
Banks Urge Businesses To Lock Down Online Banking

kdawson posted more than 5 years ago | from the no-social-no-engineering dept.

Businesses 201

tsu doh nimh writes "Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the US, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions, The Washington Post's Security Fix blog reports: 'In the past six months, financial institutions, security companies, the media and law enforcement agencies are all reporting a significant increase in funds transfer fraud involving the exploitation of valid banking credentials belonging to small and medium sized businesses,' reads a confidential alert issued by the Financial Services Information Sharing and Analysis Center, an industry group created to share data about critical threats to the financial sector. The banking group is urging that commercial bank customers 'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' The story includes interviews with several victim businesses, and explains that in each case, the fraudsters — thought to reside in Eastern Europe — are using 'money mules,' unwitting or willing accomplices in the US hired via Internet job boards. The blog has more stories and details about these crimes."


8==C=O=C=K==S=L=A=P==D ~~-_ (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29194969)

thunk.

Bigger than Rob's dick (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29195019)

Too bad that Rob Malda's penis is eclipsed by the length of the penis in the parents title line.

Re:Bigger than Rob's dick (1)

Dmxftw (1622951) | more than 5 years ago | (#29196199)

Maybe Rob has a huge monitor with very low resolution ..... then you wouldn't be laughing............

First Post (0, Offtopic)

Garrard (205508) | more than 5 years ago | (#29195009)

First Post?

Re:First Post (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#29195157)

Failst Post!

...and how would you do that? (5, Interesting)

sicapo (622621) | more than 5 years ago | (#29195021)

'carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.' When almost all online banking is done through Web sites...

Re:...and how would you do that? (0)

Anonymous Coward | more than 5 years ago | (#29195053)

live cd

Eastern Europe is a euphemism for KOMMIE BASTARDS (0, Troll)

Anonymous Coward | more than 5 years ago | (#29195851)

KOMMIE BASTARDS!!!!!

The dirty russians are at it and always will, the 3rd world example of a toilet overflowing with shit and lots and lots of rotting remains.

Re:...and how would you do that? (4, Informative)

ScytheBlade1 (772156) | more than 5 years ago | (#29195055)

By locking down everything *but* that site?

Emphasis web *browsing* - if you're locked to a subset of one site, you can't do a whole lot of browsing. The browser effectively turns into a sandboxed application, which is what the banks here want.

English is a wonderful language.

Re:...and how would you do that? (1)

xeoron (639412) | more than 5 years ago | (#29195243)

Maybe the banks should release browser extensions that turn on bank lock down mode via the press of a button. Or, people can merely run a locked down VM instance of a OS/browser combo that is solely used for banking; going ever further, someone should package a slim VM just for that purpose and share it with all to use (maybe a version of gOS with Google Chrome or freeBSD with Firefox, or use that Kiosk SuSE linux builder app....). Hrm... think I might have to play with those things this weekend....

Re:...and how would you do that? (1)

maxume (22995) | more than 5 years ago | (#29195305)

To be worth much, you have to do all your risky activity inside of a VM. Running a 'safe' VM on top of a compromised system is only going to buy a little bit of protection.

Re:...and how would you do that? (2, Interesting)

eric31415927 (861917) | more than 5 years ago | (#29195865)

My dream:

A bank could dole out thumb drives to its customers, which thumb drives could boot up into an O/S [hopefully not within a VM] that only allows Internet access to the bank's website. Passwords could change every minute with use of an RSA key chain (eTrade facilitates minute-by-minute password changing).

It would be nice if the thumb drives were read only; perhaps some sort of dongle might work.

This would make me feel more secure in my online bank transactions.

Re:...and how would you do that? (1)

Shakrai (717556) | more than 5 years ago | (#29196231)

This would make me feel more secure in my online bank transactions.

Or you could just secure your computer and put the tin-foil hat away. Just an idea. I've been using online banking in one form or another for 12 years from my regular old PC and I've yet to encounter a problem. Of course I don't generally agree to install the "ANTI-VIRUS SOFTWARE UPDATE ACTIVEX APPLICATION V 6.5.19.1.61" that pops up while I'm surfing for porn or warez ;)

Re:...and how would you do that? (3, Insightful)

Jurily (900488) | more than 5 years ago | (#29195897)

The browser effectively turns into a sandboxed application, which is what the banks here want.

Why not just make a separate application? You're trying to force a browser to be essentially different than what it was designed to be, and then you're complaining that it's not really working.

I know cross-platform availability is great, but you can also do that with say Qt. Not to mention you'd have your own nicely designed UI instead of the clunky pile of shit most banks today do, without inheriting the security problems of every fucking browser out there. One would think that because this is an absolutely critical task in terms of security, banks would at least try to minimize the amount of code involved, or at least the amount of code they have no fucking control over whatsoever.

I know Web 2.0 is hyped right now, but stop acting like the browser is the only application capable of establishing a network connection. As a famous cat put it: THIS IS WHY WE CAN'T HAVE NICE THINGS.

Re:...and how would you do that? (1, Informative)

thatkid_2002 (1529917) | more than 5 years ago | (#29195155)

Businesses do not use the web browser - they have special programs. These programs allow for multiple authorized people to sign off on a payment before it can be processed and it allows for quick and easy access to statements relating to hundreds of different accounts. One such software is NAB Online.

Unfortunately in the case of NAB online, you have to connect to the bank by using a Dial-up modem. Kaspersky Antivirus (and Norton from what I heard) both refuse to play nice with the dial-up executable for NAB Online.

The hardest part of locking down a business is actually trying to stop the biological mass between the keyboard and the chair from doing stupid things.

I am a Linux server admin, and I spend 90% of my time trying to troubleshoot and lock down all this Windows related junk!

Re:...and how would you do that? (2, Interesting)

ArcherB (796902) | more than 5 years ago | (#29195235)

Businesses do not use the web browser

Yes they do. OK, big businesses may have apps that dial into big banks, but small businesses use local banks and local banks can not afford a custom written proprietary app that they give to their business customers. The vast majority of small businesses that use local banks do most of their banking through a web browser. I've seen businesses do payroll, wires, ACH payments, transfers, you name it, all through a common web browser.

However, most of these systems are cookie limited to a single computer per login and multi-factor challenged if the IP changes. The biggest problem we've seen has been phishing scams looking for credentials of non-business accounts, although these sites are usually shut down within hours of the bank finding out what is up.

Re:...and how would you do that? (1)

JWSmythe (446288) | more than 5 years ago | (#29195265)

That's an exception, not a rule.

I know back in the day, there were more interesting methods of security, just as you mentioned. They may need to use a special app, dial up or have a leased line, and then do the transactions directly. I can't say that I've seen that in years with any small or medium size business. I personally hold a business account at a large bank. My choices for interfacing with them are to show up at the teller, go to the web site, or call the CS department who will run me around for 30+ minutes confirming my identity before I get anything resembling an answer that is usually wrong.

Well, there's another option, the CC POS terminal. But I don't have one. :) That doesn't give your balance or transaction history anyways.

I'm not terribly concerned about *my* business account. It has $4.68 in it, and that's been like that for 6 months. Good luck if you get my account info, you'll have wasted your time. :)

Re:...and how would you do that? (1)

markdavis (642305) | more than 5 years ago | (#29195771)

>Businesses do not use the web browser - they have special programs.

Sorry, but that is just wrong. Our business is not exactly small (400+ employees). We use https web to transfer our direct deposit to the bank, to download statements, to perform money transfers, to do just about everything. And we are not at all atypical.

Of course, it is all done in Firefox under Linux... and THAT part *is* atypical.

Many of us fought for years trying to get the banks to stop using crappy MS-Windows-only proprietary code and stupid IE-only junk. I would hate to see that all slip away because of MS-Windows malware.

Re:...and how would you do that? (5, Interesting)

JWSmythe (446288) | more than 5 years ago | (#29195227)

Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ [example.com] . Brilliant advice.

Since 99.99[ad nauseam]% of the users wouldn't know a hardened secure computer (I'm pretty sure Windows is categorically eliminated), I'm not sure who they were suggesting that to. I have the only Linux virus I've ever seen, and it's safely tucked away on a floppy disk, in a concrete vault, underground, at a location that I forgot. :) Dammit, I knew I shouldn't have left the map in the vault. Most "bank customers" wouldn't keep a dedicated machine just to check their bank balance with. Hell, they'll call out on the company PBX and give their credit card information over the phone to any arbitrary business, with coworkers happily writing it down and the phone admin recording the call.

Users are their own worst enemy. Hmm, wasn't there a story today saying something to that effect? I once found a bank card (w/ Visa logo) on top of an ATM. For some reason, they set it down and forgot it there. Brilliant. Since there was no one around to claim it, I called the bank. It took me an hour to convince them that I found it and that the card should be canceled. They "couldn't release any information on the card holder until...." I told them, "I'm holding the card in my hand. I guess that makes me the card holder." Finally, they told me "Oh, just bring it to a branch on Monday", at which point they finally canceled it. I knew the people at the branch, so they knew I was legitimate, and they confirmed that it hadn't been canceled. The account hadn't even been noted that I called in to report it. What if I wasn't a nice guy? I would have had 2 days or more to charge anything I wanted. If you can't get a person to maintain control over a little physical piece of plastic, why should they think that they're going to do any better elsewhere?

In related news... (4, Funny)

InsertWittyNameHere (1438813) | more than 5 years ago | (#29195805)

Ya, I caught that too. Get on a computer that can't browse to web sites, and then browse to http://mybank.example.com/ [example.com] . Brilliant advice.

Microsoft is urging its customers to 'carry out all computing activity from a standalone, hardened, and locked-down computer which is not plugged into any electrical outlet.' Such a secure "computer" is known colloquially as the "typewriter".

Re:...and how would you do that? (2, Insightful)

Falconhell (1289630) | more than 5 years ago | (#29196155)

Users are their own worst enemy

Quite so. I don't know where I read it but the quote below sums it up nicely.

The average user wouldn't know a security issue if it was parading down the main street naked carrying a large sign saying "I am a security issue"

Re:...and how would you do that? (1)

hedwards (940851) | more than 5 years ago | (#29195551)

While it would be both foolhardy and a gross exaggeration to say that it doesn't generally matter a whole lot about the client side, most of the time that kind of operation is just not cost effective. More cost effective is phishing or compromising the server side stuff. Dumpster diving for insecure records is also a convenient way of doing it all too often.

Re:...and how would you do that? (4, Insightful)

Runaway1956 (1322357) | more than 5 years ago | (#29195623)

Could we at least start by replacing the freaking pin numbers with something meaningful? A four digit numeric does NOT make a password FFS!!

Maybe next, we could graduate the bank's computers from Windows 2000 up to something remotely sane - like Redhat SEL.

The idea of a biometric ID in conjunction with a reasonably secure password hash has its appeal, as well. If my bank would use it, I'd install a fingerprint reader on my HOME computer. Businesses should just jump on that idea - it's a small price to increase security dramatically.

Finally, maybe we can get around to "Linux - the year of the desktop!" Face it, boys and fanbois - no unix-like machine is open to as many exploits as Windows is.

I'm just dreaming, of course. If I manage to live another 20 years, we'll still be having similar discussions, PIN numbers will still be 4 digit numerics, and Windows XP will be the ancient, outdated operating system of choice for banks.

Re:...and how would you do that? (1)

maxume (22995) | more than 5 years ago | (#29195957)

Malware doesn't care about the difference between you typing in a password and swiping your thumb on a fingerprint scanner.

And really, we will be stuck with PINs until banks decide that the costs of moving to something more secure are smaller than eating the costs of fraud (if you are talking about U.S. atm transactions, the bank usually eats those losses; I'm not sure how various PIN payment schemes around the globe shake out).

Re:...and how would you do that? (1)

berzerke (319205) | more than 5 years ago | (#29196217)

Nice ideas, but there are flaws so big you could drive an 18 wheeler through them.

Could we at least start by replacing the freaking pin numbers with something meaningful? A four digit numeric does NOT make a password FFS!!

Remember the user. If we make the password/pin too big, it will be hard to remember for a major segment of the users. What happens then is it gets written down, and from my experience, more than a few will just write it down on the card itself. This makes everyone less secure, as thieves will realize this rather quickly and start stealing the cards, by force if necessary. And they won't stop to check first if your card has your pin number written on it or not.

Maybe next, we could graduate the bank's computers from Windows 2000 up to something remotely sane - like Redhat SEL.

While I certainly think this is a great idea, it solves very little. The problem is the end user's computer is getting compromised, not the banks' computers, at least as far as the article is concerned. (Yes, I know about Heartland.) Now, the banks could definitely improve transaction security...

The idea of a biometric ID in conjunction with a reasonably secure password hash has its appeal, as well. If my bank would use it, I'd install a fingerprint reader on my HOME computer. Businesses should just jump on that idea - it's a small price to increase security dramatically.

Fingerprint readers have been beaten many times already. I won't list all the ways and times, but I will give a link to one such story [thedailywtf.com] . But let's say you can magically make a cheap fingerprint reader that is totally unbeatable. Guess what? At some point, the fingerprint reader has to convert the fingerprint into electronic data and transmit that. I doubt it will take the bad guys very long to target this link in the security chain.

...no unix-like machine is open to as many exploits as Windows is...

That should read no properly configured unix-like machine is open to as many exploits as a fully patched, properly configured Windows is. Remember that many, perhaps even a majority, of the exploits take advantage of already patched holes.

Re:...and how would you do that? (1)

timmarhy (659436) | more than 5 years ago | (#29196399)

it's not hard to lock down banking, it's called one time passwords/cc numbers. we pay more than enough in banking fees that the banks can afford to issue us a FREE token that produces a unique password that is synced with the bank's systems. it's only good for one use and must be used with a traditional 6 pin access you remember.

Getting the money back? WTF? (2, Interesting)

dnaumov (453672) | more than 5 years ago | (#29195071)

The article talks about the victims actually intending to sue their banks to get their money back. WTF? Since when is the bank responsible for the lax security on the customer's side?

Re:Getting the money back? WTF? (5, Interesting)

jumpingfred (244629) | more than 5 years ago | (#29195149)

It is also lax security on the banks side. The bank is not properly verifying that the transactions really come from the businesses. It is much like identity theft. The person didn't steal my identity they got around the bank or credit card companies poor security to trick the bank. They took nothing from me they tricked the bank into giving them my money.

Re:Getting the money back? WTF? (2, Interesting)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#29195171)

Probably depends on the strength of the bank's verification system. If I leave my front door open, and somebody walks in and steals my ID, I'm guilty of being lax. If the bank accepts my stolen ID, from a guy who looks completely different than I do, they are guilty of being lax, even though my laxness precipitated the incident.

In the online banking case, for instance, any bank that doesn't red-flag a situation where simultaneous online sessions on the same account are going on from an IP near the customer's address and an IP somewhere in Latvia is, arguably, negligently overlooking a likely fraud situation, even if it was malware on my machine that let the Latvian session be established.
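The red-flag condition above is straightforward to express as a detection rule over the bank's session records. The following is an added example, not code from the Slashdot discussion or from any bank: the session log format, the six session records and the prefix-to-country table (standing in for a GeoIP lookup) are all constructed for the illustration. It flags any account that has two overlapping sessions whose source IPs resolve to different countries, and deliberately does not flag overlapping sessions from the same country (a user with two browser tabs) or sessions that merely happen on the same day.

```python
"""Flag accounts with concurrent online-banking sessions from different
countries. Added example; the log lines and GEO_TABLE are constructed."""
import ipaddress
from datetime import datetime

# Constructed prefix-to-country table standing in for a GeoIP database.
GEO_TABLE = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "LV",
    "192.0.2.0/24": "US",
}

# Constructed session log: account, source IP, login and logout time.
SESSION_LOG = """\
acct=4471 ip=203.0.113.17 login=2009-08-25T09:02:11 logout=2009-08-25T09:41:30
acct=4471 ip=198.51.100.9 login=2009-08-25T09:15:02 logout=2009-08-25T09:22:48
acct=5190 ip=192.0.2.44 login=2009-08-25T10:00:00 logout=2009-08-25T10:05:00
acct=5190 ip=203.0.113.80 login=2009-08-25T10:30:00 logout=2009-08-25T10:45:00
acct=6002 ip=203.0.113.5 login=2009-08-25T11:00:00 logout=2009-08-25T11:20:00
acct=6002 ip=203.0.113.6 login=2009-08-25T11:05:00 logout=2009-08-25T11:10:00
"""


def country_for(ip):
    """Longest-prefix-free lookup; returns '??' for addresses outside the table."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "??"


def parse_sessions(text):
    """Parse key=value session lines into dicts with datetime fields."""
    sessions = []
    for line in text.splitlines():
        fields = dict(kv.split("=", 1) for kv in line.split())
        sessions.append({
            "acct": fields["acct"],
            "ip": fields["ip"],
            "login": datetime.fromisoformat(fields["login"]),
            "logout": datetime.fromisoformat(fields["logout"]),
        })
    return sessions


def overlapping(a, b):
    """True when the two sessions' [login, logout) intervals intersect."""
    return a["login"] < b["logout"] and b["login"] < a["logout"]


def find_concurrent_foreign_sessions(sessions):
    """Return (acct, ip1, ip2) for every pair of overlapping sessions on the
    same account whose source IPs resolve to different countries."""
    by_acct = {}
    for s in sessions:
        by_acct.setdefault(s["acct"], []).append(s)
    alerts = []
    for acct, sess in by_acct.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                a, b = sess[i], sess[j]
                if overlapping(a, b) and country_for(a["ip"]) != country_for(b["ip"]):
                    alerts.append((acct, a["ip"], b["ip"]))
    return alerts


if __name__ == "__main__":
    for acct, ip1, ip2 in find_concurrent_foreign_sessions(parse_sessions(SESSION_LOG)):
        print(f"ALERT acct={acct}: concurrent sessions from {ip1} ({country_for(ip1)}) "
              f"and {ip2} ({country_for(ip2)})")
```

On the constructed log only account 4471 fires: its US session is still open when a Latvian session starts. Account 5190 logs in from two places but never at the same time, and 6002's overlapping sessions are both in the US. In production the same rule would run against the live session store with a real GeoIP database, and a hit would hold the transfer for the kind of callback the Wells Fargo customer describes later in this thread.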

My bank challenges each overseas wire transfer (0)

Anonymous Coward | more than 5 years ago | (#29196341)

I run a small business here in San Francisco, and about once a month I send money to foreign businesses.

These are USD$500 to USD$25,000 transfers from my bank account to a business bank account (in China, India, Romania, etc).

Until last year, my bank, Wells Fargo, made the transfers with little more than my signature on a fax.

Now, the transfers won't go through until a security officer calls me and talks to me to confirm that I want to send the funds. Even for little transfers, as small as $600. Last time, they asked me a couple good questions (like "when did you first open this account?" and "Who else is listed on your account")

Naturally, I'm perfectly happy to get these phone calls! Not perfect, but much more secure than a faxed request to transfer money.

Re:Getting the money back? WTF? (2, Interesting)

AnyoneEB (574727) | more than 5 years ago | (#29195197)

I agree that suing the banks seems like a strange reaction, but this type of attack only works because the banks simply do not care about security. On previous articles I have seen posters mention their banks (somewhere in Europe) have papers which have a list of single-use transaction codes which are used in some sort of challenge-response system. For example, choosing a code based on the transaction date, target, amount, and some randomness would protect against attacks like the one described where a compromised computer is used to drain a bank account.

The client should have better security -- after all, even seeing the bank account info would likely be interesting to some attackers -- but the banks need to be held accountable for their lack of security features as well.

Read Much? WTF? (1)

PhreakOfTime (588141) | more than 5 years ago | (#29195783)

Yes, and you can bet your ignorant ass they will win too. They are responsible for it since the client can produce a contract stating exactly what has been violated. If the client honored their side of the contract, HOWEVER SHITTY THE SECURITY REQUIRED WAS, then it is the banks problem.

This article specifically deals with COMMERCIAL banks, and identifies them as such.

You, in your apparently myopic life bubble, specifically deal with RETAIL banks, and therefore think that is all that exists in the world, since it's all you have ever seen.

There is a difference. Next time you don't understand something, learn about it before speaking about it.

Re:Read Much? WTF? (1)

russotto (537200) | more than 5 years ago | (#29196225)

This article specifically deals with COMMERCIAL banks, and identifies them as such.

In the US, a regular bank which accepts deposits is called a "commercial" bank. The other type is an "investment bank"; I'm not sure if any currently exist which are not also commercial banks.

The article concerns itself with commercial (business) CUSTOMERS, but the banks are mostly the same ones which individuals deal with.

"Next time you don't understand something, learn about it before speaking about it."

ubuntu (1, Insightful)

wizardforce (1005805) | more than 5 years ago | (#29195095)

why cripple the machine just because of some malware?

Re:ubuntu (1)

wizardforce (1005805) | more than 5 years ago | (#29195555)

to whomever modded my post "flamebait": there is absolutely no reason why these companies can't use ubuntu to avoid malware. I didn't mean anything other than that, poor choice of words and all...

USA Stimulus Package Payback Plan (0, Offtopic)

fibrewire (1132953) | more than 5 years ago | (#29195099)

And you all thought that Obama was just having the US Mint print more money? That China would buy all of our debt and take over the US without firing a single shot? HA! Just wait until big businesses in China are bankrupted by cyberterrorism. And you thought that new US Air Force division was just for our defense? Tell that to our new Cybertron... er... Cyber Command. And Obama is really MEGATRON. Hail Decepticons!
- WTF?

Re:USA Stimulus Package Payback Plan (0)

Anonymous Coward | more than 5 years ago | (#29195135)

-1 inaccurate. everyone knows Obama is an autobot.

Re:USA Stimulus Package Payback Plan (2, Insightful)

Runaway1956 (1322357) | more than 5 years ago | (#29195717)

"wait until big businesses in China are bankrupted by cyberterrorism"

Maybe they've just thawed you out after a nice cryogenic nap? China is migrating to Linux. Red Flag Linux. They may not be invulnerable to cyberterrorism, but they certainly don't leave their WINDOWS OPEN for terrorists, like US businesses do.

Sounds like they should hand out liveCDs (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#29195107)

It wouldn't be rocket surgery, or especially onerous in cost/seat terms, for major financial institutions to hack together and press a bunch of "Banking liveCDs".

No writable persistent storage, just a browser (configured so that it will only accept pages from the institution's set of domains and only when those pages have appropriate SSL certs. Completely reject all non-SSL pages, and any SSLed pages with certs for other institutions, or from other CAs).

There would probably be some annoying edge cases (some ghastly graphics card that isn't supported by default, and freaks out in VESA mode, say) or network issues (though you could always offer a cheap USB ethernet or wifi adapter, with a known working chipset, at cost to interested customers); but it'd be fairly easy to cover 95% of the boring business boxes and common home machines that you would be concerned about, if suitably generic settings were used.

As hardware gets cheaper and/or for larger accounts, it might even make sense to put together a dedicated banking appliance offering, basically the cheapo embedded ARM embodiment of the above.
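The "browser that will only accept pages from the institution's domains" part of this proposal can be expressed with a stock browser's enterprise policy file rather than a custom build. The policies.json below is an added example, not from the Slashdot post or from any bank; the hostname online.bank.example is a placeholder. It uses Firefox's WebsiteFilter policy to block every URL except HTTPS URLs on the bank's host, which also rejects plain-HTTP pages as the comment asks.

```json
{
  "policies": {
    "WebsiteFilter": {
      "Block": ["<all_urls>"],
      "Exceptions": ["https://online.bank.example/*"]
    },
    "SSLVersionMin": "tls1.2",
    "DisableAppUpdate": true,
    "DisableTelemetry": true,
    "InstallAddonsPermission": {
      "Default": false
    }
  }
}
```

Two caveats for anyone building this. First, WebsiteFilter restricts where the browser may navigate, not which certificate authority may vouch for that host; Firefox policy has no "trust only this CA" switch, so the comment's "reject certs from other CAs" requirement still needs a trimmed trust store or certificate pinning on the image itself. Second, a policy file only helps if the user cannot edit it, which is exactly why the proposal pairs it with read-only boot media.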

Re:Sounds like they should hand out liveCDs (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29195261)

How about just using SSL for the login page? Most of them don't--it's hidden in an iframe, and without viewing source or checking the form, you've got no reason to be certain your login data will be securely transferred. And don't get me started on *every single bank* I've used having XSS vulnerabilities -- to top it off, most of the little ones outsource all of their financing/credit card transactions to third party companies--just to pay the damned balance on my visa, I have to allow javascript from four different domains.

Most every bank trying to comply with increased security requirements met the rules for two factor authentication by SAVING A FUCKING COOKIE on my drive (I wish congress would pass an additional law mandating strict liability in event of security breach for any institution that circumvented the intent of that rule in such a manner)

If I purge the cookies, they have me authenticate with MORE "passwords" (two passwords is two-factor, right? So if we ask for three we can claim we have 5-factor authentication) including such tidbits as my first school or grandfather's name. Surely I'd never reveal those in conversation to anyone. How about they spend $20 or give me the option to pay it myself to buy a dongle with a rotating pin?

I think you're going way too far too fast... a lot of the problems are on the customer side (and that's almost every programmer's fault for requiring things like javascript/cookies and using them in excess) when a lot of the issues stem from...lax, lazy attitudes--but the banks are just as guilty. I guess you can say it's best to start with the weakest link in the chain--but the whole system is in need of overhaul and a few rolled heads.

Sorry to rant in reply--you're right that livecds would help...but the whole system is so screwed up that shipping them would be like putting a bandaid on a corpse.

Re:Sounds like they should hand out liveCDs (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#29195407)

True enough. Particularly brilliant is the concept of "identity theft". Since it's your identity, they stole it from you, figure it out yourself, sorry. If it were bank fraud, then it would be their problem.

Re:Sounds like they should hand out liveCDs (1)

Falconhell (1289630) | more than 5 years ago | (#29196211)

That would be "identity copyright breach" wouldn't it?

(-:

Re:Sounds like they should hand out liveCDs (2, Insightful)

maxume (22995) | more than 5 years ago | (#29195985)

I make up single use lies for the security questions and store them in Password Safe (from what I gather, Keepass has better support for more platforms). That solves the Palin problem. Of course, I then can't access my bank account from other computers, but I don't trust all that many other computers, so that doesn't hurt all that much.

Re:Sounds like they should hand out liveCDs (2, Interesting)

JWSmythe (446288) | more than 5 years ago | (#29195361)

But, that's the type of technical support headache that they've been trying to get away from, with virtual POS terminals, using the web page instead of their custom app, etc, etc. Even if your live CD worked on every machine ever known to man, when something flakes out, they're calling the bank first. Come on, how many times have you fixed a "my computer can't get on the Internet" because they accidentally unplugged the network cable? Or maybe they didn't even turn it on. Anyone who's worked in any kind of office where the management found out that you really know everything about computers, will bug the shit out of you to fix theirs (and their home machine, and the kids machine, and grand auntie Gertrude's machine too, even though she's legally blind and can't figure out what to do with a mouse).

I've spent the last month or two touring the country, going from site to site on demand to fix everything. You wouldn't believe how many "best practices" have been completely ignored. Even when you say "there was malware that intercepted everything done online. They have all of your usernames and passwords, credit card numbers, and account numbers. Call the bank and cancel every credit card you've used online, and change every password that you have", they say they'll get around to it sometime and won't actually do it.

I got a call today. It was a machine that I worked on two months ago, where I removed more viruses than I care to remember. Someone uninstalled the antivirus software that I installed, but they were kind enough to click through every way to get a new virus. 3 hours later it's clean again. I'll be getting the same call in a month.

Your edge cases aren't edge cases. I'm afraid they'd be pretty damned close to 50%. The first banks that tried to force it would go out of business, because the customers would go to another bank that's "easier to work with".

Re:Sounds like they should hand out liveCDs (1, Interesting)

Anonymous Coward | more than 5 years ago | (#29195369)

Problem with a Live CD is that it can't be kept up to date. Linux has lots of vulnerabilities too. Just recently there was a big kernel bug exposed and the software you run on Linux (Firefox, etc) always has bugs too. Currently they don't seem to be targeted too often but if banks started handing out these "secure" Live CDs you can bet they would be targeted then. Because it's a Live CD the bugs would probably persist for long periods of time.

As the poster above me makes a good point, I hate that websites in general, especially banks, have non-SSL pages that you use to log into the secure SSL site. That is an extremely poor design because it then becomes super easy for a hacker to create a fake login page.

Re:Sounds like they should hand out liveCDs (2, Informative)

palegray.net (1195047) | more than 5 years ago | (#29195639)

It doesn't matter if these LiveCDs are kept up to date. They won't be hosting any network services, so there's nothing to exploit there. The browser can only go to the bank's website, and will only accept SSL pages. Unless the bank's web servers are compromised and attackers somehow managed to insert code designed to exploit a particular browser vulnerability, there's nothing to exploit there either. Note that that last scenario isn't impossible, but hugely improbable. One could just as easily argue that a hardware keystroke logger could be installed on the local machine. Not likely; if someone cares enough to go that far to get your data, they're gonna get it regardless.

In other words, this is about a million times more secure than using any given general purpose desktop computer to do your banking.

Re:Sounds like they should hand out liveCDs (0)

Anonymous Coward | more than 5 years ago | (#29195787)

That's extremely naive to think that just because they aren't hosting network services, they are not vulnerable. Trust me, when money is involved they will go that far to get your data.

The article mentions $400k and $100k as some examples of the amount of money taken. Criminals will go to extreme lengths to get that kind of money. They may not bother with hardware keyloggers (at least not commonly) because that actually is a lot of effort for the amount of physical risk, but they could target an ISP or somehow insert themselves on the network so they could sit between the users and the remote network resources they are accessing (thereby allowing them to insert malicious code, insert code to hack your machine, just hack your machine directly, or whatever they need). This would give them easy access to many users at the same time and would be worth the risk because of the payoff.

Re:Sounds like they should hand out liveCDs (1)

Statecraftsman (718862) | more than 5 years ago | (#29195403)

I like this idea but instead of livecd, make it an encrypted bootable usb key. Then it can be updated, encrypted, signed and gnu/linux based. The password at boot? Just another pin.

Re:Sounds like they should hand out liveCDs (1)

antic (29198) | more than 5 years ago | (#29195411)

In the US, do you have a system where any bank transfers to a new (previously unused) external account must be approved by a time-limited PIN that is sent to you by SMS? Both banks that I use provide this by default.

Re:Sounds like they should hand out liveCDs (3, Interesting)

Spit (23158) | more than 5 years ago | (#29195517)

Scammers are getting around that by hijacking your phone number. Probably the best I've seen is using a challenge-response for all transactions, with a frob supplied by the bank.

Re:Sounds like they should hand out liveCDs (1)

palegray.net (1195047) | more than 5 years ago | (#29195659)

Navy Federal Credit Union sends the PIN in the mail to the "sending" account holder's mailbox, and it must be entered within 30 days or the request is nullified.

Re:Sounds like they should hand out liveCDs (1)

asticia (1623063) | more than 5 years ago | (#29195953)

My bank uses a one-time PIN sent via SMS; you can also pick either an RSA token or a challenge-response "calculator" bound to your card. Then you get a static GRID card for interactive response. You get it free if you have internet banking enabled; just select what security means you want to use for logging in and verifying each transaction. Same if you have active phonebanking. (And I am from Eastern Europe.)

The only weakness it has is the credit/debit card: all information needed for transactions is directly on that one card! What's worse, for online payments you do not even need that card physically! It still puzzles me why this highly insecure way of paying over the internet is still being used when there are lots of means to make transactions safer. Because "people are used to it" from the offline world and something more complicated causes headaches? The history of credit cards in my region is not that long to get used to it, so I can just shake my head and get a one-time virtual i-card for online transactions...

Re:Sounds like they should hand out liveCDs (1)

Microlith (54737) | more than 5 years ago | (#29195433)

Hot damn!

Want to check your bank balance? Reboot!

Pay your installment loan? Reboot!

Import your information into Gnucash or Quicken? Oh sorry, no can do!

Awesome, total security at the cost of total and complete inconvenience.

Re:Sounds like they should hand out liveCDs (1)

Runaway1956 (1322357) | more than 5 years ago | (#29195797)

Convenience above all else, yes!! /sarcasm

In the case of business, it isn't SUPPOSED to be convenient. It's someone's JOB to take the time to be right.

In the case of private individuals - if you can't take time to be secure, don't whine to me about someone ripping you off.

Besides which, you're exaggerating beyond anything that's reasonable. A business can afford to use a dedicated machine for banking. Plug that LiveCD in, and there's NEVER a reason to reboot. At home? Maybe you don't have an extra machine - but you most likely are able to fire up a VM to run the special operating system from.

Oh, wait - I can run a VM. Nothing says that you or the average Windows computer is able to do so. Half of America can't even spell VM.

Re:Sounds like they should hand out liveCDs (2, Insightful)

rho (6063) | more than 5 years ago | (#29195521)

Sounds to me like a valid reason to run OpenBSD.

Or maybe all those fucking banks can make Web sites that don't recommend (or require) Internet Explorer.

Re:Sounds like they should hand out liveCDs (0)

Anonymous Coward | more than 5 years ago | (#29196319)

Or maybe all those fucking banks can make Web sites that don't recommend (or require) Internet Explorer.

I would settle for RSA not requiring IE. Yes, RSA, a company founded by the inventors of public-key cryptography, requires that you use IE to sign up for their security portal:

https://knowledge.rsasecurity.com/registration.asp [rsasecurity.com]

They use a lot of weird client-side javascript in their webpage that only works with IE.

Doesn't look good for a company in the security business to require their customers to use the world's most insecure browser.

Re:Sounds like they should hand out liveCDs (0)

Anonymous Coward | more than 5 years ago | (#29195569)

Great, you've now made it easier than ever. Criminals just start mailing out their own custom banking CDs, and all your transactions go through them. No worrying about finding vulnerabilities or fighting security patches or anything.

Re:Sounds like they should hand out liveCDs (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#29195649)

I'd hope (he says with a sheeplike look...) that businesses who have been getting things like account statements, new checkbooks, credit/debit cards, cashier's checks, cash, and the like into people's hands for decades now might manage to distribute these things more or less safely, even if it meant requiring that you visit a branch.

Re:Sounds like they should hand out liveCDs (0)

Anonymous Coward | more than 5 years ago | (#29195729)

You can hope, but I bet the first time users receive an "updated, more secure" banking cd in the mail, a fair number will start using it. Just like phishers don't intercept and rewrite legitimate emails from paypal, they just send their own that look like paypal emails. Although, the distribution system could also provide some new vulnerabilities...

Re:Sounds like they should hand out liveCDs (1)

markdavis (642305) | more than 5 years ago | (#29195803)

Some of us don't want to have to reboot our computer just to access a bank "website". And we are to just trust that this live-whatever they make doesn't install something persistent on our computers or read data off the drives?

And each bank or "important" site would have their own pseudo-proprietary bootable image? So I have to reboot again with something else to access my retirement funds site? Reboot again to access Paypal?

Doesn't this sound a little impractical?

For now, I use a carefully administered Linux machine running Firefox... *I* don't want to reboot (besides, it would ruin my wonderful uptime numbers).

Re:Sounds like they should hand out liveCDs (1)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#29196113)

I would, by no means, have this be obligatory. The bank's website would still be there, accessible from a browser under any OS you'd like.

I merely suspect that, for the vast hordes of the clueless (or the otherwise interested: my dad was cranking out financial simulations in assembly when I was prenatal, and is far from stupid; but that doesn't help him much when it comes to the arcana of whether AV program X can detect infection Y) "Urg[ing] businesses to lock down online banking" will be a more or less futile effort, while telling people "Shove this in your CD drive. Reboot. If 'Fidelity CD-Banking' pops up, you are all set. If not, call somebody who knows computers and tell them 'I need to boot from a CD.'" might just be concrete enough to be effective.

If somebody doesn't know or doesn't care about security, telling them that they need more of it won't do much. Giving them a simple set of steps might, sometimes, actually work. No reason to bother about the people who already know what to do.

Re:Sounds like they should hand out liveCDs (1)

RickRussellTX (755670) | more than 5 years ago | (#29195965)

press a bunch of "Banking liveCDs"

And you'll be setting up a special call center to teach people how to switch their boot drive on BRAND X PC to the CD-ROM?

"Yes ma'am. I know it says LG-DVD. No, not the movie kind of DVDs. Yes, well, I guess it could play movies. No, ma'am, there's no movie on the CD we gave you. I know I said that, but the CD will work in a DVD player. No, ma'am, you have to use it with your computer, I mean the DVD player that's in your computer. Now press F10 and... what? No ma'am, don't select RESET. No, oh crap, now you've totally pooched it. No, ma'am don't cry. Please don't cry."

Huh...funny... (2, Interesting)

Anonymous Coward | more than 5 years ago | (#29195165)

Never once seen such a thing go down with Mac & Linux users. But hey, that's me.

Re:Huh...funny... (1)

AHuxley (892839) | more than 5 years ago | (#29195811)

But the bank workers do not get a nice long lunch with the tall handsome man or curvy lady from MS if they support Linux or Macs.
Win-win MS numbers on the back of a napkin after a fine wine; everybody is happy for another year.

Re:Huh...funny... (1)

MyLongNickName (822545) | more than 5 years ago | (#29195859)

Nope, I am sure no woman has ever gone down on a Mac or Linux user. Oh wait, I think I misunderstood you..

Oh, yeah! Another "Eastern Europe" story... (0)

LanceUppercut (766964) | more than 5 years ago | (#29195195)

Apparently, it is that time of the month again. Despite the well-established fact that 95% of all computer-related fraud originates in the USA, they still keep pushing the mandatory "Eastern Europe" BS. I wonder how much of the taxpayers' money is spent on cooking such propaganda stories?

Re:Oh, yeah! Another "Eastern Europe" story... (3, Insightful)

Grishnakh (216268) | more than 5 years ago | (#29195257)

Do you have a citation for your claim?

I would certainly believe that most of this crime comes from places like Eastern Europe and Russia, because it makes perfect sense. Those parts of the world are now connected to the West through the internet, and the people there are smarter and better educated than Americans (especially in regards to science and math). There's a good reason so many companies have software development teams in places like Russia, Latvia, and Romania these days. With all the computer expertise in those regions, it makes perfect sense that a lot of fraudulent activity would come from there as well.

Re:Oh, yeah! Another "Eastern Europe" story... (2, Interesting)

CastrTroy (595695) | more than 5 years ago | (#29195541)

I would say that low wages have a lot more to do with the presence of software development teams in countries like Russia. Sure there's probably a lot of smart people in Russia, but if they were top notch, they would be working for the same wage as American workers (because they would be providing the same value), or they would start their own software firms, and put out their own products, allowing them to earn much more money because they wouldn't be paid by how many hours they spent programming, but rather by how many people they could get to buy the product that takes the same number of hours to program whether you sell 1 or 10000 copies.

Re:Oh, yeah! Another "Eastern Europe" story... (1)

Scrameustache (459504) | more than 5 years ago | (#29196323)

lot of smart people in Russia, but if they were top notch, they would be working for the same wage as American workers (because they would be providing the same value)

Career analyst Dan Pink examines the puzzle of motivation, starting with a fact that social scientists know but most managers don't: Traditional rewards aren't always as effective as we think. Listen for illuminating stories -- http://www.youtube.com/watch?v=rrkrvAUbU9Y [youtube.com]

Seriously? (3, Funny)

marciot (598356) | more than 5 years ago | (#29195211)

Seriously? A *standalone* machine? You mean I shouldn't check my bank accounts from my kids' Windows ME computer?

Just joking, I've already mastered the first skill of safe computer use ... not having kids, or Windows ME.

A worry, but limited in scope (1)

Trogre (513942) | more than 5 years ago | (#29195217)

Of course it's not nearly as big a problem as it could be here, since no tech-savvy person, running a business or otherwise, would ever have internet banking set up with any level of access other than read-only, except perhaps for a small number of pre-approved payees.

Ever.

Re:A worry, but limited in scope (0)

Anonymous Coward | more than 5 years ago | (#29195929)

Err... you can do that? Seriously, your bank offers that as an option? That sounds like a great idea, but I have never even heard it suggested before.

what about this (2, Interesting)

FudRucker (866063) | more than 5 years ago | (#29195249)

Say for example I own a sporting goods store in St. Louis, Missouri and my bank is in the same town; don't you think the bank should reject anyone using my identity with an IP address that is in another country?

I think the banks need to be more careful about who is logging on to their systems.

Re:what about this (0)

Anonymous Coward | more than 5 years ago | (#29195303)

If the banks cared, they would. But who loses money when someone from another country uses your identity? Not the banks.

Re:what about this (3, Insightful)

AnyoneEB (574727) | more than 5 years ago | (#29195349)

That should definitely raise a red flag at a bank. Credit card companies definitely do that type of check. On the other hand, if your computer is already infected with malware, making the attacker proxy the connection through your computer (and use the same cookies and user agent, too, so it looks like the same user) seems like a minor hoop to jump through.

Re:what about this (2, Insightful)

CastrTroy (595695) | more than 5 years ago | (#29195571)

Would it be too much trouble to give customers an RSA SecurID [rsa.com] , so it would be impossible for them to give their password to some third party person, without being ultimately stupid, and handing them a physical device. Real two factor authentication would be great. Something you know (a password), and something you have (RSA SecurID), should be the minimum for logging into any bank account.

Re:what about this (1)

markdavis (642305) | more than 5 years ago | (#29195847)

+1 insightful... mod parent up. That is the best suggestion I have seen on this entire thread.

Re:what about this (1)

asticia (1623063) | more than 5 years ago | (#29196039)

Ummm ... my bank has used that for quite some time; I have used internet banking since 1999.

Re:what about this (1)

AnyoneEB (574727) | more than 5 years ago | (#29196035)

Wonderful idea. But it has very little to do with this attack. RSA keyfobs ensure that if you log on now, an observer cannot log on to your account at some later time, which is a good thing to guarantee. Note that the generated PIN may be unique, but the attacker can get around that by simply sharing a session with you. This requires the attack to be real-time, so it does make it somewhat more difficult.

If the attacker controls your computer, then I cannot see how you could still prevent an attacker from making transactions without having a challenge-response based on the transaction performed by something not directly connected to the computer (a physical page of single-use codes would work and some people on /. have mentioned their bank using such a solution).

Trying to use a possibly rooted computer to do something securely is a hard problem, but unfortunately it is one that has to be dealt with. Optimally, people would be using more secure setups, but that is not realistic, especially when successful exploits can net such large sums of money.

Re:what about this (1)

tsu doh nimh (609154) | more than 5 years ago | (#29196121)

The malware discussed in the blog posts linked from the summary illustrates how the crooks are defeating SecurID-like tokens, as well. Zeus, e.g., is often seen in an attack rewriting the HTML of the bank's Web site as the victim sees it in his or her browser. In the simplest case, where the code is required at login, the attackers simply serve the victim with a maintenance page (down for maintenance, please try back in 15 min). E.g., Beware of Error Pages at Bank Web Sites [washingtonpost.com]. Some banks require businesses to provide a SecurID or other token key when they initiate a wire or ACH transfer. This is getting closer to the solution, but a lot of commercial banks don't like to require that because many customers initiate such a high number of transfers each day that it becomes impractical. The hard-to-attack solution, which really doesn't address the usability issue, is to require the SecurID number both on login and on transfer.
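As an added example (not from the article or from either poster) of the distinction AnyoneEB and tsu doh nimh draw above, this Python model puts a login-only one-time code beside a challenge-response that is bound to the amount and destination of the transfer. TOKEN_SECRET, the account names and the man_in_the_browser function are constructed for the demo and stand in for a hardware token and for page-rewriting malware respectively.

```python
import hashlib
import hmac
import secrets

# Constructed demo secret shared between the bank and the customer's token.
TOKEN_SECRET = b"constructed-demo-token-secret"


def login_otp(secret: bytes, counter: int) -> str:
    """Counter-based one-time code of the login-only kind: it proves the
    customer holds the token but says nothing about any particular transfer."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def transaction_code(secret: bytes, challenge: bytes, amount_cents: int, dest: str) -> str:
    """Transaction-bound response: the token (or a paper code sheet indexed by
    the challenge) signs the bank's challenge together with the amount and
    destination the customer keyed in themselves, not what the web page shows."""
    msg = challenge + amount_cents.to_bytes(8, "big") + dest.encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 100_000_000:08d}"


class BankServer:
    """Minimal bank side: verifies codes against what it actually received."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0
        self.logged_in = False
        self.pending = {}  # challenge -> (amount, dest) as submitted to the bank

    def verify_login(self, otp: str) -> bool:
        ok = hmac.compare_digest(otp, login_otp(self.secret, self.counter))
        self.counter += 1
        self.logged_in = ok
        return ok

    def transfer_after_login(self, amount_cents: int, dest: str):
        """Login-only control: once the session is authenticated, a transfer
        submitted through it is executed exactly as received."""
        return self.logged_in, dest

    def start_transfer(self, amount_cents: int, dest: str) -> bytes:
        challenge = secrets.token_bytes(8)
        self.pending[challenge] = (amount_cents, dest)
        return challenge

    def confirm_transfer(self, challenge: bytes, response: str) -> bool:
        amount, dest = self.pending.pop(challenge)
        expected = transaction_code(self.secret, challenge, amount, dest)
        return hmac.compare_digest(response, expected)


def man_in_the_browser(amount_cents: int, dest: str):
    """Constructed stand-in for the page-rewriting malware described above:
    it relays the customer's codes unchanged but swaps in its own destination."""
    return amount_cents, "ACCT-MULE"


def login_only_scenario():
    """With a login-time code alone, the relayed code is valid and the swapped
    transfer goes through. Returns (accepted, destination the bank credited)."""
    bank = BankServer(TOKEN_SECRET)
    bank.verify_login(login_otp(TOKEN_SECRET, 0))  # code read off the token
    return bank.transfer_after_login(*man_in_the_browser(50_000, "ACCT-SUPPLIER"))


def transaction_bound_scenario(tampered: bool) -> bool:
    """With a transaction-bound code, the bank challenges the transfer it
    received, but the customer signs the transfer they intended; a swapped
    destination therefore fails verification. Returns whether it was accepted."""
    bank = BankServer(TOKEN_SECRET)
    intended = (50_000, "ACCT-SUPPLIER")
    submitted = man_in_the_browser(*intended) if tampered else intended
    challenge = bank.start_transfer(*submitted)
    response = transaction_code(TOKEN_SECRET, challenge, *intended)
    return bank.confirm_transfer(challenge, response)


if __name__ == "__main__":
    print("login-only code, swapped destination:", login_only_scenario())
    print("transaction-bound code, swapped destination:", transaction_bound_scenario(True))
    print("transaction-bound code, honest transfer:", transaction_bound_scenario(False))
```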

Re:what about this (2, Insightful)

JWSmythe (446288) | more than 5 years ago | (#29195465)

    Maybe. Maybe not. You, with your sporting good store, may have suppliers in other countries. You may go to their site. You may go on a trip elsewhere. While you're out, you can trust that the interim manager can handle everything, or you can look in on your bank accounts while you're gone. I know, it's not the best idea in the world, but no one ever said business owners always follow best security practices.

    If you were locked out of the account while you were overseas, you'd probably call and bitch the bank out (at $5/min for the phone charges). Not all businesses have the luxury of being mom & pop shops, and only ever doing business from their office line. Geo-locating the IP isn't exactly foolproof either. Depending on the line I'm on any day, I've been located in several states around the US, China, and Europe. All of those have been within one state, and generally just a handful of cities. It's not a failure on the ISP's part, it's a failure on the folks who are maintaining the geo-locating databases being used. Well, not exactly a failure, since they give a percentage of accuracy in their advertising.

    I just checked the IP I'm on today with MaxMind's site (the providers of GeoIP). The result was close, but still the wrong city. What if I told them to only expect traffic from City X and determine anything from anywhere else was fraud? Now I'm going to be considered an attacker. Wheee. I hope the feds don't come knocking my door down. Well, I am sitting by the pool, sipping some pretty serious rum drinks right now, but that's what happens when you're on vacation. :)

Re:what about this (1)

SethJohnson (112166) | more than 5 years ago | (#29195477)

don't you think the bank should reject anyone using my identity with an IP address that is in another country?

Scenario: Your computer is compromised with a keylogger. It's also got a proxy and other remote control features. The illicit transaction is bounced off your computer, so the bank sees it as coming from your IP address.

Seth

Re:what about this (0)

Anonymous Coward | more than 5 years ago | (#29196241)

Hmmm...typical American small company thinking...

I'm in Japan. I bank in Canada. I routinely web bank from Japan through my Canadian bank.
(Using linux, of course, so quite safe and secure...in fact, I've been doing a lot of web banking for years...from and to various countries...over the years...using linux, of course.
I heartily discourage anyone who is using a windows machine though, and encourage them to use linux, etc. :-))

Cost of using Windows (3, Funny)

Grishnakh (216268) | more than 5 years ago | (#29195329)

I guess this is what you get when you run your small business on Windows.

That's a great idea (5, Funny)

amRadioHed (463061) | more than 5 years ago | (#29195393)

And maybe the banks can even set up some standalone, hardened, and locked-down computers in convenient locations around the city for their customers to use. Maybe they could even get money out of these computers. They could be like bank tellers, but automated.

Re:That's a great idea (4, Funny)

noidentity (188756) | more than 5 years ago | (#29196053)

And maybe the banks can even set up some standalone, hardened, and locked-down computers in convenient locations around the city for their customers to use. Maybe they could even get money out of these computers. They could be like bank tellers, but automated.

Yeah, but you know they'd screw it up somehow, like have it run Windows or have a company like Diebold to make them...

Whoa, flashback (1)

HangingChad (677530) | more than 5 years ago | (#29195543)

...carry out all online banking activity from a standalone, hardened, and locked-down computer from which e-mail and Web browsing is not possible.

I'm having a flashback to dumb terminal days.

For a second I had hope that companies would be dusting off us old guys again.

People who use Windblows for banking... (0)

Anonymous Coward | more than 5 years ago | (#29195603)

are inept at computing and don't understand the problem. Even if you could tell them why it's a bad idea, they can't get away from the Windows mindset. Give them a liveCD, and they wouldn't know how to login to their bank, cuz it doesn't have IE loaded on the 'start' menu. The solution is to charge them for services that solve the problem for them without work on their part.

Out of work gold farmers rejoice! (1)

Ben1234 (558406) | more than 5 years ago | (#29195619)

Well at least there are other career options for all those out of work gold farmers and character levelers...

ATMs here use Windows (3, Informative)

TheDarkMaster (1292526) | more than 5 years ago | (#29195627)

The ATMs from the Brazilian bank Itau use Windows 2000. And I'm not kidding. In the "Blaster" virus year, I found more than one ATM with the Blaster virus.

people who won't act civilized... (4, Funny)

Simonetta (207550) | more than 5 years ago | (#29195629)

People who won't act civilized should sooner or later find themselves 'de-civilized'. Why are we taking an endless amount of shit from these losers?

    A few hydrogen-to-helium convertors delivered right to their door does wonders to get across the message we are not a people to be fucked with!

    If they can't police themselves and insist on ripping off systematically people in foreign countries, then send 'em some great balls of fire.

    When this shit happened fifty years ago, Khrushchev would have just sent some NKVD to scoop up these parasites, take 'em back behind the outhouse, and beat their brains inside out. And all their friends and family would get ten years in the gulag.

    I miss Nikita and Eisenhower. (Nike and Ike) Great times. No one took any shit: no one gave anyone chickenshit like this. There were limits and those limits were respected. No one from Eastern Europe was sneaking into your bank account. Fucking peasants. Khrushchev slaughtered almost a million of his own troops to stop the Germans at Stalingrad. One phone call from the US State Department and all these sleazy little cock-sucking hackers would have been mince-meat.

    Nike and Ike had the ability to blow up the world. But, they didn't blow up the world. They came to respect life after taking part in so much slaughter and bloodletting.

    Would you trust a sleazy Ukrainian hacker with a modem to not blow up the world if he had a chance? No way. Or some smug little twisted little shit-for-brains in Estonia to behave himself. Let's face facts here; going to another country and randomly stealing people's money is an act of war! When is Putin gonna knock these guys upside the head so hard that their eyes roll out? We have real enemies now and we need to work together against them. All this cross-border chickenshit financial crime is inexcusable. It's a new world, a new century. Get a real job, stop fucking around with petty rip-offs. Assholes!

    Let's all work together to rid civilization of the shit-people!

    Another great Slashdot rant. Too bad it will get modded down to -1 by toads that don't appreciate this kind of thing.

Re:people who won't act civilized... (0)

Anonymous Coward | more than 5 years ago | (#29195893)

I have the impression I was just exposed to a hard burst of text-like radiation. Should I be thanking you, or cursing you?

Re:people who won't act civilized... (1, Funny)

Anonymous Coward | more than 5 years ago | (#29196019)

I guess it depends on whether you wake up tomorrow with spider powers or cancer.

Re:people who won't act civilized... (1)

Jeremi (14640) | more than 5 years ago | (#29196003)

Let's all work together to rid civilization of the shit-people!

Isn't that a quote from Mein Kampf?

lousy security (2)

speedtux (1307149) | more than 5 years ago | (#29195881)

Security for online banking in the US is awful. Transactions should require a second physical authentication token in addition to the password; most US banks have nothing.

Re:lousy security (1)

the eric conspiracy (20178) | more than 5 years ago | (#29196065)

Real time keyloggers can breach even this level of security.

Online banking application vendors suck. (2, Interesting)

zerofoo (262795) | more than 5 years ago | (#29195883)

I was the network services manager for a small community bank a couple of years ago, and all of our online banking fraud was directly related to the insecurity of the online banking application - specifically SQL injection attacks.

The application vendor's solution was to encrypt everything in the database and block known SQL injection "patterns". I told them they needed to harden their application against SQL injection; encryption and pattern matching are not enough.

Sure enough, some Russian guys (I'm guessing by the originating IP addresses) figured out that if they opened an account with a known password, they could use SQL injection to copy the encrypted known password to an account with lots of money.

Our work-around for the crappy vendor's "security" was implementing RSA tokens (outside of the banking app) on business accounts that could electronically move money out of the bank. Non-business accounts could only transfer money inside the bank - a large fraudulent transaction would get caught by a human before the money left the bank.

Before anyone suggests switching vendors, consider two things:

1. Switching banking software vendors is EXTREMELY disruptive to business. In a business where customers complain about 5 minute drive-through times, a large software migration with downtime and training is intolerable.

2. All small to medium bank software vendors suffer from similar code quality problems. Moving to another product does not necessarily guarantee quality code.

-ted
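Added example, not the vendor's or the poster's code: the account-update flaw zerofoo describes in miniature, with the string-spliced "before" beside a parameterized fix, run against a constructed in-memory SQLite table. Account names, passwords and the (simplified) salted PBKDF2 storage format are made up for the demo; note that encrypting or hashing the stored password does nothing here, because the flaw is in which rows the UPDATE touches, not in what it writes.

```python
import hashlib
import secrets
import sqlite3


def hash_password(password: str) -> str:
    """Salted PBKDF2 hash stored as 'salt$hash' (demo-simplified)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return secrets.compare_digest(digest.hex(), digest_hex)


def fresh_db() -> sqlite3.Connection:
    """In-memory accounts table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, "
                 "password_hash TEXT, balance_cents INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("richcorp", hash_password("correct horse battery"), 40_000_000),
        ("newuser", hash_password("known-password"), 1_000),
    ])
    conn.commit()
    return conn


def change_password_vulnerable(conn, username: str, new_password: str) -> int:
    """The 'before': the username from the request is spliced into the SQL
    text, so a crafted value can widen the WHERE clause to other accounts.
    Returns the number of rows changed (should only ever be 1)."""
    sql = (f"UPDATE accounts SET password_hash = '{hash_password(new_password)}' "
           f"WHERE username = '{username}'")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def change_password_hardened(conn, username: str, new_password: str) -> int:
    """The fix: a parameterized query. The driver passes username as data,
    so it can only ever match a literal username value."""
    cur = conn.execute("UPDATE accounts SET password_hash = ? WHERE username = ?",
                       (hash_password(new_password), username))
    conn.commit()
    return cur.rowcount


def login_ok(conn, username: str, password: str) -> bool:
    row = conn.execute("SELECT password_hash FROM accounts WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and verify_password(password, row[0])


def run_scenario(change_password):
    """Constructed input shaped like the incident in the post: the attacker
    'newuser' changes their own password with a username field that extends
    the WHERE clause. Returns (rows changed, whether the attacker's known
    password now opens richcorp's account)."""
    conn = fresh_db()
    crafted = "newuser' OR username = 'richcorp"
    changed = change_password(conn, crafted, "known-password")
    return changed, login_ok(conn, "richcorp", "known-password")


def honest_change_works() -> bool:
    """Sanity check that the hardened path still serves a legitimate request."""
    conn = fresh_db()
    changed = change_password_hardened(conn, "newuser", "new-secret")
    return (changed == 1 and login_ok(conn, "newuser", "new-secret")
            and not login_ok(conn, "richcorp", "new-secret"))


if __name__ == "__main__":
    print("vulnerable:", run_scenario(change_password_vulnerable))
    print("hardened:  ", run_scenario(change_password_hardened))
```

A detection-side corollary: a password-change handler whose UPDATE reports more than one affected row is already a strong signal, which is why the example returns rowcount.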

Ought/ Ought Naught, Ground/Zer0... (1)

scorpivs (1408651) | more than 5 years ago | (#29195887)

Weeee Dogies! Y'all're gonna have ta excuse mah cogitations, Mister Drysdale, but Ah figgers this's one thread just about the perfect Phishin' hole fer them there squattin' folk. Ahmah gonna has ta asks y'al tah not pay no never-mind t'mah sig. Yore Friend, Jed Clampett

How about (dare I say it?) offline? (1)

John Hasler (414242) | more than 5 years ago | (#29195927)

> The banking group is urging that commercial bank customers 'carry out all
> online banking activity from a standalone, hardened, and locked-down computer
> from which e-mail and Web browsing is not possible.

My bank still has actual human tellers.

Trademarks vs Phishing (1)

Doc Ruby (173196) | more than 5 years ago | (#29196369)

These banks can call for everyone else to do all kinds of drastic things. But even though practically all phishing scams should be stopped by banks enforcing their own trademarks, banks do absolutely nothing like that.

These banks are businesses that get paid $TRILLIONS to lose everyone else's money, all the time. Of course they'll demand everyone else do a lot of hard work to protect them, while they do none but keep all the money.
