffee? What business do they have here?

Re:

[AutopsyReport]

Ever consider that perhaps McAfee was consulted on this matter?

Re:

[AutopsyReport]

They didn't quote on the number of suspects -- the "121 suspects" was an additional fact mentioned a sentence after the McAfee sentence. And you are reading the Slashdot summary, not the actual article.

Also, McAfee did provide details on the trojan. Read the third, fourth and fifth paragraph of the article. Read the article next time.

Re:

[Nemetroid]

No, this has been reported by Dagens Nyheter [www.dn.se], The Daily News, which is Sweden's largest and most serious newspaper.

I am not surprised...

[Corporate Troll]

Those who are not into technology have no idea.... Look at my latest journal [slashdot.org]. You can have a PhD and fall for the simplest scam there is. Computers do seem to have this effect on people: their common sense fails because computers are somehow "Magic".

It's tragic if you ask me.

Re:

[PadRacerExtreme]

So a PhD in medieval literature makes you an expert in computers and email? I am not saying that she shouldn't have known better (the SPAM indicator), but the PhD alone doesn't really matter. Besides some people are always looking for a get rich quick scheme.

Re:

[fbjon]

This is not a simple scam. Judging from my experience with the Finnish branch and the comments below, the Swedish branch also uses a unique id for every customer and a one-time password, printed on a list. The password was captured as it was entered on the real login page, after which the trojan displayed an "error" page, supposedly from the bank, saying that the system is down for maintenance. I don't see any authentication method that could prevent this, especially if the trojan piggybacks on the browser'

Re:

[fbjon]

Replying to myself, since I found out the difference between the Finnish and Swedish branches:

The Finnish branch says this scam won't work in their system, because they require a separate confirmation code to complete any transaction. The Swedish branch does not, so that's why capturing login info is sufficient to steal the loot.

Re:

[hritcu]

So it was targeted towards women: "Probably the promise of 850.000,00 turned of her common sense." Makes sense.

Crime Doesn't Pay

[Zzesers92]

$1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime. Zzesers

Re:

[arevos]

$1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime.

Whilst this may be true in a country like the USA, it's worth noting that the difference between average incomes between western Europe and Russia make it more profitable than it might seem at first glance. The average yearly salary in Russia is around $4800, whilst the average salary in countries like the US and Sweden is about 8 times that.

Multiplying by 8 gives $66,116, and whilst I suspect such a figure would still not be worth the risk of being caught (and with 121 people involved, there's got to be

Re:

[networkBoy]

just some quick math in my head:
4800 x 10 == 48,000 66,116 != 8 x 4800

Re:

[networkBoy]

should be an < between the 48,000 and 66,l16, sorry.

Re:

[arevos]

I was talking about multiplying the 8264.46 figure by 8. I probably should have been more specific, but I'd have thought it would have been obvious from the context.

Re:

[PW2]

> $1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime. Zzesers
 
This is the point in time when the fun begins -- the "smarter" team members start taking out some of the others and increasing their personal stash every few days

LULZ

[Anonymous Coward]

The biggest online robbery ever was a lousy million dollars? Oh come on, someone's gotta be able to do better than that. Get it in gear, people, it's 2007, we should be having way bigger cybercrimes by now. Someone hax0r the Gibson or something.

Re:

[Korin43]

Yeah seriously. All these people hyped up about "cyber terrorism" or "cyber theft" or other phrases involving computer and bad things, and the BIGGEST CYBER THEFT EVER is one million dollars? Wasn't there a movie where someone steals like 10 billion dollars from an international bank? That's way more cool..

Bigger ones

[Beryllium Sphere(tm)]

Citibank, 1994, US$10 million.

Security Pacific, 1974, about the same amount from someone who eavesdropped and social engineered his way past te security measures on the wire room.

the hard part

[Lord Ender]

Stealing passwords is trivially easy. Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.

The trick is getting cash transfered from someone's bank once you have their credentials.

Re:

[sglane81]

Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.

You don't keep "something you have" (keys, tokens, etc) or "something you are" (retina, fingers, etc) in your computer. Therefore, MITM (man in the middle) would not work even if someone pwns your computer. That is the whole point of two factor auth.

