Banks Urge Businesses To Lock Down Online Banking

tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: '"In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses," reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector.' The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using "'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."
  • by sicapo ( 622621 ) on Tuesday August 25, 2009 @08:22PM (#29195021)
    'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' When almost all online banking is done through Web sites...
  • by dnaumov ( 453672 ) on Tuesday August 25, 2009 @08:27PM (#29195071)
    The article talks about the victims actually intending to sue their banks to get their money back. WTF? Since when is the bank responsible for the lax security on the customer's side?
  • by jumpingfred ( 244629 ) on Tuesday August 25, 2009 @08:37PM (#29195149)

    It is also lax security on the banks side. The bank is not properly verifying that the transactions really come from the businesses. It is much like identity theft. The person didn't steal my identity they got around the bank or credit card companies poor security to trick the bank. They took nothing from me they tricked the bank into giving them my money.

  • Huh...funny... (Score:2, Interesting)

    by Anonymous Coward on Tuesday August 25, 2009 @08:40PM (#29195165)

    Never once seen such a thing go down with Mac & Linux users. But hey, that's me.

  • by fuzzyfuzzyfungus ( 1223518 ) on Tuesday August 25, 2009 @08:41PM (#29195171) Journal
    Probably depends on the strength of the bank's verification system. If I leave my front door open, and somebody walks in and steals my ID, I'm guilty of being lax. If the bank accepts my stolen ID, from a guy who looks completely different than I do, they are guilty of being lax, even though my laxness precipitated the incident.

    In the online banking case, for instance, any bank that doesn't red-flag a situation where simultaneous online sessions on the same account are going on from an IP near the customer's address and an IP somewhere in Latvia is, arguably, negligently overlooking a likely fraud situation, even if it was malware on my machine that let the Latvian session be established.
  • by AnyoneEB ( 574727 ) on Tuesday August 25, 2009 @08:46PM (#29195197) Homepage

    I agree that suing the banks seems like a strange reaction, but this type of attack only works because the banks simply do not care about security. On previous articles I have seen posters mention their banks (somewhere in Europe) have papers which have a list of single-use transaction codes which are used in some sort of challenge-response system. For example, choosing a code based on the transaction date, target, amount, and some randomness would protect against attacks like the one described where a compromised computer is used to drain a bank account.

    The client should have better security -- after all, even seeing the bank account info would likely be interesting to some attackers -- but the banks need to be held accountable for their lack of security features as well.

  • by JWSmythe ( 446288 ) <jwsmythe@nospam.jwsmythe.com> on Tuesday August 25, 2009 @08:51PM (#29195227) Homepage Journal

        Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ . Brilliant advice.

        Since 99.99[ad nauseam]% of the users wouldn't know a hardened secure computer (I'm pretty sure Windows is categorically eliminated), I'm not sure who they were suggesting that to. I have the only Linux virus I've ever seen, and it's safely tucked away on a floppy disk, in a concrete vault, underground, at a location that I forgot. :) Dammit, I knew I shouldn't have left the map in the vault. Most "bank customers" wouldn't keep a dedicated machine just to check their bank balance with. Hell, they'll call out on the company PBX and give their credit card information over the phone to any arbitrary business, with coworkers happily writing it down and the phone admin recording the call.

        Users are their own worst enemy. Hmm, wasn't there a story today saying something to that effect? I once found a bank card (w/ Visa logo) on top of an ATM. For some reason, they set it down and forgot it there. Brilliant. Since there was no one around to claim it, I called the bank. It took me an hour to convince them that I found it and that the card should be canceled. They "couldn't release any information on the card holder until...." I told them, "I'm holding the card in my hand. I guess that makes me the card holder." Finally, they told me "Oh, just bring it to a branch on Monday", at which point they finally canceled it. I knew the people at the branch, so they knew I was legitimate, and they confirmed that it hadn't been canceled. The account hadn't even been noted that I called in to report it. What if I wasn't a nice guy? I would have had 2 days or more to charge anything I wanted. If you can't get a person to maintain control over a little physical piece of plastic, why should they think that they're going to do any better elsewhere?

  • by ArcherB ( 796902 ) on Tuesday August 25, 2009 @08:53PM (#29195235) Journal

    Businesses do not use the web browser

    Yes they do. OK, big businesses may have apps that dial into big banks, but small businesses use local banks and local banks cannot afford a custom written proprietary app that they give to their business customers. The vast majority of small businesses that use local banks do most of their banking through a web browser. I've seen businesses do payroll, wires, ACH payments, transfers, you name it, all through a common web browser.

    However, most of these systems are cookie limited to a single computer per login and multi-factor challenged if the IP changes. The biggest problem we've seen has been phishing scams looking for credentials of non-business accounts. Although these sites are usually shut down within hours of the bank finding out what is up.

  • what about this (Score:3, Interesting)

    by FudRucker ( 866063 ) on Tuesday August 25, 2009 @08:55PM (#29195249)
    Say for example I own a sporting goods store in St. Louis, Missouri and my bank is in the same town. Don't you think the bank should reject anyone using my identity with an IP address that is in another country?

    I think the banks need to be more careful about who is logging on to their systems.
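The two checks proposed above (FudRucker: reject a login from a country other than the customer's own; fuzzyfuzzyfungus: flag simultaneous sessions on one account from an IP near the customer and an IP abroad) are easy to express as rules over a session log. The following is an added example written for this page, not code from any bank or from the thread's posters. The geolocation table, the home-country mapping and the log lines are all constructed for the example; a real deployment would use a GeoIP database and the bank's own session store.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed geolocation table (assumed, for the example only). A real
# deployment would consult a GeoIP database; these are documentation prefixes.
GEO = {
    "US": [ipaddress.ip_network("203.0.113.0/24")],
    "LV": [ipaddress.ip_network("198.51.100.0/24")],
}

# Assumed: the bank records each business customer's home country.
HOME_COUNTRY = {"acct-1001": "US", "acct-2002": "US"}

# Constructed session log: (account, event, client_ip, ISO timestamp).
LOG = [
    ("acct-1001", "login",  "203.0.113.10", "2009-08-25T14:00:00"),
    ("acct-1001", "login",  "198.51.100.7", "2009-08-25T14:03:00"),
    ("acct-1001", "logout", "203.0.113.10", "2009-08-25T14:20:00"),
    ("acct-2002", "login",  "203.0.113.55", "2009-08-25T15:00:00"),
    ("acct-2002", "logout", "203.0.113.55", "2009-08-25T15:10:00"),
    ("acct-2002", "login",  "198.51.100.9", "2009-08-25T16:00:00"),
]


def country_of(ip: str) -> str:
    """Map a client IP to a country code using the assumed GEO table."""
    addr = ipaddress.ip_address(ip)
    for country, nets in GEO.items():
        if any(addr in net for net in nets):
            return country
    return "??"


def flag_sessions(log, home, idle_timeout=timedelta(minutes=30)):
    """Return a list of (account, rule, detail) alerts.

    foreign_login: a login whose country differs from the customer's
    home country.
    concurrent_cross_country: a login while another session on the same
    account is still open from a different country. A session counts as
    open until it logs out or has been idle longer than idle_timeout.
    """
    alerts = []
    open_sessions = {}  # account -> {client_ip: last_seen}
    for account, event, ip, ts in sorted(log, key=lambda r: r[3]):
        now = datetime.fromisoformat(ts)
        sessions = open_sessions.setdefault(account, {})
        # Expire sessions that have been idle too long.
        for old_ip, last_seen in list(sessions.items()):
            if now - last_seen > idle_timeout:
                del sessions[old_ip]
        if event == "logout":
            sessions.pop(ip, None)
            continue
        country = country_of(ip)
        if country != home.get(account):
            alerts.append((account, "foreign_login", f"{ip} ({country})"))
        for other_ip in sessions:
            other = country_of(other_ip)
            if other != country:
                alerts.append((account, "concurrent_cross_country",
                               f"{other_ip} ({other}) with {ip} ({country})"))
        sessions[ip] = now
    return alerts


if __name__ == "__main__":
    for alert in flag_sessions(LOG, HOME_COUNTRY):
        print(alert)
```

On the constructed log the first account trips both rules (a Latvian login while the local session is still open) and the second trips only the foreign-login rule, since its local session had already logged out. Either rule is a signal to step up verification, not proof of fraud: a customer really can travel, and malware on the customer's own machine can just as well relay the fraudulent session through the customer's own IP address, in which case neither rule fires.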
  • by Anonymous Coward on Tuesday August 25, 2009 @08:56PM (#29195261)

    How about just using SSL for the login page? Most of them don't--it's hidden in an iframe, and without viewing source or checking the form, you've got no reason to be certain your login data will be securely transferred. And don't get me started on *every single bank* I've used having XSS vulnerabilities -- to top it off, most of the little ones outsource all of their financing/credit card transactions to third party companies--just to pay the damned balance on my visa, I have to allow javascript from four different domains.

    Most every bank trying to comply with increased security requirements met the rules for two factor authentication by SAVING A FUCKING COOKIE on my drive (I wish congress would pass an additional law mandating strict liability in event of security breach for any institution that circumvented the intent of that rule in such a manner)

    If I purge the cookies, they have me authenticate with MORE "passwords" (two passwords is two-factor, right? So if we ask for three we can claim we have 5-factor authentication) including such tidbits as my first school or grandfather's name. Surely I'd never reveal those in conversation to anyone. How about they spend $20 or give me the option to pay it myself to buy a dongle with a rotating pin?

    I think you're going way too far too fast... a lot of the problems are on the customer side (and that's almost every programmer's fault for requiring things like javascript/cookies and using them in excess) when a lot of the issues stem from...lax, lazy attitudes--but the banks are just as guilty. I guess you can say it's best to start with the weakest link in the chain--but the whole system is in need of overhaul and a few rolled heads.

    Sorry to rant in reply--you're right that livecds would help...but the whole system is so screwed up that shipping them would be like putting a bandaid on a corpse.

  •     But, that's the type of technical support headache that they've been trying to get away from, with virtual POS terminals, using the web page instead of their custom app, etc, etc. Even if your live CD worked on every machine ever known to man, when something flakes out, they're calling the bank first. Come on, how many times have you fixed a "my computer can't get on the Internet" because they accidentally unplugged the network cable? Or maybe they didn't even turn it on. Anyone who's worked in any kind of office where the management found out that you really know everything about computers, will bug the shit out of you to fix theirs (and their home machine, and the kids machine, and grand auntie Gertrude's machine too, even though she's legally blind and can't figure out what to do with a mouse).

        I've spent the last month or two touring the country, going from site to site on demand to fix everything. You wouldn't believe how many "best practices" have been completely ignored. Even when you say "there was malware that intercepted everything done online. They have all of your usernames and passwords, credit card numbers, and account numbers. Call the bank and cancel every credit card you've used online, and change every password that you have", they say they'll get around to it sometime and won't actually do it.

        I got a call today. It was a machine that I worked on two months ago, where I removed more viruses than I care to remember. Someone uninstalled the antivirus software that I installed, but they were kind enough to click through every way to get a new virus. 3 hours later it's clean again. I'll be getting the same call in a month.

        Your edge cases aren't edge cases. I'm afraid they'd be pretty damned close to 50%. The first banks that tried to force it would go out of business, because the customers would go to another bank that's "easier to work with".

  • by Anonymous Coward on Tuesday August 25, 2009 @09:08PM (#29195369)

    Problem with a Live CD is that it can't be kept up to date. Linux has lots of vulnerabilities too. Just recently there was a big kernel bug exposed and the software you run on Linux (Firefox, etc) always has bugs too. Currently they don't seem to be targeted too often but if banks started handing out these "secure" Live CDs you can bet they would be targeted then. Because it's a Live CD the bugs would probably persist for long periods of time.

    The poster above me makes a good point. I hate that websites in general, especially banks, have non-SSL pages that you use to log into the secure SSL site. That is an extremely poor design because it then becomes super easy for a hacker to create a fake login page.
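The complaint in the two comments above (a login form served from a plain-HTTP page, or hidden in an iframe, so the user cannot tell from the address bar where the password will go) can be checked mechanically from the page source. The following audit script is an added example for this page, not code from the thread or from any bank. The two HTML pages it inspects are constructed for the example; the host names are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormAudit(HTMLParser):
    """Collect every form that contains a password field, and every iframe."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []      # dicts: {"action": absolute URL, "has_password": bool}
        self.iframes = []    # absolute iframe src URLs
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no action posts back to the page itself.
            self._current = {"action": urljoin(self.page_url, a.get("action", "")),
                             "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None \
                and a.get("type", "").lower() == "password":
            self._current["has_password"] = True
        elif tag == "iframe":
            self.iframes.append(urljoin(self.page_url, a.get("src", "")))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_page(page_url, html):
    """Return (rule, detail) findings for a login page fetched from page_url."""
    parser = LoginFormAudit(page_url)
    parser.feed(html)
    page = urlsplit(page_url)
    findings = []
    if page.scheme != "https":
        # Anything on a plain-HTTP page, including the form target and the
        # iframe src, can be rewritten in transit before the user sees it.
        findings.append(("http_page", page_url))
    for form in parser.forms:
        if form["has_password"] and urlsplit(form["action"]).scheme != "https":
            findings.append(("http_password_form", form["action"]))
    for src in parser.iframes:
        frame = urlsplit(src)
        if frame.scheme != "https":
            findings.append(("http_iframe", src))
        elif frame.netloc != page.netloc:
            # The address bar shows the outer page, not the frame's origin.
            findings.append(("foreign_iframe", src))
    return findings


# Constructed sample pages (placeholder host names).
BAD_PAGE = ("http://bank.example/", """
<html><body>
<form action="https://secure.bank.example/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
<iframe src="http://bank.example/promo"></iframe>
<iframe src="https://login-vendor.example/frame"></iframe>
</body></html>""")

GOOD_PAGE = ("https://bank.example/login", """
<html><body>
<form action="/login" method="post">
  <input name="user"><input type="password" name="pass">
</form>
</body></html>""")


if __name__ == "__main__":
    for url, html in (BAD_PAGE, GOOD_PAGE):
        print(url, audit_login_page(url, html))
```

Note that the bad page's form does post to an HTTPS URL, which is exactly the design the commenters object to: the submission is encrypted, but because the page carrying the form arrived over HTTP, nothing stops an attacker on the path from swapping that action for their own before the user types anything.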

  • by Spit ( 23158 ) on Tuesday August 25, 2009 @09:31PM (#29195517)

    Scammers are getting around that by hijacking your phone number. Probably the best I've seen is using a challenge-response for all transactions, with a frob supplied by the bank.

  • by CastrTroy ( 595695 ) on Tuesday August 25, 2009 @09:34PM (#29195541)
    I would say that low wages have a lot more to do with the presence of software development teams in countries like Russia. Sure there's probably a lot of smart people in Russia, but if they were top notch, they would be working for the same wage as American workers (because they would be providing the same value), or they would start their own software firms, and put out their own products, allowing them to earn much more money because they wouldn't be paid by how many hours they spent programming, but rather by how many people they could get to buy the product that takes the same number of hours to program whether you sell 1 or 10000 copies.
  • by eric31415927 ( 861917 ) on Tuesday August 25, 2009 @10:16PM (#29195865)

    My dream:

    A bank could dole out thumb drives to its customers, which thumb drives could boot up into an O/S [hopefully not within a VM] that only allows Internet access to the bank's website. Passwords could change every minute with use of an RSA key chain (eTrade facilitates minute-by-minute password changing).

    It would be nice if the thumb drives were read only; perhaps some sort of dongle might work.

    This would make me feel more secure in my online bank transactions.

  • Linux Partition (Score:3, Interesting)

    by Merritt.kr ( 1120467 ) on Wednesday August 26, 2009 @12:20AM (#29196653) Homepage
    This is actually a big selling point for my business: I do computer repairs, and my focus is on selling people on the idea of using Linux. One of my best points is "On Windows, you are almost guaranteed to have malware on your computer tracking you and watching you, stealing your CC, etc.. If nothing else, use Linux to just log off windows, sign on to Linux and do your banking." Not perfect security, but a heck of a lot better than when you have malware trying to get that info every time you buy off Amazon or sign in to online banking to pay a bill.
  • by Max_W ( 812974 ) on Wednesday August 26, 2009 @12:43AM (#29196799)
    Your anger is misplaced. We in Ukraine hate crime even more than you do.

    Besides an image of "fucking peasants", of "sleazy Ukrainian hacker", etc. really hurts us on a global market place.

    If Microsoft included One-Care into its Windows OS, we would not have this conversation at all. But they do not do it to milk customers twice: for insecure OS and for the anti-virus, anti-spy-ware products. It is a billions and billions business. And a cultivated image of a nonexistent "sleazy Ukrainian hacker" fits very conveniently in this business.

    The man who sent the first human into space, Sergey Korolyov, was from Ukraine. The mathematician who helped him to calculate this flight, Ginsburg, was also from Ukraine.

    But instead we are getting a reputation of "fucking peasants" and criminals. Of course there are criminals and prisons in Ukraine, the same as in your part of the world. But we are not responsible for the insecure OS and the multi-billion business based on this fear.
  • by fulldecent ( 598482 ) on Wednesday August 26, 2009 @09:30AM (#29200529) Homepage

    In my dealings with TD Ameritrade, and an online brokerage starting with the letter Z (guess which one I signed a (weak) NDA with and am now regretting), and then dealing with the SEC and the FBI to clean up what I found, I can tell you this:

    Businesses with insecure workstations are not necessarily the reason why banks are getting broken into.

    Banks are _careless_ with their online security, leaving things like token validation and referrer logging well beyond their vocabulary. After my findings, contact with the agencies shows that they prioritize things like DDOS (which affects businesses) higher than "loss" of information (which affects customers.)

  • by Jedi Alec ( 258881 ) on Wednesday August 26, 2009 @09:46AM (#29200765)

    My dream:

    A bank could dole out thumb drives to its customers, which thumb drives could boot up into an O/S [hopefully not within a VM] that only allows Internet access to the bank's website. Passwords could change every minute with use of an RSA key chain (eTrade facilitates minute-by-minute password changing).

    It would be nice if the thumb drives were read only; perhaps some sort of dongle might work.

    This would make me feel more secure in my online bank transactions.

    Or the banks give out small card readers that the online shopper sticks their bank pass into, types in his PIN and a one time code to yield a one-time key to confirm the transaction.

    Wait....we've already got that! In some places anyway.
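Several comments in this thread ask for a hardware token: the "dongle with a rotating pin", the RSA key chain whose password changes every minute, and the card reader that turns a PIN plus the transaction into a one-time code. AnyoneEB's remark that the code should depend on the target and amount is the important distinction, and the following added example shows why. It is written for this page and is not code from any bank, token vendor or poster. The shared secret, the bank challenge and the account strings are constructed placeholders; the HOTP truncation follows RFC 4226, and the transaction code is a straightforward HMAC over the details the device would show on its own display.

```python
import hashlib
import hmac
import struct
import time


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: pick 4 bytes at an offset taken from the MAC."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac, digits)


def totp(secret: bytes, now: float, step: int = 60, digits: int = 6) -> str:
    """The 'rotating pin' dongle: a code that changes every `step` seconds."""
    return hotp(secret, int(now // step), digits)


def verify_totp(secret: bytes, code: str, now: float, step: int = 60, window: int = 1) -> bool:
    """Accept the current code or its neighbours, to allow for clock drift."""
    return any(hmac.compare_digest(code, totp(secret, now + d * step, step))
               for d in range(-window, window + 1))


def transaction_code(secret: bytes, dest_account: str, amount_cents: int,
                     challenge: str, digits: int = 8) -> str:
    """Code bound to the destination, the amount and a bank-issued challenge.

    The device computes this only after showing dest_account and amount_cents
    on its own screen, so a compromised PC cannot change them unnoticed.
    """
    msg = f"{dest_account}|{amount_cents}|{challenge}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac, digits)


def verify_transaction(secret: bytes, code: str, dest_account: str,
                       amount_cents: int, challenge: str) -> bool:
    return hmac.compare_digest(
        code, transaction_code(secret, dest_account, amount_cents, challenge))


def malware_scenario():
    """Malware on the customer's PC captures what the user types and submits
    its own transfer instead. Returns (totp_accepted, bound_code_accepted)."""
    secret = b"constructed-shared-secret-for-this-example"   # placeholder
    now = 1251237600                                         # fixed clock

    # Rotating-pin dongle: the captured code says nothing about the transfer,
    # so the bank accepts it for whatever the malware sends in the window.
    captured = totp(secret, now)
    totp_accepted = verify_totp(secret, captured, now)

    # Transaction-bound code: the user signed "pay ACCT-SUPPLIER-01 500.00";
    # the malware rewrites the transfer to its mule account and a larger sum.
    challenge = "bank-challenge-17"                          # placeholder
    signed = transaction_code(secret, "ACCT-SUPPLIER-01", 50000, challenge)
    bound_accepted = verify_transaction(
        secret, signed, "ACCT-MULE-99", 1500000, challenge)
    return totp_accepted, bound_accepted


if __name__ == "__main__":
    secret = b"constructed-shared-secret-for-this-example"
    print("current code:", totp(secret, time.time()))
    print("malware scenario (totp accepted, bound accepted):", malware_scenario())
```

The time-based code stops a stolen password from being reused later, but it is still just a second password: malware running in the customer's browser can use it, once, for a transfer the customer never saw. The bound code fails the moment the destination or the amount differs from what the device displayed, which is the property the card-reader schemes mentioned above rely on. Two caveats: the bank's challenge must be fresh per transaction so a captured code cannot be replayed, and the whole benefit depends on the device having its own display; a code delivered by phone or SMS inherits the phone-hijacking problem Spit raised.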

  • by markdavis ( 642305 ) on Friday August 28, 2009 @07:45AM (#29228957)

    Why not put Linux on your laptop then? You should be able to run Vista in VirtualBox, if you really need it. I am shocked at how quickly VirtualBox became mature, how high-quality it is, how many features it has, and how often it is updated.
