
How Banker Trojans Steal Millions Every Day

kdawson posted more than 4 years ago | from the in-ur-browzer-stealin-ur-dataz dept.

Security 183

redsoxh8r notes a blog post describing in some detail the operation of "man in the browser" Trojans used to empty victims' bank accounts. "Banker trojans have become a serious problem, especially in South America and the US. Trojans like Zeus, URLZone and others are the tip of the iceberg. These toolkits are now standard-issue weapons for criminals and state-sponsored hackers. Like Zeus, URLZone was created using a toolkit (available in underground markets). What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem."


Test (1, Funny)

Anonymous Coward | more than 4 years ago | (#31239934)

Test

Re:Test (0)

Anonymous Coward | more than 4 years ago | (#31240908)

I see what you did there. Damn!

Re:Test (0)

Anonymous Coward | more than 4 years ago | (#31240944)

What this means is that the buyer of this toolkit can then create customized malware or botnets with different command-and-controls and configurations (such as which banks to attack), but having all the flexibility and power of the original toolkit. Having such a toolkit in the hands of multiple criminal groups paints a scary picture. It's simply not enough to eliminate a particular botnet and criminal group to solve this problem.

I agree it's not enough. They should also eliminate the use of any Windows computer by all banks. Seriously, name just one large botnet that contains no infected Windows machines. I dare you.

Re:Test (1, Insightful)

MrNaz (730548) | more than 4 years ago | (#31241166)

Seriously, name just one large botnet that contains no infected Windows machines. I dare you.

Mac users.

Well duh! (5, Funny)

pitchpipe (708843) | more than 4 years ago | (#31239944)

Banker trojans have become a serious problem

Look at how much they stole from the American taxpayer! Oh wait, you're talking about computers.

Speaking of Trojans, they didn't even lube it up before they put it in our ass!

Re:Well duh! (0)

Anonymous Coward | more than 4 years ago | (#31240198)

the money system is such a joke. one day it will break... mark my words.

Re:Well duh! (0, Offtopic)

ls671 (1122017) | more than 4 years ago | (#31240936)

> the money system is such a joke. one day it will break... mark my words.

Well if it does, maybe this will be an important contributor: ;-)

http://en.wikipedia.org/wiki/Peak_oil [wikipedia.org]

The problem with the modern economy is that it is based on perpetual growth. We might find a way to adapt, hopefully.

fuckfuck (1, Interesting)

Anonymous Coward | more than 4 years ago | (#31240514)

Slashdot, downstairs in my house has a major ant problem. Luckily I reside upstairs. Nevertheless, once every 5 minutes or so an ant comes trotting along my desk. First I place a coin or another object in its path. This confuses the ant, causing it to run off in a different direction, but my finger is waiting. I block its path with my finger. It runs in the opposite direction, but I anticipate this. Soon the ant is encircled by pens and other barriers, and if it attempts to climb them, swift punishment is issued. The ant remains in my arena. Then I take my knife, and nimbly place the tip onto one of its legs, holding it in place, then I press down hard and chop the leg off. The ant does not run, it merely enters a craze moving all around wildly. I allow it to suffer like this for a minute or so, chopping off another leg if it appears not to be in pain. Then comes a decision. Sometimes I will wait for another ant, and place it in the arena to see what it does. Occasionally it will pick up its comrade, and run off, but this is an offense punishable by death. Other times, I will merely watch the ant until it gives up. It will stop moving all but one leg. At this point I give in and slice the ant in two, putting it out of its misery. I save the corpses in a small pile, and once I have a considerable stack, I scatter them in my arena. This is where the real fun begins.

I venture outside to my back yard and find a red ant. This is my gladiator. I return to my room and place him in among the corpses. He wanders, confused. I do not let him leave. I pound the desk near him with my fingers, scaring him. I toughen my gladiator up until another ant comes along. I place the intruder into the arena. The red ant will go after the black ant, and they engage in mortal combat. If the red ant wins, another corpse decorates my arena. If the black ant vanquishes his foe, he wins the prize of life. I carry him in my hands and bring him downstairs and place him among his comrades. If he put up a good fight, I give him a warrior's welcome and feed his colony with bread. If he barely defeated the red ant, he receives no food, only the gift of life. This is how I spent my afternoons.

Re:fuckfuck (2, Insightful)

jamesh (87723) | more than 4 years ago | (#31240582)

This is how I spent my afternoons.

Gah. Here I am married with kids and holding a steady job. I've wasted my life!!!

Re:fuckfuck (1)

Therilith (1306561) | more than 4 years ago | (#31240658)

Is that the best you can do? I'm barely offended and not at all shocked. This is Slashdot for Thor's sake. We pride ourselves on our trolls.

Re:fuckfuck (1)

MrNaz (730548) | more than 4 years ago | (#31241180)

Yes, this is Slashdot. You read it didn't you? So it wasted your time, right?

Re:fuckfuck (1, Offtopic)

T Murphy (1054674) | more than 4 years ago | (#31240668)

Wow, time to break out the +5 offtopic mod.

Re:fuckfuck (1)

pevans (44803) | more than 4 years ago | (#31240784)

AC troll, yes. But to write that number of words on it means you are a seriously sick, twisted individual. Wow. The detail.

Even for /. it amazes me how you got a +4 interesting.

It takes a lot for me to log in and post but holy hannah you are one sick puppy, even for a troll.

Re:Well duh! (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31240918)

Speaking of Trojans, they didn't even lube it up before they put it in our ass!

No Need. The Republicans pulled one cheek to the side and The Democrats pulled the other cheek to the side. It's good to see politicians put aside party differences and get together for an old fashioned mass ass raping of their mutual constituency. I tell you, it gives me a warm feeling... speaking of that, does anyone have any Preparation-H?

I like Bacon (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#31239952)

Yumm Bacon!!

Well... (1)

Oxford_Comma_Lover (1679530) | more than 4 years ago | (#31239998)

We need to develop greater use of provable correctness in bank security, promote the use of isolated secure workstations for private banking transactions online, and use contractual incentives and accountability to incentivize better security systems.

Seriously, how about a physical random token generator where someone has to enter what the token currently displays each time they make a transaction for an account with a $5000+ balance, or more than $500 in a single transaction, or $1000 in a day? Or similar systems that make phishing alone useless.

Re:Well... (2, Interesting)

T Murphy (1054674) | more than 4 years ago | (#31240068)

The second attack scenario would get around this, as it just "corrects" payments you try to make so that they go to a different account. Using an SMS with a confirmation message could avoid this, though.

Re:Well... (3, Informative)

Cryacin (657549) | more than 4 years ago | (#31240130)

Here in Australia, the Commonwealth Bank does exactly this. If you are entering a new account to transfer money to, it will send out a confirmation SMS with a code to your phone. The next time you transfer within a bound of amount to a particular account, it assumes that this account is OK to transfer to, thus reducing the inconvenience of the number confirmation system, and saving the bank an SMS.

No security system is perfect, and there will always be a way around anything you do, but intelligent security layers like this hinder the chances of a cash mule being sent dud money, as every transaction and every piece of security is handled at the mid tier, and the web page remains a dumb client, simply passing information to be confirmed to a trusted server.

Re:Well... (2)

Darkness404 (1287218) | more than 4 years ago | (#31240218)

The problem is, for a lot of these people, having an SMS wouldn't work because they don't have texting (not uncommon in the US). Look at "Bob" in the example in TFA, he represents a large number of Americans with A) Access to technology B) Experience with strange security policies that don't make sense and C) A machine running an insecure OS. Using an SMS wouldn't work for one main reason:

It would have to be turned off by default (not everyone wants a $.10+ additional text message charged on their cell phone bill and there are a -lot- of people who don't know how to check voicemail, let alone read a SMS) and this would mean that most people (such as Bob) would never activate it and it would simply fall apart. Most of these scams aren't targeting the average /.er or even someone who knows just a bit about technology but rather the large technologically-illiterate older middle class.

Re:Well... (1)

twidarkling (1537077) | more than 4 years ago | (#31240278)

The issue is, as always, EDUCATE THEM. Seriously. It's not good enough to just edumacate the young ones, so you can improve shit when they're older and the previous generation is dead. What you do is you beat it into the damn skulls of anyone too thick to get it, or you have them sign a waiver saying they can only access their money in-branch since they cannot comply with the more stringent security measures.

Re:Well... (4, Insightful)

Darkness404 (1287218) | more than 4 years ago | (#31240324)

The issue is, as always, EDUCATE THEM.

You can educate them but they won't care. Look at how hard it is for a lot of these types of people to even browse the internet, something that is designed to be really easy to use. Even with education you run the risk of them remembering only misinformation and making them paranoid. Look at the '90s and people thinking ZOMG COOKIES ARE VIRUSES!!!11!111!1! and rather than doing sane things, they just kept up the paranoia. The last thing we need is people scared to go to a generic site because it's not secured with HTTPS even though it doesn't need to be.

Paranoia is almost worse than being ignorant, especially in a business. Being ignorant -may- cost the company money, being paranoid -will- cost the company money.

Re:Well... (1)

ottothecow (600101) | more than 4 years ago | (#31240502)

Either they will learn or they won't be making wire transfers online--wire transfers are not a particularly common method of moving money in the US due to the high costs and as such are only used for special transactions (ACH transfers are far more common...though usually limited to movement between your own accounts and the auth process is not instant)

I would guess that the people who don't know how to check voicemail do not have a big overlap with the people who want to wire money.

Re:Well... (0)

Anonymous Coward | more than 4 years ago | (#31241266)

The last thing we need is people scared to go to a generic site because it's not secured with HTTPS even though it doesn't need to be.

That would be fine, imho. Having end-to-end encryption over the entire web wouldn't waste anything but a few processor cycles, and wouldn't harm anyone but eavesdroppers.

Re:Well... (1)

ls671 (1122017) | more than 4 years ago | (#31241046)

> The issue is, as always, EDUCATE THEM.

If everybody was well educated in all spheres of life, we would live in a perfect world ! ;-)

"EDUCATE THEM" as a solution sometimes seems to me like utopia.

I am really sorry to say that. Of course, trying to educate people is a noble cause but sometimes it is a hard task to fulfill.

Re:Well... (1)

mysidia (191772) | more than 4 years ago | (#31240368)

The physical token needs a second piece you plug into your computer, so that the details of the transaction are displayed on an LCD screen present on the hardware token.

To complete the transaction, you plug in the token, read the transaction details off the token's LCD display and click a "confirm" button on the token which sends a ticket to the computer it cannot decrypt, to be sent along with the transaction.

A "confirmation code" is displayed on the token, which you are prompted to type into the website, and click "Ok" before final entry of the transaction.

Re:Well... (2, Interesting)

Anonymous Coward | more than 4 years ago | (#31240454)

You plug it in to a computer and 'blackhat' will create MITM kind of situation, security lost...
The physical token *should not* contact Computer other than via user entry.

Re:Well... (2, Interesting)

PitaBred (632671) | more than 4 years ago | (#31240774)

Which is why a cell phone is a very good proxy. You have both the cell phone that should belong to you, and you have the login information for the bank. Not a bad system, and much more secure than captchas and such.

Re:Well... (1)

NormalVisual (565491) | more than 4 years ago | (#31241118)

Blizzard Entertainment started using a similar (optional) system for their Battle.net accounts to combat account theft - they offer a small hardware authenticator that is totally separate from the PC for $6.50. You first associate the authenticator's serial number with your Battle.net account, then any time you want to play, you log in with your user/pass, and they request a code from the authenticator. Press the button on the authenticator, and it displays a 6-digit number that you then enter online. The number is good for about 30 seconds, then becomes invalid. Their devices are Vasco's Digipass Go 6 [vasco.com].

At first blush it appears to be a reasonably secure system, although Blizz also offers Java-based software versions with the same functionality that can be used on a variety of cell phones, so I'd wonder if the key generation algorithm could be cracked via that means. Even if it was, it seems that it'd still be difficult to generate a correct response without knowing the key that's registered with the system.

Re:Well... (1)

mysidia (191772) | more than 4 years ago | (#31241242)

I'm sure it's just a variant of the SecurID algorithm. What they don't do though is have you plug the token into a USB port on your computer and display info on the LCD screen such as "what IP address you are logging in from", before you enter your code.

So in theory, if someone MITM'ed your session, you typing your code in just got the bad guy into your account.

Re:Well... (2, Informative)

powerspike (729889) | more than 4 years ago | (#31240876)

My bank does this. If you try to send funds to an account you haven't before, you HAVE to SMS verify, it's great. Transfer funds, get a window asking for the SMS verification code. If I got one randomly I'd call up support ASAP. Another thing the bank does is send out emails, but it tells you up the top they'll never put links in the emails, and to visit the site like they normally do. While this is up to the intelligence of the user in the end, the more they see the message, the more likely they'll be not to click on phishing emails.

Re:Well... (2, Insightful)

buchner.johannes (1139593) | more than 4 years ago | (#31240254)

There are two choices:

a) Build the perfect system. Complicated to do. Users will not understand it and still be vulnerable to scams.

b) Build a simple system and use trust. For example, you can revert transactions from your bank account that you didn't authorize within 14 days.

Everyone that works in a bank today knows that stuff isn't secure. But it doesn't really matter because damages are small, and the profits cover mistakes quite easily.

Re:Well... (3, Insightful)

PitaBred (632671) | more than 4 years ago | (#31240776)

That's because the customers are who lose out in cases of "identity theft". Banks have no culpability, so they don't care so much. If they did, the transactions would be much more closely and securely performed.

Re:Well... (1)

maxume (22995) | more than 4 years ago | (#31240258)

Millions of dollars a day is a few billion dollars a year. It's insane, but it is peanuts.

Re:Well... (3, Informative)

plover (150551) | more than 4 years ago | (#31240282)

Done. There's already a cryptographic device that offers near-perfect cryptographic security for web banking. ABN AMRO uses it for their e.dentifier2 [abnamro.nl] device. The brilliant part is that the trust lies only within the card's chip and the handheld device, never on the PC or the browser. It's exactly what a bank should provide: end to end encryption of the user's authorization to perform a transaction, where both ends are created and maintained by the bank.

Now we just need a bank that's willing to deploy those here in the U.S.

Re:Well... (1)

PitaBred (632671) | more than 4 years ago | (#31240806)

Why can't we use a cell phone as a proxy for this? A lot more people have those, and the vectors for attack go down significantly if the attacker has to both intercept cell communications (hard, but not impossible) and bug the correct computer. Combining the two seems like it'd be close enough to perfectly secure while still being more usable and built on existing infrastructure.

Re:Well... (4, Informative)

plover (150551) | more than 4 years ago | (#31240964)

Why can't we use a cell phone as a proxy for this?

Because the cell phone is reprogrammable, and so ultimately can't be trusted. You might get a virus or install some kind of Trojan horse J2ME app that pretends to be your PIN pad, but makes large withdrawals silently in the background after you enter the PIN for a legitimate transaction. A cell phone is actually the worst possible place, because it can go on-line immediately and start abusing your account right up until you yank the battery (or go broke.)

The best possible security will come from the bank supplying the end user with both the card and the PIN Entry Device. Sure, they might want to offer it in a cell-phone-carrying-case-form-factor (think iPhone cradle with a PIN pad on the back.) Slightly ugly but more convenient to carry. But it needs its own dedicated PIN pad and display.

The first version of the e.dentifier was even more secure than this one IMHO because it did NOT have the convenient USB port. The user had to type in the values into the pad manually. The security advantage is the air gap is something no hacker can ever bridge (without resorting to social engineering, extortion, or threats of violence.) Mind you, this device is probably plenty secure as long as it can never be re-flashed or re-programmed through the consumer facing USB port.

RSA actually offers credit card form factor devices with a little 10-key pad and a one line LCD display. They are used for SecurID tokens where the user has to enter a PIN to get the generated #. The same form factor would make an excellent bank card where you don't have to carry around the extra little device to use it.

Re:Well... (4, Informative)

squizzar (1031726) | more than 4 years ago | (#31241750)

We've got something like this in the UK, and I'm sure there are plenty of other places that have them. You can't make a transaction without getting the correct cryptographic response from the card using the card reader. Here's a picture: http://www.nationwide.co.uk/rca/How-does-it-work/find.htm [nationwide.co.uk]

I don't like the sound of a USB type device, because it seems that there is some possibility it could be interfered with in the same way as the recently discovered chip+pin break. In fact I'm quite surprised they came up with what seems to be a pretty well implemented system, given that they seem to have tried pretty hard to make design mistakes with c+p.

Re:Well... (1)

stephanruby (542433) | more than 4 years ago | (#31241238)

When you said near-perfect security, you were not kidding. Here is a customer's testimonial [savingadvice.com] confirming that very point.

Absolute worst service I have ever encountered with any institution. I left Holland after being a client of ABN for over a year, for a year of traveling. I desperately needed a new e.dentifier, but after many emails and many phone calls to the bank, it seems like they are doing everything in their power not to be of help. They said they can only send it to my Amsterdam address, which is useless for me, as I am not there, and don't know anyone in Amsterdam to post one to me. I had a very simple and straightforward suggestion: Please could you send me a new e.dentifier to the address I am currently staying in London. My God what a revelation!! Simple yeah? Nope. Sorry, we can only send it to the address that is in the computer. Can you get someone to post it to you from there they asked. No I replied, there is no one at that address. The idea of simply posting it to the address I was at in London, seemed to go against what the almighty computer screen displayed. After pleading over emails and phone calls to let common sense and logic prevail, I received a snotty email saying they simply cannot help me. Hmm, I wonder if having a couple of million in my account would have persuaded ABN to help a client get a new e.dentifier. I cannot wrap my mind around it. So they suggested I change my address to the London one. Can't do that, as I don't live in London, I was visiting family. Changing the address would have to be done online anyway, and guess what - no identifier so no can do!! It seems that logic still has to take a back seat, even today. Shocking service from an unhelpful bank, which doesn't seem to be concerned about a client who was in desperate need of assistance. Thanks, I had to spend 200 euros on a flight to Amsterdam simply to get another e.dentifier before I went on my travels.

No no no! Please! (0)

Anonymous Coward | more than 4 years ago | (#31241602)

I'm forced to use those things here in Sweden. They are an incredible PITA. You have to put in the card, punch in a PIN, and then digitally sign every transaction. It's such a pain. This also means you have to take your card and reader with you anytime you travel if you want to log into your bank.

Re:Well... (1)

moco (222985) | more than 4 years ago | (#31240400)

My bank already has this as well as several other banks. What ends up happening is that the attackers are performing the man in the middle attack in "real time". The one time token is sent to the attackers through the malicious website and they have whatever time the designers allowed for timeout to use it. After all they already have your credentials.

How about simply upgrading? (1)

SmallFurryCreature (593017) | more than 4 years ago | (#31241484)

I have noticed in IT an almost physical revulsion of the idea of upgrading. I can't count the times I have worked on a system and found it to be several versions out of date, the reason? "Well it works".

No, it does not.

While for some software new releases indeed only happen to sell more copies and add useless features, for production software and OS, security, reliability and bug fixes tend to be improved. If nothing else, then at least you present a moving target.

A lot of exploits happen with code BASED on FIXES. So the bad guys learn what to attack by watching the patches that don't come out and basically attack everyone who hasn't patched.

Often the official excuse is that code must be tested... yeah... because you tested it so well before that you did not find the security holes. If you've ever been told that you can't upgrade beyond IE6 because it hasn't been certified yet, ask yourself: "Who the hell certified IE6?" Really, how did that ever get approved if anyone ever did any real testing? Answer: Nobody ever did.

It is just that the support companies want to see big bucks first because if they upgrade their clients they've got to retrain their people. Same with stuff that is developed for legacy systems, too cheap to do essential maintenance.

Car analogy: It is like not replacing your brakes because they still stop your car eventually and you need to cut costs and then when the remains of the brakes have become fused to the rims you can't afford the now increased costs so you defend that you need the car as it is and everyone else is to blame for it being a road hazard.

UPGRADE. If you are afraid that you might be bitten by some new bug, then at least such a bug is an honest mistake, you might lose some data but that is what backups are for. If you do not, your data might not simply be lost but be stolen. And sooner or later someone will start to hold you accountable for your lousy business practices... oh we are talking the financial industry here? Never mind.

News? (1)

Meshach (578918) | more than 4 years ago | (#31240010)

This is somebody's blog describing some hypothetical situation. "Oh no! My browser session is going to get hacked." Seems just as likely someone working at the bank could steal your account or someone behind you at the ATM seeing your PIN. This article was not worth the five minutes I spent reading it.

Re:News? (1, Interesting)

Dunbal (464142) | more than 4 years ago | (#31240124)

This article was not worth the five minutes I spent reading it.

Congratulations on being the only person on slashdot to actually read an article!

Seriously, it's never impossible to get compromised, but security has come a long way, what with tokens and forced password changes every 30 days and forced complex passwords (at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits). To log in I need both my password which is entered by a java "keyboard" that randomizes the keys every time, and my token. It will take more than just a keylogger to get into my account.

Re:News? (1)

BrokenHalo (565198) | more than 4 years ago | (#31241504)

must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits...

...which in itself is probably not so good, since they're limiting the number of characters you can use, and thus the number of potential combinations.

Everybody would be much better off if the bank would allow you to construct a single really good password of some decent length and keep using it for as long as nobody else knows it than forcing you to attempt to memorise a shorter, weaker password every month. This latter has a tendency to cause password overload, which puts users in a situation where they have to write the token down somewhere, which is an instant hole in security.

I'm not saying that the other tokens you mention aren't good, it just seems to me that too many organisations force users to use unnecessarily dumb passwords.

Re:News? (3, Informative)

LordArgon (1683588) | more than 4 years ago | (#31241582)

(at least in my bank - must be 4 digits and 4 letters, no vowels and no consecutive/repeated digits)

I'm nullifying several mod points to comment, but... This is actually really stupid. Putting too many constraints on passwords makes them less secure, not more. Your bank has drastically reduced the set of possible passwords and thereby made them easier to guess.
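To put a number on the point BrokenHalo and LordArgon make, here is an added example (not from the thread) that counts how many passwords the quoted policy actually permits and compares that with an unconstrained password of the same length. The post does not spell out the rules, so the code assumes: letters are case-insensitive, "y" counts as a consonant, the four digits and four letters may appear in any order, and "no consecutive/repeated digits" means no digit appears twice and no two digits that are adjacent in the digit sequence differ by exactly one.

```python
"""Added example: keyspace of the quoted bank policy
("4 digits and 4 letters, no vowels and no consecutive/repeated digits")
versus unconstrained 8-character passwords.  The policy details below are
assumptions; the post does not define them precisely."""
import math
from itertools import product

# Assumption: case-insensitive letters, 'y' treated as a consonant -> 21 letters.
CONSONANTS = "bcdfghjklmnpqrstvwxyz"


def digit_block_ok(digits) -> bool:
    """Assumed reading of 'no consecutive/repeated digits': all digits distinct
    and no two neighbouring digits differ by exactly one (e.g. 2 then 3)."""
    if len(set(digits)) != len(digits):
        return False
    return all(abs(a - b) != 1 for a, b in zip(digits, digits[1:]))


def count_digit_blocks(n_digits: int = 4) -> int:
    """Enumerate every n-digit sequence and keep those the policy allows."""
    return sum(1 for d in product(range(10), repeat=n_digits) if digit_block_ok(d))


def count_policy_passwords(n_digits: int = 4, n_letters: int = 4) -> int:
    """Total passwords under the policy.  The digits can occupy any n_digits of
    the n_digits + n_letters positions (assumption); letters are independent."""
    arrangements = math.comb(n_digits + n_letters, n_digits)
    return arrangements * count_digit_blocks(n_digits) * len(CONSONANTS) ** n_letters


def bits(n: int) -> float:
    """Equivalent entropy in bits for a uniformly chosen password from n choices."""
    return math.log2(n)


def compare(length: int = 8) -> dict:
    """Policy keyspace next to unconstrained alphanumeric keyspaces of equal length."""
    policy = count_policy_passwords()
    alnum_ci = 36 ** length   # digits + case-insensitive letters
    alnum_cs = 62 ** length   # digits + mixed-case letters
    return {
        "policy": policy,
        "policy_bits": round(bits(policy), 1),
        "alnum_ci": alnum_ci,
        "alnum_ci_bits": round(bits(alnum_ci), 1),
        "alnum_cs": alnum_cs,
        "alnum_cs_bits": round(bits(alnum_cs), 1),
        # How many times smaller the policy makes the space a guesser must search.
        "shrink_vs_alnum_ci": round(alnum_ci / policy, 1),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>20}: {v:,}" if isinstance(v, int) else f"{k:>20}: {v}")
```

Every rule the policy adds (no vowels, fixed digit/letter split, digit restrictions) removes candidates from the space an attacker has to search, which is the opposite of what the constraints are presumably meant to achieve.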

Re:News? (3, Interesting)

Darkness404 (1287218) | more than 4 years ago | (#31240160)

Sure, but it's a -lot- easier to prove that John Smith working at the bank got your PIN and made a withdrawal of $XXX on X day. It's quite hard to get money from Vladimir Hacker who lives in Russia. While it might be easy to trace an IP, if it is outside of the US jurisdiction, there's not that much you can do. Yeah, you -might- be able to get the money back, but Vladimir Hacker can still do the same thing to someone else and no doubt it will require a lot of paperwork to get your money back.

Re:News? (0)

plover (150551) | more than 4 years ago | (#31240296)

This article was not worth the five minutes I spent reading it.

Tell me about it. I clicked on the link hoping it would have pictures of "the little man in the browser." Was I disappointed.

Re:News? (3, Funny)

gmuslera (3436) | more than 4 years ago | (#31240406)

Clicked in the link too. My browser crashed and now extrange lett$(@#& all is working normally. Nothing to see here, move along.

Re:News? (1)

jhol13 (1087781) | more than 4 years ago | (#31240336)

MITB attack happened in Finland just a month ago. If criminals are willing to attack a very small audience with a very difficult language[1] what do you think, is this happening to bigger banks?

One bank now requires SMS *reply* for "suspicious" transfers. Note that the query and reply both go through SMS so it is much harder to crack - MITB is not enough.

[1] They did use English, but that does decrease the success rate a lot.

The problem is Bob (5, Insightful)

bughunter (10093) | more than 4 years ago | (#31240056)

Just R'ed the FA, and my first reaction was "Bob's an idiot."

First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.

Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.

Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.

Fourth, he continues to use this browser after it exhibits strange behavior.

Fifth, he ignores red flags like unexplained 'Safety Pass' requests.

If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.

Re:The problem is Bob (5, Insightful)

T Murphy (1054674) | more than 4 years ago | (#31240096)

But no matter how quickly you fire Bob, the thieves still have that money, and they will continue to make more attacks. The point isn't to blame the victim, but to figure out how to prevent them from becoming victims in the first place. I'm tempted to join the "he deserved it" crowd, but that is far outweighed by my hate for the jerks who prey upon these people.

Re:The problem is Bob (1)

thomasw_lrd (1203850) | more than 4 years ago | (#31240544)

The point is that Bob is an idiot, and should be more damn careful with his shit. If people would use some common sense, botnets wouldn't survive very well.

Re:The problem is Bob (2, Interesting)

bughunter (10093) | more than 4 years ago | (#31241130)

But no matter how quickly you fire Bob, the thieves still have that money

That statement misses the point.

First, I have a chance to detect Bob's dangerous behavior before the thieves do. Your "no matter how quickly" statement assumes they get to Bob before I do.

Second, my point is, if it weren't for Bobs, these thieves would be looking at boobies on channel 9 and filing TPS reports instead of collecting ill-gotten booty. Bob is a root cause. (Thieves' greed is another.)

The point isn't to blame the victim, but to figure out how to prevent them from becoming victims

Bob's not the victim, in this scenario. I am. Bob is the exploit.

At least you demonstrate my underlying point even as you pick nits at the example. The way to prevent being a victim is to not be Bob.

In other words, don't be stupid and you won't be a victim. Blaming the stupidity is not blaming the victim.

And ultimately, it's my stupidity -- If I give a Bob access to my bank account, I'm the stupid one. So therefore, I don't give that job to a Bob.

Re:The problem is Bob (4, Interesting)

zappepcs (820751) | more than 4 years ago | (#31240126)

Bob isn't an idiot, he's a typical windows user. Not to ping on MS, but they do manage to capture the low end of the market in that respect. A vast majority of computer users think that computer programmers are modern day wizards, and blindly trust that only bad programmers build bad programs. Further there are only two kinds of programs, good ones and bad ones like viruses and malware. Any program that is not bad is good, and has things like virus checking and mind reading built into them. Stack overflow is a card mishap at the casino and cross site scripting sounds like a multi site movie writers program.

These warped expectations lead to things like ... well, like Bob.

Bob and his friends are why so many virus and malware programs are profitable, so in a sad way, Bob is right.

Re:The problem is Bob (0)

Anonymous Coward | more than 4 years ago | (#31240188)

Bob isn't an idiot, he's a typical windows user. Not to ping on MS, but they do manage to capture the low end of the market in that respect.

Actually, Mac users are generally about as stupid as Windows users. Linux users are only better because that OS is so damn fucking hard to use, you HAVE to be computer savvy just to get the shit to work (not that you can actually do anything useful with it as a desktop OS once it's running though).

Re:The problem is Bob (0)

Anonymous Coward | more than 4 years ago | (#31240248)

define 'anything useful' and I'll bite (seems obvious Troll to me)

Re:The problem is Bob (1)

BrokenHalo (565198) | more than 4 years ago | (#31241586)

Linux users are only better because that OS is so damn fucking hard to use, you HAVE to be computer savvy just to get the shit to work (not that you can actually do anything useful with it as a desktop OS once its running though).

I've been using Linux on the desktop for about 15 years or more, and I have a MacBook laptop. Linux is no harder to use than OS X. The only difference is that some of the buttons are in different places. If anything, I sometimes find it more frustrating to work with Windows machines, where for one reason or another settings that I made earlier somehow become "forgotten" and I have to go through the rigmarole of putting them back in place and trying to make them stick.

Re:The problem is Bob (0)

Anonymous Coward | more than 4 years ago | (#31240244)

"Bob isn't an idiot, he's a typical windows user."
I seem to have missed something, what's the difference again?

Re:The problem is Bob (2, Funny)

Yvan256 (722131) | more than 4 years ago | (#31240598)

Not all Windows users are called Bob.

Re:The problem is Bob (1)

NormalVisual (565491) | more than 4 years ago | (#31241132)

You're right, some of their user interfaces are called Bob too. :-)

Re:The problem is Bob (0)

Anonymous Coward | more than 4 years ago | (#31240830)

Windows users tend to have a LIFE outside the basement, so they couldn't care less how free or how open the shit is that makes the stuff they want to do. Nobody cares, you do, get a life, leave other people alone with the money they have harvested from that HUGE Windblox Lu$er user base.

Re:The problem is Bob (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#31240144)

There are, alas, too many Bobs in the world. Do you believe that most people using computers *aren't* dumb enough to do this? And since it only takes one occurrence to be compromised, it doesn't matter how quickly you fire him.

Re:The problem is Bob (0)

Anonymous Coward | more than 4 years ago | (#31240184)

Uh. Yeah. Bob is an idiot.

I work for a big ass company that's undoubtedly targeted for these things, and I'd say a good 75% of the folks (with VPN access) I know are Bobs.

Unfortunately, Bob is a damned good salesman who's bringing in money hand over fist. That is why Bob doesn't get fired.

(AC for fairly obvious reasons)

Re:The problem is Bob (1)

geekmux (1040042) | more than 4 years ago | (#31240236)

Just R'ed the FA, and my first reaction was "Bob's an idiot."

First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.

Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.

Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.

Fourth, he continues to use this browser after it exhibits strange behavior.

Fifth, he ignores red flags like unexplained 'Safety Pass' requests.

If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.

Er, yeah, the real problem is when Bob's official title to you is "Sir"; far too often online ignorance rises with pay grade.

Re:The problem is Bob (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31240338)

My how high is that horse you're on! Think about Bob for a minute. Bob's not a techie. Bob doesn't seem to mind those pop ups he gets when he turns on his computer - they're just ads. Those ads on websites are relevant, and so are those emails that remind him to reset his Facebook/Paypal/Bank password. Bob also uses that computer work gave him when he logs into the online payroll processing account to make sure that you get paid this month. That's right, Bob's got other stuff in life to worry about than some stupid program on his computer. Would you like to convince Bob otherwise?

To start, you're going to have to acknowledge that Bob isn't an idiot. Bob might actually enjoy learning stuff about that computer - like how to make it faster and safer. Talk to Bob like a human being because he's not trying to screw up. Bob's just doing the best he knows how.

Oh yeah, one other thing: you can't fire Bob because he's your boss. Being nice to him might help you out.

Re:The problem is Bob (1)

gmuslera (3436) | more than 4 years ago | (#31240436)

The key component there is visiting a "trusted" site with an insecure browser. It doesn't matter if he uses an antivirus to check whatever he is aware of downloading; the site exploited a vulnerability in the browser (which, although it is not named there, IE has all the tickets for) and in that way compromised his machine (no matter if it was with admin or just user privileges; for what it has to do, being a user is enough).

It doesn't matter either if he used a secure or insecure connection; once he went on the internet, it is the machine and not the connection that is compromised... and that is enough.

Regarding your other points, it doesn't matter where he is, as long as he can visit that site. And about programs crashing and having strange behavior... ever used Windows/IE?

Re:The problem is Bob (2, Insightful)

ScaryMonkey (886119) | more than 4 years ago | (#31240576)

Just R'ed the FA, and my first reaction was "Bob's an idiot."

I think you might be overreacting a bit.

First, either he is using his home PC to make financial transactions for his employer, or he is taking a laptop home that can be used to access his employer's financial institution.

Fair point, but what if Bob is accessing his own, personal bank account from home?

Second, he's installing shareware/freeware on this machine, and he does it without scanning the downloaded files or researching the reliability of the publisher.

Read the article a little more closely; it specifies an infection via cross-site scripting, not a download. I don't think he can be considered an "idiot" for not researching every search engine listing for reliability before visiting the site.

Third, he uses a browser over an unsecured internet connection instead of via VPN to the company network, which should incorporate well maintained filters and firewalls.

See point 2

Fourth, he continues to use this browser after it exhibits strange behavior.

Again, I don't think it qualifies someone as an "idiot" if they don't do a complete system security review every time their browser crashes.

Fifth, he ignores red flags like unexplained 'Safety Pass' requests.

That's not necessarily a red flag, maybe his bank rechecks this periodically; I doubt, in that case, that most people would keep the schedule of these checks handy to sniff out any suspicious deviations.

If I discovered Bob did this when he worked for me, I'd fire Bob, no matter how much the boss on the temp agency radio commercials loves him.

Again see point 2; Companies aren't the only ones with bank accounts.

Re:The problem is Bob (1)

powerspike (729889) | more than 4 years ago | (#31240866)

First 3 would be a failure on your side, not his, for allowing this and not locking down the machine(s). 4th would be a failure of education; if he hasn't been told, how is he going to know? "Bob" is busy doing his job, not yours. 5th - this is 50/50; if he gets too many red flags in doing his normal work, he's just going to ignore them all, isn't he? If I discovered a tech going on a warpath to fire another employee for not doing his job, I'd fire the tech on the spot. There's two sides to every story. On another note, do you think Bob is going to go and spend hours researching software when he just wants to listen to some music, or watch a video?

Re:The problem is Bob (1)

ls671 (1122017) | more than 4 years ago | (#31241108)

> he does it without scanning the downloaded files or researching the reliability of the publisher

Is this what my nephew meant last week ?

He talked to me about mj55 verifying sums and computerized signature to assure that all the nice free programs I download aren't viruses but I did not quite get everything...

Dingey Harry hasn't met his House counterpart (0)

Anonymous Coward | more than 4 years ago | (#31240070)

"Reid said that the effects of joblessness on domestic violence were especially pronounced among men, because, Reid said, women tend to be less abusive.

"Women don't have jobs either, but women aren’t abusive, most of the time," he said."
--Excerpt from thehill.com

I guess ol' Dingey Harry hasn't met his House counterpart. Most people consider her to be quite abusive, which is why her popularity rating is even lower than Obama's.

Brought to you by fireeye! (1)

thePowerOfGrayskull (905905) | more than 4 years ago | (#31240114)

This round of panic brought to you by Fireeye -- but rest assured, they can protect you from this latest 2-year-old+ threat.

I have a simple solution (1)

Giant Electronic Bra (1229876) | more than 4 years ago | (#31240212)

We should just give away copies of all the best hack tools. As soon as they appear they should be all over the net for free. What will this do? Simple. It removes the monetary incentive to write good hacking tools. If what any idiot can download for free is as good as it gets then the money is sucked right out of the market for supplying tools.

On top of that when you have every idiot out there using the best tools vendors WILL be forced to deal with the flaws a lot more quickly and release higher quality code to start with. It won't stop the people using the tools from using them and stealing money, but nothing is going to stop that.

The first property crime happened the day property was invented. Nothing we do is going to stop it, but we can suck some of the wind out of the blackhats' sails.

Re:I have a simple solution (1)

Darkness404 (1287218) | more than 4 years ago | (#31240290)

We should just give away copies of all the best hack tools.

Most pentest software is already available for free (nmap, Cain and Abel, John the Ripper, etc)

What will this do? Simple. It removes the monetary incentive to write good hacking tools

No it won't. Like I said before, there are a lot of -good- hacking tools out there; the problem is, they are made for someone who knows about computers to use them. What script kiddies need is something with a GUI, with simple options and the ability to run on the OS they use (mostly Windows).

These don't make them good hacking tools. All they do is make it easier to do one task. Most, if not all hacking tools used by script kiddies can be replicated using good tools that pentesters use.

On top of that when you have every idiot out there using the best tools vendors WILL be forced to deal with the flaws a lot more quickly and release higher quality code to start with.

Have you not looked at the security bulletins for most proprietary (and some poorly-maintained OSS) programs? Adobe, Microsoft and others have a -long- list of vulnerabilities some critical that have not been patched in -years- and are easily exploitable by someone who knows what they are doing.

but we can suck some of the wind out of the blackhats' sails.

Not really, software sales is a minor part of black hat cracking, most of the big problems come from A) Spam B) Botnets C) Malware and all of those aren't going to be created by the average script kiddie even with the easiest tools.

Re:I have a simple solution (1)

Giant Electronic Bra (1229876) | more than 4 years ago | (#31240384)

So your answer is what? Continue with the losing proposition that is the status quo? lol. That isn't any answer at all.

My point is there is good money being made by people making the tools that the crooks use. Take that money out of the hands of those people. It's not going to solve the problem, but sooner or later everyone has to realize that there IS no "better" solution. At least it mitigates a part of the problem.

Of course if you have a better idea, then by all means go out there and make your multi-billion $ fortune hawking it! I got a hint for you though, it isn't going to be found "inside the box".

Re:I have a simple solution (1)

Darkness404 (1287218) | more than 4 years ago | (#31240470)

So your answer is what? Continue with the losing proposition that is the status quo? lol. That isn't any answer at all.

I don't have the answer, if I did I might be a millionaire. My point wasn't to prove that I had the answers but rather to show that your answer didn't quite work the way you thought it would.

My point is there is good money being made by people making the tools that the crooks use. Take that money out of the hands of those people. It's not going to solve the problem, but sooner or later everyone has to realize that there IS no "better" solution. At least it mitigates a part of the problem.

But it's such a minor problem that it wouldn't really solve anything.

If I -really- want 500 credit card numbers, would I A) Buy the software to collect the 500 credit card numbers or B) Buy the numbers directly from some Russian hacker? The only real buyers of script kiddie software is script kiddies which, although annoying aren't the real threat. All that releasing script kiddie software would do would be to increase the number of script kiddies. If you think it through, the ability to DDoS a site isn't going to happen because of script kiddie software but rather by purchasing a botnet which is a real threat. Yeah, selling software to script kiddies might make a hacker $500, but when compared to the income made through spam, botnets or adware, it is just a small drop in the bucket. Your proposal would do much more harm than good. I mean, we already have all the good hacker tools released for free, all script kiddie tools would do would be to increase the number of more script kiddies which is not a good thing even if it does take a few thousand away from black hat crackers.

Re:I have a simple solution (1)

Giant Electronic Bra (1229876) | more than 4 years ago | (#31240628)

Well, then answer this question. Why are a whole lot of people making big bucks hawking malware? They're making that money because the software they have to hawk is the best there is. Now, whether or not it's the most technically sophisticated product is irrelevant. Heck, this is Slashdot; we all can just take a gander at the market for operating systems and see that the best selling software has little to do with technical quality...

But the day you go to start selling your new whiz-bang botnet buildin' super crackin' gizmo-ware that you just spent the last 6 months putting together, and 3 hours later all your potential customers have it for free. Yeah, that'll put an actual dent in those people's business. It will not solve the theft problem, but in the long run it will destroy the incentive for smart people to try to make their living selling malware (etc). That WILL do what can be done, which is to reach a kind of stasis in the arms race.

It's kind of a funny way to defend yourself, but it isn't without precedent. When you can't beat someone full up face to face you have to do it another way. In this case you just poison the whole field. At first it might even make things worse, but eventually we'll arrive at a balance, just ironically with our own tools.

Re:I have a simple solution (3, Insightful)

Viceice (462967) | more than 4 years ago | (#31240304)

The first property crime happened the day property was invented.

So what you're saying is, the solution to theft is communism?

Re:I have a simple solution (1)

pnewhook (788591) | more than 4 years ago | (#31240346)

That's kinda like saying that guns are a problem in armed home robberies, so let's give everyone a gun; then there will be so many stupid people with guns firing them off that houses will have to be built with better security.

The problem with your solution is that the internet will be so unsafe that no one will be able to use it for anything lest they be robbed blind. We might as well just throw out the computers and go back to manual bank transactions.

Re:I have a simple solution (2, Interesting)

Giant Electronic Bra (1229876) | more than 4 years ago | (#31240416)

Or we can continue with the already totally unsafe Internet we already have. Anyone with a couple bucks and no scruples can do whatever they want on the 'net now. That isn't going to change.

The truth is we need hell-of-a-lot-better quality software for people to use and the quickest and dirtiest way to get it is quite simple. If you go online with anything less, you get instantly robbed blind. Pretty soon we'll have better quality software. The truth is that right now most people just figure they're going to be the lucky majority that don't get hit. The threat hasn't escalated to a high enough level yet. ;)

This isn't the only thing going wrong (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31240280)

Millions of fags get pounded in the ass every day. Too bad they just didn't all get the aids and die.

Surely the good news (2, Interesting)

bugs2squash (1132591) | more than 4 years ago | (#31240332)

about so many groups using the same toolkit is that if you find a weakness in the toolkit then you can clear up multiple attacks all at once.

Pissed at Apple (3, Funny)

lullabud (679893) | more than 4 years ago | (#31240356)

I'm so pissed at Apple. I bought the toolkit and made a mobile botnet iPhone app with controller but they won't approve it. *sigh* Such bullshit, they don't approve anything!

Re:Pissed at Apple (1)

pookemon (909195) | more than 4 years ago | (#31240488)

Never gonna give you up,
Never gonna let you down
Never gonna run around and desert you

Re:Pissed at Apple (1)

flydpnkrtn (114575) | more than 4 years ago | (#31240820)

did I just get rickrolled via ASCII? wow...

Re:Pissed at Apple (4, Funny)

rockNme2349 (1414329) | more than 4 years ago | (#31240546)

Dear lullabud,

Thank you for submitting iBotnet to the App Store. We've reviewed iBotnet and determined that we cannot post this version of your iPhone application to the App Store because it duplicates existing functionality of the iPhone and is in violation of Section 3.1.337 from the iPhone Developer Program License Agreement.

If you believe that you can make the necessary changes so that iBotnet does not violate the iPhone Developer Program License Agreement, we encourage you to do so and resubmit it for review.

Regards,
iPhone Developer Program

Chump change ... (1)

joelsanda (619660) | more than 4 years ago | (#31240452)

... elected officials do better than that, and they get the girls.

I think Banks Don't Actually Care (3, Insightful)

weston (16146) | more than 4 years ago | (#31240466)

I'm thinking of some past conversations I've had with people in banking and payment systems. I have a suspicion based off of some of those conversations and what we actually see. Banking has two related security problems:

1) They think they don't need to care (and might be somewhat right)
2) Leadership in the industry largely just doesn't have the ability to tell who's good at security.

As an industry bankers have long naturally had an awful lot of clout legally and politically, and so they're very used to dealing with problems that way. It might not be particularly more expensive to hire some good security professionals and developers to get their systems right than it would be to do some lobbying for harder penalties, more attention from specialized law enforcement, some kind of public insurance against this kind of theft and fraud, and most importantly, laws that push the liability onto other parties (remember, being a banker means *never* having to take any responsibility!), but I suspect they're a lot more practiced at the latter approach than the former. And this is *before* you get into some of the darker corners of banking. There are no small number of people who will tell you a little bit of looseness in the system is a feature, not a bug, because it makes it a lot easier to handle money for, shall we say, extralegal enterprises.

And while it might not be more *expensive* to hire good security professionals, it's probably harder. As the old saying goes, it takes one to know one. The banking community knows good lawyers and lobbyists. They don't really know what computer security looks like.

Re:I think Banks Don't Actually Care (1)

tlhIngan (30335) | more than 4 years ago | (#31241076)

Banks don't care, because they don't have to.

1) Legally, they're protected. Read your cardholder agreement and any agreements you have regarding online banking. Even the ones that claim "Zero Liability". At the very least, you need to have a PC with latest updates (OK), antivirus/antispyware software (there goes OS X, Linux and smartphones) with latest updates, approved browser and version (see a website...) and other junk. Oh, and if you access your account from any unapproved machine practically ever, poof. No bank liability.

2) Exactly. Look at 3DS (Verified by Visa/Mastercard SecureCode). Even Chip & PIN has stupid vulnerabilities. And many banks use "Wish it was two factor" (http://thedailywtf.com/Articles/WishItWas-TwoFactor-.aspx) security that pretends to be two-factor, but is barely another password.

Banks don't care, because they can weasel out of any "protection" they offer. And half the "protection" they offer really just shifts liability back to you.

PMITAP (0)

Anonymous Coward | more than 4 years ago | (#31240474)

You mean like in Superman 2?

Safest way to bank: (1)

LoRdTAW (99712) | more than 4 years ago | (#31240484)

Use a trusted Live Linux CD (Ubuntu, Knoppix etc.) in a VM or boot your PC with it. Browse directly to your bank's site and take care of business.

Not that I know anything about this (1)

T Murphy (1054674) | more than 4 years ago | (#31240570)

There are already physical random password generators- can they be directly plugged into the computer? If it either sends a password every few seconds or every time you are transmitting any financial information, it would require the attacker to stay in the middle to do anything. If the password generator uses the user input to help seed the password, shouldn't a MitM attack be foiled, as they cannot change the information and still have the password check out? The issue here is that the password generator has to be immune to input from the attacker.

Everything I know about security in these situations is from my misinterpretations of posts here on slashdot, so I must be missing something. Anyone care to elaborate on why this works/doesn't, or perhaps a better solution?

Re:Not that I know anything about this (1)

ushere (1015833) | more than 4 years ago | (#31240816)

exactly the system the commonwealth bank has in australia - for free.

Re:Not that I know anything about this (0)

Anonymous Coward | more than 4 years ago | (#31241624)

That's how the banks do it in Europe (at least Scandinavia): you have a physical key generator (that the bank knows the salt for), and when you log in to your account you get presented with a challenge which you type into your key generator and get a response that you type into your browser. Now if your browser is compromised they only know the answer to that particular challenge, which won't happen again.

Now, the smart part is that when you add a new recipient for transfers you have to input their account number (or last 8 digits if it's longer than 8 digits), so the only thing the infected browser can do is change your new recipient to another that has the same last 8 digits, which is highly unlikely to be of any use to them. Now the second smart part is that you also have to put in a hash of your amount for each transfer (even to trusted recipients), so the browser can't even change the amount sent.

The bad part of this is of course that your key generator could get stolen, but they'd need your 4 digit PIN (3 tries and the generator locks down), and it's a bit tedious to check the sum and get the hash from your key generator every time you transfer money. Also a bad part is that it can only handle 8 digit account numbers.

The pros as compared to a USB dongle are that you yourself type in the account number and amount into the generator, so even if your entire computer is infected no false information can be injected at this stage. Though they could still intercept your invoice, unless you can get that delivered to you securely, and change the account number in the actual invoice, but they need to do that before you make your first payment.
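The transaction-signing scheme described in this comment (and the seeding question raised earlier in the thread) can be modelled in a few dozen lines. The following is an added illustration, not any bank's protocol or token firmware. It assumes the token and the bank share a per-customer secret, that the token's response is an HMAC over the challenge plus the last 8 digits of the recipient and the amount the customer keys in by hand, and that the bank consumes each challenge on first use. The key, account numbers and amounts are constructed values; a real token would also require a PIN and would use a vendor-specific code format.

```python
import hashlib
import hmac
import secrets


def token_response(key, challenge, recipient="", amount_cents=0):
    """What the hand-held generator computes from what the customer keys in.

    Only the last 8 digits of the recipient account are bound, mirroring the
    limitation the comment describes; the output is an 8-digit decimal code a
    person can read off a display.  (Constructed format, not any vendor's.)"""
    message = f"{challenge}|{recipient[-8:]}|{amount_cents}".encode()
    mac = hmac.new(key, message, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Server side: holds the customer's token secret and outstanding challenges."""

    def __init__(self, key):
        self.key = key
        self.pending = set()          # challenges issued but not yet consumed

    def issue_challenge(self):
        challenge = secrets.token_hex(4).upper()
        self.pending.add(challenge)
        return challenge

    def submit_transfer(self, challenge, recipient, amount_cents, response):
        """Accept only if the code signs exactly the recipient and amount the browser sent.

        The challenge is consumed whether or not the check passes, so a code
        captured by a man-in-the-browser cannot be replayed later."""
        if challenge not in self.pending:
            return False
        self.pending.discard(challenge)
        expected = token_response(self.key, challenge, recipient, amount_cents)
        return hmac.compare_digest(expected, response)


def simulate_transfers(key):
    """Walk through the cases discussed in the thread with a constructed key."""
    bank = Bank(key)
    recipient, amount = "12345678", 25_000        # constructed values
    results = {}

    # Honest browser: the customer signs recipient and amount on the token,
    # the browser forwards them unchanged.
    c = bank.issue_challenge()
    code = token_response(key, c, recipient, amount)
    results["honest"] = bank.submit_transfer(c, recipient, amount, code)

    # Replay of the same challenge and code is refused.
    results["replay"] = bank.submit_transfer(c, recipient, amount, code)

    # A man-in-the-browser rewrites the recipient after the customer signed.
    c = bank.issue_challenge()
    code = token_response(key, c, recipient, amount)
    results["recipient_changed"] = bank.submit_transfer(c, "87654321", amount, code)

    # ...or the amount.
    c = bank.issue_challenge()
    code = token_response(key, c, recipient, amount)
    results["amount_changed"] = bank.submit_transfer(c, recipient, 2_500_000, code)

    # Residual risk the comment notes: an account sharing the last 8 digits
    # signs identically, so the bank cannot tell the two apart.
    c = bank.issue_challenge()
    code = token_response(key, c, recipient, amount)
    results["same_last_8_digits"] = bank.submit_transfer(c, "99" + recipient, amount, code)
    return results


if __name__ == "__main__":
    print(simulate_transfers(b"constructed-demo-key"))
```

The point the block makes concrete is that the browser is untrusted input on both ends: the bank recomputes the MAC over whatever the browser submitted, so a rewritten recipient or amount simply fails to verify, and because the challenge is single-use the attacker gains nothing by holding the code back. The "same last 8 digits" case shows the one thing the scheme does not bind, which is why the comment flags it as the weak spot.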

Healthy industry! (1)

postmortem (906676) | more than 4 years ago | (#31240730)

There is still money to be made in IT/CS!

The sites where my money is involved are safe... (0)

Anonymous Coward | more than 4 years ago | (#31240798)

Basically the "big bucks" are on my banking accounts. Great, I happen to have a bank mandating the use of a cryptographic token. Even better, for account numbers never used before or for big amount it is mandatory to make the account number of the recipient part of a cryptographic challenge: good game lowlifes, it is mathematically provable that you cannot work around that.

Noticed the "cryptographic challenge" part? That defeats *every* MITM attack (renamed "Man In The Browser" in TFA for no good reason).

Now another site where I've got $1.5K or so is an online Poker site. The biggest one. 300K players at peak hours. The good news? That site *also* provides an RSA security token. (cue all the clueless about online poker sites being all rigged, but I'm actually making money with this while having a lot of fun and, yes, I did already cash out a lot of times and, no, I never had any issue).

Anyway, it ain't the point: the point is... More and more sites are starting to use two-form authentication and this trend ain't going to stop.

Either people using botnets to steal money out of customer accounts become a real problem and banks SHALL all (or most) mandate the use of physical security tokens + cryptographic challenge (once again, it's already done here and it works flawlessly and people don't whine about it), or people using botnets to steal money shall stay an insignificant problem.

I didn't think about using an iPhone to connect to my online banking website (supposed to be safer due to non-unsigned application and also greatly due to the better track security record of OS X compared to Windows)...

That said my security token + cryptographic challenge + Linux bootable CD gives low-lifes a nice finger :)

Piracy (1)

P1aGu3ed (979864) | more than 4 years ago | (#31240834)

How are these underground communities preventing the toolkits from flooding usenet and bittorrent? Perhaps software vendors could take a lesson from them?

It like the pennies tray at the cash register... (1)

barfy (256323) | more than 4 years ago | (#31240950)

Not the ones for the kids. The ones for everyone...

Except we take parts of pennies and do it a million times a day.

I know a non technical solution... (1)

Yaa 101 (664725) | more than 4 years ago | (#31240952)

I know a non-technical solution which even generates jobs: bring back the physical counter...

A simple solution might be on the horizon... (1)

x-irrad (1751872) | more than 4 years ago | (#31241008)

The key to solving this problem is secure and cheap transaction authentication, which is what IBM has been trying to achieve with their ztic, but even that I fear is vulnerable. The solution I think that will ultimately put something of a stop to the mitb/trojan is this: http://passwindow.com/ [passwindow.com] It seems at first glance too good to be true, but I read parts of the whitepaper and it seems legit. I heard it mentioned that a few banks might be rolling it out some time this year....

A good solution to phishing (1)

jonwil (467024) | more than 4 years ago | (#31241234)

A good solution to phishing is PassWindow (no, I have no connection to their product, I just think it's a damn good idea). See www.passwindow.com for details of the system.

Basically your card (ATM card, credit card, bank card or whatever) has a translucent window on it (translucent to make it hard to photocopy). This window contains segments like those on a 7 segment LED display. These segments are in a pre-defined pattern.

When you log in, the bank generates another set of 7-segment patterns. When you hold your card over the pattern, the segments on the card and the segments on the screen match up to generate 1 or more numbers that you then key into the login form.

Each time you login, the set of segments generated by the bank will be different (resulting in different numbers)

This system has the following advantages:
1. Unlike calculators and key-fobs and similar, it requires no batteries to operate. Plus, it is something you would carry with you anyway.
2. Unlike card/pin pads, special certificates and dongles and other devices that plug into your computer, PassWindow cards will work with any device that is capable of rendering the PassWindow image (including cellphones, internet cafe/kiosk computers and work PCs where plugging things in is not allowed).
3. The PassWindow system is essentially totally resistant to social engineering (due to the fact that it's not easy to describe in words the layout of the PassWindow markings).
4. Unlike on-screen keyboards, "click the right picture" and other such systems, the PassWindow system is resistant to trojan horses, keyloggers and any other software or hardware that may be running when you access the bank, as the number generated by the PassWindow is one-time-use-only and will not be valid if the trojan/hacker attempts to log in with it (if the trojan/hacker simply stores it and returns a "bank not working" error instead of actually logging in with it, it won't be valid since it will have expired).
5. The PassWindow system is resistant to brute force due to the number of possible combinations of PassWindow patterns that could be on the card (and the fact that the random image returned by the bank each time you try to log in is different each time).

Now I am not saying it's perfect, but it's better than any other solution I have seen to date. (and cheaper than anything requiring a separate electronic device of some sort)

If anyone knows of any ways in which the PassWindow technology would be insecure (or more to the point, less secure than alternatives that are currently in use) please speak up.
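To make the overlay mechanism and its one-time property tangible, here is an added toy model of a PassWindow-style login; it is not PassWindow's own algorithm or code, and the real product's pattern design is more involved. The assumptions: a card carries a secret set of dark segments at each digit position, the bank knows that pattern, the bank lights only the segments the card lacks so that the union of card and screen spells a digit (a simple union-overlay model), and each challenge is consumed on the first answer. The random seed and card pattern are constructed for the demonstration.

```python
from random import Random

SEGMENTS = "abcdefg"
DIGIT_SEGMENTS = {                  # standard 7-segment layout: a = top, g = middle
    "0": frozenset("abcdef"), "1": frozenset("bc"),    "2": frozenset("abdeg"),
    "3": frozenset("abcdg"),  "4": frozenset("bcfg"),  "5": frozenset("acdfg"),
    "6": frozenset("acdefg"), "7": frozenset("abc"),   "8": frozenset("abcdefg"),
    "9": frozenset("abcdfg"),
}
SEGMENTS_TO_DIGIT = {segs: d for d, segs in DIGIT_SEGMENTS.items()}


def make_card(positions, rng):
    """The card's secret: the segments printed dark at each digit position.

    Fixed at issue time and kept by the bank; it never travels over the network."""
    return [frozenset(s for s in SEGMENTS if rng.random() < 0.35)
            for _ in range(positions)]


def make_challenge(card, rng):
    """Bank side: choose a fresh code and light only the segments the card lacks.

    Under a union overlay a position can only show digits that contain every
    printed segment; '8' always qualifies, so a choice always exists."""
    screen, code = [], ""
    for printed in card:
        candidates = [d for d, segs in DIGIT_SEGMENTS.items() if printed <= segs]
        digit = rng.choice(candidates)
        screen.append(DIGIT_SEGMENTS[digit] - printed)
        code += digit
    return screen, code


def read_overlay(card, screen):
    """Customer side: hold the card over the screen and read the digits formed.

    Whoever sees only the screen (a trojan grabbing a screenshot, say) gets the
    lit segments and cannot tell which segments the card adds."""
    return "".join(SEGMENTS_TO_DIGIT.get(printed | lit, "?")
                   for printed, lit in zip(card, screen))


class BankServer:
    """Issues single-use challenges and checks the typed code against the card it holds."""

    def __init__(self, card, rng):
        self.card, self.rng, self.pending, self.counter = card, rng, {}, 0

    def start_login(self):
        screen, code = make_challenge(self.card, self.rng)
        self.counter += 1
        self.pending[self.counter] = code
        return self.counter, screen

    def finish_login(self, challenge_id, typed_code):
        """Consume the challenge whatever the outcome; a captured code is useless afterwards."""
        expected = self.pending.pop(challenge_id, None)
        return expected is not None and typed_code == expected


def simulate_login(positions=4, seed=1):
    """Constructed walkthrough: honest login, replay, then a wrong code on a fresh challenge."""
    rng = Random(seed)
    card = make_card(positions, rng)
    bank = BankServer(card, rng)

    cid, screen = bank.start_login()
    code = read_overlay(card, screen)
    honest = bank.finish_login(cid, code)
    replay = bank.finish_login(cid, code)          # same code again: refused

    cid2, screen2 = bank.start_login()
    code2 = read_overlay(card, screen2)
    wrong = str((int(code2[0]) + 1) % 10) + code2[1:]
    wrong_code = bank.finish_login(cid2, wrong)
    return {"code_length": len(code), "readable": "?" not in code,
            "honest": honest, "replay": replay, "wrong_code": wrong_code}


if __name__ == "__main__":
    print(simulate_login())
```

Two things worth noticing in the model: the server never transmits the card pattern, only the complement needed for that one challenge, and verification pops the challenge before comparing, so the "store it and show a fake error" trick the comment mentions leaves the attacker with a code that no longer matches anything.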