Re:

[FallLine]

You don't keep "something you have" (keys, tokens, etc) or "something you are" (retina, fingers, etc) in your computer. Therefore, MITM (man in the middle) would not work even if someone pwns your computer. That is the whole point of two factor auth.

Not quite. SecurID and similar schemes makes it a lot harder, but there's no reason why someone couldn't perform a man in the middle attack while the victim is attempting to log-into the service. Once the victim types in the key, they could simply cancel/kill

Re:

[Lord Ender]

That doesn't help much at all. Read past the press releases. There are many ways around this. The attacker could present the user with a fake browser window. He could modify the browser itself to insert transactions into a normal user-initiated session. The list goes on.

Re:

[dgatwood]

Two-factor auth is really not that useful. Indeed, n-factor is not better than single factor. What is required for a transaction to be secure are the following:

• A known secure endpoint (a computer without spyware)
• A secure communication channel between the two (https)

Without BOTH of those, no additional factors will help.

Here's a short description of how the basic attack works. Your second factor is a SecurID or CryptoCard token. You key in your pin number and the value currently shown on that to

Re:

[dgatwood]

Or possibly not a DNS lookup. Possibly just delaying ACKs and stuff on the outbound TCP connection to make the connection open more slowly and delay any useful receipt of data... or inserting bogus NAKs or... could be anything. The point is that an attacker would do something to delay the connection.

These sorts of flaws have been talked about for a while now. Man-in-the-middle attacks are hard to protect against, and impossible if one endpoint is the untrusted man in the middle. In this way, it is bas

Re:

[Lord Ender]

Like so many things in life, something you (know|have|are){2,} is an oversimplification. It's a lossy compression (if you will) of the much-more-complex science of authentication. This is why you misunderstand the subject.

Think it through: I have a keystroke logger on your PC. You type in your username (something you know) and your SecurID code (something you think you have :-). I then log in to your online bank app using the stuff you just typed and start transferring money.

For these purposes, the SecurID

Re:

[sglane81]

You're using a flawed implementation to illustrate your point. The idea of two factor auth does what it is intended to do: make it more difficult to access resources for those it is not intended. Perfect security is an illusion. The point is to make it more difficult, not 100% guaranteed.

Confirm the transaction with the person

[Hoi Polloi]

Maybe you'd have to carry a cellphone and they'd autodial you with a message asking you to confirm the transaction ("Please press 1 to confirm $500 to Alxei in Moscow, Press 2 to inform the police..."). Hopefully the transactions don't all occur at 3AM. Now if the crooks have your account info AND your cellphone then you are probably more concerned about how you are going to escape from your kidnappers.

My credit card company has called me to confirm heavy activity or big purchases that veer from my normal

Re:

[flyingfsck]

Yup, it is the bank's fault for allowing transfers to unaudited destinations. If someone would get into my bank account, all they can do is pay my existing bills with a handful of large corporations and financial institutions. The system doesn't allow transfers to random accounts.

Schtooopidddttt bank. I hope the Swedes do a run on it and put it out of business/misery.

the ends justify the means?

[Anonymous Coward]

The sender encouraged clients to download a "spam fighting" application.

the 'spam fighting' app almost did exactly what it was deceptively claiming to do;

bankrupt the people, force them to sell their technological idolatry, bam-- no more spam.

Victims

[Sloppy]

The bank is refunding everyone who lost money (even if they hadn't taken precautions) - good news for the victims

No, that merely changes who the victims are. There is no such thing as "good news for the victims" unless the stolen money is recovered.

Re:

[rm999]

It seems to me that the only victim is the bank itself (at least if Swedish banks compete with each other, like in the USA). In that case, they are not "victims" because they gave up the money by choice, presumably to make their customers feel safer.

FDIC?

[Thansal]

If this was to happen in the US, would the FDIC cover these types of things?

And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam, however I hope they now include somethign that say "if it was your fault some one else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandetory!

For those of you who have an ING account you know what their security is like. Nothing much that will hamper a real customer, but things that should stop non-customers.

