
Largest Ever Online Robbery Hits Swedish Bank

ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started by a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"
  • Options (Score:2, Insightful)

    by MrNaz ( 730548 ) on Friday January 19, 2007 @03:12PM (#17684910) Homepage
    Slashdot Option 1: Encourage stupid people by paying out when they do stupid things like believe email that reads "Dwonlaod tihs spam fihgting tool". Slashdot Option 2: Encourage banks to absorb financial responsibility of eCommerce mishaps and take the lead in system security. Can't... make... decision... brain... splitting... in... half...
  • by Corporate Troll ( 537873 ) on Friday January 19, 2007 @03:15PM (#17684958) Homepage Journal

    Those who are not into technology have no idea.... Look at my latest journal [slashdot.org]. You can have a PhD and fall for the simplest scam there is. Computers do seem to have this effect on people: their common sense fails because computers are somehow "Magic".

    It's tragic if you ask me.

  • Crime Doesn't Pay (Score:3, Insightful)

    by Zzesers92 ( 819281 ) on Friday January 19, 2007 @03:19PM (#17685028)
    $1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime. Zzesers
  • by PadRacerExtreme ( 1006033 ) on Friday January 19, 2007 @03:22PM (#17685096)
    So a PhD in medieval literature makes you an expert in computers and email? I am not saying that she shouldn't have known better (the SPAM indicator), but the PhD alone doesn't really matter. Besides some people are always looking for a get rich quick scheme.
  • Victims (Score:5, Insightful)

    by Sloppy ( 14984 ) on Friday January 19, 2007 @03:23PM (#17685122) Homepage Journal
    The bank is refunding everyone who lost money (even if they hadn't taken precautions) - good news for the victims

    No, that merely changes who the victims are. There is no such thing as "good news for the victims" unless the stolen money is recovered.

  • Re:Options (Score:2, Insightful)

    by P3NIS_CLEAVER ( 860022 ) on Friday January 19, 2007 @03:26PM (#17685196) Journal
    My bank now demands additional secrets if I try to log in from an IP that is different than the usual one. A little inconvenient but I am sure it helps.
  • by logicnazi ( 169418 ) <gerdesNO@SPAMinvariant.org> on Friday January 19, 2007 @03:29PM (#17685262) Homepage
    Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience. It involves lots of forms and remembering to do things at the right time and spending time on telephone lines. In short it is a pretty good incentive not to be careless with your banking security.

    All that not refunding the customer's money would accomplish is hurt a lot of people and discourage people from using online banking or encourage them to change banks. People are never going to become security gurus just so they can bank online and if you make banking online too risky or hard they will just give it up.

    By making sure it is the bank who has to pay for security losses while still making sure people have some incentive (annoyance, possibility they might pay next time or losing $50) to be safe you end up with the best results. The bank is the entity that can roll out new security solutions and most easily improve security practices so giving them incentives to improve security is the best move.
  • by arevos ( 659374 ) on Friday January 19, 2007 @03:47PM (#17685634) Homepage

    $1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime.

    Whilst this may be true in a country like the USA, it's worth noting that the difference between average incomes between western Europe and Russia make it more profitable than it might seem at first glance. The average yearly salary in Russia is around $4800, whilst the average salary in countries like the US and Sweden is about 8 times that.

    Multiplying by 8 gives $66,116, and whilst I suspect such a figure would still not be worth the risk of being caught (and with 121 people involved, there's got to be an increased chance of someone slipping up), it's probably a lot more attractive than the figure of $8264.46 would suggest.

  • by planetmn ( 724378 ) on Friday January 19, 2007 @03:47PM (#17685636)
    Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience.

    What bank issued your credit card? I've had to reverse charges multiple times for different reasons. I've been billed twice for the same item, I've been billed incorrect amounts, I even reversed a Paypal charge because the seller never sent the item.

    In all cases it was simple (I have Citibank cards). Call up and tell them what charge you are disputing. Immediately you get a conditional credit for that charge. They send you a single page form. Fill out a couple of lines, and send it back with any receipts (if you have them). In every single case I have received my money back, and the most time consuming part was dialing the phone (ok, not really, but just about. In total each dispute took less than 10 minutes of my time).

    Remember, you are the customer. If the bank is treating you like crap, go elsewhere.

    -dave
  • Re:Options (Score:2, Insightful)

    by Poruchik ( 1004331 ) on Friday January 19, 2007 @03:57PM (#17685860) Homepage
    And how does this help if your regular computer has a trojan?
  • Re:the hard part (Score:3, Insightful)

    by dgatwood ( 11270 ) on Friday January 19, 2007 @04:21PM (#17686306) Homepage Journal

    Or possibly not a DNS lookup. Possibly just delaying ACKs and stuff on the outbound TCP connection to make the connection open more slowly and delay any useful receipt of data... or inserting bogus NAKs or... could be anything. The point is that an attacker would do something to delay the connection.

    These sorts of flaws have been talked about for a while now. Man-in-the-middle attacks are hard to protect against, and impossible if one endpoint is the untrusted man in the middle. In this way, it is basically the same fundamentally unsolvable problem as digital rights management, and for precisely the same reason: with a potentially untrusted device as a communication endpoint, you cannot guarantee that you can protect data sent or received by that endpoint from compromise.

  • Re:Options (Score:2, Insightful)

    by P3NIS_CLEAVER ( 860022 ) on Friday January 19, 2007 @04:22PM (#17686318) Journal
    Note that I said "helps". There is no one method to secure a computer or transaction, only improvements.
  • by ratboy666 ( 104074 ) <fred_weigel@[ ]mail.com ['hot' in gap]> on Friday January 19, 2007 @04:49PM (#17686880) Journal
    No it doesn't.

    If your computer has been rooted, it really IS ball game over. Just sitting here thinking how I would exploit a rooted system that someone uses for banking...

    1 - establish account offshore that offers SWIFT transfer (or other convenient inter-bank wire), and can deal with bank that requires no ID.
    2 - Monitor victim's on-line banking activity for a couple of months.
    3 - Intercept after online session has next been established.
    4a - Inject low level "noise" transfer, if victim's balance is medium level
    4b - Take it all, if victim balance is at high level.
    5 - Complete transfer from SWIFT bank next day, to "no ID" bank.
    6 - transfer from "no ID" to Bahamanian account (Swiss account, you pick). Cash out.

    Ob. Hollywood: Add sound effects, and visual effects as appropriate: "I'm in!" and up/down counters with ticking.

    Of course this doesn't work if you DON'T do on-line banking; this is a good thing(tm) because on-line activity would otherwise be exceptional.

    Bear in mind that this is the first solution I came up with. And I suspect it would be very workable. Especially if that "Digipass" gave you a sense of security.

    The thing you "Trust": the thing that you have faith in because you have no other choice. And that which you must trust, you must be able to verify. With Internet Banking, you do not trust the network (thus, we use cryptographically sound protocols). You trust your password, and are forced to trust your computer. (And, you trust your bank). So, secure that computer, and don't give out your password. I wouldn't trust a digikey, simply because I have no way of verifying (I can restrict access to my computer, and my password is under my control).

    The digikey in no way mitigates responsibility for keeping your computer secure.

  • by judd ( 3212 ) on Friday January 19, 2007 @05:35PM (#17687752) Homepage
    "good news for the victims, but not really an incentive to take more care in future"

    Consumers are told by people who market computers that they are easy and safe to use. Consumers are told by internet service providers that online services are easy and safe to use. Consumers are told by banks that online banking is secure and convenient.

    Aside from the criminals, who appear to have escaped without any consequences to them, the burden is falling where it should be, namely on agents who allow marketing over reality. While the /. crowd may know better, the average punter does not, and shouldn't have to.
  • by AxelBoldt ( 1490 ) on Friday January 19, 2007 @05:51PM (#17688026) Homepage
    The bank is refunding everyone who lost money
    That's crap. The customers didn't lose anything. The bank lost money; it was tricked into paying out funds without having been authorized to do so by the funds' owners. The bank neglected the first rule of the banking business: "Know your customer". It did not properly check the identity of the people it was interacting with, and therefore has to eat the full loss.
  • by Jugalator ( 259273 ) on Friday January 19, 2007 @06:10PM (#17688328) Journal
    It appears that most of the victims weren't running security protection.

    Often these guys use directed fraud mails written in reasonably good Swedish, so I wouldn't really doubt they have custom made keyloggers too to attempt to escape antivirus tools.
    Sure, they could use detection by heuristics like some support, but then the accuracy falls rapidly, as well as the fact that not nearly all popular tools even support that.

    What's needed here is that users don't become so naive when they sit down in front of a computer. To many, it seems like they then enter a world of safety where they don't have to think much and just click through mails that "look right" even if they ask for logon details that the banks have earlier been very careful to inform they'll never request. (because they already have that info, or can reset it at their whim anyway, duh!) The problem is that on the Internet, the exact opposite mostly holds true.
  • Human factors (Score:3, Insightful)

    by Beryllium Sphere(tm) ( 193358 ) on Friday January 19, 2007 @06:40PM (#17688806) Journal
    >idiots

    We'll never get decent security as long as we set traps for users and call them idiots when they fall in.

    The email containing the Trojan came from the bank's domain, apparently. Is it the fault of the users that email isn't authenticated? Are they idiots for not knowing how SMTP sessions can be spoofed?

    How many places require software downloads to work? Include Flash and PDF readers in that list. Are people idiots for installing something that any non-expert would think came from their bank?

    Do we even know that they weren't running antivirus? Would there have been signatures for a Trojan that was only distributed to a few hundred or a few thousand people? Would behavior-based antivirus have caught it, given that the crooks had the chance to test it against every common antivirus program?

    Are the users idiots because the bank used a security protocol so unutterably lame that it was subject to undetectable replay attacks?

    Calling the users idiots is just an excuse for not fixing the real problems.
  • by Anonymous Coward on Friday January 19, 2007 @10:04PM (#17690698)
    I don't think the users should be blamed. At least not if this scam was well designed. There is no way the user can see the difference between the bank's own site and a phony one.

    I don't know how well-designed this scam was. But it is possible to make the real and the false pages look exactly the same, or so similar that only the most suspicious minds will discover the difference.

    At least with the IE 6 browser, you can design a popup with layout at the top pretending to be the Menu and Address bar, making the user believe he is at the bank's true address. And you might add the image of a lock giving the impression that he is on an SSL secured site. You don't need an infected computer to do this, you only have to make the user click a link. (It is hard to do this convincingly for every user, but doing it convincingly for 70% is obviously enough).

    And given a rootkit, the criminal could change the behaviour of the browser, change the dns-service, or whatever - resistance is futile. With malware running stealthily in the background, intercepting and changing some of the communication with the bank, there is not much point in high security authentication tools like digipass calculators or smartcards.

    In my view, the bank's loss is mainly due to the fact that today's common os-es and browsers are not safe. Period. The chief problem is that the industry is selling a product which is full of security loopholes. With today's popular OS-es, most home users are running with administrator rights (making the result of security breaches possibly very serious), and with common browsers and web standards, it is hard to see whom you are communicating with - especially when using popups and frames.

    The users might be a little to blame in this case, but the important thing is that one - for the time being - can not expect users to have the skills necessary to keep the computer safe and surf safely. With nerds and computer professionals, expectations can be higher.

    Users might be asked to keep their computers updated with anti-virus software. In my experience (with family and students), a lot of them are incapable of doing this by themselves. After some time, the computer is sluggish because of spyware or different programs and updates they have involuntarily accepted to be installed. Keeping a computer safe and in working order is a profession.

    What banks must do to limit attacks? Make attacks expensive. And encourage the software developing community/industry to integrate security in the products.
    1) Make a policy to avoid simple attacks. Maybe users should be advised always to enter the bank's address in the address bar (if so, banks must never send links themselves :-)
    2) And make sure that the malware must be complex, i.e. make sure that the authentication data cannot be reused from another computer (static passwords are an obvious no-no), perhaps also prevent concurrent background transfers (deny dual sessions with the bank).
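Point 2 above in working form, as an added illustration that is not from the post or from any bank's system: a static password a keylogger captured once is accepted again anywhere, whereas a code bound to a one-shot server challenge and to the transfer's amount and destination cannot be replayed or reused for a substituted transfer, and a second concurrent session is refused. The token key, the password and the account labels are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret standing in for a hardware token's key (not real).
TOKEN_KEY = b"constructed-demo-token-key"

def token_code(nonce, amount, dest):
    """Code the customer's token shows: HMAC over the challenge AND the transfer."""
    msg = f"{nonce}|{amount}|{dest}".encode()
    return hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()[:8]

class ChallengeResponseBank:
    """Each transfer needs a code bound to a one-shot nonce and to its details."""
    def __init__(self):
        self._open = set()  # challenges issued and not yet answered

    def begin_transfer(self):
        if self._open:  # deny a second, concurrent session
            raise RuntimeError("a transfer is already pending")
        nonce = secrets.token_hex(8)
        self._open.add(nonce)
        return nonce

    def authorise(self, nonce, code, amount, dest):
        if nonce not in self._open:  # replayed, or never issued by us
            return False
        self._open.discard(nonce)  # one-shot, whether or not the code checks out
        return hmac.compare_digest(code, token_code(nonce, amount, dest))

def static_password_demo():
    """The 'obvious no-no': a password a keylogger saw once works again later."""
    stored = "hunter2"    # constructed sample password on file at the bank
    captured = "hunter2"  # what the keylogger recorded during a real login
    return hmac.compare_digest(captured, stored)  # True: nothing ties it to a session

def challenge_response_demo():
    """Returns (genuine, replayed, substituted) outcomes for the bound-code scheme."""
    bank = ChallengeResponseBank()
    nonce = bank.begin_transfer()
    code = token_code(nonce, 100, "rent")  # customer's token computed this for 100 -> rent
    genuine = bank.authorise(nonce, code, 100, "rent")
    replayed = bank.authorise(nonce, code, 100, "rent")  # same code sent again
    nonce2 = bank.begin_transfer()
    code2 = token_code(nonce2, 100, "rent")
    # Malware on the endpoint keeps the customer's code but swaps amount/destination.
    substituted = bank.authorise(nonce2, code2, 9000, "attacker")
    return genuine, replayed, substituted  # (True, False, False)
```

The substitution check only helps when the token has its own display showing the amount and destination being signed; if the token merely echoes what the compromised computer feeds it, the thread's point that a rooted endpoint defeats such devices still stands.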
  • by Lord Flipper ( 627481 ) * on Friday January 19, 2007 @10:42PM (#17690986)
    Those who are not into technology have no idea.... Look at my latest journal [slashdot.org]. You can have a PhD and fall for the simplest scam there is. Computers do seem to have this effect on people: their common sense fails because computers are somehow "Magic".

    It's tragic if you ask me.

    You can say that again. My girlfriend is a physician (who has practiced psychiatry for 25+ years), and she is absolutely devoid of any understanding of the risks in those 'scratch and win', 'you may be a winner' type scams that proliferate online. It astonishes me, and it's tragic, like you said. I'll try to discuss it with her, and she'll come back with, "You're right, I probably wouldn't win anything, anyway." And there I am, speechless...
