
Cyber Gangs Raise Profile of Commercial Online Bank Security

Soulskill posted more than 4 years ago | from the only-you-can-prevent-identity-theft dept.

Security 140

tsu doh nimh writes "The Washington Post's Security Fix blog has published a rapid-fire succession of investigative stories on the theft of hundreds of thousands of dollars from companies, schools, and public institutions at the hands of organized cyber thieves and 'money mules,' willing or unwitting people recruited via online job scams. Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs. Last week, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules. The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball. Most recently, the Post's series outlined a sophisticated online system used by criminals to recruit, track and manage money mules."


140 comments

Hmm (0, Funny)

Anonymous Coward | more than 4 years ago | (#29557797)

, a Maine firm sued its bank, saying the institution's lax approach to so-called multi-factor authentication failed after thieves stole $588,000 from the company, sending the money to dozens of money mules

I don't see how this is the bank's fault; the thieves stole the money before the security system was broken.

Re:Hmm (0)

Anonymous Coward | more than 4 years ago | (#29558185)

This phenomenon is purely due to an american's failure to use proper grammer.

Re:Hmm (3, Insightful)

hedwards (940851) | more than 4 years ago | (#29558719)

You know, Kelsey Grammer is only one man. You can't expect him to go out and fix all the world's English language issues, now can you?

Re:Hmm (0, Offtopic)

Anonymous Coward | more than 4 years ago | (#29559301)

It never fails to amaze me how many fucking stupid people get mod points around here. What part of the modding guidelines did the person with mod points not understand?

I have to agree but..... (1)

Chrisq (894406) | more than 4 years ago | (#29563277)

From the summary

The same group is thought to have taken $447,000 from a California wrecking company, whose bank also is playing hardball.

Wouldn't it be funny to see the wrecking company play hardball with the bank [wboy.com] as payback.

I like Bank of America's approach (4, Interesting)

Iphtashu Fitz (263795) | more than 4 years ago | (#29557817)

I have accounts at a few different financial institutions and have to say that despite all their other problems I think Bank of America has about the best two-factor authentication scheme I've seen so far.

Cell phones are extremely common these days, and BoA has leveraged that ubiquity. You can set up your account so that any time you attempt to log on the bank will send you an SMS text message with a totally random 6 digit number. You have to enter that number as you're logging into their website (along with your regular password). Since they're using an out-of-band method of sending you the random code the chances of it being intercepted are extremely small. And since it can only be used once then even a keylogger can't defeat it. The only type of attack that I think would work in this situation would be a man-in-the-middle attack, which is very unlikely as well.

Re:I like Bank of America's approach (5, Interesting)

Anonymous Coward | more than 4 years ago | (#29557879)

I can think of a *lot* of attacks on that. Most of them just as illegal as the intended crime...but...yeah... It's technically trivial to intercept SMS data. As it is, you can already see the fraud shops working around it--the new trojans send an alert to some amazon-turk type person in the middle of nowhere when you login, and just hide a window that gets relayed to them. While you're logged in, they can do very bad things...

Also, as somebody working in an industry that once depended on SMS, let me tell you the service is ridiculously unreliable. How'd you like not being able to log into your bank b/c you couldn't get an SMS? In the US I can tell you from experience that any given vendor will have SMS "down" for about four days (total) a year.

Finally--even if it can only be used once, a keylogger can defeat it, unless only the last message is valid, and/or there's a rapid timeout. All I need to do is make the keylogger a little aggressive, and popup a box prompting you for *two* passwords. Of course, the first one actually goes to the bank--the second one crossposts to evil.com so I can login later today and drain you.

I realize--it's probably a "small" concern--but when you need your bank info--you often *need* it quickly.

Look, there's a lot of *good* technologies out there to help filter this. The credit card companies use some of them. But in the case of banks, what's going on is outright criminal negligence that they refuse to fix.

Re:I like Bank of America's approach (0)

Anonymous Coward | more than 4 years ago | (#29558271)

The problem with most attacks on the said scheme is that they need to focus on a certain person. It's much harder to deploy such attacks on a larger scale. *If* you only do your banking at home, you should be safe with this system unless someone is really after you, in which case I can think of a lot more and easier 'attacks'. Such as punching you in the face until you give me all your money.

Re:I like Bank of America's approach (1)

Pinky's Brain (1158667) | more than 4 years ago | (#29558483)

Depends on what they are targeting, if they are targeting the money directly ... sure. If they are however targeting the bank and its stock price things can get very ugly.

Let's say that at the moment there is yet another remote hole in windows making a large percentage of computers vulnerable. A hacker exploits that and installs trojans and instead of making a botnet logs bank transactions for a while, then with enough data it starts falsifying them but engineered in such a way to avoid heuristics. Best case you transfer 100s of millions before they catch on ... worst case you transfer millions before they catch on but have to shut down their online banking entirely (your trojan isn't going to go away in a hurry, if it's a well written rootkit nothing except a reinstall is going to help) and clean up an ungodly mess.

Re:I like Bank of America's approach (1)

MrPhilby (1493541) | more than 4 years ago | (#29563009)

My Bank lets me log-in normally but I have to use SMS authentication for EVERY transaction while logged on.

So close ... and yet so FUCKED (1)

Pinky's Brain (1158667) | more than 4 years ago | (#29557915)

It's a good approach, almost ... but it doesn't stop trojans at all. Why didn't they go the extra mm and make it secure? This is no better than the little calculator I have at home which generates a random number using my card and my pin, which doesn't stop trojans either.

What they should have done is send the transaction details and the confirmation code in the same SMS.

Re:So close ... and yet ... (1)

JLavezzo (161308) | more than 4 years ago | (#29558237)

I don't get it. How's a trojan going to read an SMS off my cell phone?

Re:So close ... and yet ... (0)

Anonymous Coward | more than 4 years ago | (#29558281)

The trojan will intercept the 6-digit code mentioned above when you type it into the computer.

Re:So close ... and yet ... (1)

Gordonjcp (186804) | more than 4 years ago | (#29558321)

The trojan will intercept the 6-digit code mentioned above when you type it into the computer.

And do what with it? Squirrel it away to be used later, when it's no longer valid?

Re:So close ... and yet ... (1)

MeanMF (631837) | more than 4 years ago | (#29558337)

It'll give it to the attacker to log in with.. And it'll tell you that you entered the wrong code and that you need to try again.

Or it'll let you log in and quietly submit a transaction on your behalf every minute or two while you're logged on.

Re:So close ... and yet ... (2, Informative)

Pinky's Brain (1158667) | more than 4 years ago | (#29558341)

Just for instance ... it can connect to a server, retrieve a transaction from it and validate it with the key you just entered. The server at the same time sends off a couple of SMS to money mules.

Automation is the key.

Re:So close ... and yet ... (0)

Anonymous Coward | more than 4 years ago | (#29559319)

So when you said "Why didn't they go the extra mm and make it secure?", what did you have in mind? Ban Windows, MacOS X and everything else except FreeBSD? Or ban every type of personal computer and provide bank-controlled terminals? Hey that's an idea, they could place one every few blocks in each city. Oh wait, those already exist and are called ATMs.

Re:So close ... and yet ... (1)

Pinky's Brain (1158667) | more than 4 years ago | (#29559797)

"What they should have done is send the transaction details and the confirmation code in the same SMS."

Re:So close ... and yet ... (2, Interesting)

Opportunist (166417) | more than 4 years ago | (#29563385)

Not at all. Why should it? The trojan will just make YOU do all the work for it.

Scenario: You want to transfer 40 bucks to Aunt Bessy for that wonderful cake she sent you. You have one of those trojans in your box, though. This trojan got information from its maker that it should send whatever your account can possibly send without setting off alarm clocks at the bank to Mr. Hackme and sits quietly inside your box 'til the next time you log into your account.

"Fortunately" most banks conveniently display the amount of money you have on the page, so the question how much money can be sent is trivial to answer. What happens now is that the trojan lets you enter all the data, but before sending it to the bank it changes Aunt Bessy's account number with that of Mr. Hackme, and those 40 bucks with whatever it can rip off. The bank will accept that input and return to you the information that you're gonna send your fortune to Mr. Hackme, which the trojan will "translate" to 40 bucks to Aunt Bessy, and ask for the confirmation. You confirm those 40 bucks, but in fact you just confirmed the trojan deal.

The only way to thwart this is by sending not only a confirmation code but also the amount and account to send it to by SMS, and you verifying that this data is correct before punching in the code.

Re:So close ... and yet so FUCKED (1)

thelamecamel (561865) | more than 4 years ago | (#29560427)

What they should have done is send the transaction details and the confirmation code in the same SMS.

Which is exactly what the Commonwealth Bank of Australia does.

Whenever you try to do anything 'serious', e.g. transfer money to someone new, change your details etc, you have to enter a code they'll send you by SMS. This SMS will briefly say what you're trying to do, e.g. a part of the account number you're sending money to. It's fast and doesn't get in your way unless you're doing something potentially dangerous.

Re:So close ... and yet so FUCKED (1)

Pinky's Brain (1158667) | more than 4 years ago | (#29563629)

Glad to hear some banks get it right ... a bit too far out of my neck of the woods unfortunately.

Re:I like Bank of America's approach (4, Insightful)

maladroit (71511) | more than 4 years ago | (#29557921)

As Bruce Schneier recently pointed out [schneier.com], MITM attacks are now much more common, and likely to become widespread.

Now, if they used that cell phone message to authenticate the exact transaction you are performing, you'll be much more secure.

Of course, if it's too easy to update the cell phone number, all bets are off.

Re:I like Bank of America's approach (3, Informative)

jasonwc (939262) | more than 4 years ago | (#29558089)

They do! By default, anytime you add a BillPay account, modify BillPay settings, or make an electronic transfer of funds you're asked to authenticate via SMS for THAT transaction. SMS authentication is not merely used to login. It's used to authenticate any major financial transaction.

Re:I like Bank of America's approach (1)

MeanMF (631837) | more than 4 years ago | (#29558141)

For it to work correctly, the SMS or other out-of-band message should include the details of the transaction that you're authenticating. Otherwise a MITM attacker could make you think you're just logging in when actually you're authorizing a wire transfer.

Re:I like Bank of America's approach (3, Informative)

jasonwc (939262) | more than 4 years ago | (#29558207)

Not really. By default, SMS is not used to login; only to authenticate transactions. If you know you haven't requested any such transaction, you should immediately reject the authentication attempt, log out, and contact BoA.

To successfully transfer funds out of your account, they would need you to authenticate via SMS twice - once to login and once to authenticate the transaction. If you know you haven't authorized any transactions, you simply should refuse any further authentication attempts.

I suppose they could make it appear that the original attempt failed. However, that should raise enough suspicion to cause you to log off. In addition, they would have to correctly guess your SiteKey image to attempt the attack. When you login, Bank of America displays a unique image of your choosing to ensure you're at the authentic site.

Re:I like Bank of America's approach (2, Informative)

jasonwc (939262) | more than 4 years ago | (#29558259)

Oh, and Bank of America uses an EV SSL cert making it particularly easy to verify that you're on the correct site. Any of the above behavior should cause a cautious individual to inspect the validity of the SSL certificate.

Re:I like Bank of America's approach (1)

mrjohnson (538567) | more than 4 years ago | (#29559395)

EV (and certs in general) are little better than snake oil. If the browser is already compromised, trusting it to tell you the site you're visiting is trusted is foolish.

Re:I like Bank of America's approach (1)

MeanMF (631837) | more than 4 years ago | (#29558295)

Making it look like the initial login failed is one way, another is to tell you that your session timed out and that you need to reauthenticate to continue. If you're a very security-conscious customer you might catch on, but the overwhelming majority of people are going to be fooled by this. If the SMS message told you exactly what you were authorizing, it would go a long way towards defeating this kind of attack. Unless the attacker can intercept and modify the SMS message before it gets to you, you're going to see what's really going on.

SiteKey is practically useless [nytimes.com]. People either don't notice that the picture is missing, or they're so used to answering security questions that they just go ahead and do it without thinking.

Re:I like Bank of America's approach (1)

jasonwc (939262) | more than 4 years ago | (#29558435)

However, the "overwhelming majority of people" are unlikely to change the default setting to require SMS for logins as well as transactions.

Therefore, even a non-security conscious person should be very suspicious when their banking site asks them to authenticate via SMS due to a session timeout when they have never had to do so in the past and their only use of SMS in the past resulted from significant financial transactions.

Perhaps I expect too much from Joe Sixpack. :P

I think BoA is doing a reasonable job of securing its website with SMS authentication, the use of an EV certificate, and SiteKey. I agree, though, that the SMS authentication could be made more secure by stating the transaction in the message.

However, I think there's a bigger issue that's likely to confuse non-technical people. They display an image of a lock icon above the sign-in box. This suggests to users that the site is secure when in fact it has no significance whatsoever. Users need to use their browser to authenticate the authenticity of a website. Training users to rely on the existence of a lock icon on the web page itself is just asking for trouble.

Re:I like Bank of America's approach (1)

MeanMF (631837) | more than 4 years ago | (#29558487)

Yes, that's pretty much the point of the article. As long as the banks aren't responsible for the losses, they have little incentive to spend money securing their systems. They just focus on generating as much business as possible, which means less focus on security and more focus on making things easy for users. If they were at least partially responsible for the losses, then they would not allow Joe Sixpack or anybody to do a funds transfer without SMS or some other better form of authentication. Or they would implement other measures like anomaly detection which have worked reasonably well in reducing credit card fraud losses.

Re:I like Bank of America's approach (2, Interesting)

Opportunist (166417) | more than 4 years ago | (#29563433)

Since I worked for banks with exactly this problem, I can reassure you that even if they aren't responsible for the losses, they have a very keen interest in making the whole deal secure: Cost.

You have NO idea how much money banks save by shifting the work of transfers to you, their customer. Banks shut down a lot of branches and laid off a lot of people because they don't need so many brick and mortar outlets and tellers anymore. Now imagine people lost faith in the security of online banking, to the point where they consider it untrustworthy enough to demand their human monkeys again to do their work. The losses due to bank fraud have been laughable in comparison (we're talking 7- and 8-digit savings here, and we're not even close to huge corporations like the BoM).

Furthermore, banks could not even easily return to brick and mortar transactions if everybody suddenly stopped using online banking, some banks are by now very dependent on online banking, to the point where they would quickly lose customers simply because there are no local branches anymore.

Re:I like Bank of America's approach (1)

Opportunist (166417) | more than 4 years ago | (#29563405)

I think you do expect too much. Considering that people sent out a barrage of transaction IDs due to an email telling them to do so or their bank account is going to be terminated, I think people would not get suspicious if they suddenly got an SMS from their bank that they never requested. They will just think their bank changed the security setup, maybe even consider it a good sign that the bank is working on improving security, and play along.

Re:I like Bank of America's approach (1)

ArsenneLupin (766289) | more than 4 years ago | (#29558989)

If the SMS message told you exactly what you were authorizing, it would go a long way towards defeating this kind of attack.

Exactly. And moreover, the attacker could always wait for you to submit a legitimate transaction, and submit his own (with different recipient, and different amount) instead. How would you spot that without the transaction details contained in the SMS?

Re:I like Bank of America's approach (1)

Pinky's Brain (1158667) | more than 4 years ago | (#29558519)

What if you want to authorize a transaction but they just change the transaction to one they had already lined up earlier?

Re:I like Bank of America's approach (2, Interesting)

ArsenneLupin (766289) | more than 4 years ago | (#29558979)

they would have to correctly guess your SiteKey image to attempt the attack

They won't have to guess. If they've placed a MITM or rooted your windows box, they can just ask the bank in your name to supply the correct image.

Re:I like Bank of America's approach (0)

Anonymous Coward | more than 4 years ago | (#29557971)

If an evil person does a proper MitM attack, it won't help you. First, you log in to what you think is the bank's website (it's actually redirected to the evil one's website by malware on your computer). Then, you enter your username and password. The bank sends the SMS to you. You enter the SMS password, and send it to the evil one's website. The evil one now has your username and password, and is logged in to your account. His website returns a "temporary maintenance" message, telling you to try again later. Later, when you try again, you find that you no longer have any money.

Re:I like Bank of America's approach (4, Informative)

Rick17JJ (744063) | more than 4 years ago | (#29558381)

I have a PayPal security key on my key chain, which I use whenever paying for something by PayPal. Most people do not realize that PayPal offers the option of using a security key. That is multi-factor identification, which is where I need to know something and I also need to have something, to access the account. The security key generates a different 6-digit number every 30 seconds. So if someone managed to steal my password through a keystroke logger or a phishing email message, they would not have the security key that I keep in my pocket. If someone found my security key laying on the ground, they would not know my password.

https://www.paypal.com/securitykey

As for the alternative of getting in by answering the security questions for the account, I have used very hard to guess made up answers for the stupid security questions (I did not use real information).

An employee at the bank, where I have my checking account, recently suggested that I should do online banking. First I asked him if that would work with my computer which runs Linux, instead of Windows. He said Linux would work just fine. I then mentioned my concerns about security and the fake phishing emails that I get, which claim to be about my online banking account at their bank. I said, you know the ones that want me to click on some long complicated looking URL going to some foreign country, and then probably have me log-in and give them my user name and password. He said, "yes just ignore all of those fake email messages."

I also mentioned my concerns about keystroke loggers, although I added I have probably managed to secure my Linux computer, better than most average computer users do. However, a keystroke logger might still be a slight possibility, even for my Linux computer, so I knew I wanted the additional protection of multi-factor authentication. I pulled my security key out of my pocket, and asked him if they offer two-factor authentication, using something like this. He said they did not offer anything like that. I told him that I would not feel comfortable doing online banking with them, because they do not offer multi-factor authentication.

Two-factor authentication may not be totally perfect, because most forms might still be vulnerable to a man-in-the-middle attack, but it would still be a major upgrade to their security. The cell phone plus 6-digit number in an SMS text message technique, that you said Bank One is using, also sounds great.

Re:I like Bank of America's approach (1)

1s44c (552956) | more than 4 years ago | (#29560235)

I have a PayPal security key on my key chain

You are securing yourself against the wrong people.

Paypal have the habit of demanding payment for some non-existing debt and cleaning out every account and credit card they can access.

Re:I like Bank of America's approach (1)

Rick17JJ (744063) | more than 4 years ago | (#29560463)

Do you have a link to an article, or a specific example, which talks more about the problem of demanding payment for some non-existing debt, which you mention?

I do not actually use PayPal very much, except for occasionally using that as the method of payment on web sites which offer PayPal as an optional method of paying. I have never actually yet tried using PayPal to purchase something from another individual over the Internet (which is probably what most people use PayPal for). I really have not yet used PayPal very much, so despite having the security key, I do not yet know very much about PayPal.

Do you have any specific tips for how to minimize the risk of that happening?

Re:I like Bank of America's approach (1)

Rick17JJ (744063) | more than 4 years ago | (#29560367)

Apparently they are starting to see man-in-the-middle attacks and trojan attacks being used against two factor authentication. I just noticed where maladroit's post had a link to where Bruce Schneier talks about how those types of attacks are being used against two-factor authentication.

Bruce suggests authenticating the transaction instead of authenticating the user, although at least in the article below, he does not give any details about how exactly to do that.

http://www.schneier.com/blog/archives/2009/09/hacking_two-fac.html

I decided to reply to my own post, to say that does somewhat weaken the argument for two factor authentication being the primary solution to the problem, by itself.

Re:I like Bank of America's approach (1)

zippthorne (748122) | more than 4 years ago | (#29561927)

The only downside is that Paypal is not a bank. So they charge usury rates and aren't FDIC insured and have a whole host of banking regulations they somehow aren't bound by.

Re:I like Bank of America's approach (1)

RMH101 (636144) | more than 4 years ago | (#29563247)

Paypal in the UK doesn't offer the Security key, but they do offer SMS confirmation to your phone. I'm presuming they've implemented this in such a way that you can't steal the password and login and change your mobile phone number without this feature!
If done well, this is quite neat: raises the security without adding a cost.

Re:I like Bank of America's approach (1)

Opportunist (166417) | more than 4 years ago | (#29563457)

A security key will defend you against others stealing your passwords and trying to pose as you, but it cannot defend you against a MITM attack inside your box. You will simply just authenticate the bogus transaction. A trojan that manipulates your data on the fly, which does exist in the wild and has been widely used since the advent of security keys, will not be thwarted by this.

Re:I like Bank of America's approach (0)

Anonymous Coward | more than 4 years ago | (#29558409)

And how do you prevent thieves from updating the SMS number that is associated to your bank account? After all, there must be a way to change it without the old phone available in case you accidentally drop your phone into the ocean while on a cruise. What verification do they use for that, mother's maiden name? Then that's the real security level, not the SMS part.

Re:I like Bank of America's approach (2, Insightful)

Sir_Lewk (967686) | more than 4 years ago | (#29558465)

I think as we see an increase in cellphone usage for common internet tasks, the "out of band" benefits of this scheme are going to be lost for many people.

Re:I like Bank of America's approach (1)

mrjohnson (538567) | more than 4 years ago | (#29559443)

Yes, but cellphones are locked down and patched by the carriers. And the limited memory, diverse hardware and software make creating most typical Windows malware pretty impractical. In all, I'd much rather have users logging in from a cell phone than a Windows computer.

Re:I like Bank of America's approach (1)

DavidTC (10147) | more than 4 years ago | (#29558693)

The only type of attack that I think would work in this situation would be a man-in-the-middle attack, which is very unlikely as well.

Actually, those attacks are some of the most relevant in Europe, where they've been doing that sort of stuff for a while.

Although, strictly speaking, it's more 'man at your end', where they simply put trojans on systems that wait for you to, entirely legitimately, log into your account, and then simply send some money their way from your now-authenticated web browser.

Re:I like Bank of America's approach (1)

Opportunist (166417) | more than 4 years ago | (#29563309)

Just for logging in? No security at all.

The attack is inside your computer, manipulating the data that is sent between you and the bank, showing you bogus information. I have first hand proof of malware that does indeed manipulate the transfered amount and target account while displaying to you the correct account and amount.

So unless the transaction itself is two-factored, i.e. you get an SMS with an authorization code for this specific transaction, sending not only the code but also the target account and the intended amount of money to be sent by SMS when you try to finalize the transaction, the whole thing is mainly smokescreen.

If you didn't know... (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#29557861)

banks rule the world. They own you and they will do to you as they like.

Commerical (0)

Anonymous Coward | more than 4 years ago | (#29557889)

Interesting, I'd never heard of Commerical Online Bank Security.

Cahoot in the UK (3, Interesting)

Threni (635302) | more than 4 years ago | (#29557893)

I emailed Cahoot about a flaw in their system, about 5 times as it happens, over a period of months, but only ever received stock replies. What happens is: you attempt a login with username/password. Then you get to a screen where you select 2 letters from a second password via drop down boxes. If you get that second page wrong a few times it tells you that your account is locked and you have to contact them. But you don't - your account is not locked. You can simply attempt another login. So if you know someone's username/password (username is visible when someone logs in so you just have to know their first password), then you get as many guesses as you like of their second password, and it doesn't vary the 2 letters it wants from that one. The drop down list gives a-z and 0-9. 36 * 36 isn't very many guesses to have to attempt.

Wow ... (1)

Pinky's Brain (1158667) | more than 4 years ago | (#29558023)

Why do you bank with them?

Online banking with a single factor security is silly (two passwords are not two factors). I don't feel entirely safe with the code calculator my bank gives, but at least I know how to recognise large transactions (you can see by the way you have to enter the website verification number, not that they tell you that) so trojans could only ever hijack a small transaction.

Sweden rocks (2, Informative)

Anonymous Coward | more than 4 years ago | (#29558127)

Depending on your bank in Sweden, you either got:

* A user/pass combination that you input on their website. You then get a code that you input on a personal code generator thingy, and you get another code back that you enter on the website. (Downside: You need your code generator with you)

* A user/pass combination and one-time-use codes that you scratch off a card that you carry with you. (Downside: You gotta order more codes after a while)

* A digital ID encrypted on file, and a password that decrypts it. (Downside: you need the file on a USB memory stick or something)

* (New). A digital ID on a card that you carry with you, and a non-personal card reader. This card is like a digital version of your ID.
You can either enter your card and a 6-digit PIN with the reader connected through USB.
Or you can enter the card and PIN, and you get a code that you enter on the website. You then get a code back that you enter into the reader, which in turn generates another code that you enter on the website.
(Downside: You need a card reader when you're away from home. If everyone uses the same bank, this wouldn't be a problem)

Everything is done over HTTPS, so it seems pretty secure.

Re:Sweden rocks (3, Interesting)

jonbryce (703250) | more than 4 years ago | (#29558219)

In Britain you get

Username (the most difficult thing to remember), password, and some top secret information like Mother's maiden name or date of birth.

Or, some banks, mainly in the HBOS group, will send you a code by text message which you have to enter into the website. This is vulnerable to man in the middle attacks.

Some banks (Royal Bank of Scotland Group, Nationwide, Barclays) have a calculator sized device where you insert your debit card, type in your debit card pin number and a number displayed on the website, and get another number off the device which you enter into the website. Again, this is vulnerable to man in the middle attacks and apparently other sorts of attacks as well.

Re:Sweden rocks (1)

Plouf (957367) | more than 4 years ago | (#29559445)

Here in Belgium you'll typically need to feed the calculator with two numbers: the first one is the bank's reference, while the second one is composed of the target bank account number and the amount of money you're willing to transfer. The way this second number is calculated is emphasized on the website's display. That way, even if a Trojan intercepts the traffic either way, there is nothing it can do except transferring that specific amount of money to that specific account. This only works if you spend the 3 seconds that are required to check that the second code indeed matches your order, but I didn't spot any major flaws with that system.

Re:Sweden rocks (1)

jonbryce (703250) | more than 4 years ago | (#29559541)

But some trojans work in real time with someone in the middle controlling it over IM and are targeted at specific banks. It could replace the number on the website with another one for the money mule account details.

Re:Sweden rocks (1)

owlstead (636356) | more than 4 years ago | (#29561097)

That would only work if the customer does not know the number of the person receiving the money. For larger transaction amounts the Dutch Rabobank requires you to fill in the total transaction amount as well. At first they forgot to notify the customer of the meaning of the number, rendering it mostly useless (and also showing how clueless even banks can be). Of course, this does not mean the money will be made out to the correct account at all.

I'm personally thinking of creating a USB stick or hard drive with a small Linux distro for the sole reason of doing banking; that way MITM attacks to the machine itself will at least become less of a problem.

No thanks, nanny bank (2, Insightful)

religious freak (1005821) | more than 4 years ago | (#29558145)

Some businesses are starting to challenge the financial industry's position that they are not responsible for online banking losses from things like keystroke logging malware that attacks customer PCs

How exactly is this the banks' responsibility? And if it is a bank's responsibility, are they going to go into my PC to fix it?

Re:No thanks, nanny bank (3, Insightful)

MeanMF (631837) | more than 4 years ago | (#29558173)

The point is that as long as banks are not responsible for the losses, they have no incentive to implement strong security measures on their websites. A large number of the current attacks on customer PCs could be eliminated if banks didn't let people do everything with just a username and password. Imagine how bad credit card fraud would be today (or how few people would use credit cards) if you were responsible for fraudulent use and not the bank.

Re:No thanks, nanny bank (3, Informative)

gordguide (307383) | more than 4 years ago | (#29558651)

" ... The point is that as long as banks are not responsible for the losses, they have no incentive to implement strong security measures on their websites. ..."

Actually, it goes beyond that. As long as banks are not responsible for the losses, they have an incentive to weaken security in order to maximize the number of clients, in the available pool of clients, who actively bank online.

This lowers the cost of running the bank and therefore maximizes profits (which cannot be impacted by pesky requirements to provide compensation for breaches and customer losses via weak security).

Re:No thanks, nanny bank (1)

Opportunist (166417) | more than 4 years ago | (#29563503)

The problem is that you want the bank to secure what they cannot secure: Your PC.

I do not know of a single case of bank fraud where the fraud has been in any way connected to a security breach on the bank's side, and due to my work I know of a fair lot of fraud cases. Invariably the problem was on the customer's side. Either he willingly surrendered credentials to a con artist ("log in to this site NOW or your account gets frozen") or his machine has been compromised and either his credentials were logged and used or his computer was poisoned with a MITM attack.

The core problem about online banking is that the bank has to trust a machine it has no control over: The user's machine. The bank has to assume that the data sent by this machine is what the user entered. They cannot verify that. The only sensible way is to open another channel (as is now done with SMS verification codes) so a potential attacker is forced to compromise two channels instead of one. It creates an additional layer of security, but it still does not guarantee that the transaction was established by the rightful user.

You are, essentially, demanding from a bank that it takes responsibility for something that is not under their control. And unless you willingly surrender control over your online banking machine to your bank, along with your router, your internet connection and so on, they cannot take this responsibility. Or at least they can't if they are at least halfway sane.

Re:No thanks, nanny bank (3, Interesting)

Anonymous Coward | more than 4 years ago | (#29558307)

The other problem is that the banks shunt *all* responsibility onto you. My parents were kind enough to begin investing in a mutual fund (for retirement..but not actually a retirement account) for me...when I was a child. That's some foresight. Not a lot of cash--I've already saved more in five years of working--it was mostly about teaching me the values of savings.

In order to gain access to my account online and be able to manipulate things without a *ton* of paperwork, they require a form absolving them of *ALL* liability in event of account fraud. Furthermore, in the event of fraud--if my computer doesn't have antivirus they approve of (not that they published a list of approved a/v!), I'm liable not only for my losses--but theirs.

Great--now I've got to do paper banking, and get charged *extra* for the paper statements. Worse, if I take the money out of the account--just to move it to another company or invest it myself (because I now officially hate them)--I'm going to get nailed with a capital gains tax that will hit me like two years of rent. Taxes are the IRS' way of locking you into a bank for life.

So they've got my money, I really can't touch it, and the agreement is if I want to be able to shift it around online, *I'm* responsible for everything, including their acts of malfeasance (and that sort of agreement isn't just negligence...it's malicious). I'm sure they'll recognize clamAV right?

Better yet, do you think their fraud team would understand in event of a problem when I said "The system that accessed your account has no AV, because it doesn't need it by definition?"--would you? You think they're going to give a damn and not fight tooth and nail when I say all my banking is done on a readonly checksummed VM image used only for secure banking?

You've got to learn--security is not ONE PARTY'S responsibility. It's a multi-layer problem. I need to keep my system safe and clean, and they need to authenticate my transactions. As it is--if you gave me your checking account and bank routing number, I could clean your account out. It'd be illegal...but the system is set up to do it. In the face of this sort of problem, the only solution is both parties working to a solution.

So yes, it should be the bank's problem--and they still shouldn't have to go onto your system to fix it.

Re:No thanks, nanny bank (1)

ArsenneLupin (766289) | more than 4 years ago | (#29559017)

And if it is a bank's responsibility, are they going to go into my PC to fix it?

Here in Luxembourg, some banks actually force you to have an insecure PC. So yes, in that case they should take responsibility if it gets broken into.

Re:No thanks, nanny bank (1)

turbotroll (1378271) | more than 4 years ago | (#29559177)

And if it is a bank's responsibility, are they going to go into my PC to fix it?

Here in Luxembourg, some banks actually force you to have an insecure PC. So yes, in that case they should take responsibility if it gets broken into.

Any details?

Re:No thanks, nanny bank (1)

Opportunist (166417) | more than 4 years ago | (#29563527)

Pardon? Could you elaborate on this? This sounds like something I want to write an article about.

Go after microsoft (4, Interesting)

bl8n8r (649187) | more than 4 years ago | (#29558215)

I'm concerned about the potential that malware has to disrupt civilian systems, from stuff like waste treatment all the way to energy facilities. The same vulnerabilities that allow your bank creds to be pwned are the same ones that could be used to disrupt systems we need for heat or clean water. There need to be stiffer penalties for neglecting to fix security problems.

Re:Go after microsoft (2, Interesting)

Anonymous Coward | more than 4 years ago | (#29558355)

I disagree. Software vendors should not be accountable for their bugs, unless they agree to be accountable for them.

from WinXP EULA [microsoft.com]:

Well I was going to put a quote from the EULA here, showing the disclaimer of warranty, but slashdot doesn't like all caps, and wouldn't let me. It says:

Filter error: Don't use so many caps. It's like YELLING.

The GPL [gnu.org] also has a disclaimer of warranty, but slashdot wouldn't let me include that either.

Re:Go after microsoft (1)

Trepidity (597) | more than 4 years ago | (#29558587)

And also, food vendors should not be accountable for contamination, unless they agree to be accountable for it.

Re:Go after microsoft (1)

hedwards (940851) | more than 4 years ago | (#29558795)

That's bullshit right there. I can understand allowing software that's provided for free, without any cost to the end user, to be free of liability; it seems fair that if you don't charge you shouldn't be financially liable. However, for companies like MS and those that are selling huge numbers of expensive products, there's no reason on earth why MS shouldn't be responsible if Windows has a bug that leads to real damage to the end user. At least around here, you'd still have to prove the damages to collect anything, but it's only fair.

Especially since for software like Windows or Office, the vendor is the only one that can fix the bugs or see the code.

Banking is a similar thing, they make money by you keeping your funds there, they should be liable for much more than a slap on the wrist if they were negligent when they were storing your information. That TD Ameritrade settlement was probably the biggest joke I've seen in a long time. There really should be triple penalties for companies that buy up records then fail to properly secure them.

Re:Go after microsoft (1, Troll)

Ronald Dumsfeld (723277) | more than 4 years ago | (#29559407)

I'm concerned about the potential that malware has to disrupt civilian systems, from stuff like waste treatment all the way to energy facilities. The same vulnerabilities that allow your bank creds to be pwned are the same ones that could be used to disrupt systems we need for heat or clean water. There need to be stiffer penalties for neglecting to fix security problems.

Er, no. The fucktards that connect water, power, or sewage systems to the public Internet need to be taken out behind the chemical sheds and shot in the back of the head.

Re:Go after microsoft (0)

Anonymous Coward | more than 4 years ago | (#29562267)

Who says they are? I'd be more worried if people thought that because they were on a segmented LAN (or worse, VPN) that they didn't have to worry about security, as then you're just one network tap away from a world of hurt. Or someone bringing an infected laptop onto the network.

Re:Go after microsoft (1)

Opportunist (166417) | more than 4 years ago | (#29563561)

Hey, they learned from the best. After all, when God created humans, he connected the recreation center right to the waste disposal area.

Re:Go after microsoft (1)

Arainach (906420) | more than 4 years ago | (#29562303)

If software is required to be verified secure, the cost of development (and thus the cost of software) will increase by an order of magnitude if not more. For proof of that, look at how much it costs to develop software to NASA's standards. In addition, open-source software will cease to exist, or at the very least, will cease to exist in any visible context. Project participation will plummet once devs become financially liable for what they write. Be careful what you wish for.

Re:Go after microsoft (2, Insightful)

Opportunist (166417) | more than 4 years ago | (#29563543)

How is MS or any vendor of computer hard- or software responsible for user stupidity?

Most current malware infections are not due to an OS blunder or faulty software. It's social engineering, getting the user to launch a program he had better not. From the obvious ones where you get an email from LAWYER telling you to open this attachment immediately and act OR ELSE, to the less obvious ones where you install a "crack" for something that also quietly installs a rootkit.

How could any OS avoid this? By requiring root access for anything but the most trivial actions? So? The user will grant it. Imagine you promise the user a crack for his OS so it won't activate but is still usable. Will he get suspicious if the crack wants to install ring0 drivers or manipulate system files (assuming he knows at all what I'm now talking about)? No, after all that crack is supposed to change his OS. Not only would he not be alarmed, quite possibly he would do whatever is in his power to help the rootkit install itself. If it doesn't work, oh well, maybe those bastards at MS changed something and the crack doesn't work anymore. Happens all the time with new firmware for those consoles...

Don't try to shift the blame, people. It's not Ford's fault if you don't check your brake fluid and your car doesn't stop when you slam the brakes. It's not your plumber's fault when you clog the sink and it floods the apartment. It's not Smith&Wesson's fault if you can't handle your gun and shoot yourself in the foot. And it's not MS's fault when you can't keep your machine clean.

Opting Out? (1)

Nein Volts (1635979) | more than 4 years ago | (#29558743)

Wow! After reading this, I'm starting to think that maybe opting out of Web services might be something for me. Banks don't appear to be very responsible for any money stolen. Maybe TARP can help us when our money is stolen by thieves, just-like-the-banks! Oh wait, I forgot... we have to be responsible citizens. (Somebody has to!)

survival of the fittest (2, Insightful)

shentino (1139071) | more than 4 years ago | (#29558997)

My two cents

1) Why should the bank be held responsible for something that is clearly the customer's responsibility? I.e. securing their fucking computer?

2) Maybe this will encourage folks to keep their computers locked down.

Mind you, I think that the bank should bend over backwards to help catch the bad guys. However, they cannot and should not be expected to police their client's computers...and likewise expecting them to pony up for something they can't prevent is also unfair.

The real enemy in this case, as usual, is the crook that did the hacking in the first place.

Re:survival of the fittest (1)

Ronald Dumsfeld (723277) | more than 4 years ago | (#29559521)

My two cents

1) Why should the bank be held responsible for something that is clearly the customer's responsibility? I.e. securing their fucking computer?

2) Maybe this will encourage folks to keep their computers locked down.

Mind you, I think that the bank should bend over backwards to help catch the bad guys. However, they cannot and should not be expected to police their client's computers...and likewise expecting them to pony up for something they can't prevent is also unfair.

The real enemy in this case, as usual, is the crook that did the hacking in the first place.

They can prevent it - or at least make it orders of magnitude more difficult for would-be thieves.

It's a really simple security principle, something you know , and something you have .

The what you know bit is what we're all used to, the username and password.

The what you have is some physical device that generates an additional security key - or a digital signature for your transaction. What I got from ING was a DigiPass. You need to know a five digit PIN to use the device, at login you push the "I" button, are prompted for the PIN, and it generates a login key. To finalise a transaction, the website gives you a challenge code, you push the "S" button, enter the PIN and the challenge code, the DigiPass signs it, and you enter the generated signature.

I suppose there may be some way to mount a man-in-the-middle attack on this, but you'd also have to get a valid SSL cert or compromise the user's PC so badly that the browser stopped giving cert errors.

Re:survival of the fittest (1)

Opportunist (166417) | more than 4 years ago | (#29563581)

Problem is where? A simple browser plugin can manipulate the data you get shown and the data that gets sent, before or after being encrypted, just as you need it.

DigiPass or other forms of keychain-keylocks are useful to ensure nobody can log in but you, but they are not useful to ensure that no data manipulation takes place.
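The two positions in this subthread (Plouf's Belgian calculator that signs account number plus amount, and Opportunist's point that a login-only token does nothing against data manipulation in the browser) can be played through end to end. The following is an added example, not code from the thread or from any bank or token vendor: bank, reader and trojan are all simulated, HMAC-SHA256 stands in for the proprietary algorithm in real DigiPass-style readers, and the account numbers, amount and token secret are constructed.

```python
"""Added example: a login-only one-time code versus a code that signs the
order (destination account + amount).  The trojan rewrites the account in the
submitted order; optionally it also rewrites the displayed second number so
the customer sees what they expect.  Everything here is simulated."""

import hashlib
import hmac

LEGIT_ACCOUNT = "BE00111122223333"    # where the customer wants the money to go
MULE_ACCOUNT = "BE00999988887777"     # what the trojan substitutes
AMOUNT_CENTS = 58800000               # 588,000.00, the figure from the story
TOKEN_SECRET = b"constructed-per-customer-token-secret"


def token_response(secret: bytes, *fields: str) -> str:
    """What the hand-held reader shows after the customer types `fields`:
    an 8-digit truncation of HMAC-SHA256 (stand-in for the real algorithm)."""
    digest = hmac.new(secret, "|".join(fields).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def transaction_code(account: str, amount_cents: int) -> str:
    """The 'second number' the bank displays: destination account digits
    followed by the amount, so the customer can compare it with the order."""
    return "".join(ch for ch in account if ch.isdigit()) + f"{amount_cents:010d}"


class Bank:
    """Server side: one reference per pending order; verifies the reader's
    output over the order *as the bank received it*, not as the user saw it."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.pending = {}
        self.counter = 0

    def begin(self, account: str, amount_cents: int) -> tuple:
        self.counter += 1
        ref = f"{self.counter:06d}"
        self.pending[ref] = (account, amount_cents)
        return ref, transaction_code(account, amount_cents)

    def finalize(self, ref: str, response: str, bound: bool) -> str:
        account, amount = self.pending.pop(ref)
        if bound:
            expected = token_response(self.secret, ref, transaction_code(account, amount))
        else:   # login-style code: proves the token is present, says nothing about the order
            expected = token_response(self.secret, "login", ref)
        if hmac.compare_digest(expected, response):
            return f"approved:{account}"
        return "rejected"


def run(bound: bool, trojan: bool, hide_code: bool = False, user_checks: bool = True) -> str:
    """One transfer from the customer's point of view.  `trojan` rewrites the
    submitted account; `hide_code` additionally rewrites the displayed second
    number to the one the customer expects; `user_checks` is the three-second
    comparison of the displayed code against the intended order."""
    bank = Bank(TOKEN_SECRET)
    submitted = MULE_ACCOUNT if trojan else LEGIT_ACCOUNT
    ref, code_from_bank = bank.begin(submitted, AMOUNT_CENTS)
    expected_code = transaction_code(LEGIT_ACCOUNT, AMOUNT_CENTS)
    displayed = expected_code if (trojan and hide_code) else code_from_bank
    if not bound:
        # The reader only produces a login code; nothing ties it to the order.
        return bank.finalize(ref, token_response(TOKEN_SECRET, "login", ref), bound=False)
    if user_checks and displayed != expected_code:
        return "user_aborted"     # a foreign account or amount is visible on screen
    # The customer types the bank reference and the displayed code into the reader.
    return bank.finalize(ref, token_response(TOKEN_SECRET, ref, displayed), bound=True)


if __name__ == "__main__":
    print("login-only code, trojan present:   ", run(bound=False, trojan=True))
    print("signed order, trojan fakes display:", run(bound=True, trojan=True, hide_code=True))
    print("signed order, customer skips check:", run(bound=True, trojan=True, user_checks=False))
    print("signed order, customer checks:     ", run(bound=True, trojan=True))
```

The third case is Plouf's caveat in code: if the reader signs whatever the trojan leaves on screen and nobody compares it with the order, the binding buys nothing.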

Yeah it's not like security is the banks' job ... (2, Interesting)

Nicolas MONNET (4727) | more than 4 years ago | (#29559681)

Say the bank does not implement basic security measures such as monitoring brute force attempts, and someone brute forces your account ... how are YOU gonna prove you didn't just post your password on myspace? You can't! Only the bank can! It's better to put the burden on them, and have them, in turn, enforce security measures on the clients, because the other way around cannot work, and would screw over even the few of us who have a clue about comp.sec.

Also, I would like to take this opportunity to point out that banks have had a few centuries of experience looking after their clients' cash .. it's their GOD DAMN JOB for fuck's sake.

Re:Yeah it's not like security is the banks' job . (1)

Opportunist (166417) | more than 4 years ago | (#29563621)

Care to explain what "security measures" they should enforce on the client? Take control of his computer? Because anything short of this means that the bank cannot enforce anything.

Re:survival of the fittest (2, Insightful)

Moridin42 (219670) | more than 4 years ago | (#29559867)

1) The security of financial transactions isn't "clearly the customer's responsibility" .. it is a problem that exists because there are two parties. The bank is one. The customer is the other. Both can take steps to reduce losses. Customers can secure their fucking computers. Banks can secure the fucking web page. Neither party will capture all of the gains from improving security. So, to answer your question.. banks should be held responsible (for some, perhaps most, but not all) of this type of security because they are in the best position to improve everybody's position at the least expenditure of effort. Making them responsible makes sure they make such an effort.

2) It won't. Users are dumb, reckless, careless, negligent, and stubborn. How many hours of a poorly performing machine must they suffer before they're willing to tighten security? Many, many years, apparently. How much data must users lose before they'll tighten security? Couldn't tell you. I can pretty much guarantee you that a tiny fraction of the population of internet banking users getting ripped off won't make the rest of the vast hordes of users give a flip about their own machine's security if years of data loss, identity theft, and performance impact have yet to do the job.

Re:survival of the fittest (1)

puentean (1644943) | more than 4 years ago | (#29560321)

I agree, banks should not be responsible for securing a customer's computer. However, they should be responsible for letting money in and out of an account. If they can't promise some sort of security, then we would be better off stuffing money in our mattress and installing Brinks home security. If banks want to be as profitable as possible, attract as many customers as possible, they will implement the "safest and most secure online banking possible". I mean banks basically charge you a fee for charging you a fee. I think they can afford to, and should, start continuously improving security measures or pay the consequences of their lax approaches.

Re:survival of the fittest (1)

owlstead (636356) | more than 4 years ago | (#29560907)

Yes, let the security hinge on the real experts, the users! If you think this reply is too ironic, wait for my reply to the first one to propose to educate the users.

caveat (1)

shentino (1139071) | more than 4 years ago | (#29561491)

I do, of course, advocate that banks (or any other organization handling sensitive information) do all they can to secure their sites.

* SSL certs
* HTTPS encryption
* DNSSEC
* whatever else

That goes without saying. But after the bank has done all it can to keep things secure, it's really not their fault if an end user gets their machine pwned.

And putting the bank into the position of covering for losses they can't prevent is effectively forcing them to provide free insurance.

Re:survival of the fittest (1)

ekhben (628371) | more than 4 years ago | (#29561559)

My two responses:

  1. Why should the customer be held responsible for something that is clearly the bank's responsibility? I.e., using a valid certificate, providing two-factor authentication of transactions, and instigating sensible daily transaction limits?
  2. A completely clean computer system is still vulnerable to infrastructure attacks such as homoglyphs, cache poisoning, and certificate fraud.

Or, in other words, there should be responsibility and accountability on both sides of the exchange.

Re:survival of the fittest (1)

shentino (1139071) | more than 4 years ago | (#29561761)

I agree.

Case 1 is entirely bank responsibility
Case 2 is where the bank is responsible by default thanks to limitations of liability.

What I disagree with is a customer with a malware infested machine getting freebie insurance from the bank.

My opinion:

The bank is presumably liable for all unauthorized transactions, but can escape liability if they prove the consumer was negligent. And having an insecure machine should be considered negligent.

Re:survival of the fittest (1)

ekhben (628371) | more than 4 years ago | (#29561833)

Not sure about your bank, but mine made sure that they disclaimed all responsibility when I signed up for online banking. Fortunately they do offer two-factor transaction authorisation, so a thief has to go to quite a bit more effort to get at my balance. I also have no idea how much responsibility the law (here in Australia) allows the bank to disclaim; typically one can't abrogate negligence via contract, but I sure wouldn't like to take a bank to court to find out.

Re:survival of the fittest (1)

Opportunist (166417) | more than 4 years ago | (#29563673)

That's either trivial or impossible, depending on how you implement it.

If you let the bank go free if they can prove that your credentials issued an order, it's trivial. They log that already. I've seen those logs and I can tell you, paranoid doesn't even come close to describing WHAT they actually log. Every click you do on a bank webpage is logged. So it's trivial for them to follow the trail of every single transaction.

If they have to prove without doubt that your machine was compromised when the fraud took place or, worse, that it was compromised at some arbitrary point in the past so the credentials could have been stolen, it's impossible. Or at the very least very trivial for the customer to make all evidence vanish. Any "incriminating" evidence is firmly in his hands, and since this is hardly a criminal case, the customer cannot be required to surrender the machine in question (which machine, btw? That's something the bank cannot know) without enough time to wipe it or ship it off to Abu Dhabi if he so desires.

Bank strategies in Asia (1)

msutchmk2 (1644577) | more than 4 years ago | (#29559337)

Well, I don't know how the banks in the United States handle those transactions, but back in Asia, from where I came, once a transaction needs to take place, the bank will send you an SMS including a temporary PIN. If the PIN is not used within 5 minutes, it would expire automatically. Also, if the transaction involves a large amount of money (over $1500), your personal financial advisor from the bank will call you directly to verify. So far, I haven't heard of many big losses from online transactions in my home country, or at least not reported. I assume it means the way our banks handle the transactions is practical.

Re:Bank strategies in Asia (1)

1s44c (552956) | more than 4 years ago | (#29560169)

...your personal financial advisor from the bank will call you directly to verify...

Your bank has personal financial advisors? I don't think I've ever talked to the same person twice at my bank.

What bank is that?

Re:Bank strategies in Asia (1)

Opportunist (166417) | more than 4 years ago | (#29563707)

Could be any European Bank I dealt with in the past.

With my bank I get a call from my personal financial advisor when:

- A transaction takes place that goes beyond a set limit (you get to set it, so if you constantly transfer multiple thousands of dollars, you don't get called every time. That limit is kept secret)
- A transaction is sent abroad to a country or account (choice is yours) you usually do not deal with.
- A transaction is issued from abroad (i.e. a foreign IP address is using your account). Can be set to "any IP address is using it but this one (or that range of addresses)".
- The transaction looks "suspicious". This can be quite a nuisance, but it beats losing money.

Live CDs (1)

fafaforza (248976) | more than 4 years ago | (#29560969)

Stories like these make me glad I only log in from an Ubuntu LiveCD that I boot up solely for that purpose.

Phillip Dill, EPA-591 (0)

Anonymous Coward | more than 4 years ago | (#29562357)

I'm not surprised by this. Nothing is a hundred percent impenetrable. If you yourself can get into it, then I can get into it. The only way to have something be 100 percent safe is for no one to be able to access it, including yourself, which then defeats the purpose.