Re:

[tinkertim]

>> If this was to happen in the US, would the FDIC cover these types of things?

I don't think so. The FDIC is more of a surerty for the bank itself. In this case the bank wasn't actually the one robbed, the customers were digitally conned. It's a good business for FDIC itself as your premium as a bank would depend on your fraud record.

[this] bank is being pretty cool about it, probably because the phishing e-mail containing the trojan appeared to come from the bank's domain. Its a semi dangerous public

Re:

[silentounce]

1 million is nothing to a bank that large. They won't need to raise ATM fees. All they'd have to do to recoup that is raise interest rates on loans a fracture of a percent for a while. Or lower their rates to investors in the same manner. Besides, they probably already got the money back.

Re:

[ptbarnett]

If this was to happen in the US, would the FDIC cover these types of things?

FDIC insures the bank customer against bank failure (as in going out of business).

http://www.fdic.gov/about/learn/symbol/index.html [fdic.gov]

They also enforce the Electronic Fund Transfer Act. That may address this particular problem, if it's an EFT that you (or someone you authorized) did not make.

Re:

[stephanruby]

If this was to happen in the US, would the FDIC cover these types of things?

And don't forget to ask this other question

If this happened in the US and if the FDIC didn't step up, would the bank be worried enough about losing its online customers and reputation to take the hit themselves?

I suspect a bank might do that if worse came to worse. Online banking holds a lot of promise for a lot of banks. It may be expensive to get going at its core, but online banking holds the promise of scalability and redu

Human factors

[Beryllium Sphere(tm)]

>idiots

We'll never get decent security as long as we set traps for users and call them idiots when they fall in.

The email containing the Trojan came from the bank's domain, apparently. Is it the fault of the users that email isn't authenticated? Are they idiots for not knowing how SMTP sessions can be spoofed?

How many places require software downloads to work? Include Flash and PDF readers in that list. Are people idiots for installing something that any non-expert would think came from their bank?

Do we

Re:

[alnjmshntr]

I think this was covered in Fight Club.

If The cost of a class action suit (or lost business in this case) is X, the number of defective products (or victim here) is A and the cost of each recall (or refund here) is B. Then if A*B > X you don't do the recall.

So most banks will probably reckon that refunding these customers (thereby giving their other customers a false sense of security that they will also be refunded if this ever happened to them) is worthwhile. Otherwise they would lose a lot of money i

Re:

[Thansal]

wait, if they are ussing one time keys, HOW THE HECK did a keylogger help?

single use keys should make a keyloger pointless. I actualy like that method more so then the other company. If they are generating codes based on a static pin, that must be crackable.

I still preffer ones that have a decent selection of possible questions you will be asked (making a keyloger that much less effective), a VPK for your PIN (AKA your keyboard can NOT enter your pin), and an identifier (Picture+phrase) so you know you ar

Re:

[Thansal]

ah HA!

AC lies! They were ussing an incredibly insecure method.

Thanks for the info. One time pins are rather nice, the only problem is that they are either cumbersome (having to request them and what not), or a target for gathering (as people will get them in batches, and then store them in .txt on their desktop).

Re:

[Thansal]

ahh, thanks for the clarification, and I appologize to AC!

So this was not a keylogger, it was considerably more.

MY question is how the program worked. If it was simply tossing up dummy pages instead of the actualy bank page then the easy fix is one where you make sure the customer knows they are on their own page (show a customer slected image/phrase/whatnot). The amusing this is that the first place I ever saw this was on NeoPets (It showed you your active pet and their name before taking your PW), and t

Re:

[fbjon]

Well, I watched an interview with a rep for the Finnish branch, and he said this particular attack wouldn't work here because the Finnish branch uses a different auth system: a list of OTPs. They've had this system for much more than 3 years too.. so, what exactly does the Swedish branch use really?

Re:

[jackbird]

Legislate that the banks have to pay for fraud, and the security will take care of itself. Look at what happened to credit card fraud.

Re:

[fbjon]

They didn't use a confirmation code, however. The system in the Finnish branch requires that you give a confirmation code as a last step to actually complete any transaction, which makes login info useless by itself, and makes trojaning more difficult. I have no idea why the Swedish branch doesn't use it...

