Largest Ever Online Robbery Hits Swedish Bank

ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started by a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"
  • FDIC? (Score:5, Informative)

    by Thansal ( 999464 ) on Friday January 19, 2007 @03:24PM (#17685138)
    If this was to happen in the US, would the FDIC cover these types of things?

    And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam, however I hope they now include something that says "if it was your fault someone else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandatory!

    For those of you who have an ING account you know what their security is like. Nothing much that will hamper a real customer, but things that should stop non-customers.
  • by hankwang ( 413283 ) * on Friday January 19, 2007 @03:36PM (#17685414) Homepage

    I was curious about the security protocol for Nordea bank and although links on the Nordea site are currently broken (an attempt to cover up?), I could find them on Google.

    So the scammer just needs the fixed PIN code, plus a few of the one-time codes.

    I used to have a bank account in Sweden with a different bank that uses a cryptographic challenge/response key generator, both for logging in and confirming a transaction. The website supplies you with a code number that you enter, as well as a PIN code. The device uses the code together with a secret key and the time from an internal clock and lets you send back the data.

    Banks here in the Netherlands use similar systems, often with a generic card reader that uses a chip that is built into the bank cards. Others send a confirmation code by SMS to a mobile phone number that is registered to your account.

    I think cryptographic systems are inherently much more secure than predefined one-time keys. The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction. Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.
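The distinction hankwang draws, between a scratch list of predefined one-time codes and a challenge/response device whose answer is tied to a specific transaction and a short time window, can be shown directly. The following is an added example, not code from the post, from Nordea, or from any bank: the secret, challenge, account numbers, amounts and timestamp are all constructed, and the message layout (challenge, destination account, amount and 30-second time step fed into HMAC-SHA256, then HOTP-style truncation) is an illustrative design rather than any vendor's actual token protocol. It replays a logged response against a different destination account, a different amount and a later time, and contrasts that with a logged scratch-list code.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a real token's secret lives only inside the device
# and in the bank's back end, never on the customer's PC.
DEMO_TOKEN_SECRET = b"constructed-demo-secret-do-not-reuse"
CODE_DIGITS = 8
TIME_STEP_SECONDS = 30      # the thread's 30-second validity window


def _truncate(mac: bytes, digits: int) -> str:
    """HOTP-style dynamic truncation: 31 bits of the MAC reduced to `digits` decimal digits."""
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def token_response(secret: bytes, challenge: str, dest_account: str,
                   amount_cents: int, now: int) -> str:
    """What the customer's device computes: a MAC over the challenge the bank
    displayed, the transaction details the customer confirms on the device's
    own screen, and the current time step (hypothetical layout)."""
    step = now // TIME_STEP_SECONDS
    message = b"|".join([
        challenge.encode(),
        dest_account.encode(),
        str(amount_cents).encode(),
        struct.pack(">Q", step),
    ])
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    return _truncate(mac, CODE_DIGITS)


def bank_verify(secret: bytes, challenge: str, dest_account: str, amount_cents: int,
                response: str, now: int, skew_steps: int = 1) -> bool:
    """Bank side: recompute the expected response for the transaction actually
    submitted, allowing one step of clock drift either way."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = token_response(secret, challenge, dest_account, amount_cents,
                                  now + delta * TIME_STEP_SECONDS)
        if hmac.compare_digest(expected, response):
            return True
    return False


def static_list_verify(unused_codes: set, code: str) -> bool:
    """The scratch-list scheme described in the thread: any unused code
    authorises any transaction, so a logged code works for whoever holds it."""
    if code in unused_codes:
        unused_codes.remove(code)
        return True
    return False


def demo() -> dict:
    """Replay one logged response against other transactions; returns each outcome."""
    now = 1_169_220_000            # constructed timestamp
    challenge = "48213967"         # constructed challenge shown by the bank
    legit = token_response(DEMO_TOKEN_SECRET, challenge, "SE-CUSTOMER-RENT", 500_00, now)
    results = {
        "legit_transaction": bank_verify(DEMO_TOKEN_SECRET, challenge, "SE-CUSTOMER-RENT", 500_00, legit, now),
        "same_code_other_account": bank_verify(DEMO_TOKEN_SECRET, challenge, "SE-ATTACKER", 500_00, legit, now),
        "same_code_other_amount": bank_verify(DEMO_TOKEN_SECRET, challenge, "SE-CUSTOMER-RENT", 9_999_00, legit, now),
        "same_code_two_minutes_later": bank_verify(DEMO_TOKEN_SECRET, challenge, "SE-CUSTOMER-RENT", 500_00, legit, now + 120),
    }
    # By contrast, a logged scratch-list code authorises whatever transfer it is attached to.
    scratch = {"4411", "7720", "1983"}   # constructed one-time codes
    results["scratch_code_reused_elsewhere"] = static_list_verify(scratch, "7720")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:32s} {'accepted' if ok else 'rejected'}")
```

The point the code makes is that the keylogger's capture is the 8-digit response, and that response verifies only for the exact account, amount and minute it was computed for; the bank recomputes it from the transaction it actually received, so a captured value is worthless for any other transfer. That protection holds only if the device shows the transaction details on its own display, which is hankwang's caveat about a compromised browser.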

  • Re:FDIC? (Score:1, Informative)

    by Anonymous Coward on Friday January 19, 2007 @03:40PM (#17685488)
    And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam, however I hope they now include something that says "if it was your fault someone else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandatory!

    This bank promoted its online services with ads with elderly women showing how easy it was to use.

    And it is slightly easier than its main competitor (Swebank/foreningssparbanken) that uses a personal code box (like a little calculator) to generate codes on the fly. You get a number, run it in your box, and get a code that you feed back to the page. You make one for logging in, and another to confirm a transaction and so on.

    Nordea on the other hand supplies a list of one time codes for verification, but as is evident, if you can get such a code along with some personal info you're good to go. So the reason they are not harder on the clients is that they sold them on the service being simpler. They have attracted clients with less web savvy deliberately and chosen a less secure method to simplify their system. Not to shoulder responsibility would be hypocritical.
  • Re:the hard part (Score:3, Informative)

    by dgatwood ( 11270 ) on Friday January 19, 2007 @04:11PM (#17686138) Homepage Journal

    Two-factor auth is really not that useful. Indeed, n-factor is not better than single factor. What is required for a transaction to be secure are the following:

    • A known secure endpoint (a computer without spyware)
    • A secure communication channel between the two (https)

    Without BOTH of those, no additional factors will help.

    Here's a short description of how the basic attack works. Your second factor is a SecurID or CryptoCard token. You key in your PIN and the value currently shown on that token. The software captures the keystrokes. It then causes your browser's DNS lookup to be delayed several seconds during which time it sends the information to another computer belonging to the attacker, which automatically logs in. At that point, it releases the stream and allows the DNS request to complete, taking you to your bank's website.

    Now at this point, that value has already been used. Depending on the bank's systems, your token value might be accepted for a short window of time, in which case you won't know anything is wrong. In the worst case, it gets rejected, but you assume you mistyped/misremembered it. By that time, the next token is on the screen (SecurID) or the screen is blank (CryptoCard), so you have to use the NEXT number. You log in with the new number and think that everything is okay. The attacker keeps his/her connection alive through meaningless browsing until the spyware says that you have logged off the remote banking site, then transfers all the money from your account into a Swiss bank account.
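The weak spot dgatwood identifies on the bank's side is the phrase "your token value might be accepted for a short window of time": a verifier that accepts the same one-time value twice within its drift window gives the customer no signal that anything happened. The following is an added example, not code from the post or from any token vendor; the HMAC-based time code, the secret, the timestamp and the TEST-NET addresses are all constructed. It models a bank-side verifier that either silently accepts a repeat (reject_reuse=False) or consumes each code on first use, refuses the second presentation, and records an alert with both source addresses so the first session can be reviewed.

```python
import hashlib
import hmac
import struct

TIME_STEP_SECONDS = 60      # the thread's "sixty seconds" rotation
CODE_DIGITS = 6


def totp(secret: bytes, step: int) -> str:
    """HMAC-based time code for one step, HOTP-style truncation."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


class OtpLoginVerifier:
    """Bank-side verifier (hypothetical). With reject_reuse=True a code value
    is consumed on first use; a later presentation of that step, or of any
    earlier step, is refused and logged with both source addresses."""

    def __init__(self, secrets: dict, skew_steps: int = 1, reject_reuse: bool = True):
        self.secrets = secrets              # user -> token secret
        self.skew_steps = skew_steps        # clock drift tolerated, in steps
        self.reject_reuse = reject_reuse
        self.consumed = {}                  # user -> (highest step accepted, src_ip that used it)
        self.alerts = []

    def login(self, user: str, code: str, src_ip: str, now: int) -> str:
        secret = self.secrets[user]
        step_now = now // TIME_STEP_SECONDS
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            step = step_now + delta
            if not hmac.compare_digest(totp(secret, step), code):
                continue
            last_step, last_ip = self.consumed.get(user, (-1, None))
            # Reject anything at or before the last consumed step: this also
            # refuses a drifted earlier code, which is the accepted trade-off.
            if self.reject_reuse and step <= last_step:
                self.alerts.append({
                    "user": user, "step": step,
                    "first_use_ip": last_ip, "repeat_ip": src_ip,
                })
                return "REPLAY_REJECTED"
            self.consumed[user] = (step, src_ip)
            return "OK"
        return "BAD_CODE"


def demo(reject_reuse: bool = True) -> tuple:
    """Constructed run of the thread's scenario: one token value presented
    from two addresses in the same minute, then the customer's next value."""
    secret = b"constructed-demo-secret"
    verifier = OtpLoginVerifier({"alice": secret}, reject_reuse=reject_reuse)
    now = 1_169_220_000                                          # constructed, on a minute boundary
    code = totp(secret, now // TIME_STEP_SECONDS)                # the value that was keylogged
    first = verifier.login("alice", code, "203.0.113.9", now + 2)     # other host, first to arrive
    second = verifier.login("alice", code, "198.51.100.4", now + 5)   # customer's browser, seconds later
    next_code = totp(secret, (now + 60) // TIME_STEP_SECONDS)
    third = verifier.login("alice", next_code, "198.51.100.4", now + 65)  # customer retries with next value
    return first, second, third, len(verifier.alerts)


if __name__ == "__main__":
    print("silent window:", demo(reject_reuse=False))
    print("reuse rejected:", demo(reject_reuse=True))
```

With reject_reuse=False the second login returns "OK" and nothing is recorded, which is the silent outcome dgatwood describes. With reuse rejected the customer still sees a rejection and retries with the next value, as in the thread, but the bank now holds an alert naming two addresses that presented the same code within one minute, a concrete trigger for reviewing or terminating the earlier session. Replay rejection does not fix the compromised endpoint, which is dgatwood's main point; it only stops the bank from being blind to it.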

  • Re:the hard part (Score:3, Informative)

    by Lord Ender ( 156273 ) on Friday January 19, 2007 @04:12PM (#17686146) Homepage
    Like so many things in life, something you (know|have|are){2,} is an oversimplification. It's a lossy compression (if you will) of the much-more-complex science of authentication. This is why you misunderstand the subject.

    Think it through: I have a keystroke logger on your PC. You type in your username (something you know) and your SecurID code (something you think you have :-). I then log in to your online bank app using the stuff you just typed and start transferring money.

    For these purposes, the SecurID "something you have" is an illusion: It is really just "something you know (for sixty seconds)".

    Even "something you are" is really "something you know" if the bioscanner is external to the system to which you are authenticating (which is the case for all over-the-net type apps).

    Oversimplification is loved by sales people, but it is bad overall. It causes people like you to think SecurID really is "two-factor authentication." It's not, at least not entirely.
  • by Nemetroid ( 883968 ) on Friday January 19, 2007 @04:21PM (#17686298)
    No, this has been reported by Dagens Nyheter [www.dn.se], The Daily News, which is Sweden's largest and most serious newspaper.
