
Largest Ever Online Robbery Hits Swedish Bank 218

ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started by a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"
  • According to whom?! (Score:5, Interesting)

    by rumith ( 983060 ) on Friday January 19, 2007 @03:15PM (#17684956)

    According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia.
    And what have the Swedish police established according to the Swedish police? Why quote McAfee? What business do they have here?
  • the hard part (Score:4, Interesting)

    by Lord Ender ( 156273 ) on Friday January 19, 2007 @03:21PM (#17685076) Homepage
    Stealing passwords is trivially easy. Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.

    The trick is getting cash transferred from someone's bank once you have their credentials.
  • by A beautiful mind ( 821714 ) on Friday January 19, 2007 @03:34PM (#17685384)
    Well, according to my anecdotal evidence coming from an ex-security admin at a bank who was giving a lecture on bank security at a security-themed conference, banks have a certain percentage of loss every year due to online activities. The loss they suffer is tuned to the line that spending more on security would cost more than the current losses they suffer.

    Anyway, I highly doubt that this was the largest ever online robbery, maybe it was the largest phishing attack.
  • by Anonymous Coward on Friday January 19, 2007 @03:53PM (#17685754)
    I happen to have an account at a Swedish bank (S.E.B.), and they give this wonderful little box they call a "digipass". When you want to log on, they give you 8 numbers, which you have to type in your digipass, which then gives you another little sequence of numbers, which is the password you have to use to login. It's kinda challenge-response authentication, but with the private key safely saved outside of the computer, and out of reach to the client themselves in fact... Just don't lose your digipass, your pincode and your account number all at the same time! :+)
  • by boldie ( 1016145 ) on Friday January 19, 2007 @05:01PM (#17687134)
    If I remember this correctly, this is the 3rd or 4th time this bank, Nordea, takes a hit in the last year! The first three or four times there were false e-mails and a dupe website saying that the customer for security reasons should supply three of their single use codes (you have them on a plastic card), then their PIN-code and their account number. The phishing email and website were full of misspelled and fake words and bad language in general, it's amazing that anybody fell for it!
    This was really big in the media several times last year.

    And now this! For the love of Darwin (God or whatever), who, WHO clicked on a link in an email saying it's from the bank??

    Well, well, they will probably make me use some sort of certificate that is Windows or Mac only. Anyhow, I will stop using this bank.
  • by RKBA ( 622932 ) on Friday January 19, 2007 @05:12PM (#17687330)
    Plus Citibank has a feature that I now find essential - the ability to generate "virtual" credit card numbers as needed, and to be able to set the expiration date and limit on the amount of purchase that can be charged to each virtual credit card number. It makes online shopping perfectly safe. MBNA offered a similar feature until they were bought up by BofA, which is when I changed to Citibank, and so far I'm very happy with Citibank.

    There's a rather humorous corollary to this, and since I feel loquacious today I shall tell the story:

    When I was employed and had a six digit salary, credit card offers with credit limits upward of $50,000 routinely came in the mail. Now that I'm retired and have no visible income anymore (just my retirement savings and Social Security), what happened when I switched from my MBNA credit card with its open-ended limit (once or twice MBNA raised my credit limit so high that I called them and asked them to reduce it for fear that if my credit card were stolen, someone might use it to purchase their own island or something, har!) was that my new Citi card only came with a $4,000 credit limit. As it turns out, even though I pay each month's credit card bill in full, my wife and I maxed out the $4,000 credit limit in almost the first month - not because we spend more than that each month, but because the delay between the time the charge is incurred by the bank and the time I receive the bill for that charge can be as much as five or six weeks in certain cases. The effect of this delay is that the actual "real time" charges on my credit card account can be the total of six weeks' worth of spending rather than one month's spending. Because of this and Citibank's understandable refusal to raise our credit limit until we'd had the account for at least six months, I've ended up having to send Citibank an OVERPAYMENT each month to avoid maxing out our ostensible $4,000 monthly limit (i.e., if I receive a bill for $1,500, I send a check for $3,500 so that I always have a positive balance on file). I'm effectively using my Citibank "credit" card as a "debit" card. I'm sure the bank loves it, but as long as they raise my credit limit to something more reasonable in six months I don't mind waiting.
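
The challenge-response login described in the "digipass" comment above, sketched as an added example that is not part of the original thread and is not the real Digipass algorithm. It assumes a shared secret and an HMAC-SHA1 code truncated as in RFC 4226; the class, function and account names are hypothetical, and the device PIN is not modelled.

```python
import hashlib
import hmac
import secrets


def token_response(secret: bytes, challenge: str, digits: int = 6) -> str:
    """What the hardware token computes: a short decimal code from the challenge."""
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, as in RFC 4226 (HOTP)
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class BankServer:
    """Hypothetical server side: issues 8-digit challenges, checks responses."""

    def __init__(self):
        self.secrets = {}  # account -> secret shared with that customer's token
        self.pending = {}  # account -> challenge that has not been answered yet

    def enroll(self, account: str) -> bytes:
        self.secrets[account] = secrets.token_bytes(20)
        return self.secrets[account]  # provisioned into the token, never typed

    def new_challenge(self, account: str) -> str:
        self.pending[account] = f"{secrets.randbelow(10 ** 8):08d}"
        return self.pending[account]

    def verify(self, account: str, response: str) -> bool:
        # pop() makes every challenge single use, so a recorded response
        # cannot be submitted a second time.
        challenge = self.pending.pop(account, None)
        if challenge is None or account not in self.secrets:
            return False
        expected = token_response(self.secrets[account], challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo():
    bank = BankServer()
    account = "constructed-account-1"  # constructed sample value
    secret = bank.enroll(account)
    challenge = bank.new_challenge(account)
    response = token_response(secret, challenge)  # typed in by the customer
    first = bank.verify(account, response)
    replay = bank.verify(account, response)  # what a keylogger captured
    return first, replay
```

A response recorded by a keylogger fails on replay because the challenge it answered has already been consumed; this does not cover the case raised earlier in the thread, where the attacker controls the PC during the live session.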