Sounds easy enough...

[supremebob]

Why can't movie studios come up with plans this ingenious for robbing a bank? The last bank robbing movie I saw involved some terrorist types kidnapping the head of bank security and having him steal the account numbers with a wacky device made out of scanner module from a fax machine and the hard drive from an iPod Mini.

Re:

[businessnerd]

Sounds easy enough...

That's the problem, it's too easy. Robbers spam bank customers with phishing attack. Out of the thousands of customers, 121 dumbasses fall for it. Robbers transfer funds. Robbers go on vacation and buy a car. End of story.

You're missing all of the critical pieces of a Hollywood heist movie. No hostages? No hereos? No fictional wonder tool fabricated out of duct tape a an old microwave oven? There's not even room for a car chase or an explosion.

On another note, there's no

1 Million Dollars?

[nherc]

Boy, if all of the nefarious Slashdotters got together couldn't we beat that by at least an order of magnitude? After all, didn't Sean Connery and Catherine Zeta get away with a few billion?

121 people involved?

[It doesn't come easy]

Seems like a fairly precise number...wonder how they derived it? And if true, for $1,000,000 that works out to be just over $8,000 per participant (assuming the proceeds were/are shared equally). Hardly seems worth the risk. On the other hand, the article says (indirectly) that it took 15 months to decide a heist was in progress. Heh, as they say "Patience is a virtue".

Quoted..

[ZOMFF]

An employee of the Swedish Bank was quoted as saying, "Gersh gurndy morn-dee hack-zee hack-zee!"

Re:

[Sponge Bath]

Gersh gurndy morn-dee hack-zee hack-zee!

Translation: They're always after me lucky charms!

Incentives for The Bank

[logicnazi]

Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience. It involves lots of forms and remembering to do things at the right time and spending time on telephone lines. In short it is a pretty good incentive not to be careless with your banking security.

All that not refunding the customer's money would accomplish is hurt a lot of people and discourage people from using online banking or encourage them to change banks. People are never going to become security gurus just so they can bank online and if you make banking online too risky or hard they will just give it up.

By making sure it is the bank who has to pay for security losses while still making sure people have some incentive (annoyance, possibility they might pay next time or lossing $50) to be safe you end up with the best results. The bank is the entity that can roll out new security solutions and most easily improve security practices so giving them incentives to improve security is the best move.

Re:

[planetmn]

Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience.

What bank issued your credit card? I've had to reverse charges multiple times for different reasons. I've been billed twice for the same item, I've been billed incorrect amounts, I even reversed a Paypal charge because the seller never sent the item.

In all cases it was simple (I have Citibank cards). Call up and tell them what charge you are disputing. Immediately you get a conditiona

Re:

[RKBA]

Plus Citibank has a feature that I now find essential - the ability to generate "virtual" credit card numbers as needed, and to be able to set the expiration date and limit on the amount of purchase that can be charged to each virtual credit card number. It makes online shopping perfectly safe. MBNA offered a similar feature until they were bought up by BofA, which is when I changed to Citibank, and so far I'm very happy with Citibank.

There's a rather humorous corollary to this, and since I feel loquacious

How about suspending accounts?

[phorm]

not really an incentive to take more care in future

I'm hoping that the banks at least suspended and revoked the privilage of online banking from the users in question. If you can't take care not to download trojans/etc online that affect online banking, you shouldn't be allowed to do your banking online.

Re:

[Thansal]

quick little drama for you to understand why that is NOT happening:

Bank: You all suck at online skills, so you can't use our online banking services!
Customers: Bye!
Bank: What?
Ex-Customers: ...

simple, aint it? Also, actions like that will also have other customers leave.

However, in reimbursing the customers, despite it being their fault, they have created a VERY good image for the bank.

Re:

[Hoi Polloi]

Losing customers that just cost you millions of krona? I'd tell them "Don't let the door hit you on the ass on the way out!" Some customers aren't worth keeping.

I wouldn't leave my bank if it enforced rules against careless customers. I'd want them to. The careless customers are endangering the bank's security and financial health.

