
Online Banking Trojan Stole Money From Belgians

kdawson posted more than 4 years ago | from the routing-around dept.

Crime 144

hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.


sweden??? (5, Informative)

lordholm (649770) | more than 4 years ago | (#33027128)

The article does not even mention the word Sweden or Zweden. It does however mention Denmark, which is not equal to Sweden.

Re:sweden??? (4, Funny)

MadKeithV (102058) | more than 4 years ago | (#33027296)

Yeah, but why NOT Sweden, it has some lovely lakes?

We apologise for the fault in the Post (1, Funny)

BrightSpark (1578977) | more than 4 years ago | (#33027760)

You failed to mention the wonderful telephøne system and mani interesting furry animals. Those responsible for that post have all been sacked. signed : JUTTE HERMSGERVORDENBROTBORDA http://www.smouse.force9.co.uk/monty.htm [force9.co.uk]

Re:We apologise for the fault in the Post (0)

Anonymous Coward | more than 4 years ago | (#33027844)

You failed Swedish 101 by using a slashed o.

Re:We apologise for the fault in the Post (0)

Anonymous Coward | more than 4 years ago | (#33028174)

No, you failed Monty Python 101 (and failed to follow the link in the previous comment).

(The translation: *whooosh*.)

People (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33027130)

Regardless of the effort or complexity, every security system has one inherent flaw.

Re:People (-1, Troll)

should_be_linear (779431) | more than 4 years ago | (#33027744)

And that's Windows. Seriously, why is such news not written correctly: "Online Banking Trojan Stole Money From Windows Users In Belgium"? Journalists usually mention that OSes like Linux or OSX cannot run many programs, like games, made exclusively for Windows. So, following the same logic, in this case they should mention every single time, "this trojan works on Windows only. If you are using any flavour of Linux or OSX, the problem is not related to your computer."

Re:People (2, Informative)

smallfries (601545) | more than 4 years ago | (#33027810)

The article doesn't say that the trojan was written for Windows either. Are you under the mistaken belief that there are no trojans out there for OSX or Linux?

Re:People (0)

vtcodger (957785) | more than 4 years ago | (#33028100)

Of course you can write a trojan -- or any other sort of malware -- targeted at Unix. Unix has the same architecture and pretty much the same vulnerable technologies as NT based Windows. But so far, few people have bothered. But for the time being, security through obscurity -- plus the difficulty of writing low level code that works reliably with seventy or so different Unix distributions -- protects Unix users.

That won't last of course.

Prediction: First we'll see malware targeting Ubuntu. Then malware targeting all Unixes. Then malware that has Unix, MacOS and Unix versions all tidily packaged together.

Re:People (2, Informative)

speculatrix (678524) | more than 4 years ago | (#33028442)

Unix has the same architecture and pretty much the same vulnerable technologies as NT based Windows.

WTF? sure, they both run on computers (usually x86) but there's fundamental differences in everything from the kernel to the drivers!

Re:People (1)

should_be_linear (779431) | more than 4 years ago | (#33028702)

There is a fundamental cultural difference in the way people install apps on the two platforms. I am taking Ubuntu here as representative of the Unix/Linux world, because it is. On Ubuntu a BFU installs an app by selecting it in a verified repository. On Windows, a BFU searches the web for various utilities and then starts downloading from any web page that contains what appears to be install files.

Re:People (1)

smallfries (601545) | more than 4 years ago | (#33028706)

You seem to be lagging behind in your predictions somewhat. There have already been several stories this year about OSX trojans being discovered in the wild. This [osnews.com] was the first hit on Google just now, there are many others.

OS-X has much bigger market-share than any of the linux distros so it makes sense it would be the first target. Once more of these are established I would expect more linux distros to be targeted, and then finally the emergence of unix-wide trojans.

Re:People (1)

abigsmurf (919188) | more than 4 years ago | (#33027968)

There's no reason why a trojan like this couldn't be installed on Linux or OSX. You don't even need admin rights to install something that could log their key presses.

So sorry (1)

jplopez (1067608) | more than 4 years ago | (#33027152)

Poor Mr. Belgians :-(

Sweden Denmark (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#33027162)

For most Americans, they are, or could be. I live in Amsterdam, but when on vacation in the US, very few people could identify that as a city in the Netherlands. (Let alone realized that "Holland" and "the Netherlands" are - incorrectly - synonymous.)

Re:Sweden Denmark (1, Funny)

Anonymous Coward | more than 4 years ago | (#33027784)

Are you saying that there is another land outside America? That America is not the one and only inhabited ground on this planet, and that anywhere else there are not just aliens or eventually oil but also other human beings?

That's impossible. Another lie of those freaky evolutionists.

Re:Sweden Denmark (1)

rve (4436) | more than 4 years ago | (#33027834)

Stop acting so self important about the name of your country in other languages. Do Germans complain that their country is called Germany in English or Allemagne in French instead of Deutschland? Are Russians upset that their capital is called Moscow in English instead of Moskwa? Are Americans upset that you call their country Vereenigde Staaten? No, they couldn't care less. Your collective loathing for / envy towards one of your provinces is your own business, don't expect anyone else to care about it. The English name for your country is Holland, deal with it.

Re:Sweden Denmark (0, Offtopic)

Killjoy_NL (719667) | more than 4 years ago | (#33027882)

Pffff, somebody pissed in your cheerios this morning, jeez.
It is the same when we say America and then you counter that with The United States of America since America is more than North America alone.
And we technical people like to be technically correct, so the AC is 100% correct.
Calling the Netherlands Holland only shows ignorance and arrogance, deal with it.

Names of countries (0)

Anonymous Coward | more than 4 years ago | (#33027986)

And telling other people how to use their language is showing arrogance, too. (If two people are speaking with each other, both can be arrogant.)

Re:Sweden Denmark (1)

emj (15659) | more than 4 years ago | (#33028090)

Calling the Netherlands Holland only shows ignorance and arrogance, deal with it.

Most Dutch people I've asked don't really care, and in many of the surrounding countries Holland is by definition the same as the Netherlands.

Re:Sweden Denmark (1)

rve (4436) | more than 4 years ago | (#33028094)

Pffff, somebody pissed in your cheerios this morning, jeez.
It is the same when we say America and then you counter that with The United States of America since America is more than North America alone.
And we technical people like to be technically correct, so the AC is 100% correct.
Calling the Netherlands Holland only shows ignorance and arrogance, deal with it.

Well no, the Dutch name is Nederland, not 'The Netherlands'. To be absolutely 100% pedantic, 'The Netherlands' refers to a region, not to a country. There is no basis whatsoever for pouncing on every single mention of the word 'Holland' on the internet and telling English speakers to prefer one word over another in their own language!

Do English speakers tell you to say 'Wat zeg je?' instead of 'wablief'? The whole concept is ridiculous.

Re:Sweden Denmark (1)

houghi (78078) | more than 4 years ago | (#33028250)

'The Netherlands' refers to a region, not to a country.

I think you are a bit confused by "the nether lands". "The Netherlands" is a country, hence the capital T and N.

And yes, I would tell an English speaker to first use proper wording. That is if he is willing to learn and I have done so.

Re:Sweden Denmark (1)

dave420 (699308) | more than 4 years ago | (#33028102)

That's embarrassing. The Netherlands is the name of the country. Holland is the name of two of its 12 provinces (North Holland & South Holland). So no, comparing it to Germany not being called Deutschland in English is flat-out wrong. It would be like someone calling the US "Carolina", and then insisting that they're right.

Re:Sweden Denmark (0)

Anonymous Coward | more than 4 years ago | (#33028120)

but when on vacation in the US, very few people could identify that as a city in the Netherlands. (Let alone realized that "Holland" and "the Netherlands" are - incorrectly - synonymous.)

Who'd have known I'd defend stereotypical US ignorance, but as a German, I didn't know the distinction between Holland and Netherlands, either. Both names are pretty much used as synonyms around here.

Anyway, a few Wikipedia articles later I now know the distinction. I'm a bit surprised that Holland isn't actually the name of the country. Then again, I knew what Benelux stands for, so that should have been a clue.

Re:Sweden Denmark (1)

houghi (78078) | more than 4 years ago | (#33028284)

Everywhere I go in Europe (including The Netherlands) The Netherlands and Holland are interchangeable.
Want proof? Hup, Holland. Hup. [flickr.com]

They even market themselves at international fairs with Holland, tulips and wooden shoes, even if the company is from Twente.

Pay attention (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33027168)

This should still be impossible if the user pays attention. The user could be tricked into re-entering the amount or the recipient's account number repeatedly. But for the attack to be successful, the victim has to be tricked into entering the attacker's account number at some point. Before, the login procedure could be hijacked (since it required a challenge with a random number), but these days that should be a recognizable number, for example starting with a specific digit.

Re:Pay attention (2, Informative)

MadKeithV (102058) | more than 4 years ago | (#33027226)

I use the system mentioned in the article, and I've never noticed the log-in random challenge to have any recognizable number, nor do I recall any communication from my bank (Dexia) that this is so. If this is actually the case, it wasn't made clear to users.

Potentially even more worrying is that this system is now also being applied to online payments using my Dexia VISA card, which is more vulnerable still because it originates at the merchant's site, and isn't always so easy to verify.

Re:Pay attention (2, Insightful)

StoneOldman79 (1497187) | more than 4 years ago | (#33027256)

Entering some extra recognizable info in the two-factor authentication is indeed "the way to go".
An account number is not that user friendly (and which number to enter if you have multiple transfers in one go?).
My current online bank requires me to type in the amount of money to transfer as an extra fail-safe.
This should be "good enough" for the near future.
Sadly, many online banks do not have anything like this. Not implementing proper security and paying back "robbed" customers is apparently still the cheapest option.

Re:Pay attention (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33027302)

Each (new) account number should be challenged.

Like I said earlier, the biggest problem was the login challenge, but using a fixed prefix (not shared with any account numbers) is enough to avoid the login from being used to get the correct response from the attackers account number. I don't think this news is about a technical weakness but rather about customers using a system they haven't quite understood.

Re:Pay attention (1)

emj (15659) | more than 4 years ago | (#33028112)

Each (new) account number should be challenged.

There are devices that ask you questions like: "Do you want to transfer 100 Crowns to the account of Emj"; they just cost a lot more (like $10 more?). Your scheme is already being used on most devices I've seen, but users don't understand; they even miss that they are not using an encrypted connection.

Re:Pay attention (1)

jonbryce (703250) | more than 4 years ago | (#33027998)

An amount of money is not good enough, because the attacker just needs to see what amount you want to transfer and steal that amount for himself.

Re:Pay attention (2, Insightful)

ZeroExistenZ (721849) | more than 4 years ago | (#33027276)

This should still be impossible if The user pays attention

Well, you cannot expect the user to take on this responsibility of "checking for a specific digit"; they'll go to the competition if the procedure is too "complex". Why is Apple booming? Not because of feature-galore.

You cannot imagine how many emails I get from "regular users" who entered their login details on some random webpage, resulting in an email to all contacts in the format "follow this link to see [facebook-style test results]", prompting the recipient to log in with their credentials and continue the chain.
(I've given up on educating them and sending a reply explaining how their credentials have been compromised.)

And why wouldn't those people?

It is similar to Microsoft's Passport or the Facebook implementation on webpages, which is pushed everywhere as "ease of use" and "seamless integration everywhere" (which, with malicious intent, could hijack your accounts as well and get to your emails or banking details, or get creative and infect someone).

Re:Pay attention (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33027344)

My bank simply states during the login that the login challenge number always starts with the digit 9.

Unless I pay attention to that, I could be on a fake site displayed by a trojan that challenges an attacker's account number. There is no practical way to prevent that. The system is "safe enough" even with ignorant users, and really safe with attentive users. It has worked for 15 years without big problems. To put things in perspective, ATM fraud and card skimming probably steal more money every minute than this type of attack does in a year.

Re:Pay attention (0)

Anonymous Coward | more than 4 years ago | (#33027390)

My bank simply states during the login that the login challenge number always starts with the digit 9.

With the Vasco Digipass system, login is without a challenge code; the Digipass generates a login code from an internal clock, combined with PIN number and a secret stored on the personal bank card.

I have noticed that the login code usually (always?) starts with the same digit, but I don't see how this could make the job harder for the attacker. He wants access to YOUR bank account, not to his own bank account, isn't it? (I always assumed that the first digits identify the Digipass device, in case the user has several digipasses with different internal clock drifts).

Re:Pay attention (1)

houghi (78078) | more than 4 years ago | (#33028336)

From what I understand, the virus acts like a sort of proxy server. You are challenged to enter the Vasco code. Then it takes that code (as there is a time limit on it, or it can be used only once) and uses it to transfer money in the background to another account.

Then the bank system will ask you to retype your code, because it can't use the other code anymore. Always pretty random numbers.

I work on Linux (so no virus there) and I have mistyped the code more than once, so such an error message is not uncommon.

It is sort of an automated Man-in-the-Middle attack.

Re:Pay attention (0)

Anonymous Coward | more than 4 years ago | (#33027406)

After working in a certain company for some time, I have to say I can't blame those users anymore.
A lot of companies ask you all the time for your Windows user/password for all kinds of intranet sites, but some of those intranet sites are not obviously on the intranet.
Honestly, they usually mess up so thoroughly that it's impossible for a user to know whether it is ok to enter their username and password (unless it is something really obvious), and since they have a job to do they just think "f*ck those idiots, I'll just enter it, and if it's compromised it's IT's problem for not coming up with a proper solution".

Re:Pay attention (1)

Sabriel (134364) | more than 4 years ago | (#33027388)

"the victim has to be tricked into entering the attackers account number at some point"

If a trojan has control of your browser, what it sends to the bank doesn't have to be what you typed into the account field...

Re:Pay attention (2, Informative)

Anonymous Coward | more than 4 years ago | (#33027434)

If a trojan has control of your browser, what it sends to the bank doesn't have to be what you typed into the account field...

No, the user types the recipient's bank account number into his Digipass device in order to generate an authentication code.

During a legitimate transaction, the website will tell you

Enter the challenge code 138427, then the amount in euro 5600, then the recipient bank account number 98765432 into your card reader and enter the authorization code in the field below.

However, a trojan could transform that into:

The authorization code was incorrect. For extra security, enter the following three challenge codes 138427, 5600, and 98765432 into your card reader and enter the authorization code in the field below.

My bank only asks a single challenge code for small transactions; only for larger transactions (1000 euro and up), the extra codes show up. A victim may not have encountered the triple challenge codes often enough to realize that they must indicate the amount and the account number.
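The following is an added illustration, written for this page; it is not code from the article, from the commenters, from Vasco or from any bank. It models the scheme discussed above (challenge, amount and beneficiary keyed into a card reader, single code for small transfers, triple code for large ones) together with the two failure modes the thread identifies: with a single code the beneficiary is not bound at all, so a trojan only has to rewrite the POST (Sabriel's point); with the triple code the reader cannot tell an account number from a "challenge", so the fake-error prompt hands the attacker a valid authorization unless the victim actually compares the third number with the intended beneficiary (and, as jonbryce notes, the amount alone does not help because the attacker keeps the victim's amount). It also models the "login challenges always start with 9" rule mentioned earlier in the thread as domain separation. The key derivation, code length and the assumption that account numbers never start with 9 are all assumptions made for the example, not the real Digipass algorithm.

```python
# Added example: toy model of challenge/amount/account transaction signing and
# of the attacks discussed in the thread.  Key derivation, code length and the
# "login challenges start with 9" rule are assumptions, not Digipass internals.
import hashlib
import hmac
import secrets

CARD_SECRET = b"secret-on-the-chip-card"   # assumed per-card secret
PIN = "1234"                               # assumed user PIN


def device_code(pin: str, *digits: str) -> str:
    """Model of the card reader.  It mixes the PIN, the card secret and the digit
    strings the user keys in, and shows an 8-digit code.  The reader has no idea
    whether a string is a challenge, an amount or an account number: that
    meaning exists only in the user's head and on the bank's server."""
    key = hashlib.sha256(CARD_SECRET + pin.encode()).digest()
    mac = hmac.new(key, "|".join(digits).encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class Bank:
    """Server side: issues challenges and checks codes against the amount and
    beneficiary the server itself received, whatever the browser displayed."""

    def __init__(self) -> None:
        self.spent: set[str] = set()

    def transfer_challenge(self) -> str:
        # 6 digits, first digit 1-8: can never look like a login challenge
        return str(secrets.randbelow(8 * 10**5) + 10**5)

    def login_challenge(self) -> str:
        # Fixed prefix 9 (assumed: no account number starts with 9)
        return "9" + f"{secrets.randbelow(10**5):05d}"

    def verify_login(self, challenge: str, code: str) -> bool:
        return challenge.startswith("9") and self._check(challenge, code, challenge)

    def verify_small_transfer(self, challenge: str, amount: str, account: str, code: str) -> bool:
        # Single-code variant: amount and account are NOT bound into the code
        return not challenge.startswith("9") and self._check(challenge, code, challenge)

    def verify_large_transfer(self, challenge: str, amount: str, account: str, code: str) -> bool:
        # Triple-code variant: the code must cover the beneficiary the bank sees
        return not challenge.startswith("9") and self._check(challenge, code, challenge, amount, account)

    def _check(self, challenge: str, code: str, *inputs: str) -> bool:
        if challenge in self.spent:
            return False                        # every challenge is single-use
        if not hmac.compare_digest(device_code(PIN, *inputs), code):
            return False
        self.spent.add(challenge)
        return True


def man_in_browser_small(bank: Bank, challenge: str, amount: str, mule: str) -> bool:
    """Single-code scheme: the victim keys only the challenge.  The trojan swaps
    the beneficiary in the POST; the code is still valid for the mule transfer."""
    code = device_code(PIN, challenge)
    return bank.verify_small_transfer(challenge, amount, mule, code)


def fake_error_attack(bank: Bank, challenge: str, amount: str, intended: str,
                      mule: str, victim_checks: bool) -> bool:
    """Triple-code scheme.  The trojan shows 'code incorrect, for extra security
    enter these three codes: <challenge>, <amount>, <mule account>'.  A victim
    who does not recognise the third number as an account number keys it in and
    produces a valid authorization for the mule transfer; one who compares it
    with the intended beneficiary refuses.  The amount stays the victim's own,
    so binding the amount alone would not stop this."""
    shown = [challenge, amount, mule]
    if victim_checks and shown[2] != intended:
        return False                            # attentive victim stops here
    code = device_code(PIN, *shown)
    return bank.verify_large_transfer(challenge, amount, mule, code)
```

Usage: `fake_error_attack(Bank(), "138427", "5600", "98765432", "11223344", victim_checks=False)` returns True (fraud authorized) and the same call with `victim_checks=True` returns False; the account numbers are constructed for the example. The design point is that the device signs digit strings, not a meaning; only the server (which sees the real beneficiary) and an attentive user can supply that meaning, and the single-code variant removes even the server's chance to do so.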

Re:Pay attention (1)

SharpFang (651121) | more than 4 years ago | (#33027680)

If the device requires only the last digit of the account number, you need a total of 10 money mules to capture money from all infected people.

Re:Pay attention (2, Interesting)

Mattpw (1777544) | more than 4 years ago | (#33027516)

This is the problem with putting complicated user action into the transaction authentication process: if you control the browser you can request the user do just about anything in the name of a test or error, as related in the article. My Passwindow method encodes the transaction information (i.e. destination account) into the challenge from the server so the user must only visually check the information; because this information is cycled alongside the authentication digits they are forced to inspect it and cannot simply ignore it and blindly authorize the transaction.

Not unique to Belgium (3, Interesting)

arivanov (12034) | more than 4 years ago | (#33027180)

There is a similar scam doing the rounds in the UK targeting Nationwide, which uses a rather predictable 2-factor (the amount of money and last digits of the destination account are used as a challenge).

The scam apparently asks you to "resync" your challenge device. If you do you end up sending a sum of money to a money mule.

Re:Not unique to Belgium (1)

Mattpw (1777544) | more than 4 years ago | (#33027606)

Do you have a link to any articles?

Re:Not unique to Belgium (3, Informative)

arivanov (12034) | more than 4 years ago | (#33027802)

No, but Nationwide has been using nagware banners that tell the customers that they NEVER ask them to resync the device for a few months now. From there on to deduce what the scam is is fairly trivial. Even if the scam was not around when they started the hint contained in the warning is sufficient for anyone clued up enough to design the relevant trojan by now.

Re:Not unique to Belgium (1)

AlexiaDeath (1616055) | more than 4 years ago | (#33027854)

Around here banks have limited the transactions for such "two factor" signing schemes to near nothing in favor of RSA based digital signing schemes that require you to use a pass-coded certificate on a chip card, that is also your national ID card, or a certificate on your cellphone SIM linked to the ID-card one.

Re:Not unique to Belgium (1)

js_sebastian (946118) | more than 4 years ago | (#33027970)

Around here banks have limited the transactions for such "two factor" signing schemes to near nothing in favor of RSA based digital signing schemes that require you to use a pass-coded certificate on a chip card, that is also your national ID card, or a certificate on your cellphone SIM linked to the ID-card one.

So? That doesn't solve the problem. You still have to enter the amount and destination account number into an external device which then does the signing. Otherwise how can you be sure what you are signing, if your PC is compromised and anything on your screen could come from attackers?

And, you have to be educated to what the numbers you enter mean, so that you cannot be scammed into sending money to someone else.

How long until..... (2, Interesting)

CastrTroy (595695) | more than 4 years ago | (#33027210)

How long until we move to using dedicated terminals to access our online banking. A device that only did banking could be really cheap [cgi.ebay.ca] . Load a custom, hardened version of Linux on there, that only displayed a web browser, and only went to the bank's website, and you'd probably go a long way to stopping this, and many other kinds of fraud.

Re:How long until..... (2, Insightful)

phantomfive (622387) | more than 4 years ago | (#33027322)

Sounds like an excellent plan. One you can implement personally for yourself right now (I personally discourage all my family members from doing online banking from a windows computer). You can have your own personal terminal at your house that you use to connect to the bank. If you think it is an idea people will like, you can start a business setting up similar terminals for other people.

As for your question, how long: banks will not start sending out terminals to all their clients until the cost of paying for fraud becomes higher than the cost of sending out terminals. Individual users will not start using them until the cost of not using them becomes great enough to overcome the laziness and annoyance of acquiring/using a separate terminal. If banks continue to pay them off like they did in this case, it is not likely to happen.

Re:How long until..... (1)

Zocalo (252965) | more than 4 years ago | (#33027520)

Why would you need a dedicated device? You could quite easily do the same thing using a bootable, non-writable memory USB stick, and even combine the same device with a one time pin generator if you wanted to have a few extra security bells and whistles. I doubt we'd see such a device for any other platforms apart from those that are x86 compatible though, and even then it's not going to help against MitM attacks, DNS poisoning or any of the other attack vectors that don't target the end user's system, but at least it would be a start.

Re:How long until..... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33027624)

You can't prevent DoS type attacks, but you can prevent man-in-the-middle attacks (or at least make them useless) by strong end-to-end encryption. However, the encryption key would not be safe if it was on a USB stick... unless the USB stick in turn is encrypted with a password that the user must enter. Ok, that would work. Unless the attacker patches the BIOS to insert a keylogger or something.

Re:How long until..... (1)

Lexical_Scope (578133) | more than 4 years ago | (#33027860)

Surely an even better idea would be some kind of read-only VMWare Appliance (or similar). User clicks a link on their desktop which launches a program that checks the VMWare image hasn't been tampered with (CRC and md5 or something like) and then boots a basic Linux VM which opens a kiosk-mode browser that goes straight to your online banking. Couple that with a proper two-factor hardware token and that should be good enough for most things. If the VM/Browser had draconian checks on things like SSL certificates and DNSSEC, that would be even better.

There would probably be some possibility of an attack at the Hypervisor level I guess, but you'd still have the other forms of protection as well.

Re:How long until..... (1)

js_sebastian (946118) | more than 4 years ago | (#33027984)

Surely an even better idea would be some kind of read-only VMWare Appliance (or similar). User clicks a link on their desktop which launches a program that checks the VMWare image hasn't been tampered with (CRC and md5 or something like) and then boots a basic Linux VM which opens a kiosk-mode browser that goes straight to your online banking. Couple that with a proper two-factor hardware token and that should be good enough for most things.

When you click the link on the desktop, how do you know it is really booting the kiosk-mode image, and not just pretending to? This is not a solution, you would need some kind of trusted boot process, and a reboot. Honestly a little cheap, offline device with a key in it and a little screen and keypad for entering the transaction to sign (or at least a screen to display the transaction) seems simpler and safer.

VM? (1)

nten (709128) | more than 4 years ago | (#33028028)

I'm too lazy to think this through, but intuition says running a safe guest inside a compromised host isn't going to protect you. Motherboard firmware is already being tampered with too, as another poster pointed out. I really do think a stand-alone machine with dedicated hardware, locked down to do that one thing, is in order. The final user wouldn't even have root (sounds kinda like an i-anything). I'd not do the read-only thing, so that signed security updates can be installed from the creator. It's a weak point (two really, the update sigs and the writeability), but I suspect there are enough vulnerabilities still popping up in most OSes ('cept VMS maybe) to make it a worthwhile trade. If you can get a VMS browser to open your bank's website, read-only might be in order. It would also have an IP (not domain!) whitelist with only your bank's IPs in it.

Re:How long until..... (1)

arivanov (12034) | more than 4 years ago | (#33028038)

Rebooting the machine to do just banking? Joe Average User is not going to do that.

Also, what exactly makes you sure that you have booted your USB stick directly and not in a VM? The technique of loading a hypervisor first before loading the supposedly hardened machine has already been demonstrated a while back. A small hypervisor + control software is the ultimate super-trojan. Works with Windows, works with Linux works with anything. It is not that difficult to implement either. Each drive has reserved space to store it and as it is "emulating" the drive it can be 100% stealthy for the OS.

Re:How long until..... (3, Insightful)

Mattpw (1777544) | more than 4 years ago | (#33027570)

Banks won't run the IT tech support required, and there's also the liability issues. Even if you could guarantee the software had no security bugs, the user can just as easily fall victim to phishing type scams and then sue the bank; this is essentially the same problem with the bootable Linux LiveCD concept, which does guarantee no trojans getting into it but fails to prevent simple phishing. The tech support for all the different drivers and other things a person might use the terminal for would kill the bank. The other problem is banking rarely happens in a vacuum: a user wants their accounting program, their files etc., and so locked devices become good for security demonstrations but impractical in real life.

Re:How long until..... (1)

antifoidulus (807088) | more than 4 years ago | (#33027638)

Actually what you are more likely to see is more people switching from the web to dedicated smartphone apps published by the banks and officially blessed by the smartphone manufacturer(apple,google,rim etc). Not perfect but closer to a standalone terminal and much more likely to see widespread adoption.

Re:How long until..... (1)

emj (15659) | more than 4 years ago | (#33028144)

dedicated smartphone apps [..] blessed by the smartphone manufacturer(apple,google,rim etc).

There goes software freedom, there is no room for user created software on a phone that is used to identify you to your bank.

Re:How long until..... (2, Interesting)

SharpFang (651121) | more than 4 years ago | (#33027664)

There is a system that is currently (AFAIK) uncrackable. Details of the transaction you sign are sent back to you through SMS with authorization code. So you know the transaction has been hijacked if the SMS contains wrong data. The code is one-use, generated by bank upon submitting the transaction for authorization.

(of course this may still fall victim to people not reading the SMS beyond the auth code...)

I guess it could be hackable if the attackers could hijack the owner's phone (make a clone of the SIM card?) and learn the password at the same time.

Re:How long until..... (1)

Mattpw (1777544) | more than 4 years ago | (#33027700)

The simple way they get around the SMS, without just putting a trojan on the phone like they do with a terminal, is to just phone up the telecommunications company and say please transfer all my calls to xxx number; the girl asks what is your birthday (you google it) and the crime is done. The telecommunication companies can't increase the difficulties of authenticating users because of anti-competition legislation, which some used to lock in customers.

Re:How long until..... (1)

SharpFang (651121) | more than 4 years ago | (#33027736)

Nope, the girl asks what is your phone account management code. This is how it works with all operators in my country. If it's a birthday in your country, it's completely retarded.

Re:How long until..... (1)

Mattpw (1777544) | more than 4 years ago | (#33027796)

If this is the case in your country I would just ring you up (or get an autodialer like they do with this scam in the USA) and say "Hi, I'm from (telecom company), we have some important information about your account but first I need to confirm your phone account management code". Actually I read about another version of the scam where the trojan would detect when the transaction was done and then they would just ring up the number and say, "Hi, I'm from the bank and we need to confirm a transaction you just did". I've also read from Polish researchers that in the GSM protocol there is a kill-last-SMS command you can send out, so in this case rather than ringing anyone up you send this SMS through and remotely delete the confirmation codes.

Re:How long until..... (1)

SharpFang (651121) | more than 4 years ago | (#33027964)

1) Please send it to my mailing address. I have requested over and again that I do NOT consent to ANY telemarketing.
2) Well, please do. I just performed it. I can give you the number I just used (it's been used up and it can only confirm that particular transaction anyway). I don't really see them being able to obtain anything of use to them.
3) So they can DoS the transaction by cancelling the codes I receive. They still don't get me to sign transactions they want to perform.

The possible scenario for a hijack in this case could be: my PC is compromised, and they control the SMS transmission.
* I enter the transaction details and click "send".
* The trojan hijacks the POST content and replaces the account number and value with their own.
* The trojan notifies the hacked SMS gateway with both the real and fake details of the transaction.
* The gateway intercepts the incoming SMS (with the wrong transaction details and a valid code to authorize the illegal transaction).
* It then cancels the SMS from the bank before I get to read it.
* It sends out their own SMS containing the "correct" transaction details (the ones I have entered) and the auth code for the fraudulent transaction.
* The trojan displays the confirmation page with the bank's reply (mule's account #) replaced with the details I have entered.

That's a lot of steps to perform. And there's reading out someone's SMS, injecting an SMS with a spoofed caller's number, and associating a hijacked computer's IP with the owner's phone number too.

Re:How long until..... (1)

js_sebastian (946118) | more than 4 years ago | (#33028012)

This has happened in a spear phishing case in South Africa. A woman went to the cell phone provider's shop pretending to be the man's wife, claiming that he had lost the SIM card, and managed to convince them to give her a replacement SIM card, which was then used to receive the authorization code.

And of course a legal battle started over liability between the bank and the phone provider (not sure how or if it ended). Sure, the phone provider should not have given the SIM card out, but does it follow that they are liable for fraudulent banking transactions? I wouldn't think so; otherwise the banks would basically be externalizing the costs of their security to the cell phone providers. Still, the cell-phone-based 2-factor is pretty good. My main practical worry with that is that, in cases where I don't have a sheet of paper with the target account number, I cannot easily verify that the account I am sending money to is the one I intended (unless I trust what is written on my screen).

Re:How long until..... (1)

hankwang (413283) | more than 4 years ago | (#33028766)

There is a system that is currently (AFAIK) uncrackable. Details of the transaction you sign are sent back to you through SMS with authorization code.

In the Netherlands, ING uses this system, but for some reason the SMS includes only the total amount and not the recipient's identity. A trojan could simply wait until you try to transfer a large sum, and then make you sign for the same amount to the money mule.

Apart from that, if your phone gives you access to your bank account, then you have to treat it as a credit card: never lend it out, and always have the SIM card blocked immediately if you lose the phone.
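The two posts above describe the same mechanism from opposite sides: a one-time code that the bank derives from the submitted transaction and echoes back by SMS together with the transaction details, and the observation that an SMS carrying only the amount cannot reveal a swapped recipient. The following is an added illustration, not code from any bank or from the thread; it models a bank that derives a 6-digit code as an HMAC over a per-attempt nonce and a chosen set of "bound" transaction fields (an assumption about the scheme, whose real construction the thread does not give), and a customer who only types the code in if every detail the SMS shows matches what they intended. All account numbers and amounts are constructed sample values.

```python
import hmac
import hashlib
import secrets

# Which transaction fields the bank binds into the one-time code and echoes
# back in the SMS. AMOUNT_ONLY models the weakness described in the post;
# AMOUNT_AND_RECIPIENT is the hardened form.
AMOUNT_ONLY = ("amount",)
AMOUNT_AND_RECIPIENT = ("amount", "recipient")


def transaction_code(secret: bytes, nonce: str, txn: dict, bound_fields: tuple) -> str:
    """Six-digit one-time code: an HMAC over the nonce and the bound fields.
    The code is therefore only valid for one authorisation attempt (the nonce)
    and only for transactions that agree on every bound field."""
    msg = "|".join([nonce] + [f"{f}={txn[f]}" for f in bound_fields]).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def issue_sms(secret: bytes, nonce: str, txn: dict, bound_fields: tuple):
    """Bank side: build the SMS the customer receives. It echoes the bound
    fields of the transaction the bank actually received (which, with a
    trojan in the browser, may differ from what the customer typed)."""
    details = {f: txn[f] for f in bound_fields}
    code = transaction_code(secret, nonce, txn, bound_fields)
    text = "; ".join(f"{k}: {v}" for k, v in details.items()) + f"; code: {code}"
    return text, details, code


def customer_accepts_sms(details: dict, intended: dict) -> bool:
    """Customer side: only type the code in if every detail the SMS shows
    matches what you meant to send. Fields the SMS omits cannot be checked."""
    return all(intended[k] == v for k, v in details.items())


def bank_verifies(secret: bytes, nonce: str, txn: dict, bound_fields: tuple,
                  entered_code: str) -> bool:
    """Bank side: recompute the code for the stored transaction and compare."""
    expected = transaction_code(secret, nonce, txn, bound_fields)
    return hmac.compare_digest(expected, entered_code)


def simulate(bound_fields: tuple, intended: dict, submitted: dict, secret: bytes = None) -> str:
    """Run one transfer end to end and report the outcome.
    `intended` is what the customer typed; `submitted` is what reached the bank
    (a browser trojan may have altered it on the way)."""
    secret = secret or secrets.token_bytes(32)
    nonce = secrets.token_hex(8)
    _sms_text, details, code = issue_sms(secret, nonce, submitted, bound_fields)
    if not customer_accepts_sms(details, intended):
        return "rejected_by_customer"
    # The customer types the code back; the bank checks it against what it stored.
    if bank_verifies(secret, nonce, submitted, bound_fields, code):
        return "approved"
    return "rejected_by_bank"


# Constructed sample: the customer wants to pay 1500.00 to a known account, but a
# trojan swaps the recipient for a mule account while keeping the amount unchanged.
INTENDED = {"amount": "1500.00", "recipient": "BE00 0000 0000 0001"}  # constructed
SWAPPED = {"amount": "1500.00", "recipient": "BE00 9999 9999 9999"}   # constructed mule account

if __name__ == "__main__":
    print("amount only:       ", simulate(AMOUNT_ONLY, INTENDED, SWAPPED))
    print("amount + recipient:", simulate(AMOUNT_AND_RECIPIENT, INTENDED, SWAPPED))
```

With amount-only binding the swapped transfer is approved, because the SMS shows nothing the customer could disagree with; with the recipient bound and echoed, the customer sees the mule account and refuses. The nonce in the HMAC is what makes the "please re-enter your code" trick from the summary useless against this design: a code typed into a fake error dialog is tied to one attempt and one set of details, so it cannot authorise anything else.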

Re:How long until..... (1)

knarf (34928) | more than 4 years ago | (#33027766)

A device that only did banking could be really cheap

Will the bank also charge $54 for 'shipping'?

Don't fall for these eBay scam prices. They advertise low low prices with exorbitant 'shipping' charges to a) fool you into thinking this is a really good deal and b) pay lower eBay fees (which are based on a percentage of the purchase price, not the 'shipping' fees).

Re:How long until..... (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#33027884)

The "ebay-low" price is probably a scam (or just a link to something that is early in its bidding lifecycle / not going to hit reserve this round); but the real-world cash-and-go price for those horrid little WinCE-based 'netbooks' is $80-$100. Not quite as rosy as 24.99, but still fairly cheap and falling.

I wouldnt dream of using a Windows box for banking (0, Troll)

miffo.swe (547642) | more than 4 years ago | (#33027314)

I personally never use a Windows computer for banking. I always use an updated Linux computer when I do anything involving money.

Windows + Internet Explorer is proven to be insecure and not fit for anything that demands security. With Linux you can be unsure about security; with Windows you know it's very bad and insecure by design.

Dutch original? (1)

tpgp (48001) | more than 4 years ago | (#33027318)

I'd say if it was Belgium, rather than the Netherlands, then the language in question was Flemish.

Re:Dutch original? (0)

Anonymous Coward | more than 4 years ago | (#33027346)

Most of the Belgian people are Flemish, but the official language is still Dutch.
Flemish is just a bunch of dialects, which are very region dependent. (It changes every 20 - 40 km.)

Re:Dutch original? (0)

Anonymous Coward | more than 4 years ago | (#33027350)

I'd say if it was Belgium, rather than the Netherlands, then the language in question was Flemish.

Flemish is a dialect of Dutch.

Re:Dutch original? (0)

Anonymous Coward | more than 4 years ago | (#33027874)

No. Learn the meaning of the word dialect. And while you're at it, please also do some research on the history of the Dutch/Flemish(/German) languages. Then post again. PS: I'm Flemish. And I have an interest in languages and their history.

Re:Dutch original? (0)

Anonymous Coward | more than 4 years ago | (#33027354)

Yes the original is in Dutch. In Flanders they speak Dutch.

Re:Dutch original? (0)

Anonymous Coward | more than 4 years ago | (#33027914)

Stupid Flanders

-- Homer

Re:Dutch original? (0)

Anonymous Coward | more than 4 years ago | (#33027360)

Flemish is a dialect of Dutch.

Re:Dutch original? (4, Informative)

mrvan (973822) | more than 4 years ago | (#33027366)

Flemish is a dialect of the Dutch language. I know, dialect is generally a political rather than a linguistic term, but:

- The official languages of Belgium are Dutch and French (and German...), not Flemish and Walloon
- The written languages are identical (except for some idiom)
- People can understand each other without effort (except for heavy local dialects, which is the same in most languages)
- Anecdotally, I think the within-country dialectal differences (e.g. standard Dutch versus Limburgs, Twents; "standard Flemish" vs. West-vlaams etc) are as great as or greater than the between-country differences.

You should see Dutch and Flemish the way you see British English and American English, minus the spelling differences.

Re:Dutch original? (1)

rapiddescent (572442) | more than 4 years ago | (#33027740)

- The official languages of Belgium are Dutch and French (and German...), not Flemish and Walloon

French - but with differences, well, 17 for one.

you need to understand the derivation (1, Funny)

circletimessquare (444983) | more than 4 years ago | (#33028024)

although true of all the low countries, belgium is yet more cold and clammy and humid than the netherlands. this means people generally have a lot of mucus build-up in their airways. so in belgium they speak their dutch with a more guttural, throaty idiom

thus, they speak "phlegmish"

Re:Dutch original? (0, Offtopic)

nstlgc (945418) | more than 4 years ago | (#33027368)

Not really. Flemish as a language does not exist - officially it's all Dutch. But don't blame yourself, more than half of the Flemish population is not really aware of this fact. (Full disclosure: I'm from Flanders)

Re:Dutch original? (3, Informative)

Anonymous Coward | more than 4 years ago | (#33027386)

No, Belgium has three official languages: Dutch, French, and German (the first two account for the bulk of Belgian people). There are three dialect families of Dutch in the Dutch-speaking part of Belgium: Flemish ('Vlaams'), Brabantic ('Brabants'), and Limburgish ('Limburgs'). Sometimes all of these are lumped together under the moniker 'Flemish', which is not really accurate.

Anyhow, Flemish is certainly not a different language, and the language you find in written communication, such as the newspaper article in question, is Dutch, not Flemish. There does exist some variation in e.g. vocabulary between the 'Belgian' and the 'Netherlandic' variants, but the original article would be perfectly readable to any Dutchman.

Re:Dutch original? (1, Funny)

Anonymous Coward | more than 4 years ago | (#33027690)

<homer>stupid Flanders.</homer>

Note the fraud dates from 2007 (2, Interesting)

Anonymous Coward | more than 4 years ago | (#33027332)

The fraud dates from 2007, but it didn't go unnoticed for 3 years. The investigation took 3 years to complete because in Belgium the police does its job properly.

Re:Note the fraud dates from 2007 (3, Informative)

Hognoxious (631665) | more than 4 years ago | (#33028232)

Money-Mules (3, Interesting)

gweihir (88907) | more than 4 years ago | (#33027348)

I can at least attest that the search for money-mules is getting more and more aggressive and annoying here. Everybody thinking of making some easy money that way should think again. If the original target goes to the police, the money-mule will have to refund the full amount of money lost and likely will get punished. The reason is that courts typically rule that the fraudulent nature of the job was obvious and hence the money-mule is an accomplice.

Really good Flash demo (3, Funny)

noidentity (188756) | more than 4 years ago | (#33027372)

(Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code.

That's an excellent Flash demo. For some reason it asked for my account number and password. It's on a safe site so I went ahead and entered it, but it gave some kind of error.

PassWindow could have prevented this (1)

Mattpw (1777544) | more than 4 years ago | (#33027496)

My PassWindow method could have prevented this and would have cost practically nothing to implement too. The transaction verification method employed by the electronic tokens which do the transaction signing, as explained in the article, has the fatal flaw that it requires user action for the transaction verification part, i.e. entering the website-generated challenge and then their transaction destination account number etc. (a very laborious process for the users). With PassWindow the transaction information is encoded into the challenge and the user is forced to recognize it (not merely click an authentication button, as with some other devices), as this info, such as the destination account number, is cycled alongside the actual authentication confirmation numbers. Once you put up complicated user action hurdles, if the attacker owns the browser it wouldn't be too difficult to simply instruct the user to do as you wish, claiming a security test or some such. Honestly, with the number of digits required to be entered into both the device and the terminal by the user (up to 40+ on some of the devices), I'm not surprised it all turns into a blur of action for many users.

Re:PassWindow could have prevented this (0)

Anonymous Coward | more than 4 years ago | (#33027840)

So how do you simulate the air gap? Remember that the local computer, including all drivers etc., is owned by the attacker.

I still think the physical device that is not connected to the computer seems like the best solution, we just need to have 3 different encryptions on them, 1 for login, 1 for account verification and 1 for sum verification.

Re:PassWindow could have prevented this (2, Informative)

Mattpw (1777544) | more than 4 years ago | (#33027928)

There is no simulation, it is a real air gap: the PassWindow is just printed onto an ordinary piece of plastic card, just like any barcode. There are no electronics, software or hardware. The challenge is just an animated GIF; it works on any device regardless of the situation. The transaction information is encoded into the GIF, so the trojan only has one avenue of attack, which is long-term statistical analysis, but we assume every terminal is already compromised like this, so we do our own analysis at key generation and determine exactly how many interceptions would be required by the theoretical trojan. With some simple tweaks we can get 10K+ interception rates, so it would take decades of normal user interceptions to get enough data to analyse. Of course the server issues a new card to a user if their use rate goes anywhere near the interception rate. In short you end up with semi-passive transaction verification, so the user can't be tricked into entering the mule account details because it's all done server-side; it's also much easier to use, the devices from the article are a major pain and take forever to use.

Re:PassWindow could have prevented this (2, Interesting)

hankwang (413283) | more than 4 years ago | (#33027888)

My Passwindow method could have prevented this and cost practically nothing to implement too,

I suppose you mean http://www.passwindow.com/index.html [passwindow.com] ?

As far as I can tell, there are two problems with this:

  • A Trojan could intercept enough data to reconstruct the mask. The whitepaper claims that you need to capture between 30 and 1000 transactions. That doesn't account for the fact that the trojan does not need to be 100% successful (probably the user can try 3 times).
  • Unlike an embedded EMV chip, the mask is trivial to copy; the owner will not notice that his passwindow card is missing. With a telephoto lens, an attacker could photograph you from a distance while you use an ATM. This means that you still need a password or cryptographic authentication.

Re:PassWindow could have prevented this (1)

Mattpw (1777544) | more than 4 years ago | (#33028042)

Yes, when the whitepaper was done and PassWindow was initially featured on Slashdot it was a static challenge with several digits in the static challenge; these were interceptable in, say, 30 interceptions, so a month or two's worth of normal use. However, since then we've had some major breakthroughs beyond just switching to the purely animated cyclical method; we've been able to easily achieve interception rates of 10K plus with very little usability obfuscation. A side benefit of this new method is that the analysis doesn't actually give the attacker a clear probabilistic determination at, say, 80% of the necessary number of interceptions; actually it's only in the last few interceptions that it all falls into place for the attacker, so a guess at 80% isn't knowing 80% of the key pattern. Of course, since the whole key process has been pre-analyzed it is managed, and a new card can be issued before it gets anywhere near the number of authentications which might compromise the key pattern. Once you start talking thousands of interceptions required from a normal user, even if they authenticate every single day of the year and the attacker is prepared to analyze over a number of years, he still won't get anywhere near the numbers required, and the average membership card usually only has a few years of life in it anyway. But beyond that, the EMV chip doesn't help online-based authentication, as was shown in the article; it's not even helping much of the ATM fraud it was designed for, where most ATMs in the world don't even check the EMV chip. The associated CAP readers, which use the digital key off an EMV chip for their online authentication, use the exact same method of authentication as provided in the article, and we can see that has failed.

Re the telephoto lens attack etc.: you are incorrect, it is not trivial to copy, as we simply tint the key pattern; in normal lighting conditions it appears black, but screens are quite bright and still allow the user to see quite clearly. This is without even going into transflective laminates etc.; really the only way would be with a rubber hose or physical interception, and there EMV will fail too. A piece of transparent plastic card costs less than a few cents, and so if a bank was really paranoid about their users waving their credit cards around in public they could easily issue a separate card. A digital version could also be constructed; however, the costs outweigh the benefits.

As Zaphod would have said (1)

Hozza (1073224) | more than 4 years ago | (#33027558)

Oh. Belgium!

Belgian police does not care about online crime (1, Interesting)

Anonymous Coward | more than 4 years ago | (#33027654)

I'm from Belgium, I rather big websites and I reported fraud a couple of times; they replied to me with this:

> We can't keep ourselves occupied with 'things like this'.

So the part about it being unreported might just be "undocumented".

Fancy authentication protocols (1)

david_bandel (909002) | more than 4 years ago | (#33027678)

"The problem with beauty is that it's like being born rich and getting poorer."

This FP _for GhNAA (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#33027908)

shar3, this news to stick something for aal practical members all over

I don't know. (1)

ColaMan (37550) | more than 4 years ago | (#33027930)

I'm torn between pity and some sort of vague feeling that justice has been served upon the Belgian public.

On the one hand, nobody wants to see someone taken advantage of, and on the other, they *do* share a border with the Dutch.

Bank robbery (0)

Anonymous Coward | more than 4 years ago | (#33028062)

The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown.

Wow, imagine the bank did that for an actual good ol' fashioned bank robbery...

Nice responses to the original article (1)

houghi (78078) | more than 4 years ago | (#33028096)

From top to bottom the responses are:
* 4.000 EUR is a lot for some people (Get off my lawn)
* Link to FOSDEM (Free and Open Source Software Developers European Meeting)
* Mac is more secure (Standard Mac fanboy)
* Banks are thieves (Standard not addressing the issue, just name-calling)
* Make banking more secure (Blaming the banks, not the people who stole it)

That looks like /. in only 5 postings.

Re:Nice responses to the original article (1)

Mattpw (1777544) | more than 4 years ago | (#33028148)

Don't forget me with my PassWindow :)
* Works on any device irrespective of OS or software.
* Doesn't matter if a trojan or malware is present on the device; assumes malware is present.
* Costs practically nothing to implement.
* Not vulnerable to phone-based extensions of the above attack where users are called and socially engineered out of their authentication keys.

COMON !! EASTERN EUROPE = DIRTY RUSSIANS !! (-1, Offtopic)

Anonymous Coward | more than 4 years ago | (#33028106)

In the Soviet Block... we fucking steal your shit!! That's what we do! That's all we know how to do! And we do it damn well, thank you very much. And here's your wallet back! Huh? Of course there's no money in it you stupid, stupid fool!

typical bank behavior.. (1)

hesaigo999ca (786966) | more than 4 years ago | (#33028328)

This is typical banking behavior when it comes to investigating fraud: they cannot really prove THE CLIENT'S COMPUTER was at fault...
so once they see the problem being fraud in another country when the person is still here, they just block the card and refund whatever money they lost, and still the banks are showing all-time high profit margins... go figure... makes you wonder just how much they really need to up their service charges for transactions all the time...!

Trojan horses... (1)

Mikey48 (1798918) | more than 4 years ago | (#33028734)

"Trojan horses that were planted onto the victims' computers..." and no one noticed the horses? Mike