
Largest Ever Online Robbery Hits Swedish Bank

Zonk posted more than 7 years ago | from the put-your-bits-up dept.

Security 218

ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started by a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"


In other news... (5, Funny)

lixee (863589) | more than 7 years ago | (#17684886)

In other news, Nordea is planning to relocate to Sealand.

Options (2, Insightful)

MrNaz (730548) | more than 7 years ago | (#17684910)

Slashdot Option 1: Encourage stupid people by paying out when they do stupid things like believe email that reads "Dwonlaod tihs spam fihgting tool". Slashdot Option 2: Encourage banks to absorb financial responsibility of eCommerce mishaps and take the lead in system security. Can't... make... decision... brain... splitting... in... half...

Re:Options (0, Flamebait)

Joebert (946227) | more than 7 years ago | (#17685020)

You think that's a toughie, wait until they announce the people responsible are the same ones who lost money.

This is a Swedish bank we're talking about.

Re:Options (1)

jgrahn (181062) | more than 7 years ago | (#17685234)

You think that's a toughie, wait until they announce the people responsible are the same ones who lost money.

This is a Swedish bank we're talking about.

Sweden != Switzerland.

Re:Options (1)

Joebert (946227) | more than 7 years ago | (#17685306)

Of course it's not, everyone knows what goes on in Swiss banks.

Re:Options (2, Insightful)

P3NIS_CLEAVER (860022) | more than 7 years ago | (#17685196)

My bank now demands additional secrets if I try to log in from an IP that is different than the usual one. A little inconvenient but i am sure it helps.

Re:Options (2, Insightful)

Poruchik (1004331) | more than 7 years ago | (#17685860)

And how does this help if your regular computer has a trojan?

Re:Options (1)

P3NIS_CLEAVER (860022) | more than 7 years ago | (#17685940)

You never type in the secret because this is your 'regular' ip.

Re:Options (1)

sholden (12227) | more than 7 years ago | (#17686030)

The trojan can just perform the transactions itself... from your normal IP... probably using the auth cookie you just created...

Re:Options (2, Insightful)

P3NIS_CLEAVER (860022) | more than 7 years ago | (#17686318)

Note that I said "helps". There is no one method to secure a computer or transaction, only improvements.

According to whom?! (5, Interesting)

rumith (983060) | more than 7 years ago | (#17684956)

According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia.
And what has the Swedish police established, according to the Swedish police? Why quote McAfee? What business do they have here?

Re:According to whom?! (1)

Artaxs (1002024) | more than 7 years ago | (#17685162)

"Why quote McAfee? What business do they have here?"
McAfee and Symantec love all the free press when news outlets turn to them as "experts" for comments on computer security stories. The more inflated the "damage in dollars" numbers they come up with, the more free advertising they get.

Re:According to whom?! (1)

AutopsyReport (856852) | more than 7 years ago | (#17685600)

Ever consider that perhaps McAfee was consulted on this matter?

Re:According to whom?! (1)

rumith (983060) | more than 7 years ago | (#17685686)

Still, I do not quite understand, why should an article quote a software security company when reporting actions of foreign police. It would be okay if they quoted McAfee on what kind of trojan was used and such stuff, but to quote them on the number of suspects? I think that's too much.

Re:According to whom?! (1)

AutopsyReport (856852) | more than 7 years ago | (#17685804)

They didn't quote on the number of suspects -- the "121 suspects" was an additional fact mentioned a sentence after the McAfee sentence. And you are reading the Slashdot summary, not the actual article.

Also, McAfee did provide details on the trojan. Read the third, fourth and fifth paragraph of the article. Read the article next time.

Re:According to whom?! (1)

rumith (983060) | more than 7 years ago | (#17686158)

Read my initial post again [which contains a quote from the article, not the summary; thus I indeed have read it]. And regarding the trojan details - perhaps I expressed myself a bit unclearly; what I meant was that it's okay to see the trojan details in the article given by McAfee, but strange to see police operation details given by them, too.

Re:According to whom?! (1)

Nemetroid (883968) | more than 7 years ago | (#17685886)

Because http://polisen.se/ [polisen.se] doesn't even mention that this has happened, so unless you are in direct contact with the Swedish police you can't get any info from them.

The whole article appears to be FAKE (1)

rumith (983060) | more than 7 years ago | (#17686254)

Because, you see, http://mcafee.com/ [mcafee.com] doesn't even mention that this has happened, either. The McAfee site search returns empty results [mcafee.com] . Besides, Google searches on `nordea mcafee` and `nordea robbery` also didn't return anything comprehensive. Did a McAfee contact whisper it secretly in the ZDNet editor's ear?

Re:The whole article appears to be FAKE (3, Informative)

Nemetroid (883968) | more than 7 years ago | (#17686298)

No, this has been reported by Dagens Nyheter [www.dn.se] , The Daily News, which is Sweden's largest and most serious newspaper.

I am not surprised... (2, Insightful)

Corporate Troll (537873) | more than 7 years ago | (#17684958)

Those who are not into technology have no idea.... Look at my latest journal [slashdot.org] . You can have a PhD and fall for the simplest scam there is. Computers do seem to have this effect on people: their common sense fails because computers are somehow "Magic".

It's tragic if you ask me.

Re:I am not surprised... (3, Insightful)

PadRacerExtreme (1006033) | more than 7 years ago | (#17685096)

So a PhD in medieval literature makes you an expert in computers and email? I am not saying that she shouldn't have known better (the SPAM indicator), but the PhD alone doesn't really matter. Besides some people are always looking for a get rich quick scheme.

Users' fault (0)

Anonymous Coward | more than 7 years ago | (#17684986)

>>The sender encouraged clients to download a "spam fighting" application.

Why should the bank have to fork out cash because the users can't see an obvious phishing email?

Re:Users' fault (1)

mangu (126918) | more than 7 years ago | (#17685976)

Why should the bank have to fork out cash because the users can't see an obvious phishing email?

I can see several reasons for that. One is that maybe there's something in the law or banking regulations about it. The second is that if it's mostly small amounts that were stolen, it would be cheaper to pay than to fight it in court.

But I guess the most important reason is that the bank wants to make people confident about doing business online. It's so much cheaper for the bank to do online business rather than having cashiers at the counter that it pays to do some reimbursements to people who, technically, wouldn't be entitled to them.

Twofo fucks you (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#17685014)

Go fuck them first [twofo.co.uk]

dc++ hub.twofo.co.uk:4144

fuck this shit

Crime Doesn't Pay (3, Insightful)

Zzesers92 (819281) | more than 7 years ago | (#17685028)

$1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime. Zzesers

Re:Crime Doesn't Pay (1)

x3nos (773066) | more than 7 years ago | (#17685354)

Currently, 121 people are suspected of being involved. The attack started by a tailormade Trojan sent in the name of the bank to some of its clients, according to McAfee.

While I am sure that "121 people are suspected", in reality, it is going to be much less. Many of these 121 that are being counted, I am sure, are zombied machines, associates that in reality have no involvement and just plain "suspects"; however I assume that there are probably less than a dozen or so actual_bad_guys.

Re:Crime Doesn't Pay (2, Insightful)

arevos (659374) | more than 7 years ago | (#17685634)

$1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime.

Whilst this may be true in a country like the USA, it's worth noting that the difference between average incomes between western Europe and Russia make it more profitable than it might seem at first glance. The average yearly salary in Russia is around $4800, whilst the average salary in countries like the US and Sweden is about 8 times that.

Multiplying by 8 gives $66,116, and whilst I suspect such a figure would still not be worth the risk of being caught (and with 121 people involved, there's got to be an increased chance of someone slipping up), it's probably a lot more attractive than the figure of $8264.46 would suggest.

Re:Crime Doesn't Pay (1)

networkBoy (774728) | more than 7 years ago | (#17686234)

just some quick math in my head:
4800 x 10 == 48,000 66,116 != 8 x 4800

Re:Crime Doesn't Pay (1)

networkBoy (774728) | more than 7 years ago | (#17686264)

should be a < between the 48,000 and 66,116, sorry.

Hmm... (1)

borawjm (747876) | more than 7 years ago | (#17685032)

Bank pays for user ignorance? Sounds like a nice bank. My bank would probably tell me I'm SOL.

Re:Hmm... (1)

usmdesigner (1049806) | more than 7 years ago | (#17685174)

I'm sure my bank would actually want money back for the actual money that was taken due to that mistake

Good PR i guess (0)

Anonymous Coward | more than 7 years ago | (#17685588)

In the grand scheme of things, 1 million dollars is probably not that much for one of the largest banks in Sweden. If it was 1 billion the tune would probably be a bit different.

LULZ (5, Funny)

Anonymous Coward | more than 7 years ago | (#17685072)

The biggest online robbery ever was a lousy million dollars? Oh come on, someone's gotta be able to do better than that. Get it in gear, people, it's 2007, we should be having way bigger cybercrimes by now. Someone hax0r the Gibson or something.

the hard part (3, Interesting)

Lord Ender (156273) | more than 7 years ago | (#17685076)

Stealing passwords is trivially easy. Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.

The trick is getting cash transfered from someone's bank once you have their credentials.

Re:the hard part (1)

sglane81 (230749) | more than 7 years ago | (#17685466)

Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.
You don't keep "something you have" (keys, tokens, etc) or "something you are" (retina, fingers, etc) in your computer. Therefore, MITM (man in the middle) would not work even if someone pwns your computer. That is the whole point of two factor auth.

Re:the hard part (1)

FallLine (12211) | more than 7 years ago | (#17685990)

You don't keep "something you have" (keys, tokens, etc) or "something you are" (retina, fingers, etc) in your computer. Therefore, MITM (man in the middle) would not work even if someone pwns your computer. That is the whole point of two factor auth.
Not quite. SecurID and similar schemes make it a lot harder, but there's no reason why someone couldn't perform a man in the middle attack while the victim is attempting to log into the service. Once the victim types in the key, they could simply cancel/kill the victim's session (or computer) and then proceed to use the victim's key on the service. Of course, SecurID and other implementations make this much harder since the window of opportunity is at most ~30 seconds (or whatever the duration the key is valid for) -- the hacker would have to be very quick.

Re:the hard part (1)

adamstew (909658) | more than 7 years ago | (#17686518)

Isn't this what trusted computing is supposed to protect against? If you have a secure channel between your keyboard and your browser, and the browser's memory is protected, then a keylogger simply wouldn't be able to grab your password or secure ID token.

As much as we might not like trusted computing, as far as the DRM implications are concerned, it does have some legit and very useful applications...especially in thwarting phishing attacks like this.

Re:the hard part (2, Informative)

dgatwood (11270) | more than 7 years ago | (#17686138)

Two-factor auth is really not that useful. Indeed, n-factor is not better than single factor. What is required for a transaction to be secure are the following:

  • A known secure endpoint (a computer without spyware)
  • A secure communication channel between the two (https)

Without BOTH of those, no additional factors will help.

Here's a short description of how the basic attack works. Your second factor is a SecurID or CryptoCard token. You key in your pin number and the value currently shown on that token. The software captures the keystrokes. It then causes your browser's DNS lookup to be delayed several seconds during which time it sends the information to another computer belonging to the attacker, which automatically logs in. At that point, it releases the stream and allows the DNS request to complete, taking you to your bank's website.

Now at this point, that value has already been used. Depending on the bank's systems, your token value might be accepted for a short window of time, in which case you won't know anything is wrong. In the worst case, it gets rejected, but you assume you mistyped/misremembered it. By that time, the next token is on the screen (SecurID) or the screen is blank (CryptoCard), so you have to use the NEXT number. You log in with the new number and think that everything is okay. The attacker keeps his/her connection alive through meaningless browsing until the spyware says that you have logged off the remote banking site, then transfers all the money from your account into a Swiss bank account.
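
The race described in the comment above, simulated as an added example; it is not part of the thread and not any bank's or token vendor's code. The HMAC-derived six-digit code, the 30-second step, the seed and the user name are assumptions. A keylogger captures the code the victim typed, the attacker logs in with it during the delay it injected, and then the victim's own login arrives. The server-side single-use check changes only who gets rejected, not who gets in first, which is the point of the comment.

```python
"""Time-window OTP login with and without server-side single-use enforcement.

Added example, not code from the thread, Nordea, RSA or any bank. The seed,
30-second step and user name are constructed; the code derivation is a
TOTP-style HMAC truncation chosen for illustration."""
import hashlib
import hmac
import struct

SEED = b"constructed-demo-seed-not-a-real-token"   # constructed sample seed
STEP = 30                                          # assumed validity window (seconds)


def token_code(seed: bytes, t: int) -> str:
    """Six-digit code for the time step containing second t (TOTP-style)."""
    counter = struct.pack(">Q", t // STEP)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1_000_000
    return f"{val:06d}"


class BankServer:
    """Accepts the current and previous step (clock skew); optionally refuses
    a (user, step) pair that has already been used to log in."""

    def __init__(self, seed: bytes, single_use: bool):
        self.seed = seed
        self.single_use = single_use
        self.used = set()   # (user, step) pairs already consumed

    def login(self, user: str, code: str, now: int) -> str:
        step = now // STEP
        for s in (step, step - 1):
            if hmac.compare_digest(code, token_code(self.seed, s * STEP)):
                if self.single_use and (user, s) in self.used:
                    return "rejected: code already used"
                self.used.add((user, s))
                return "ok"
        return "rejected: bad code"


def replay_attack(single_use: bool):
    """Keylogger captures the victim's code at time t; the attacker logs in
    first (during a delay it injected), then the victim's login arrives."""
    server = BankServer(SEED, single_use)
    t = 1_000_000                                  # constructed timestamp
    typed = token_code(SEED, t)                    # what the keylogger captured
    attacker = server.login("alice", typed, t + 2)  # attacker wins the race
    victim = server.login("alice", typed, t + 5)    # victim's delayed login
    return attacker, victim
```

With `single_use=False` both logins return "ok" and the victim notices nothing; with `single_use=True` the attacker is still "ok" and it is the victim who sees "rejected: code already used", which most people write off as a typo, exactly as the comment describes.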

Re:the hard part (2, Insightful)

dgatwood (11270) | more than 7 years ago | (#17686306)

Or possibly not a DNS lookup. Possibly just delaying ACKs and stuff on the outbound TCP connection to make the connection open more slowly and delay any useful receipt of data... or inserting bogus NAKs or... could be anything. The point is that an attacker would do something to delay the connection.

These sorts of flaws have been talked about for a while now. Man-in-the-middle attacks are hard to protect against, and impossible if one endpoint is the untrusted man in the middle. In this way, it is basically the same fundamentally unsolvable problem as digital rights management, and for precisely the same reason: with a potentially untrusted device as a communication endpoint, you cannot guarantee that you can protect data sent or received by that endpoint from compromise.

Re:the hard part (2, Informative)

Lord Ender (156273) | more than 7 years ago | (#17686146)

Like so many things in life, something you (know|have|are){2,} is an oversimplification. It's a lossy compression (if you will) of the much-more-complex science of authentication. This is why you misunderstand the subject.

Think it through: I have a keystroke logger on your PC. You type in your username (something you know) and your SecurID code (something you think you have :-). I then log in to your online bank app using the stuff you just typed and start transferring money.

For these purposes, the SecurID "something you have" is an illusion: It is really just "something you know (for sixty seconds)".

Even "something you are" is really "something you know" if the bioscanner is external to the system to which you are authenticating (which is the case for all over-the-net type apps).

Oversimplification is loved by sales people, but it is bad overall. It causes people like you to think SecurID really is "two-factor authentication." It's not, at least not entirely.

the ends justify the means? (3, Funny)

Anonymous Coward | more than 7 years ago | (#17685102)

The sender encouraged clients to download a "spam fighting" application.


the 'spam fighting' app almost did exactly what it was deceptively claiming to do;

bankrupt the people, force them to sell their technological idolatry, bam-- no more spam.

Victims (5, Insightful)

Sloppy (14984) | more than 7 years ago | (#17685122)

The bank is refunding everyone who lost money (even if they hadn't taken precautions) - good news for the victims

No, that merely changes who the victims are. There is no such thing as "good news for the victims" unless the stolen money is recovered.

Re:Victims (1)

Metathran0 (1052636) | more than 7 years ago | (#17686506)

It seems to me that not only does refunding the money not change the overall situation, it's also going to indoctrinate those who were the original victims with the idea that "oh, now I don't have to worry about future attacks, because if anything happens, the bank will just reimburse me." While I realize that it's not the customer's fault, there must be something else that can be done to make customers more aware of phishing attacks. Honestly, reviewing the bank's security features may be helpful, but it completely ignores the other problem, namely the gullibility of the customers.

FDIC? (4, Informative)

Thansal (999464) | more than 7 years ago | (#17685138)

If this was to happen in the US, would the FDIC cover these types of things?

And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam; however, I hope they now include something that says "if it was your fault someone else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandatory!

For those of you who have an ING account you know what their security is like. Nothing much that will hamper a real customer, but things that should stop non-customers.

Re:FDIC? (1, Informative)

Anonymous Coward | more than 7 years ago | (#17685488)

And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam; however, I hope they now include something that says "if it was your fault someone else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandatory!

This bank promoted its online services with ads with elderly women showing how easy it was to use.

And it is slightly easier than its main competitor (Swebank/foreningssparbanken) that uses a personal code box (like a little calculator) to generate codes on the fly. You get a number, run it in your box, and get a code that you feed back to the page. You make one for logging in, and another to confirm a transaction and so on.

Nordea on the other hand supplies a list of one time codes for verification, but as is evident, if you can get such a code along with some personal info you're good to go. So the reason they are not harder on the clients is that they sold them on the service being simpler. They have attracted clients with less web savvy deliberately and chosen a less secure method to simplify their system. Not to shoulder responsibility would be hypocritical.
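
The two second-factor schemes contrasted in the comment above, simulated as an added example; it is not from the thread and not Nordea's, Swedbank's or any code box vendor's code. The printed list, the device key, the account names and the MAC construction are all assumptions. The difference that matters against a trojan is whether the code the customer keys in is a bare bearer secret (printed list) or a response bound to a challenge plus the amount and destination (code box): a captured code of the first kind authorizes whatever the attacker submits, a captured response of the second kind only authorizes the transfer the customer already intended.

```python
"""Printed one-time code list versus transaction-bound challenge-response.

Added example, not code from the thread, Nordea or Swedbank. Codes, keys,
account names and the MAC-based response are constructed for illustration."""
import hashlib
import hmac
import secrets


def mac_code(key: bytes, msg: str) -> str:
    """Six-digit code from an HMAC; stands in for whatever a real code box
    computes (an assumption, not a real device's algorithm)."""
    digest = hmac.new(key, msg.encode(), hashlib.sha256).digest()
    val = int.from_bytes(digest[:4], "big") % 1_000_000
    return f"{val:06d}"


class PrintedListBank:
    """Each printed code is a bare bearer secret, consumed in order; it
    authorizes whatever transaction it is submitted with."""

    def __init__(self, codes):
        self.remaining = list(codes)

    def transfer(self, code: str, amount: int, dest: str) -> str:
        if self.remaining and hmac.compare_digest(code, self.remaining[0]):
            self.remaining.pop(0)
            return f"sent {amount} to {dest}"
        return "rejected"


class CodeBoxBank:
    """Challenge-response box: the customer keys the challenge, amount and
    destination into the device, so the response is bound to those details."""

    def __init__(self, key: bytes):
        self.key = key
        self.open_challenges = set()

    def challenge(self) -> str:
        nonce = secrets.token_hex(4)
        self.open_challenges.add(nonce)
        return nonce

    def box_response(self, nonce: str, amount: int, dest: str) -> str:
        # What the customer's device computes from what they typed into it.
        return mac_code(self.key, f"{nonce}|{amount}|{dest}")

    def transfer(self, nonce: str, response: str, amount: int, dest: str) -> str:
        if nonce not in self.open_challenges:
            return "rejected: unknown or used challenge"
        expected = self.box_response(nonce, amount, dest)
        if not hmac.compare_digest(response, expected):
            return "rejected: response does not match transaction"
        self.open_challenges.discard(nonce)   # one response, one transfer
        return f"sent {amount} to {dest}"


CODES = ["482913", "117204", "905561"]   # constructed printed list
KEY = b"constructed-code-box-key"          # constructed device key
MULE = "SE-attacker-mule"                  # constructed destination account


def printed_list_attack() -> str:
    """Trojan shows the customer an error, keeps the code they typed, and
    spends it on the attacker's own transfer."""
    bank = PrintedListBank(CODES)
    captured = CODES[0]                    # keylogged as the customer typed it
    return bank.transfer(captured, 50000, MULE)


def code_box_attack():
    """Same trojan against a code box. The captured response only fits the
    transfer the customer computed it for; a changed amount or destination
    fails, and the nonce is consumed after one use."""
    bank = CodeBoxBank(KEY)
    nonce = bank.challenge()
    captured = bank.box_response(nonce, 100, "SE-friend")       # customer's intended transfer
    redirected = bank.transfer(nonce, captured, 50000, MULE)      # attacker alters details
    replayed_as_is = bank.transfer(nonce, captured, 100, "SE-friend")  # only the customer's own transfer
    reuse = bank.transfer(nonce, captured, 100, "SE-friend")      # nonce already consumed
    return redirected, replayed_as_is, reuse
```

The residual risk with the code box is the middle case: the trojan can still let the customer's own, already-authorized transfer go through, but it cannot redirect the money, and a purely login-time code (the first response in the comment's scheme) would still need a separate transaction response before any funds move.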

Re:FDIC? (1)

Thansal (999464) | more than 7 years ago | (#17685724)

wait, if they are using one time keys, HOW THE HECK did a keylogger help?

single use keys should make a keylogger pointless. I actually like that method more than the other company's. If they are generating codes based on a static pin, that must be crackable.

I still prefer ones that have a decent selection of possible questions you will be asked (making a keylogger that much less effective), a VPK for your PIN (AKA your keyboard can NOT enter your pin), and an identifier (Picture+phrase) so you know you are on the bank's page (and not a fake).

Re:FDIC? (1)

jmoen (169557) | more than 7 years ago | (#17685930)

They changed from password/account number + pin authentication or something to printed one time passwords shortly after they detected the break-in. In fact they changed it overnight, so to speak.

Re:FDIC? (1)

Thansal (999464) | more than 7 years ago | (#17685998)

ah HA!

AC lies! They were using an incredibly insecure method.

Thanks for the info. One time pins are rather nice, the only problem is that they are either cumbersome (having to request them and what not), or a target for gathering (as people will get them in batches, and then store them in .txt on their desktop).

Re:FDIC? (0)

Anonymous Coward | more than 7 years ago | (#17686182)

Well, I used to be a Nordea customer and they've been using single use codes for at least 3 years. I assure you. Maybe not for all users?

Re:FDIC? (1)

jmoen (169557) | more than 7 years ago | (#17686428)

Sorry, but I mixed this case up with another Scandinavian bank called Scandiabanken that just had this happen to them. Not at such a big scale, but they have locked all their users out while the users are waiting for printed one time passwords by snail mail.

The Nordea issue is that the trojan sent login information to the scammers while at the same time giving errors at logon to the bank web page. This trojan also links to several other Scandinavian banks so it could be bigger than just Nordea.

Re:FDIC? (1)

Thansal (999464) | more than 7 years ago | (#17686748)

ahh, thanks for the clarification, and I apologize to AC!

So this was not a keylogger, it was considerably more.

MY question is how the program worked. If it was simply tossing up dummy pages instead of the actual bank page then the easy fix is one where you make sure the customer knows they are on their own page (show a customer selected image/phrase/whatnot). The amusing thing is that the first place I ever saw this was on NeoPets (it showed you your active pet and their name before taking your PW), and this was well before I saw it on a bank (I think it must have been around 4+ years now).

Of course if they were playing with packets/requests between bank/user then that is harder for the bank to counter.

Re:FDIC? (1)

jmoen (169557) | more than 7 years ago | (#17686130)

Sorry, have to reply to myself, I mixed this up with another similar issue.

Nordea were using one time printed passwords but the trojan gave an error on login and sent the code to the scammers, thus allowing the scammers to use that code.

Re:FDIC? (1)

kastberg (726375) | more than 7 years ago | (#17685660)

They are amongst the more secure internet banks I've heard of, especially considering American banks. Last time I used it they were using one time pads, that's pretty darn secure. But it doesn't help if the computer is trojaned. So, it's really the customers at fault here, but I can see it as a good business move to reimburse them, since banking over internets is larger in Sweden than anywhere else.

Re:FDIC? (1)

tinkertim (918832) | more than 7 years ago | (#17685688)

>> If this was to happen in the US, would the FDIC cover these types of things?

I don't think so. The FDIC is more of a surety for the bank itself. In this case the bank wasn't actually the one robbed, the customers were digitally conned. It's a good business for FDIC itself as your premium as a bank would depend on your fraud record.

[this] bank is being pretty cool about it, probably because the phishing e-mail containing the trojan appeared to come from the bank's domain. It's a semi dangerous public precedent they're setting however.

People should take the same precaution logging into their bank from home as they would take using an ATM in a neighborhood where you hear gunfire close by as a normal thing, but for some reason, they just don't get it.

I really doubt FDIC would ever DREAM of rewarding irresponsible behavior (cough ahem wheeze) , that would *never* happen, right? So look for FDIC digi-thug premium hikes in Q3 of this year, less interest paid in checking yet again .. and probably (yes) they'll begin to cover it, and banks have no choice but to buy it.

Bzzzzt (1)

KKlaus (1012919) | more than 7 years ago | (#17686086)

Passing the cost on to the consumer is one of the worst ideas I've ever heard. First off, towards promoting better security, put the hurt on the bank because they're the ones who have the power to improve their security. But more importantly, losing their life savings is about as scary as anything can be to first worlders. Remember how people stopped flying after 9/11? When significant numbers of people getting burned out of their retirement funds hits CNN, you can bet online banking stops nearly overnight. Not a step forward.

The only possible good that could come from your suggestion is that public outcry would force congress to enact legislation that required better security, but that's clearly not your intended point and I'm not sure that said path is particularly good anyway. And anyway, if you run windows (which is not me, but that doesn't mean I think someone who does is an idiot), being compromised is not necessarily your fault, nor is your bank's poor security practices.

Re:Bzzzzt (1)

jackbird (721605) | more than 7 years ago | (#17686188)

Legislate that the banks have to pay for fraud, and the security will take care of itself. Look at what happened to credit card fraud.

Sounds easy enough... (1)

supremebob (574732) | more than 7 years ago | (#17685152)

Why can't movie studios come up with plans this ingenious for robbing a bank? The last bank robbing movie I saw involved some terrorist types kidnapping the head of bank security and having him steal the account numbers with a wacky device made out of scanner module from a fax machine and the hard drive from an iPod Mini.

Re:Sounds easy enough... (1)

businessnerd (1009815) | more than 7 years ago | (#17685576)

Sounds easy enough...
That's the problem, it's too easy. Robbers spam bank customers with phishing attack. Out of the thousands of customers, 121 dumbasses fall for it. Robbers transfer funds. Robbers go on vacation and buy a car. End of story.

You're missing all of the critical pieces of a Hollywood heist movie. No hostages? No heroes? No fictional wonder tool fabricated out of duct tape and an old microwave oven? There's not even room for a car chase or an explosion.

On another note, there's nothing really ingenious about this scam anyway. Well, maybe the first successful phishing attack might have been ingenious, but this is just more of the same, but the scammers got lucky and made a lot of money. Maybe they did something that made their scam more profitable than others, but I don't think it's anything ingenious, just close attention to details and flawless execution.

1 Million Dollars? (1)

nherc (530930) | more than 7 years ago | (#17685164)

Boy, if all of the nefarious Slashdotters got together couldn't we beat that by at least an order of magnitude? After all, didn't Sean Connery and Catherine Zeta get away with a few billion?

Re:1 Million Dollars? (1)

unchiujar (1030510) | more than 7 years ago | (#17685328)

Yay, $2000 for each of us... I can now buy that pack of gum I always wanted...

Running Windows? (0)

kosmosik (654958) | more than 7 years ago | (#17685190)

TFA does not state what operating systems these victims were using. I bet they were on Windows. Every story like that fails to mention that this is mostly the fault of Windows.

Re:Running Windows? (1)

Thansal (999464) | more than 7 years ago | (#17685422)

This isn't a fault in Windows, it is a case of PEBKAC.

The phishing (well, not really phishing in my mind) emails told the people to download and install anti spam software, and they did. No exploiting holes in Outlook or IE, none of that, just simply telling people "Install our keylogger. err, I meant to say our "anti-spam" software, yah...". It would have worked for Mac, or *nix, or anything else (it probably DIDN'T work for them, simply b/c the attackers did not see it as worth spending the extra time to try and infect non Windows OSes).

enjoy :D

Re:Running Windows? (1)

Thanatos69 (993924) | more than 7 years ago | (#17686068)

When will people quit trying to remove responsibility from themselves?

- lock up M rated games where the eye can't see it because parents shouldn't have to monitor what their children do

- sue McDonalds because they are making people fat, can't blame the people for eating there all the time, it makes perfect sense that eating hamburgers day in day out is going to help keep you lean and trim.

- blame the os because god knows that it isn't the users fault for downloading an unknown piece of software and installing it on their own machine.

It could have happened on any os, but to be fair, it makes far more sense to target users of the dominant os. Even with Vista requiring admin access to install programs this still would have happened because they wanted to install the program. They physically clicked on the link to download the program, they physically double clicked it to install.

For my next trick, I am going to hand a random person on the street my bank card, tell him my password then I am going to publish an article about how ATM security is shxt.

Re:Running Windows? (1)

ts383 (1053564) | more than 7 years ago | (#17686486)

This has no bearing on what OS someone is running. There was no exploit mentioned in the article. If we took all the stupid users and put them on linux, the same thing could/would happen. Granted, they'd have to go to terminal and do something like "apt-get install russian_pretend_swissbank_keylogger_um_i_mean_spyw are_software", but some people really are that dumb.

121 people involved? (1)

It doesn't come easy (695416) | more than 7 years ago | (#17685194)

Seems like a fairly precise number...wonder how they derived it? And if true, for $1,000,000 that works out to be just over $8,000 per participant (assuming the proceeds were/are shared equally). Hardly seems worth the risk. On the other hand, the article says (indirectly) that it took 15 months to decide a heist was in progress. Heh, as they say "Patience is a virtue".

Re:121 people involved? (1)

mafmaf (309544) | more than 7 years ago | (#17685330)

The money has, according to Swedish newspaper articles, already disappeared overseas. The 121 people are probably suckers who helped move the money in exchange for a small percentage.

Quoted.. (3, Funny)

ZOMFF (1011277) | more than 7 years ago | (#17685238)

An employee of the Swedish Bank was quoted as saying, "Gersh gurndy morn-dee hack-zee hack-zee!"

Re:Quoted.. (1, Funny)

Anonymous Coward | more than 7 years ago | (#17685552)

bork bork bork!

the getaway (1)

cpearson (809811) | more than 7 years ago | (#17685252)

How could you ever turn the stolen money into paper money without it being completely tracked? By what means do cyber criminals launder their money without being immediately apprehended?

Re:the getaway (0)

Anonymous Coward | more than 7 years ago | (#17685630)

> What means do cyber criminals launder their money without being immediately apprehended?

The veil of infiltrated, corrupt Russian financial institutions.

Re:the getaway (1)

adamstew (909658) | more than 7 years ago | (#17686678)

Easy...Just wire the money through several banks, in several countries on several continents (be sure to include a few countries that aren't very friendly to outside law enforcement). They would be jumping through legal hoops for YEARS in order to track the money...if they ever could.

Incentives for The Bank (2, Insightful)

logicnazi (169418) | more than 7 years ago | (#17685262)

Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience. It involves lots of forms and remembering to do things at the right time and spending time on telephone lines. In short it is a pretty good incentive not to be careless with your banking security.

All that not refunding the customer's money would accomplish is hurt a lot of people and discourage people from using online banking or encourage them to change banks. People are never going to become security gurus just so they can bank online and if you make banking online too risky or hard they will just give it up.

By making sure it is the bank who has to pay for security losses while still making sure people have some incentive (annoyance, possibility they might pay next time or losing $50) to be safe you end up with the best results. The bank is the entity that can roll out new security solutions and most easily improve security practices so giving them incentives to improve security is the best move.

Re:Incentives for The Bank (2, Insightful)

planetmn (724378) | more than 7 years ago | (#17685636)

Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience.

What bank issued your credit card? I've had to reverse charges multiple times for different reasons. I've been billed twice for the same item, I've been billed incorrect amounts, I even reversed a Paypal charge because the seller never sent the item.

In all cases it was simple (I have Citibank cards). Call up and tell them what charge you are disputing. Immediately you get a conditional credit for that charge. They send you a single page form. Fill out a couple of lines, and send it back with any receipts (if you have them). In every single case I have received my money back, and the most time consuming part was dialing the phone (ok, not really, but just about. In total each dispute took less than 10 minutes of my time).

Remember, you are the customer. If the bank is treating you like crap, go elsewhere.

-dave

How about suspending accounts? (1)

phorm (591458) | more than 7 years ago | (#17685274)

not really an incentive to take more care in future

I'm hoping that the banks at least suspended and revoked the privilege of online banking from the users in question. If you can't take care not to download trojans/etc online that affect online banking, you shouldn't be allowed to do your banking online.

Re:How about suspending accounts? (1)

Thansal (999464) | more than 7 years ago | (#17685508)

quick little drama for you to understand why that is NOT happening:

Bank: You all suck at online skills, so you can't use our online banking services!
Customers: Bye!
Bank: What?
Ex-Customers: ...

Simple, ain't it? Also, actions like that will have other customers leave.

However, in reimbursing the customers, despite it being their fault, they have created a VERY good image for the bank.

Re:How about suspending accounts? (1)

Hoi Polloi (522990) | more than 7 years ago | (#17686570)

Losing customers that just cost you millions of krona? I'd tell them "Don't let the door hit you on the ass on the way out!" Some customers aren't worth keeping.

I wouldn't leave my bank if it enforced rules against careless customers. I'd want them to. The careless customers are endangering the bank's security and financial health.

not really an incentive (1)

wiredog (43288) | more than 7 years ago | (#17685312)

It's an incentive for the Bank to improve security. If every bank was required to do this (and cc companies as well) it'd do quite a bit to improve security in online shopping and banking.

Re:not really an incentive (1)

Hoi Polloi (522990) | more than 7 years ago | (#17686676)

What could the bank have done differently? The customers were entrusted with the keys to their accounts and they were tricked into handing them over. If you gave your ATM card and PIN to a stranger what could the bank do to protect you?

Largest ever robbery? (2, Interesting)

A beautiful mind (821714) | more than 7 years ago | (#17685384)

Well, according to my anecdotal evidence coming from an ex security admin at a bank who was giving a lecture on bank security at a security-themed conference, banks have a certain percentage of loss every year due to online activities. The loss they suffer is tuned to the line that spending more on security would cost more than the current losses they suffer.

Anyway, I highly doubt that this was the largest ever online robbery, maybe it was the largest phishing attack.

Re:Largest ever robbery? (1)

KokorHekkus (986906) | more than 7 years ago | (#17685610)

A major Swedish newspaper (www.dn.se) writes that the amount is somewhere over 1.1 million USD (8 million SEK). A sizeable chunk of money but perhaps not the most anyone has gotten hold of in this. Other types of financial fraud go way over that. Last year a financial officer of a company fudged the numbers in the computer and transferred 3+ million to her own account (and used a good part of it as well... just hung around too long I guess).

Predefined one-time keys are insecure (4, Informative)

hankwang (413283) | more than 7 years ago | (#17685414)

I was curious about the security protocol for Nordea bank and although links on the Nordea site are currently broken (an attempt to cover up?), I could find them on Google.

So the scammer just needs the fixed PIN code, plus a few of the one-time codes.

I used to have a bank account in Sweden with a different bank that uses a cryptographic challenge/response key generator, both for logging in and confirming a transaction. The website supplies you with a code number that you enter, as well as a PIN code. The device uses the code together with a secret key and the time from an internal clock and lets you send back the data.

Banks here in the Netherlands use similar systems, often with a generic card reader that uses a chip that is built into the bank cards. Others send a confirmation code by SMS to a mobile phone number that is registered to your account.

I think cryptographic systems are inherently much more secure than predefined one-time keys. The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction. Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.

Re:Predefined one-time keys are insecure (1)

Nemetroid (883968) | more than 7 years ago | (#17685656)

Since I have my money in Nordea, I can confirm that this is fully correct. After three erroneous codes, they will send you a new scratch card by mail automatically, but I don't know if they deactivate the login for some days meanwhile. I suppose not.

Re:Predefined one-time keys are insecure (1)

Qzukk (229616) | more than 7 years ago | (#17685666)

Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.

Some banks have gone a step further and made the transaction amount part of the challenge, meaning that even an attack like this would fail (since you transferring $20 to your landlord wouldn't match his attempt to withdraw all $21.54 in your account).

Re:Predefined one-time keys are insecure (1)

Znork (31774) | more than 7 years ago | (#17685858)

"The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction."

Short time keys make the interception slightly more difficult, but essentially the intercept software would just have to immediately use the collected keys in the alternate transaction, rather than save them for later use. Same with SMS, or anything else; as long as the customer's PC is compromised, there's no way to guarantee that what the customer sees is what the bank sends, or that what the customer enters is what gets sent to the bank. An SMS confirmation code going to the customer's phone would just verify the forged transaction, rather than the one the customer thought he was entering.

Possibly you could make it safer by actually sending all of the transaction data over an alternate channel like SMS or fax (with a checksummed validation code), or have an external box which you'd have to enter the transaction details onto to generate a checksummed specific transaction, but then you'd probably be better off using a phone service instead anyway.
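As an added illustration of the substitution attack Qzukk and Znork discuss above (example code written for this page, not from the thread, from Nordea, or from any bank): a code that depends only on the time window can be forwarded by malware on the PC to authorise a different transaction inside that window, while a code computed over the recipient and amount that the customer keys into a separate device only verifies for that exact transaction. The secret, the account identifiers and the amounts are constructed sample values, and HMAC-SHA256 with HOTP-style truncation is a design choice for the example, not a description of any real token.

```python
"""Transaction-bound one-time codes versus plain time-based codes."""
import hashlib
import hmac
import struct

STEP_SECONDS = 30      # validity window, as in the thread
DIGITS = 8             # length of the code shown on the device
# Constructed sample secret shared between the customer's device and the bank.
SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a6978")


def _truncate(mac: bytes) -> str:
    """HOTP-style dynamic truncation (RFC 4226 section 5.3) to a typeable decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** DIGITS)).zfill(DIGITS)


def time_code(secret: bytes, now: float) -> str:
    """Code bound only to the current 30 s window (TOTP-like); knows nothing about the transaction."""
    counter = int(now // STEP_SECONDS)
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest())


def transaction_code(secret: bytes, recipient: str, amount_cents: int, now: float) -> str:
    """Code bound to the window AND to the recipient/amount the customer keyed into the device."""
    counter = int(now // STEP_SECONDS)
    rcpt = recipient.encode()
    # Length-prefixed recipient so different field splits cannot produce the same message.
    msg = struct.pack(">QH", counter, len(rcpt)) + rcpt + struct.pack(">Q", amount_cents)
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def _verify(expected_for_time, code: str, now: float, skew_steps: int) -> bool:
    """Bank side: accept if the code matches the expected value in the current or adjacent windows."""
    for k in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(expected_for_time(now + k * STEP_SECONDS), code):
            return True
    return False


def verify_time_code(secret: bytes, code: str, now: float, skew_steps: int = 1) -> bool:
    return _verify(lambda t: time_code(secret, t), code, now, skew_steps)


def verify_transaction_code(secret: bytes, recipient: str, amount_cents: int,
                            code: str, now: float, skew_steps: int = 1) -> bool:
    return _verify(lambda t: transaction_code(secret, recipient, amount_cents, t),
                   code, now, skew_steps)


def substitution_outcome(now: float) -> dict:
    """Model the thread's scenario: the customer authorises $20.00 to the landlord, malware on
    the PC submits $21.54 to another account and forwards the customer's code immediately."""
    intended = ("SE00-LANDLORD-0001", 2000)   # constructed sample recipient and amount in cents
    forged = ("SE00-MULE-0002", 2154)         # constructed sample substituted transaction

    # Scheme 1: time-only code. Forwarded 5 s later, still inside the window, it verifies
    # for whatever transaction the bank actually received.
    code_time_only = time_code(SECRET, now)
    forged_accepted_time_only = verify_time_code(SECRET, code_time_only, now + 5)

    # Scheme 2: the customer keys recipient and amount into the separate device, so the
    # code carries the intended transaction and fails for the substituted one.
    code_bound = transaction_code(SECRET, *intended, now)
    intended_accepted = verify_transaction_code(SECRET, *intended, code_bound, now + 5)
    forged_accepted_bound = verify_transaction_code(SECRET, *forged, code_bound, now + 5)

    return {
        "time_only_forgery_accepted": forged_accepted_time_only,
        "bound_intended_accepted": intended_accepted,
        "bound_forgery_accepted": forged_accepted_bound,
    }


if __name__ == "__main__":
    print(substitution_outcome(1_169_000_000.0))
```

The binding only helps when the recipient and amount come from the customer's own keystrokes into the trusted device (Znork's "external box"); if the compromised PC supplies the challenge, the code is simply bound to whatever the malware chose, which is the failure the post describes.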

Re:Predefined one-time keys are insecure (1)

MobyDisk (75490) | more than 7 years ago | (#17686636)

That's amazing to me though: My bank just lets me enter in a PIN just the same as if I used an ATM. No one-time-pads at all. It looks to me like the bank was actually being fairly secure.

Must be the 4th time (1)

castrox (630511) | more than 7 years ago | (#17685542)

FWIW, this must be the 4th time this has happened in a matter of at the most 2 years. Each attempt was made by sending out e-mails in extremely bad Swedish trying to convince customers of Nordea to hand over their user information or visit their website (which was on another domain or hijacked).

Each and everyone who fell for this must either be an immigrant, senile, or just plain dumb (this is a sincere hypothesis). The title of this story absolutely does not ring true to what's really happened - it wasn't huge and it's not a big scandal at all. Also, 2 people have been apprehended and are considered suspects to the fraud. /from a random Swede

Re:Must be the 4th time (1)

MichaelSmith (789609) | more than 7 years ago | (#17685948)

must either be an immigrant, senile, or just plain dumb

Are immigrants considered dumb in your country?

Disappointed in you /.ers (3, Funny)

silentounce (1004459) | more than 7 years ago | (#17685586)

What?! No Soviet Russia jokes yet?!?!
In Soviet Russia, key logs you!
Or even better. In Soviet Russia, you gulag.
Perhaps, in Soviet Russia, bank robs you!
One last note, in Soviet Russia, Russian reversal jokes are funny.

Re:Disappointed in you /.ers (1)

thePowerOfGrayskull (905905) | more than 7 years ago | (#17686000)

In Soviet Russia, the joke is on you.

Re:Disappointed in you /.ers (1)

zesty42 (1041348) | more than 7 years ago | (#17686580)

In Russia, spam fighting application downloads you!

...and your money, too.

Good for banks with a conscience (1)

biggomez777 (948763) | more than 7 years ago | (#17685670)

I'm guessing that few of you have had money stolen from accounts before. It is a huge pain, involves lots of paperwork, and is generally not a pleasant experience. I had a good deal of money (for me at the time) transferred out of my account in the United States and sent to Turkey. Nothing stolen online, we figure it was a dumpster diver. Money is still gone, and it still took weeks to clear. I, for one, am happy that the bank reimbursed the account holders for their losses. For everyone here that says "learn security!!!!", what if it wasn't the account holder who placed the trojan there? Would you then blame the person for having "stupid" people using their computer, i.e. significant others, who bank at the same place? You can't educate everyone.

Re:Good for banks with a conscience (0)

Anonymous Coward | more than 7 years ago | (#17685864)

That's right. They reimburse the account holders because everything else would be a total disaster. Calling the customers idiots would be bank suicide, and then other Swedish banks such as Handelsbanken, SEB and Swedbank would have a lot of new customers.

Small change compared to what might happen. (0)

Anonymous Coward | more than 7 years ago | (#17685708)

What the Russians did is small change compared to what might happen if the data from this heist http://money.canoe.ca/News/Other/2007/01/18/3401579-cp.html [canoe.ca] becomes available to the wrong crowd.

Use private cryptography ! (1, Interesting)

Anonymous Coward | more than 7 years ago | (#17685754)

I happen to have an account at a Swedish bank (S.E.B.), and they give you this wonderful little box they call a "digipass". When you want to log on, they give you 8 numbers, which you have to type into your digipass, which then gives you another little sequence of numbers, which is the password you have to use to login. It's kinda challenge-response authentication, but with the private key safely saved outside of the computer, and out of reach of the clients themselves in fact... Just don't lose your digipass, your PIN code and your account number all at the same time ! :+)

Re:Use private cryptography ! (0)

Anonymous Coward | more than 7 years ago | (#17685876)

s/numbers/digits/

It's a Windows trojan (1)

HangingChad (677530) | more than 7 years ago | (#17685772)

The sender encouraged clients to download a "spam fighting" application.'"

The trojan in question only runs on Windows [symantec.com] .

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

I'm not knocking Windows, the users contributed by not running antivirus software and not being terribly bright. But this is why I don't ever access any of my banking or investment accounts with Windows.

Just makes it that much harder to automate installation of a keylogger.

I wish that they had not paid the victims. (1)

WindBourne (631190) | more than 7 years ago | (#17685984)

What they just did was tell users that they can run insecure OSs, do nothing about it, and still not be held responsible for their actions. What these victims did was to buy a straw house, then leave the door wide open, and they are now being compensated for stolen money. When will it end?

Re:I wish that they had not paid the victims. (1)

swb (14022) | more than 7 years ago | (#17686646)

Nice blame the victim mindset. I suppose you tell women who have been raped to stay home, people who have their cars ripped off to buy more theft-proof cars, and so on.

The better choice is for the banks to recognize that client systems are highly vulnerable and make their own security more immune from these problems. If I was a bank, I would also strongly consider blackholing IP space outside of their normal service area. More of an irritant to serious criminals than a real deterrent, but it might make it irritating enough to prevent smaller-time thieves.

If the trojan was targeted to a specific list (1)

artifex2004 (766107) | more than 7 years ago | (#17686002)

If the trojan was targeted to something like a specific list of account holders, instead of wildly blasted around, that could indicate a different breach of security at the bank. In that case, the bank has a lot more cleaning up to do behind the scenes. I'm not saying that definitely happened, but I am given pause.

Brazilian bank - $350m (1)

OriginalArlen (726444) | more than 7 years ago | (#17686276)

Annoyingly I've not been able to google it up, and I can't remember where I read about it, but I read somewhere that a Brazilian bank went bankrupt following fraud enabled by hacking attacks which lost them (IIRC) over $300m. Please, someone, spare my sanity and find me a link? It would have been an Infosec story on the net -- I thought CryptoGram at first, but apparently not. Help! :)