Re:

[phorm]

You forgot a line...

Bank: You all suck at online skills, so you can't use our online banking services!
Customers: Bye!
Bank: What?
Ex-Customers: ...

Bank: Good riddance

Banks aren't dumb, and they don't make megabucks by holding onto bad investments. In this case, said customers are bad investments. You really think that they bank is going to be overly upset if the a few dozen of the customers that just cost them upwards to a million bucks leave? Do you think that disabling internet accounts of people w

not really an incentive

[wiredog]

It's an incentive for the Bank to improve security. If every bank was required to do this (and cc companies as well) it'd do quite a bit to improve security in online shopping and banking.

Re:

[Hoi Polloi]

What could the bank have done differently? The customers were entrusted with the keys to their accounts and they were tricked into handing them over. If you gave your ATM card and PIN to a stranger what could the bank do to protect you?

Largest ever robbery?

[A beautiful mind]

Well according to my anecdotal evidence coming from an ex security admin at a bank who was giving a lecture on bank security on a security themed conference, banks have a certain percentage of loss every year due to online activites. The loss they suffer is tuned to the line that spending more on security would cost more than the current losses they suffer.

Anyway, I highly doubt that this was the largest ever online robbery, maybe it was the largest phishing attack.

Re:

[KokorHekkus]

A major swedish newspaper (www.dn.se) write that the amount is somewhere over 1.1 million USD (8 million SEK). A sizeable chunk of money but perhaps not the most anyone has gotten hold of in this. Other types of financial fraud go way over that. Last year a financial officer of a company fudged the numbers in the computer and transfered 3+ million to her own account (and used a good part of it as well... just hang around to long I guess).

Predefined one-time keys are insecure

[hankwang]

I was curious about the security protocol for Nordea bank and although links on the Nordea site are currently broken (an attempt to cover up?), I could find them on Google.

• Login demo [nordea.se] - a fixed PIN code plus a one-time key from a scratch card.
• Transfer money to a different account [nordea.se] - confirm with another one-time key from the scratch card.

So the scammer just needs the fixed PIN code, plus a few of the one-time codes.

I used to have a bank account in Sweden with a different bank that uses a cryptographic challenge/response key generator, both for logging in and confirming a transaction. The website supplies you with a code number that you enter, as well as a PIN code. The device uses the code together with a secret key and the time from an internal clock and lets you send back the data.

Banks here in the Netherlands use similar systems, often with a generic card reader that uses a chip that is built into the bank cards. Others send a confirmation code by SMS to a mobile phone number that is registered to your account.

I think cryptographic systems are inherently much more secure than predefined one-time keys. The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction. Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.

Re:

[Qzukk]

Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.

Some banks have gone a step further and made the transaction amount as part of the challenge, meaning that even an attack like this would fail (since you transferring $20 to your landlord wouldn't match his attempt to withdraw all $21.54 in your account)

Re:

[Znork]

"The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction."

Short time keys make the interception slightly more difficult, but essentially the intercept software would just have to immediately use the collected keys in the alternate transaction, rather than save them for later use. Same with SMS, or anything else; as long as the customers PC is compromised, there's no way to guarantee that what the customer sees is what the bank sends, or that what the custo

Re:

[hankwang]

...just verify the forged transaction, rather than the one the customer thought he was entering.

That's of course still an issue; it's the weakest link in the chain that counts. Still, with time-limited cryptographic challenge/response verification, it requires much more effort from the attacker. With user/password or user/password/one-time-key login schemes, the weakest link is even weaker. My Dutch bank actually tells me on the login screen [rabobank.nl]: "Please verify that the URL starts with "https://bankieren.rabob

Re:

[MobyDisk]

That's amazing to me though: My bank just lets me enter in a PIN just the same as if I used an ATM. No one-time-pads at all. It looks to me like the bank was actually being fairly secure.

Re:

[Alef]

So the scammer just needs the fixed PIN code, plus a few of the one-time codes.

Or, if you have taken control of the user's computer, you can do a man-in-the-middle attack. Since the one-time codes are completely independent of the transaction that is taking place, the cracker can simply wait for the user to transfer money somewhere and substitute the amounts and account numbers.

