Banks Urge Businesses To Lock Down Online Banking
tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: 'In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses,' reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector. The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using 'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."
ubuntu (Score:1, Insightful)
why cripple the machine just because of some malware?
Sounds like they should hand out liveCDs (Score:5, Insightful)
No writable persistent storage, just a browser (configured so that it will only accept pages from the institution's set of domains and only when those pages have appropriate SSL certs. Completely reject all non-SSL pages, and any SSLed pages with certs for other institutions, or from other CAs).
There would probably be some annoying edge cases (some ghastly graphics card that isn't supported by default, and freaks out in VESA mode, say) or network issues (though you could always offer a cheap USB ethernet or wifi adapter, with a known working chipset, at cost to interested customers); but it'd be fairly easy to cover 95% of the boring business boxes and common home machines that you would be concerned about, if suitably generic settings were used.
As hardware gets cheaper and/or for larger accounts, it might even make sense to put together a dedicated banking appliance offering, basically the cheapo embedded ARM embodiment of the above.
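The connection policy the comment above sketches (https only, an allowlist of the institution's hostnames, a certificate that is valid for that host and chains to one pinned CA, everything else rejected) can be expressed as a small policy check. The following is an added example, not code from the original post or from any bank; the hostnames, CA name and certificates in it are constructed assumptions. The certificate is taken in the dict shape that `ssl.SSLSocket.getpeercert()` returns, so the same function can be run against a live TLS connection from the appliance's browser wrapper.

```python
"""Connection policy for a locked-down banking appliance (added example).

Every outbound page load must pass all of these checks or be dropped:
  1. scheme is https (no plaintext fallback)
  2. hostname is on the institution's allowlist
  3. the presented certificate is valid for that hostname (SAN match)
  4. the certificate was issued by the one pinned CA, not just any trusted CA
  5. optionally, the leaf certificate's SHA-256 fingerprint is pinned
Certificates are passed in the dict form returned by ssl.SSLSocket.getpeercert().
All hostnames, CA names and certificate contents below are constructed.
"""
import hashlib
from urllib.parse import urlsplit

# Assumed institution settings (constructed, not a real bank).
ALLOWED_HOSTS = {"online.examplebank.test", "www.examplebank.test"}
PINNED_ISSUER_ORG = "Example Bank Root CA"
# Constructed stand-in for the DER bytes of the bank's leaf certificate.
SAMPLE_LEAF_DER = b"constructed-der-bytes-for-example-only"
PINNED_LEAF_SHA256 = {hashlib.sha256(SAMPLE_LEAF_DER).hexdigest()}


def _hostname_matches(pattern, host):
    """RFC 6125-style match: a leading '*.' wildcard covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def check_connection(url, cert, der_cert=None):
    """Return (allowed, reason) for loading `url` over a TLS session that
    presented `cert` (getpeercert() dict) and optionally `der_cert` bytes."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "non-https"
    host = parts.hostname or ""
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"

    # Reject certs issued for other institutions: the name must cover this host.
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_hostname_matches(p, host) for p in sans):
        return False, "certificate not valid for host"

    # Reject certs from other CAs: flatten the issuer RDNs and pin the org.
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    if issuer.get("organizationName") != PINNED_ISSUER_ORG:
        return False, "issuer is not the pinned CA"

    # Optional leaf pin; getpeercert(binary_form=True) supplies the DER bytes.
    if der_cert is not None:
        if hashlib.sha256(der_cert).hexdigest() not in PINNED_LEAF_SHA256:
            return False, "leaf fingerprint mismatch"
    return True, "ok"


# Constructed sample certificates in getpeercert() layout.
GOOD_CERT = {
    "subject": ((("commonName", "online.examplebank.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", PINNED_ISSUER_ORG),)),
    "subjectAltName": (("DNS", "online.examplebank.test"), ("DNS", "www.examplebank.test")),
}
OTHER_CA_CERT = {
    "subject": ((("commonName", "online.examplebank.test"),),),
    "issuer": ((("organizationName", "Some Other Public CA"),),),
    "subjectAltName": (("DNS", "online.examplebank.test"),),
}
WRONG_HOST_CERT = {
    "subject": ((("commonName", "login.otherbank.test"),),),
    "issuer": ((("organizationName", PINNED_ISSUER_ORG),),),
    "subjectAltName": (("DNS", "login.otherbank.test"),),
}

if __name__ == "__main__":
    for url, cert, der in [
        ("https://online.examplebank.test/login", GOOD_CERT, SAMPLE_LEAF_DER),
        ("http://online.examplebank.test/login", GOOD_CERT, None),
        ("https://mail.example.test/", GOOD_CERT, None),
        ("https://online.examplebank.test/", OTHER_CA_CERT, None),
        ("https://online.examplebank.test/", WRONG_HOST_CERT, None),
        ("https://online.examplebank.test/", GOOD_CERT, b"tampered"),
    ]:
        print(url, check_connection(url, cert, der))
```

On a live connection the dict comes from `sock.getpeercert()` and the DER bytes from `sock.getpeercert(binary_form=True)` after wrapping the socket with an `ssl.SSLContext` whose trust store holds only the bank's CA; the policy above then rejects anything the TLS layer alone would have accepted from a different trusted CA.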
Re:Oh, yeah! Another "Eastern Europe" story... (Score:4, Insightful)
Do you have a citation for your claim?
I would certainly believe that most of this crime comes from places like Eastern Europe and Russia, because it makes perfect sense. Those parts of the world are now connected to the West through the internet, and the people there are smarter and better educated than Americans (especially in regards to science and math). There's a good reason so many companies have software development teams in places like Russia, Latvia, and Romania these days. With all the computer expertise in those regions, it makes perfect sense that a lot of fraudulent activity would come from there as well.
Re:what about this (Score:3, Insightful)
Maybe. Maybe not. You, with your sporting good store, may have suppliers in other countries. You may go to their site. You may go on a trip elsewhere. While you're out, you can trust that the interim manager can handle everything, or you can look in on your bank accounts while you're gone. I know, it's not the best idea in the world, but no one ever said business owners always follow best security practices.
If you were locked out of the account while you were overseas, you'd probably call and bitch the bank out (at $5/min for the phone charges). Not all businesses have the luxury of being mom & pop shops, and only ever doing business from their office line. Geo-locating the IP isn't exactly fool proof either. Depending on the line I'm on any day, I've been located in several states around the US, China, and Europe. All of those have been within one state, and generally just a handful of cities. It's not a failure on the ISP's part, it's a failure on the folks who are maintaining the geo-locating databases being used. Well, not exactly a failure, since they give a percentage of accuracy in their advertising.
I just checked the IP I'm on today with MaxMind's site (the providers of GeoIP). The result was close, but still the wrong city. What if I told them to only expect traffic from City X and determine anything from anywhere else was fraud? Now I'm going to be considered an attacker. Wheee. I hope the feds don't come knocking my door down. Well, I am sitting by the pool, sipping some pretty serious rum drinks right now, but that's what happens when you're on vacation. :)
Re:Sounds like they should hand out liveCDs (Score:3, Insightful)
Sounds to me like a valid reason to run OpenBSD.
Or maybe all those fucking banks can make Web sites that don't recommend (or require) Internet Explorer.
Re:...and how would you do that? (Score:5, Insightful)
Could we at least start by replacing the freaking pin numbers with something meaningful? A four digit numeric does NOT make a password FFS!!
Maybe next, we could graduate the bank's computers from Windows 2000 up to something remotely sane - like Redhat SEL.
The idea of a biometric ID in conjunction with a reasonably secure password hash has its appeal, as well. If my bank would use it, I'd install a fingerprint reader on my HOME computer. Businesses should just jump on that idea - it's a small price to increase security dramatically.
Finally, maybe we can get around to "Linux - the year of the desktop!" Face it, boys and fanbois - no unix-like machine is open to as many exploits as Windows is.
I'm just dreaming, of course. If I manage to live another 20 years, we'll still be having similar discussions, PIN numbers will still be 4 digit numerics, and Windows XP will be the ancient, outdated operating system of choice for banks.
Re:USA Stimulus Package Payback Plan (Score:3, Insightful)
"wait until big businesses in China are bankrupted by cyberterrorism"
Maybe they've just thawed you out after a nice cryogenic nap? China is migrating to Linux. Red Flag Linux. They may not be invulnerable to cyberterrorism, but they certainly don't leave their WINDOWS OPEN for terrorists, like US businesses do.
Re:...and how would you do that? (Score:4, Insightful)
The browser effectively turns into a sandboxed application, which is what the banks here want.
Why not just make a separate application? You're trying to force a browser to be essentially different than what it was designed to be, and then you're complaining that it's not really working.
I know cross-platform availability is great, but you can also do that with say Qt. Not to mention you'd have your own nicely designed UI instead of the clunky pile of shit most banks today do, without inheriting the security problems of every fucking browser out there. One would think that because this is an absolutely critical task in terms of security, banks would at least try to minimize the amount of code involved, or at least the amount of code they have no fucking control over whatsoever.
I know Web 2.0 is hyped right now, but stop acting like the browser is the only application capable of establishing a network connection. As a famous cat put it: THIS IS WHY WE CAN'T HAVE NICE THINGS.
Re:Sounds like they should hand out liveCDs (Score:2, Insightful)
I make up single use lies for the security questions and store them in Password Safe (from what I gather, Keepass has better support for more platforms). That solves the Palin problem. Of course, I then can't access my bank account from other computers, but I don't trust all that many other computers, so that doesn't hurt all that much.
Re:...and how would you do that? (Score:3, Insightful)
Users are their own worst enemy
Quite so. I don't know where I read it, but the quote below sums it up nicely.
The average user wouldn't know a security issue if it was parading down the main street naked carrying a large sign saying "I am a security issue"
people from Eastern Europe condemn crime (Score:4, Insightful)
Why should malicious software be possible on a PC at all? People pay for the operating system. And they have to pay for anti-virus, for anti-spyware. This is the point.
Why can't Windows One Care be part of the OS? People all over the world would sigh with relief. Is it not done to milk billions from customers, first for a monopoly insecure OS and then a second time for making the OS secure?
People from Eastern Europe of criminal persuasion fit very conveniently into this picture. Very conveniently. But this image really hurts the interests of honest, hard-working people from Eastern Europe on the global market scene. There are a lot of good people in Eastern Europe who brought good things into this world, say, the periodic table of elements, the first flight into space, etc.
Include Windows One Care in Windows and stop harassing us.
Re:...and how would you do that? (Score:3, Insightful)
> The browser effectively turns into a sandboxed application, which is what the banks here want.
Regardless of the wishes of those greedy fucks, a browser and each site should be sand-boxed in the first place. Viewing one site should have no relevance to the tab beside it, even less for your user files and most certainly not your system files.
Re:...and how would you do that? (Score:3, Insightful)
It is pointless to secure a system that is to be used by idiots.
A default installation of XP or Vista is the most secure system in the world for an average user; any security beyond that is invalidated by their stupidity. What they need are competent employees; then these issues wouldn't exist.