
Banks Urge Businesses To Lock Down Online Banking 201

tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using 'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."

  • By locking down everything *but* that site?

    Emphasis on web *browsing* - if you're locked to a subset of one site, you can't do a whole lot of browsing. The browser effectively turns into a sandboxed application, which is what the banks here want.

    English is a wonderful language.

  • by thatkid_2002 ( 1529917 ) on Tuesday August 25, 2009 @08:39PM (#29195155)

    Businesses do not use the web browser - they have special programs. These programs allow for multiple authorized people to sign off on a payment before it can be processed and it allows for quick and easy access to statements relating to hundreds of different accounts. One such software is NAB Online.

    Unfortunately in the case of NAB online, you have to connect to the bank by using a Dial-up modem. Kaspersky Antivirus (and Norton from what I heard) both refuse to play nice with the dial-up executable for NAB Online.

    The hardest part of locking down a business is actually trying to stop the biological mass between the keyboard and the chair from doing stupid things.

    I am a Linux server admin, and I spend 90% of my time trying to troubleshoot and lock down all this Windows related junk!

  • by TheDarkMaster ( 1292526 ) on Tuesday August 25, 2009 @09:44PM (#29195627)

    The ATMs of the Brazilian bank Itau use Windows 2000. And I'm not kidding. In the year of the "Blaster" virus, I found more than one ATM infected with Blaster.

  • It doesn't matter if these LiveCDs are kept up to date. They won't be hosting any network services, so there's nothing to exploit there. The browser can only go to the bank's website, and will only accept SSL pages. Unless the bank's web servers are compromised and attackers somehow managed to insert code designed to exploit a particular browser vulnerability, there's nothing to exploit there either. Note that that last scenario isn't impossible, but hugely improbable. One could just as easily argue that a hardware keystroke logger could be installed on the local machine. Not likely; if someone cares enough to go that far to get your data, they're gonna get it regardless.

    In other words, this is about a million times more secure than using any given general purpose desktop computer to do your banking.

  • by Zontar The Mindless ( 9002 ) <plasticfish.info@ g m a il.com> on Wednesday August 26, 2009 @02:04AM (#29197247) Homepage

    Any online banking transaction for me requires:

    * My 10-digit personal number ("personnummer" = Swedish equivalent of SSN)

    * My 4-digit PIN (assigned by bank when card is issued, not changeable by user)

    * 6-digit authorisation key from bank's website, good for 4 minutes from time of issue (I have 4 minutes to enter it into the card reader)

    * My bank card

    * Card reader (fits in a shirt pocket; first one provided gratis by bank, replacement unit is SEK 100 or about US$12.00)

    * 9-digit response code generated by card reader, good for 4 minutes from time of issue (I have 4 minutes to enter this on the web page and click the Submit button)

    All of these are required for login, requesting transaction, and finalising/authorising transaction. Any one of the pieces missing = no transaction.

    This combination seems pretty secure, and it is actually quite quick and easy to use.

  • by jimicus ( 737525 ) on Wednesday August 26, 2009 @04:12AM (#29198023)

    Since 99.99[ad nauseam]% of the users wouldn't know a hardened secure computer (I'm pretty sure Windows is categorically eliminated)

    Not true, actually. You most certainly can lock down Windows fairly heavily - in fact, Microsoft provide a tool to help you do it [microsoft.com].

    Though to be perfectly honest I'd still stick the computer in its own little /29 subnet with a firewall blocking all traffic in both directions except that which is explicitly allowed.

  • Old Tech. (Score:3, Informative)

    by mjwx ( 966435 ) on Wednesday August 26, 2009 @04:30AM (#29198149)

    'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' When almost all online banking is done through Web Sites...

    Why bother trying to beef up local security when the best option is to take the transaction off the web? Just dial in to the bank with a good old 56K modem. It's commonplace with some Australian banks to have a small business's accounts department line up all transactions on a local client and then dial in to the bank and send them. Never even touches the internet.

    It scales with dedicated DSL and Fibre lines that never touch the internet (separate routing infrastructure). A little bit costly, but when your transactions begin to max out a 56k line you should be able to afford some overpriced DSL.

  • by Aceticon ( 140883 ) on Wednesday August 26, 2009 @06:33AM (#29198873)

    I've been using such a challenge-response mechanism with my Dutch bank for several years now.

    It works together with the smart chip in your bank card:
    - At the appropriate points the bank website gives you a number that you enter in a little device where you have your bank card slotted. The device (using the smart chip in your bank card) calculates a response number which you type back in the bank website. If the numbers match you are given-access/have-pending-payments-approved.

    No passwords or any other important keywords will ever go through the network or even enter your PC (and thus cannot be sniffed or keylogged). Your PIN code is needed to activate your bank card when first slotted into the device but even if somebody manages to visually see you type it (the only way to do it remotely is to own your machine, turn on its webcam and look through it at the right time), physical possession of the card is still needed.

    The most significant weakness of this is some form of man-in-the-middle attack within a running session with the bank's website (maybe using a dynamically generated fake bank website front-end talking to the real one in the back-end and injecting payment operations in the appropriate moments).

    Funnily enough I've moved to the UK where most banks are still comparatively in the stone age (multiple-passwords is the most common of tricks). The best one I've used here (for my business account) is similar to the one from my Dutch bank but for initial authorization the smart card in your bank card does not receive a challenge-number, it just generates a number on its own.

    The truth is that most problems of unauthorized access to bank accounts via a bank's website are squarely to blame on the banks themselves - any system relying on long-lived shared authorization codes (i.e. passwords) which must go through non-hardened and potentially insecure devices (a user's PC, a browser, a network connection) is exceptionally unsafe and prone to be broken remotely using automated means.

    Even if users have the technical expertise to harden their own system, there are just too many potential elements outside the user's control (the OS, thousands of network-listening applications, the actual browser, the SSL implementation used, the certification authorities, the bank's website implementation - to name just a couple) and vectors of attack. Using long-lived shared authorization codes which go through all sorts of potentially remotely compromised systems for securing high-value targets is as dumb as it gets. To top it all up, if you happen to live in certain geographical locations, automated remote takeover of bank accounts is a low-risk-high-reward activity.

    Safer systems exist and are deployed by some banks already (i.e. challenge-response systems relying on shared keys running inside hardened devices - smart chip on the client, SAM on the server - and never coming out) but they cost money and most banks are not willing to spend it.

    Until the banks get full financial responsibility for this kind of intrusion, most won't do anything to provide an online banking environment which is not prone to them.
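The card-reader challenge-response flow that Zontar and Aceticon describe above, modelled as an added Python example (this is not code from any bank, vendor or Slashdot poster). The `CardReader`, `BankServer` and `run_scenarios` names are mine; it assumes an HMAC-SHA256 over the challenge truncated to a 9-digit code, a 6-digit challenge, the 4-minute window both posters quote, and single-use challenges. It goes one step beyond the posts with a "sign" mode in which the user also keys payee and amount into the reader, which is the usual answer to the man-in-the-middle payment injection Aceticon worries about: the response then commits to what the user intended, so a swapped payee fails verification. The shared key never leaves the reader or server objects; the "PC" side only ever handles digits.

```python
import hashlib
import hmac
import secrets
import time

# Both posters quote a 4-minute validity for the codes.
WINDOW_SECONDS = 4 * 60


def _digits(mac: bytes, n: int) -> str:
    """Truncate a MAC to an n-digit decimal code (assumption: toy truncation)."""
    return f"{int.from_bytes(mac[:8], 'big') % 10**n:0{n}d}"


class CardReader:
    """Stands in for the bank card's chip plus the pocket reader.

    The shared key lives only here; the PC side sees challenge and response
    digits only, which is the property the Dutch-bank post describes.
    """

    def __init__(self, card_key: bytes, pin: str):
        self._key = card_key
        self._pin = pin
        self._active = False

    def enter_pin(self, pin: str) -> bool:
        # The PIN activates the card in the reader; possession of the card is
        # still required because the key never leaves it.
        self._active = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._active

    def respond(self, challenge: str, payee: str = "", amount: str = "") -> str:
        """Login mode: MAC over the challenge only.
        Sign mode: user also keys payee and amount into the reader, so the
        response commits to what the user intended to pay (assumption)."""
        if not self._active:
            raise PermissionError("card not activated with PIN")
        msg = f"{challenge}|{payee}|{amount}".encode()
        return _digits(hmac.new(self._key, msg, hashlib.sha256).digest(), 9)


class BankServer:
    """Holds the same key server-side (the 'SAM' in the post above).

    Issues 6-digit challenges, enforces the time window and never accepts a
    challenge twice, so a sniffed or keylogged response cannot be replayed.
    """

    def __init__(self, card_key: bytes, clock=time.time):
        self._key = card_key
        self._clock = clock
        self._pending = {}  # challenge -> issue time

    def issue_challenge(self) -> str:
        challenge = f"{secrets.randbelow(10**6):06d}"
        self._pending[challenge] = self._clock()
        return challenge

    def verify(self, challenge: str, response: str,
               payee: str = "", amount: str = "") -> bool:
        issued = self._pending.pop(challenge, None)  # single use
        if issued is None or self._clock() - issued > WINDOW_SECONDS:
            return False
        msg = f"{challenge}|{payee}|{amount}".encode()
        expected = _digits(hmac.new(self._key, msg, hashlib.sha256).digest(), 9)
        return hmac.compare_digest(expected, response)


def run_scenarios(clock_start: float = 1_000_000.0) -> dict:
    """Walk the flows from the posts: a normal login, a replayed response,
    an expired code, a signed payment, and a payee swapped in transit."""
    now = [clock_start]                     # controllable clock for the demo
    key = secrets.token_bytes(16)           # constructed card key
    reader = CardReader(key, pin="1234")    # constructed PIN
    bank = BankServer(key, clock=lambda: now[0])
    results = {}
    reader.enter_pin("1234")

    # 1. Login: challenge from the site -> reader -> response back to the site.
    c = bank.issue_challenge()
    r = reader.respond(c)
    results["login_ok"] = bank.verify(c, r)

    # 2. Replay: a keylogger that captured c and r gains nothing.
    results["replay_rejected"] = not bank.verify(c, r)

    # 3. Expiry: the response is typed in after the 4-minute window.
    c = bank.issue_challenge()
    r = reader.respond(c)
    now[0] += WINDOW_SECONDS + 1
    results["expired_rejected"] = not bank.verify(c, r)

    # 4. Sign mode: the user keys the intended payee and amount into the reader.
    payee, amount = "NL00BANK0123456789", "250.00"   # constructed values
    c = bank.issue_challenge()
    r = reader.respond(c, payee, amount)
    results["payment_ok"] = bank.verify(c, r, payee, amount)

    # 5. Man-in-the-middle swaps the payee between browser and bank: the
    #    server MACs over the injected payee and the user's response no longer matches.
    c = bank.issue_challenge()
    r = reader.respond(c, payee, amount)
    results["mitm_swap_rejected"] = not bank.verify(c, r, "NL99MULE0000000001", amount)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

Note that the login-mode response (empty payee and amount in the MAC) only verifies as a login; it cannot be reused to approve a payment, because the payment check includes the payee and amount in the message. Scenario 5 only holds if the reader really does take the payee and amount from the user's own keypad, not from the PC, which is exactly the "never enters your PC" property the post values.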