This is, however, not possible with at least some of the challenge/response systems you mention, because every number then ne

Disappointed in you /.ers

[silentounce]

What?! No, Soviet Russia jokes yet?!?!
In Soviet Russia, key logs you!
Or even better. In Soviet Russia, you gulag.
Perhaps, in Soviet Russia, bank robs you!
One last note, in Soviet Russia, Russian reversal jokes are funny.

Re:

[thePowerOfGrayskull]

In Soviet Russia, the joke is on you.

Re:

[Lord_Slepnir]

In Soviet Russia, dead horse beats you! (google my name if you don't get it)

It's a Windows trojan

[HangingChad]

The sender encouraged clients to download a "spam fighting" application.'"

The trojan in question only runs on Windows [symantec.com].

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

I'm not knocking Windows, the users contributed by not running antivirus software and not being terribly bright. But this is why I don't ever access any of my banking or investment accounts with Windows.

Just makes it that much harder to automate installation of a keylogger

What do you expect, though?

[phorm]

I'm not a windows fanboy ('nix is my preferred OS), but why would the crooks pump out a linux binary or an OSX application in their scammy emails when probably 80-90% of the recipients are likely to use windows, and probably about 80-90% of linux/mac users are slightly more educated in terms of scammy emails.

This wasn't an automatically installed keylogged from the sounds of it, but rather one installed by dumb users. Windows has more users, so they email the windows users. PC's being more prevalent (and

I wish that they had not paid the victims.

[WindBourne]

What they just did was tell users that they can run insecure OSs, do nothing about it, and still not be held responsible for their actions. What these victims did was to buy a straw house, then leave the door wide open, and are now being compensated for stolen money. When will it end.

Re:

[swb]

Nice blame the victim mindset. I suppose you tell women who have been raped to stay home, people who have their cars ripped off to buy more theft-proof cars, and so on.

The better choice is for the banks to recognize that client systems are highly vulnerable and make their own security more immune from these problems. If I was a bank, I would also strongly consider blackholing IP space outside of their normal service area. More of an irritant to serious criminals that a real deterrent, but it might make i

If the trojan was targeted to a specific list

[artifex2004]

If the trojan was targeted to something like a specific list of account holders, instead of wildly blasted around, that could indicate a different breach of security at the bank. In that case, the bank has a lot more cleaning up to do behind the scenes. I'm not saying that definitely happened, but I am given pause.

Brazilian bank - $350m

[OriginalArlen]

Annoyingly I've not been able to google it up, and I can't remember where I read about it, but I read somewhere that a Brazilian bank went bankrupt following fraud enabled by hacking attacks which lost them (IIRC) over $300m. Please, someone, spare my sanity and find me a link? It would have been an Infosec story on the net -- I thought CryptoGram at first, but apparently not. Help! :)

Numerous attacks against this bank

[boldie]

If I remember this correctly this is the 3rd or 4th time this bank, Nordea, takes a hit in the last year! The first three or four times there were false e-mail and a dupe website saying that the customer for security reasons should supply three of their single use codes (you have them on a plastic card), then their PIN-code and their account number. The phishing email and website were full off misspelled and fake words and bad language in general, it's amazing that anybody fell for it!
This was really bi

Is this another Windows genuine advantage?

[toby]

How many OS X users lost money?

Why doesn't the headline name the real enabler: Microsoft.

Running Windows is like putting your money in a cardboard safe. Wet cardboard.

incentives are where they belong

[judd]

"good news for the victims, but not really an incentive to take more care in future"

Consumers are told by people who market computers that they are easy and safe to use. Consumers are told by internet service providers that online services are easy and safe to use. Consumers are told by banks that online banking is secure and convenient.

Aside from the criminals, who appear to have escaped without any consequences to them, the burden is falling where it should be, namely on agents who allow marketing over reality. While the /. crowd may know better, the average punter does not, and shouldn't have to.

Not this again

[Bryansix]

Banks can guard against this by making users click on a randomizing keypad with their PIN in addition to any password/username combination they need to type in. ING Direct does this.

The customers didn't lose money.

[AxelBoldt]

The bank is refunding everyone who lost money

That's crap. The customers didn't lose anything. The bank lost money; it was tricked into paying out funds without having been authorized to do so by the funds' owners. The bank neglected the first rule of the banking business: "Know your customer". It did not properly check the identity of the people it was interacting with, and therefore has to eat the full loss.

Antivirus may not help

[Jugalator]

It appears that most of the victims weren't running security protection.

Often these guys use directed fraud mails written in reasonably good Swedish, so I wouldn't really doubt they have custom made keyloggers too to attempt to escape antivirus tools.
Sure, they could use detection by heuristics like some support, but then the accuracy falls rapidly, as well as the fact that not nearly all popular tools even supporting that.

What's needed here is that users don't become so naive when they sit down in front of a computer. To many, it seems like they then enter a world of safety where they don't have to think much and just click through mails that "look right" even if they ask for logon details that the banks has earlier been very careful to inform they'll never request. (because they already have that info, or can reset it at their whim anyway, duh!) The problem is that on the Internet, the exact opposite mostly holds true.

Don't expect the generous refund policy everytime

[vinn01]

I'm thinking that the refunds are a result of the newness of on-line banking. When the newness wears off - people will lose their life savings with these tricks.

It's no different than meat-space scams that trick people into withdrawing money or allow theives access to their bank accounts (like a stolen ATM card with the PIN number written on it).

The message here should be "if you do on-line banking, your computer is your ATM card. Protect it just as you would your ATM card"

Re:Don't expect the generous refund policy everyti

[geekoid]

My bank will retunr money from unauthorized purchases on an ATM card. With no Min.

"spam-fighting"

[idontgno]

1. mass-email a trojan keylogger
2. capture web banking passwords
3. drain bank accounts
4. ??
5. PROFIT!
6. Never have to eat SPAM again. You're rich!

That's how we fight SPAM.

Site down now + security

[Bender Unit 22]

Damn, seems like their site are down for the moment, and not just the Swedish one(they have banks in more than one country). I guess they are all hosted the same place. I wanted to log in to my account.

The security for their online banking system includes a key file that you must have on your PC so a trojan could be used to gain access if it got found the key file. I am not aware if they have additional optional security options available, like a key card or whatever.

BTW the client side runs Java and works

Re:

[Thansal]

This isn't a fault in windows, it is a case of pebkac.

The phishing (well, not really phishing in my mind) emails told the people to download and install anti spam software, and they did. No exploting holes in outlook or IE, none of that, just simply tellign poeple "Installer our keylogger. err, I ment to say out "anti-spam" software, yah...". It would have worked for Mac, or *nix, or anything else (It probably DIDN'T work for them, simply b/c the attackers did not see it as worth spending the extra time t

Re:

[MichaelSmith]

must either be an immigrant, senile, or just plain dumb

Are immigrants considered dumb in your country?

Re:

[mangu]

Why should the bank have to fork out cash because the users can't see an obvious phishing email?

I can see several reasons for that. One is that maybe there's something in the law or banking regulations about it. The second is that if it's mostly small amounts that were stolen, it would be cheaper to pay than to fight it in court.

But I guess the most important reason is that the bank wants to make people confident about doing business online. It's so much cheaper for the bank to do online business rather th

A Digipass make it secure?

[ratboy666]

No it doesn't.

If your computer has been rooted, it really IS ball game over. Just sitting here thinking how I would exploit a rooted system that someone uses for banking...

1 - establish account offshore that offers SWIFT transfer (or other convenient inter-bank wire), and can deal with bank that requires no ID.
2 - Monitor victims on-line banking activity for a couple of months.
3 - Intercept after online session has next been established.
4a - Inject low level "noise" transfer, if victims balance is medium le

Re:

[silentounce]

Question: Would you go to jail for 10 years for US$200mil?

Jail or prison? US or Russia? Because those are some very different circumstances. A lot of people would say yes even if it was a chance at $200mil otherwise no one would attempt the robbery in the first place.

Re:

[the_B0fh]

Where's

(c) profit!!!!

Oh wait, nevermind.