
Banks, Wall St. Feel Pinch from Computer Intrusion

Soulskill posted more than 5 years ago | from the only-going-to-get-worse dept.


An anonymous reader writes "Financial institutions and companies in the securities/futures business are reporting sizable increases in the amount of losses and suspicious activity attributed to computer intrusions and identity theft, says the Washington Post's Security Fix blog. The Post obtained a confidential report compiled by the FDIC which analyzed Suspicious Activity Reports from the 2nd Quarter of 2007. SARs are filed when banks experience fraud or fishy transactions that exceed $5,000. The bank insurance agency found that losses from computer intrusions averaged $29,630 each — almost triple the estimated loss per SAR during the same time period in 2006 ($10,536). According to the Post, 'The report indicates that the 80 percent of the computer intrusions were classified as "unknown unauthorized access — online banking," and that "unknown unauthorized access to online banking has risen from 10 to 63 percent in the past year."' Another set of figures analyzed by The Post looks at similar increases affecting the securities and futures industry."


Well, this is good ... (4, Insightful)

ScrewMaster (602015) | more than 5 years ago | (#22535922)

maybe this will force these idiots to upgrade their infrastructures and take network security seriously. That would probably help all of us in the long run.

Re:Well, this is good ... (3, Informative)

Frosty Piss (770223) | more than 5 years ago | (#22535944)

The problem is user ease versus security. At a certain point of "security" people will choose not to because it's way too much of a hassle. And, there will always be a way around it.

Re:Well, this is good ... (3, Insightful)

ScrewMaster (602015) | more than 5 years ago | (#22535998)

True, but I'm not necessarily talking about the end user ... there's a lot of money that could be well-spent on just securing their networks. Banks have money but like most corporations tend to be cheap when it comes to security. Hitting them in their pocketbooks like this may be just the kick in the pants they need to take the proper steps.

There are probably some ways that security could be improved from the end-user's perspective as well. I understand that in some countries (I don't know if any U.S. banks do this) users of Internet banking services have a hardware device that plugs into their PC to identify them. I don't know how well that works, never having used anything like that myself, but if implemented correctly it would at least cut down on password phishing schemes.

Re:Well, this is good ... (3, Interesting)

Creepy Crawler (680178) | more than 5 years ago | (#22536076)

And that kind of technology would invariably lead to "Works only on Windows".

I'd rather have a separate "channel" of information to verify against. If one would use internet banking, then a txt msg containing pertinent info would be sent, with a reply "$dollar amount and yes" as confirmation.

Phones can be deactivated rather fast when it comes to "stolen" and such things. It would provide extra security and very little hassle.

Re:Well, this is good ... (1)

radu124 (871406) | more than 6 years ago | (#22545728)

The nicest authentication system I've seen and currently use is by ABN-AMRO / Netherlands.

Your (debit) card has a crypto-chip on it and you have some universal device like a pocket calculator. I call them universal because they are not tied to a particular account/card. The authentication is done using a normal browser that supports shttp, and it is of the challenge-response type with the human component in the loop.

On the bank login page you receive a number. You slide your card into the device, you type in your PIN and the number on the login page and the device produces a number that you type back into the page. The login procedure has to be repeated to confirm transactions.

I like this better than the devices that produce a key valid for only some time (like 30 seconds). Those are tied to your account so you cannot replace them in a convenient manner, and also have the bad habit of desynchronizing.

Re:Well, this is good ... (2)

TheRaven64 (641858) | more than 5 years ago | (#22539638)

I understand that in some countries (I don't know if any U.S. banks do this) users of Internet banking services have a hardware device that plugs into their PC to identify them
It doesn't plug into the computer, that would leave it vulnerable if the machine were compromised. It looks like those pocket calculators that everyone was handing out for publicity in the '80s and implements one-time passwords. Inside is a ROM chip with a secret number in it. The bank's site gives you a number, you enter it into the keypad, and then read the result of some permutation on the secret value and the number from the bank and enter it into the site. You can then access the site and anyone who has control over your computer at that moment can steal your money. If they are just logging, then they get nothing usable because that pass code won't be valid again for a long time.

The MoD has been using this kind of thing for a long time. They're starting to trickle down to the consumer now. You can also use something similar on *NIX systems using opie and a bit of custom code on a programmable calculator.

Re:Well, this is good ... (1)

nurb432 (527695) | more than 5 years ago | (#22536160)

Except I don't think we are anywhere near that point, as today we are still at the 'pretty much insecure' point.

The banks can at least try ...

Re:Well, this is good ... (5, Interesting)

CastrTroy (595695) | more than 5 years ago | (#22536252)

I call BS. There's a lot they could do to increase security for banking. How about actual 2-factor authentication? Something you know and something you know is not 2-factor authentication. Try something you know (your password) and something you have (those little RSA tokens). If they implemented those RSA tokens that spit out a new number every 60 seconds, they could stop almost all the phishing scams. Yet they refuse to do anything to actually even offer the more secure option. I'd pay for the RSA token out of my own pocket if it meant my money would be more secure.

Re:Well, this is good ... (0)

Anonymous Coward | more than 5 years ago | (#22536584)

etrade does this. That's why I use them.

Re:Well, this is good ... (3, Informative)

cetialphav (246516) | more than 5 years ago | (#22536600)

If they implemented those RSA tokens that spit out a new number every 60 seconds, they could stop almost all the phishing scams. Yet they refuse to do anything to actually even offer the more secure option. I'd pay for the RSA token out of my own pocket if it meant my money would be more secure.
Actually, some banks do this. ETrade [etrade.com] , for example, provides the RSA tokens. If security were really that important to customers, the banks would respond. But most customers are not security savvy enough to even know what to ask. The mere concept of the RSA token goes completely over the head of most people. What the banks need to do is to take the lead in trying to educate consumers about security issues so that consumers can make more informed choices, but that is a difficult, thankless task that most of them don't want to do. The bottom line is that customers are not leaving banks in droves to go to competitors with better security even though there actually exists competitors with better security. Or to put it another way, providing better security provides only a marginal business advantage, whereas better interest rates provide a huge business advantage.

Re:Well, this is good ... (1, Interesting)

CastrTroy (595695) | more than 5 years ago | (#22536674)

Isn't ETrade just for trading? Do they have standard chequing accounts? Do any North American banks offer RSA SecurID for chequing accounts?

Re:Well, this is good ... (3, Insightful)

cetialphav (246516) | more than 5 years ago | (#22537160)

ETrade is both a brokerage house and a bank. I don't know if other American banks offer RSA SecurID tokens. I'm a happy ETrade customer so I haven't investigated that. A quick google search makes it look like other banks offer this, too.

Re:Well, this is good ... (2, Insightful)

jdigriz (676802) | more than 5 years ago | (#22538118)

2 seconds of googling would have revealed ETrade Bank in addition to their brokerage. I just saved you those 2 seconds. You're welcome.

Re:Well, this is good ... (0)

Anonymous Coward | more than 5 years ago | (#22539426)

Some banks would, if they were allowed to. If the banks' regulators (or more accurately the staff they pay to tell them what all that computer gobbledygook means) say "setting a telnet password on your router is security enough", that's all that will happen. The banking industry has to go with what their oversight knows, even when the overseers are wrong.

Re:Well, this is good ... (0)

Anonymous Coward | more than 5 years ago | (#22536706)

You can "call" whatever you want. But you sound like you're in the 9th grade.

I have one of those RSA tokens (4, Insightful)

xkr (786629) | more than 5 years ago | (#22536774)

I paid $5.00 to paypal, including shipping. The little device fits on a keychain and generates a new six-digit code every 30 seconds. I simply add the six digits displayed to the end of my password when logging in. What is great, from the view of the web owners, is that there is no change to the visible user interface. It still looks like two fields: user-name and password.

This is genuine "two mode" authentication. Sure, if someone stole my computer AND my keychain the security is compromised. Or, if someone puts a gun to my head. But still, compared to current web login security, this system is a vast improvement.

All a bank has to do is say, "Here, this gizmo is free. And by the way, you have to use it if you want to do online banking." Managing these devices isn't any harder than managing ATM cards, which people lose every day, and it's not that big a deal.

Re:I have one of those RSA tokens (2)

Rick17JJ (744063) | more than 5 years ago | (#22538792)

I have one of those $5 PayPal security keys on my keychain. To pay by PayPal or access my account, I am asked first for my password and then asked for the current six-digit code from the security key. The six-digit code changes every 30 seconds.

As for on-line banking, I have never signed up for that because of my concerns about security. If a local bank ever started using two-factor authentication with a security key, I would gladly give on-line banking a try. Until then, I am not interested.

I frequently receive fake email messages claiming to be from PayPal, Amazon.com or various banks. They typically say someone has been added to my account and ask me to click on the link and log in and check on the details. When I hold the cursor over the link without clicking, it shows me a complicated looking URL from a foreign country at the bottom of the screen. I have never actually clicked on the link to go to their fake websites.

As for on-line banking, personally, I would prefer to not do it from a heavily used family Windows computer which is used by children and teenagers. It is likely to have already been compromised from lots of heavy careless use. I prefer the idea of using a separate lightly used, but well maintained, Linux or Mac OS X computer just for that purpose. I am a middle aged Linux user myself, by the way.

PayPal Security Key [grc.com]

Re:I have one of those RSA tokens (1)

bytta (904762) | more than 6 years ago | (#22547888)

They have a similar (but probably less secure) gizmo that's MANDATORY for online banking in Iceland. At a press of a button it spits out a pseudo-random 7 digit passnumber (First 2 are always 01, so it's really only 5 digits).
Logging on with a number invalidates it, and any older ones you wrote down.

The only "alternate login" is via SMS (not free) so 98% of Icelanders with bank accounts carry this junk on their keychains. The other 2% regularly punch a bunch of passnumbers into a google doc/online email draft, and use it as a FIFO buffer, or just don't use online banking that much.

Does nothing for man in the middle attacks ... (2, Interesting)

Pinky's Brain (1158667) | more than 5 years ago | (#22536992)

My own bank uses such a device, but they have been hit by bank specific trojans which simply let you authenticate a different transaction while you thought you were authenticating your own.

The only solution is a separate device less easily owned than a PC which displays all the transaction details. Mobile phones would work (would be nice if they used better cryptography, but even without it's a lot more difficult to exploit on a large scale without physical presence).

If you read the article (2, Insightful)

joeflies (529536) | more than 5 years ago | (#22537108)

The article says that this is fraud committed by internal access to systems. It does not account for any fraud from access external to the business, i.e. phishing.

An RSA token is a terrible way to handle internal security for anything other than a VPN. Imagine typing in a one-time password every single time you lock your computer, access an application, etc. It would drive most people to just leave their computers unlocked all the time and logged in.

Mobile phones can be used for two-factor - no HHAD (1)

waveman (66141) | more than 5 years ago | (#22538136)

A number of banks have implemented two-factor authentication using mobile phones. When a transaction is initiated, the bank sends a number by text to your nominated mobile phone. You then enter the number on the screen. No need for expensive HHAD devices. And it really seems to work very well. In theory you can defeat it via man-in-the-middle attacks but these are a lot harder to implement than normal phishing.

See for example http://nab.com.au/Personal_Finance/0,,84176,00.html [nab.com.au]

Tim

Re:Well, this is good ... (2, Informative)

timeOday (582209) | more than 5 years ago | (#22538840)

My work implemented 2-factor authentication for remote email access. Everybody I've spoken with agrees with me that it has drastically reduced their amount of remote email access. In other words, greater security at the cost of productivity. This is why you should not let network security make their own decisions in a vacuum - they will choose security at the expense of everything else. These studies that state losses from computer security are worthless without equally credible studies of the losses from more draconian security, in terms of direct expenses and lost productivity, and annoyed customers that go somewhere else.

Re:Well, this is good ... (1)

grumling (94709) | more than 6 years ago | (#22540696)

I've used the old SecurID system (rotating pseudorandom number on an LCD display), login/PW, and now a printed grid system. I didn't find it any more difficult to authenticate with the grid, but the SecurID device would get out of sync every few days, which led to a phone call to the IT department for a resync. This was in the mid 1990s, so hopefully the tech has progressed a bit.

Some people moan about the various authentication schemes, but I don't think they are all that big of a deal (but I understand why they are in place).
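The time-based keyfobs described in this thread (new code every 30 or 60 seconds) and the desynchronisation that radu124 and grumling complain about can be shown with a short simulation. This is an added example, not code from any poster or vendor: it implements HOTP/TOTP as in RFC 4226/6238 (HMAC-SHA1, 6 digits, 30 s step) and a verifier that tolerates a one-step window, remembers the drift it saw so the token resyncs automatically, and refuses replayed codes. The secret, drift values and timestamps are constructed for the demo.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds per code, as on the PayPal key discussed in the thread
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def totp(secret: bytes, unix_time: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, int(unix_time // step))


class TokenDevice:
    """A keyfob whose quartz clock runs fast or slow by drift_seconds (constructed)."""

    def __init__(self, secret: bytes, drift_seconds: int = 0):
        self.secret, self.drift = secret, drift_seconds

    def show(self, true_time: float) -> str:
        return totp(self.secret, true_time + self.drift)


class Verifier:
    """Server side. Accepts codes within +/- window steps of its own clock,
    remembers the drift it observed (automatic resync), and never accepts a
    counter at or below the last one consumed (replay protection)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret, self.window = secret, window
        self.offset = 0          # learned device drift, in steps
        self.last_counter = -1   # highest counter already used

    def verify(self, code: str, now: float) -> bool:
        base = int(now // STEP) + self.offset
        for delta in range(-self.window, self.window + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue             # already used (replay) or older than an accepted code
            if hmac.compare_digest(code, hotp(self.secret, counter)):
                self.last_counter = counter
                self.offset += delta     # follow the drift instead of a helpdesk resync
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 4226 / RFC 6238 test secret
    server = Verifier(secret)
    fob = TokenDevice(secret, drift_seconds=20)
    print("20 s fast fob accepted:", server.verify(fob.show(1000), 1000), "offset:", server.offset)
    print("replay accepted:", server.verify(fob.show(1000), 1000))
    print("90 s fast fob accepted:", Verifier(secret).verify(TokenDevice(secret, 90).show(1000), 1000))
```

With a wider window the verifier tolerates more drift but also gives an intercepted code a longer useful life, which is the trade-off behind the 30-second figure.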

Re:Well, this is good ... (0)

Anonymous Coward | more than 6 years ago | (#22547092)

You have hit upon a point that none of the Big Companies I have worked for in the past 5 years understand.

Hardly ever does anyone ask: "What is the cost going to be of implementing new procedure X?"
Where Procedure X is some hoop to jump through in order to prevent some mistake that someone made that may or may not have had any significant effect on the business, but CYA syndrome dictates that "steps are put in place to ensure it never happens again."

At one large bank this was a particularly ignored issue, to the point where getting code into production was now at minimum a three week affair, requiring at least a developer man-day to coordinate with the various QA groups and such. One-liners and other small fixes became such a pain to push, we would batch them all at once in a monthly to bimonthly cycle to reduce the administrative costs. At this particular bank, I was part of a group that was acquired from a much smaller company, and previously pushing a business-demanded fix required only a few hours of real time and maybe 20 minutes of a developer's time.

You hit the nail on the head. I have an RSA keyfob thing that I need to log in to work from home. I used to check work email fairly often, but it's just too much of a hoop to jump through, and totally forget me logging in if I am in bed w/ my laptop and I realize my keys are in another room. If sh*t is hitting the fan in London or Tokyo, it's more or less up to them to call me now. Of course the cheap bastards could just give me my blackberry back as well, but it's all just as well.

Once upon a time, it used to be large companies that had competitive advantages related to economy of scale and being able to invest capital in systems to make their per transactions cost cheaper than upstarts. Nowadays, the startups have the upper hand because they don't have the layers of bureaucracy to go through to get stuff done for their customers!

Re:Well, this is good ... (1)

Lord Ender (156273) | more than 5 years ago | (#22539092)

You are paying for it. That savings account that gives you 1% interest? The bank actually has the money invested in bonds which yield 4%, and they are keeping 3% for free. Sure, they could send you tokens in the mail. They could even put X.509 certificates on the smartcard chip on your ATM card... That's 2-factor.

But they don't. Only SALES pay out bonuses, so why invest in anything other than sales gimmicks?

Re:Well, this is good ... (1)

caluml (551744) | more than 5 years ago | (#22539132)

Sod carrying around yet another thing. I carry a device capable of Out Of Band communication with me already, and I would imagine that 99.9% of the online-banking users in the UK do too. It's called a mobile phone.
Just register my number with the bank, and when I log in, I first enter my username and password, and then, on a second screen, the 6 digit code that has just been texted to my phone. Voila. Ivan Hacker who has a keystroke logger on my Linux box can't use the username and password anyway, and the mugger that snatches my phone from me in the street will only have it for a few minutes/hours until I cancel it. Plus, he'll just sell it for crack.

Re:Well, this is good ... (1)

mork (62099) | more than 6 years ago | (#22544150)

Sorry, but 2-factor authentication isn't good enough. Both one-time pads and RSA tokens can still be abused by knowledgeable twerps.
In the EU, most banks have 2-factor authentication, and there are still successful phishing trips made against the banks.
The attacker targets one bank and scripts the attack accordingly. Email is sent (spammed) and some of the bank's users end up with the malware. The attack occurs next time the user logs in to their bank: the malware detects the bank transaction and snaps up the confirmation code. The malware performs a transaction with the original code, while the user sees a fake page asking for a second confirmation code so they can perform their original transaction. The user has no idea that two transactions have actually been made unless they look at the transaction log in their bank.
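The weakness mork describes, and the fix Pinky's Brain proposes earlier in the thread (a device that shows the transaction details it is authorising), come down to whether the confirmation code is bound to the payee and amount. The added example below is not code from any poster or bank; it models an unconnected card reader like the ABN-AMRO one described above and a bank-side verifier, and compares a login-style code (challenge only) with a signing code over challenge, payee and amount. HMAC-SHA256 with 8-digit truncation, the card key, PIN and the two transfers are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DIGITS = 8   # response length; constructed choice, real readers vary


def derive_code(key: bytes, *fields: str) -> str:
    """Response over the given fields: HMAC-SHA256, then RFC 4226-style dynamic
    truncation to DIGITS decimal digits. Fields are length-prefixed so that
    ("12", "34") and ("1", "234") cannot produce the same MAC input."""
    msg = b"".join(len(f).to_bytes(2, "big") + f.encode() for f in fields)
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


@dataclass(frozen=True)
class Transfer:
    payee: str
    amount: str


class CardReader:
    """Unconnected reader: the user keys in PIN and challenge. In signing mode
    payee and amount are keyed in as well, so the reader's own display shows
    exactly what is being authorised, whatever the browser shows."""

    def __init__(self, card_key: bytes, pin: str):
        self._key, self._pin = card_key, pin

    def respond(self, pin: str, challenge: str, tx: Optional[Transfer] = None) -> Optional[str]:
        if not hmac.compare_digest(pin, self._pin):
            return None
        if tx is None:
            return derive_code(self._key, challenge)
        return derive_code(self._key, challenge, tx.payee, tx.amount)


@dataclass
class Bank:
    """Server side: issues single-use challenges, checks responses, keeps a ledger."""
    card_key: bytes
    ledger: List[Transfer] = field(default_factory=list)
    used: set = field(default_factory=set)

    def challenge(self) -> str:
        return f"{secrets.randbelow(10**8):08d}"

    def submit(self, challenge: str, code: Optional[str], tx: Transfer, bound: bool) -> bool:
        """With bound=False the code only proves the card was present (login
        style); with bound=True it must also match the payee/amount submitted."""
        if code is None or challenge in self.used:
            return False
        fields = (challenge, tx.payee, tx.amount) if bound else (challenge,)
        if not hmac.compare_digest(code, derive_code(self.card_key, *fields)):
            return False
        self.used.add(challenge)      # a challenge can never be replayed
        self.ledger.append(tx)
        return True


# Constructed demo values; a real card key never leaves the chip.
CARD_KEY = bytes.fromhex("0f" * 32)
PIN = "1234"
INTENDED = Transfer("Landlord", "500.00")
SUBSTITUTED = Transfer("Unknown payee", "2500.00")


def run(bound: bool, tampered: bool) -> Tuple[bool, List[Transfer]]:
    """The customer authorises INTENDED on the reader. The browser submits
    INTENDED, or SUBSTITUTED if malware on the PC swaps the details.
    Returns (accepted, ledger) so the outcome of each scheme can be compared."""
    bank = Bank(CARD_KEY)
    reader = CardReader(CARD_KEY, PIN)
    chal = bank.challenge()
    code = reader.respond(PIN, chal, INTENDED if bound else None)
    submitted = SUBSTITUTED if tampered else INTENDED
    return bank.submit(chal, code, submitted, bound), bank.ledger


if __name__ == "__main__":
    for bound in (False, True):
        ok, ledger = run(bound, tampered=True)
        print(f"transaction-bound={bound}: swapped transfer accepted={ok}, ledger={ledger}")
```

The unbound scheme books the substituted transfer because the code proves only that the card and PIN were present; the bound scheme rejects it because the code covers details the customer saw on the reader, not on the compromised screen.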

Re:Well, this is good ... (1)

rcw-home (122017) | more than 5 years ago | (#22537002)

At a certain point of "security" people will choose not to because it's way too much of a hassle

Yeah, I mean, if writing a check to someone meant that they knew they'd actually get the money, then retailers would definitely stop accepting checks. If writing a check to someone meant that they didn't get reusable routing and account numbers, then consumers would definitely stop writing them. I mean, who in their right mind would use something so difficult?

Re:Well, this is good ... (3, Informative)

abigor (540274) | more than 5 years ago | (#22536044)

Actually, the article gives some examples of how the thefts occur, and it's normally not from network intrusions - rather, it's from things like a coworker in an office installing trojans on people's machines and stealing their passwords when they go to do online banking during their lunch hours or whatever.

How do you protect against this sort of thing? The banks have certain heuristics that deal with detecting fraudulent transactions, but this really seems like one of those cases where what you know (passphrase) + who you are (biometrics) would go a long way towards a solution.

Re:Well, this is good ... (1)

scamper_22 (1073470) | more than 5 years ago | (#22536222)

Yep.
Banks have stalled on smart chip cards for long enough. And why don't you need a password for credit cards yet :P

Even for online banking, it would be a good thing if laptops/computers came with a built-in smartchip reader. So even if someone steals your password, they still need your physical card to do banking... even online banking.

But of course, they're waiting for the cost of fraud to be greater than the cost of deploying the new systems.

Re:Well, this is good ... (2, Informative)

abigor (540274) | more than 5 years ago | (#22536410)

I think some European banks actually have systems a bit like what you describe. My friend has an account with a Dutch bank, and he has this little device that generates a unique passcode each time he wants to do any banking. I'm not really sure how it works, but its one-time-padness makes end user fraud a lot more difficult - you'd have to physically steal the device, its PIN, plus his actual banking password.

Re:Well, this is good ... (1)

J0nne (924579) | more than 5 years ago | (#22537248)

My Belgian bank (Dexia) has the same thing too. They used to rely on a password and some java crap in your home directory (which is relatively secure, unless you have a trojan), but now they switched to something made by Vasco [vasco.com] , which is secure even if your box is compromised (an attacker would be able to see all your account data after you logged in, but you need to key in a newly generated code to confirm transactions).

An extra advantage is that it works on any platform, as it's basically a website, and the little device that generates the code isn't hooked to your computer.

Re:Well, this is good ... (1)

Profane MuthaFucka (574406) | more than 5 years ago | (#22536572)

What about something you have? A key fob? A piece of paper with little codes on it that you use once and scratch off? Plenty of solutions to this problem. If the banks choose the solution "eat the losses" I don't really care as long as it's banks eating losses and not me.

Re:Well, this is good ... (1)

oldbamboo (936359) | more than 5 years ago | (#22537070)

Yep, tfa is focused on trojans and phishing, which have had a great year, both in increased sophistication and effectiveness. However, I suspect that a fairly large number of these SARs would be from people who have purposely infected their systems / defrauded themselves to get money. I wonder how easy this would be? You'd need to have an extra account to which you cannot be tied, or an accomplice in a different country... Fact is, most people expect to be reimbursed by their banks when their account is defrauded, provided the bank can't prove complicity, and what bank is going to spend timely expert resources on uncovering a 25,000 fraud. Provided the numbers stay low (compared to mortgages and cheque fraud they are a drop in the ocean) then the banks won't aggressively investigate. When the numbers get high, I imagine they will get a few instances in the press where they successfully identify complicity on the part of the account holder, and use this to justify a change in terms and conditions on their accounts which will shift the responsibility massively on to the customer. What I don't see is them investing more in security (bar a bit more 2 factor auth when it gets dirt cheap).

First things first (1)

Pinky's Brain (1158667) | more than 5 years ago | (#22537082)

A key is a lot better than either of those, people understand what keys do, they understand what they should do if they get stolen or lost. Digital keys are almost impossible to copy, while passphrases are trivial to intercept and fingerprints are trivial to copy ... two things a lot of people don't understand!

An extra factor is fine, but start with what works best. What you have.

Re:Well, this is good ... (1)

jafiwam (310805) | more than 5 years ago | (#22537466)

Over a cup of coffee I could come up with at least a dozen ideas for how to protect against every scenario mentioned so far in this thread.

A server that calls your cell phone, and makes you punch in a number before letting the web user log in all the way, would stop 95% of all fraudulent transactions. You could do that with credit cards too.

Making this shit work is SIMPLE. Getting through the "we don't see a reason to spend money on that" blockage in the average banker-PHB is the problem. Make the fraud losses come out of their salary, or make them criminally accountable as accessories to a crime, and it'll get fixed right quick.

Why the hell I didn't start a life of crime is beyond me, I could have made millions by now.

Re:Well, this is good ... (5, Informative)

Crafack (16264) | more than 5 years ago | (#22536046)

I'm in IT Operations for a bank in EU.

We spend a sizeable amount of both time and money securing systems against outside access.

The problem as reported in TFA is in the end-user zone. Malware, trojans etc. are used to steal identities of businesses or persons.

True, most of these problems could be mitigated (for now) if the banks switched to some kind of one-time-pad system, but apparently for now the costs of the system are greater than losses due to attacks. /Crafack

That's a fucking dangerous gamble (1)

Pinky's Brain (1158667) | more than 5 years ago | (#22537252)

If a really capable hacker just decided, the next time a windows worm is discovered, to trojan all the transactions for a large number of banks, the damage he would be able to cause is going to be huge. If he wants to be nasty he could use the online transaction history to make the transactions look legit too, to maximize the amount of money he could pump around before you guys simply shut down online transactions entirely.

He'd be able to make his money off put options rather than directly stolen money ...

The banks chose their beds (1)

Colin Smith (2679) | more than 5 years ago | (#22538038)

Isn't this largely because you are basically running fundamentally insecure systems? Systems which simply cannot reasonably be operated without giving the end user the authority to install "Malware, trojans etc. [that] are used to steal identities of businesses or persons."

What do you want now? Sympathy or praise for choosing expediency over security?

The problem is not and never has been the end user. We have known for decades that a significant proportion of end users are thieving sociopathic scum. We've had systems designed with this in mind for about the same amount of time. The problem is that nobody is being fired/prosecuted/sued for negligence.

Re:Well, this is good ... (0, Flamebait)

jotok (728554) | more than 5 years ago | (#22538706)

No. The configuration of the office system allows and invites this kind of abuse. Secure network design would mitigate a lot of these issues, but it requires security to be a priority.

Generally speaking, "IT guys" know nothing about security and get quite belligerent when you try to tell them how to do their jobs (e.g. advising them to institute allow-by-exception policies). It's the techs and the CIOs more than the CFOs who make this a problem.

Re:Well, this is good ... (2, Insightful)

caluml (551744) | more than 5 years ago | (#22539156)

Use a mobile phone to text the user the second part of the authentication code. It's so simple, so easy, so cheap - and very effective.

Re:Well, this is good ... (1)

VanessaE (970834) | more than 6 years ago | (#22540784)

I'll be watching the mail for my phone then. Please send two, as my husband will also need one, and don't forget to set up service. I assume you also plan on paying for said service also?

Re:Well, this is good ... (1)

caluml (551744) | more than 6 years ago | (#22544422)

In the UK, everyone and their dog has a mobile phone. Pretty much. Well, of the people who do online banking here, I'd guess 99.9%. Sorry about your backwater. Wouldn't you also agree that it's a lot cheaper to use something that $huge_percentage of people already have, and supplement those people who don't with an alternative? Also, I carry my phone with me anyway - I don't want to have to carry an RSA token around just in case I need to make a payment when I'm not at my home.
And to the other person who replied - SMSes on my network are pretty much 100%, and immediate.

Re:Well, this is good ... (1)

Crafack (16264) | more than 6 years ago | (#22543514)

Standard SMS services guarantee delivery of your message within 24 hours, if the recipient's phone is active on a network. Not usable.

The best systems I have seen in use, are either electronic dongles (eg. http://rsa.com/node.aspx?id=1156 [rsa.com] ), or paper-based one-time pads with challenge-response pairs.

/Crafack

Re:Well, this is good ... (0, Flamebait)

TheRaven64 (641858) | more than 5 years ago | (#22539682)

Name and shame time:

Egg, in the UK, offer a 'Money Manager' service. This runs as an ActiveX control. This means that, in order to be able to use it, you have to be using IE, on Windows, with ActiveX enabled, which is about the least secure computing configuration possible.

Re:Well, this is good ... (1)

houghi (78078) | more than 6 years ago | (#22544570)

Many banks in Belgium provide such a device. In some you need to enter your bank card, in others you need to enter a code. The trend is to go towards machines that only come up with a number and are not connected to the PC.

So one is something you know (your code), the other is something you have (the number on the device). Your code for the website must be 6 characters long. The device asks for 5 and your code for your card is 4.

What people often think is that longer passwords are more secure. That is only true if you have to remember just one password.

However I have at least 15 different logins and passwords to remember and I can imagine many people here have even more.

Re:Well, this is good ... (0)

Anonymous Coward | more than 5 years ago | (#22537366)

I work for a company that does bank security. The attacks discussed here are related to online banking, and that is generally managed by some outside provider. Very few banks host their own websites for this very reason. The infrastructure systems and procedures used inside the bank are regulated by the government and regularly audited.

What we need is better developers of online banking software. How are we to know how well their code is written? Could some stupid code injection wipe out my bank account when somebody else used a worthless password on their account? We need better auditing here.

The bank doesn't know or care about which security measures are used on the site. They just want it to be "safe enough." I have a feeling every salesperson for online banking out there will tell the bank that their product is the most secure in existence, but how is the bank to know whether that is true if nobody is allowed to do vulnerability assessments on the online banking provider?

Also, as others pointed out, username/password in a web form is a pretty lame authentication method in the way it is implemented a lot of times on these online banking sites. It would probably be much less expensive in the long run to issue authentication tokens of some sort.

Re:Well, this is good ... (1)

socz (1057222) | more than 6 years ago | (#22542890)

Some people said it's not just the banks' fault...

While I agree that it isn't always their fault, I'm pretty confident it's mostly their fault.

I've mentioned before that I worked for a bank. They had THEE worst computer system. It didn't work right and the end of day was always off! But the next day everything was ok! hahaha

Anyways, as some may recall me saying to the assistant manager, "this computer system has a lot of bugs" and she said "what would you know about computers?" hahaha yes!

So eventually this bank closed down! I don't know when nor why. But being the world's 3rd largest bank in the world at the time... closing down in Los Angeles can't be something you brush under the corporate rug.

Interestingly, now I work in another bank but as a contractor this time. They run a Windows-only environment. It's a POS but it has lots of security, not that it works all the time, but it's better than what I had to work with as a teller!

p0wnd! (2, Funny)

Anonymous Coward | more than 5 years ago | (#22535926)

No shit baby! Time to switch back to FACE TO FACE. what a concept.

Re:p0wnd! (3, Insightful)

Hatta (162192) | more than 5 years ago | (#22536018)

Face to face is sometimes even less secure. All my credit union wants from me is an account number and name and they'll give me all the cash in my account. Not even a password or photoid. Of course, I'll take the risk of getting ripped off at a credit union over the guarantee of getting ripped off at a bank any time.

Re:p0wnd! (1)

Foobar of Borg (690622) | more than 6 years ago | (#22541738)

Face to face is sometimes even less secure. All my credit union wants from me is an account number and name and they'll give me all the cash in my account. Not even a password or photoid. Of course, I'll take the risk of getting ripped off at a credit union over the guarantee of getting ripped off at a bank any time.
???

You might need to switch to a new credit union or bank. Both places I bank with require me to show an ID just to check the frigging balance. The *only* thing I can do without an ID is deposit money into the account.

Re:p0wnd! (0)

Anonymous Coward | more than 5 years ago | (#22536116)

But can even these FACEs be trusted?
No, as with Adam Smith's Invisible Hand, they cannot.
We must instead give everything to an all-powerful State, which will spare us the evils of capitalism, the uncertainties of markets, and the hell of materialism.
Karl Marx ueber alles!

beancounters and shortcuts (5, Insightful)

galaad2 (847861) | more than 5 years ago | (#22535934)

That's what you get when you put beancounters in charge of computer security, a WHOLE LOT of shortcuts in the name of cost savings which lead ultimately to insecurity.

Re:beancounters and shortcuts (4, Interesting)

zappepcs (820751) | more than 5 years ago | (#22536068)

It's not just bean counters. Many businesses went into the computer services side of their business with either no knowledge of the risk, went into it before the risks were known, or simply made bad decisions. Now, they have to have the computer side of their business to compete and they are finding out what dangers lie inside Pandora's box, even as they try to put the lid back on.

Intrusion detection systems are how old? Who really is the enemy as far as the computer system can tell? If you don't know, or are not sure of the answer, you have something in common with the people that have to make decisions with the security of your financial information. I'm not saying that it's a total lost cause, but think about it, have you heard of CSO CIO or CISO? These are the guys that are supposed to make such decisions. Does your bank have any of those positions? Oh wait, is it really the bank that is fully to blame? Did your login get compromised by some software on the 'build-a-better-model-airplane' website?

Better yet, did the bank's EDI software get compromised because one of their partners has an IT guy that watches porn at work during the grueling month-end process?

The truth is that a secure system cannot trust anyone or anything. Getting to your money in a secure system will not be easy, and will be a deterrent to using computerized banking. That is just how it is. Ever since there were banks, people have been trying to rob them. Security issues should not be news. What is news is that the banks and financial institutions are reporting that they are having trouble with security in a time when just about the entire industry has been hurt by the sub-prime issue? I smell a kind of rat here.

Re:beancounters and shortcuts (2)

wbean (222522) | more than 5 years ago | (#22536988)

One thing that Chase does that might help a little bit is if you login to your online banking site from somewhere not already verified (different IP address) they will make you send an activation code to your Cell Phone or your registered account e-mail address before they will let you logon and do anything.


The trouble with this is that your IP address changes all the time when you are travelling and there are lots of parts of the world where my (international GSM) phone doesn't work.

Re:beancounters and shortcuts (1)

SleepingWaterBear (1152169) | more than 5 years ago | (#22536328)

It's worth keeping in mind that security isn't an end in and of itself. If the cost of improving security in terms of time and money is greater than the losses you're taking, it makes absolutely no sense to implement that security - which is a fact a lot of the security minded on slashdot seem oblivious to. The beancounters should be in charge of the final decisions for security since they're the ones who have the information to judge whether a security measure is worthwhile. That said, obviously the decision should be based on cost assessments made by the security people who actually know what they're doing, and if they're smart, the beancounters will listen to them.
Probably with the upswing in losses, the banks are going to be willing to cut fewer corners in security, since economically that's going to start to make sense.

Re:beancounters and shortcuts (1)

bgspence (155914) | more than 5 years ago | (#22536854)

And, the bean counters add the cost of their overhead to a $5 intrusion to bring the cost to $30k.

It's the same as a multimillion dollar bust when you figure things at 'street value' to pump your stats for the budget bean counters.

Maybe... (1)

Belial6 (794905) | more than 5 years ago | (#22535982)

Maybe if they would stop trying to force people to carry an ATM card that does not require a password, this wouldn't be such a problem.

Example of identity theft (2, Funny)

Anonymous Coward | more than 5 years ago | (#22536014)

Whoever found cos(s + t) = cos s cos t - sin s sin t didn't protect his identity and now it's all over the web. Sickening.

Re:Example of identity theft (1)

JamesRose (1062530) | more than 5 years ago | (#22536648)

Thank you so much. I have an exam tomorrow and need to remember that identity, believe it or not that was a huge amount of work.

The problem is the user, not the security (4, Insightful)

ironwill96 (736883) | more than 5 years ago | (#22536056)

The reason that these are going up is because of stupid users who see an e-mail from their bank (supposedly) that says "Alert, your account has been disabled until you login to this site and enter all of the information that we, as your bank would already know!". I think if we can focus on user education about phishing, and how banks will NEVER ask you for your username and password and account information via an e-mail, the number of fraudulent transactions would go down significantly. Since the main type listed was related to unauthorized online activity, it is because users are being stupid and giving out their username and password to phishing sites.

Now, you may say, "Just add more questions that only the user will know to their online banking logins!". The issue is, the phishers will just pull those same security questions from the banking site. I've even seen ones where they will have you do the initial login then they will login to your banking site and pass the actual security questions to you to answer, allowing them to completely bypass any security measures that your bank has setup. One thing that Chase does that might help a little bit is if you login to your online banking site from somewhere not already verified (different IP address) they will make you send an activation code to your Cell Phone or your registered account e-mail address before they will let you logon and do anything. This might help a little bit, but i'm sure the scammers will find a way around it. Also, those type of security measures are only implemented by large companies, leaving the smaller banks (and their customers) out in the cold when it comes to security.

So basically my point is, we shouldn't focus so much on network security measures as we should on user education. Network security is great, but when your users can be tricked into giving away their most personal information no amount of network security is going to protect them from themselves.
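The Chase scheme mentioned in this post and in wbean's comment above (password alone is only accepted from a source the bank has already verified; otherwise an activation code goes out of band first) is easy to state but has a few edge cases worth getting right: the code must expire, it must be bound to the source that triggered it, it must tolerate only a few guesses, and, because IP addresses change when people travel, a remembered browser token is a better second signal than the IP alone. The following is an added example, not Chase's or any bank's code, written to show that logic; the names LoginGuard, CODE_TTL and the injected send_code callback are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600        # seconds an out-of-band activation code stays valid (assumption)
MAX_CODE_TRIES = 3    # guesses allowed before the code is discarded (assumption)


def _hash(token: str) -> str:
    # Device tokens are stored hashed so a database leak does not hand out working cookies.
    return hashlib.sha256(token.encode()).hexdigest()


class LoginGuard:
    """Step-up logic: a correct password is enough only from an already verified place."""

    def __init__(self, send_code):
        # send_code(user_id, code) delivers the code out of band (SMS / registered e-mail).
        # It is injected as a callable so the logic can run and be tested offline.
        self._send_code = send_code
        self._known_ips = {}        # user_id -> set of verified source IPs
        self._device_tokens = {}    # user_id -> set of hashed browser tokens
        self._pending = {}          # user_id -> {"code", "ip", "expires_at", "tries"}
        self.events = []            # audit trail; a bank can mail these to the customer

    def _log(self, user_id, ip, what, now):
        self.events.append((now, user_id, ip, what))

    def attempt(self, user_id, password_ok, ip, now, device_token=None):
        """Returns 'denied', 'ok', or 'verify' (an activation code was sent)."""
        if not password_ok:
            self._log(user_id, ip, "bad password", now)
            return "denied"
        known_ip = ip in self._known_ips.get(user_id, set())
        known_dev = device_token is not None and \
            _hash(device_token) in self._device_tokens.get(user_id, set())
        if known_ip or known_dev:
            self._log(user_id, ip, "login", now)
            return "ok"
        code = f"{secrets.randbelow(10**6):06d}"       # 6-digit code, constructed format
        self._pending[user_id] = {"code": code, "ip": ip,
                                  "expires_at": now + CODE_TTL, "tries": 0}
        self._send_code(user_id, code)
        self._log(user_id, ip, "step-up code sent", now)
        return "verify"

    def confirm(self, user_id, code, ip, now):
        """Check the activation code. On success the IP is remembered and a fresh
        device token is returned (to be set as a cookie); otherwise None."""
        p = self._pending.get(user_id)
        if p is None or now > p["expires_at"] or ip != p["ip"]:
            # No open challenge, expired, or the code is being used from elsewhere.
            self._pending.pop(user_id, None)
            return None
        p["tries"] += 1
        if not hmac.compare_digest(p["code"], code):
            if p["tries"] >= MAX_CODE_TRIES:
                self._pending.pop(user_id)
            self._log(user_id, ip, "wrong step-up code", now)
            return None
        self._pending.pop(user_id)
        self._known_ips.setdefault(user_id, set()).add(ip)
        token = secrets.token_urlsafe(32)
        self._device_tokens.setdefault(user_id, set()).add(_hash(token))
        self._log(user_id, ip, "source verified", now)
        return token


if __name__ == "__main__":
    outbox = []
    guard = LoginGuard(lambda user, code: outbox.append((user, code)))
    print(guard.attempt("alice", True, "198.51.100.7", now=0))       # verify
    print(guard.confirm("alice", outbox[-1][1], "198.51.100.7", now=5) is not None)
    print(guard.attempt("alice", True, "198.51.100.7", now=10))      # ok
```

The device token is what keeps a travelling customer from being challenged at every new hotel network: the IP is new, but the browser is known. Note that the code itself, once sent, is a secret, which is the point TheRaven64 makes further down about anything mailed to the customer being usable by whoever can read that mailbox.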

Re:The problem is the user, not the security (1)

Creepy Crawler (680178) | more than 5 years ago | (#22536112)

Yeah, anti-phishing teaching might work, but what have you when I craft an attack that uses the "reverse unicode" character..

www.chase.com/(reverse)1.0.0.721

Hmm. Or I could even use the % code for the dots. Jumble it up even further..
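The tricks in this comment (a bidirectional-override character that makes a URL render backwards, and percent-encoded dots that hide what the host really is) are the reason mail gateways and browsers inspect links rather than trusting what the text shows. As an added example that is not part of the original thread, here is the kind of defender-side check a mail filter can run on every link: it decodes the authority, flags bidi controls, userinfo-before-@ tricks and non-ASCII hosts, and compares the host the text displays with the host the link actually targets. The hostname www.bank.example and the addresses used are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote

# Unicode bidirectional controls; any of these in a link can reorder how it renders.
BIDI_CONTROLS = set("\u200e\u200f\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069")

# Crude extraction of the host a human reads from the visible link text.
HOST_RE = re.compile(r"^(?:https?://)?([^/\s]+)", re.IGNORECASE)


def inspect_link(display_text: str, href: str, expected_host: str) -> list:
    """Return the reasons a link should be flagged; an empty list means it looks clean."""
    findings = []

    if any(ch in BIDI_CONTROLS for ch in display_text + href):
        findings.append("bidi control character")

    parts = urlsplit(href)
    netloc = parts.netloc
    if "%" in netloc:
        # Percent-escapes do not belong in the authority; show what they decode to.
        findings.append("percent-encoding in authority: " + unquote(netloc))
    if "@" in netloc:
        # Everything before '@' is userinfo; the real host is what follows it.
        findings.append("userinfo before '@' hides the real host")

    host = (parts.hostname or "").lower()
    if host != expected_host.lower():
        findings.append(f"host mismatch: {host!r} is not {expected_host!r}")
    if not host.isascii():
        findings.append("non-ASCII characters in host")

    # What the user sees may name a different host than the one the link goes to.
    match = HOST_RE.match(display_text.strip())
    if match:
        shown = match.group(1).lower().split("@")[-1].split(":")[0]
        if shown != host:
            findings.append(f"displayed host {shown!r} differs from target host {host!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample links; none of these addresses are real targets.
    for text, href in [
        ("https://www.bank.example/login", "https://www.bank.example/login"),
        ("www.bank.example", "http://www.bank.example%2e%2e@203.0.113.5/"),
        ("https://www.bank.example/login", "https://203.0.113.5/\u202egnipol"),
    ]:
        print(repr(href), "->", inspect_link(text, href, "www.bank.example") or "clean")
```

The check is deliberately conservative: every finding is a reason to show the user the decoded target host rather than the raw text, which is the mitigation that survives whatever new encoding trick comes next.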

Re:The problem is the user, not the security (1)

vertinox (846076) | more than 5 years ago | (#22536284)

[quote]I think if we can focus on user education about phishing, and how banks will NEVER ask you for your username and password and account information via an e-mail, the number of fraudulent transactions would go down significantly.[/quote]

What are the banks going to do? Send thousands if not millions of their customers to security education classes? That might cost more than the phishing attacks themselves.

It would be more prudent if banks got more hostile with large transactions and who does what with it. Obviously someone has to withdraw the money somewhere or it stays in a bank account somewhere. If a bank notices (like the article says) a $5,000 or more transaction that is unusual then there needs to be some safety checks to simply prevent that from happening and demand the money be returned or the bank holding the money or let a phisher withdraw it get punitive damages in the form of the money lost.

I personally wouldn't mind going into a bank to verify large transactions. I have never written a single check over $5,000 in my life except ones involving mortgages and I had to go to the bank for that anyways. Now, I'm sure there are people out there that do deal with that situation, but perhaps they can get special options flagged on their account so that the vast majority of persons simply have limits to direct withdraws can happen (even those initiated by the user through their own online account).

Just think of it as taking away admin rights of the bank's customers by default and if they really want to make damn sure they are who they say they are.

Re:The problem is the user, not the security (1)

gmuslera (3436) | more than 5 years ago | (#22536360)

Where must you draw the line in "user education" to make this safer?

Fake bank web sites are just one of the dangers, and not the only (main?) way to give away your login info. Trojans/keyloggers are far more dangerous, as you don't need to do anything "unsafe" like putting your id/password in an untrusted/insecure site, but identify as usual in your current safe/certified/encrypted site, and you could be giving away not just your user/password, but also where you are using them.

How do you educate an average Windows user to really avoid becoming part of a botnet, or installing trojans, given the number of ways you can become infected, or how they are disabling detection methods lately?

Re:The problem is the user, not the security (2, Interesting)

Detritus (11846) | more than 5 years ago | (#22536444)

That doesn't do a damn thing to protect people from zero-day exploits and compromised web sites that try to take advantage of vulnerabilities in users' systems. Part of not getting infected is education and keeping systems updated, but part of it is dumb luck. You can do everything right and still get infected.

I would like to see operating systems that offer the option of only executing code that has been digitally signed. Banks should give their customers authentication devices. This can be as simple as a sheet of paper with a table of authentication codes.

Re:The problem is the user, not the security (1)

porpnorber (851345) | more than 5 years ago | (#22536652)

It is very hard to believe that a bank will not ask you for a username and password via email when you know from experience that they will cold call you and ask you to authenticate with them while treating you like a complete lunatic if you ask them to prove who they are. Combined with the fact that they all want to know my mother's maiden name (something anyone could simply look up), presumably with the idea that any employee of any institution I deal with should be able to impersonate me....

Of course, there are things you can do. You can compute your 'mother's maiden name' from the name of the institution (which works until it is acquired or changes its name, which seem to happen at least annually nowadays) to prevent them sharing passwords, and you can deliberately give incorrect authenticators and listen to their reaction to find out if they really have your record in front of them. But we should not be required to stoop to such cleverness.

Here's a thing to think about: every single website that asks you for a password must be presumed to be attacking your identity. Why? Because they know that only one person in a hundred will generate a fresh random password for each site. The entire web is a distributed phishing engine. Until we are routinely running active authentication systems, with open source software, on independently tested hardware, that we own—and until the financial institutions admit that our need to authenticate them is as urgent as their to authenticate us—there's little hope.

Not because we truly need that level of paranoia to have a functioning financial system, but because we need the corresponding level of awareness. Humans are clearly not in the habit of asking themselves how other people know things.

Re:The problem is the user, not the security (1)

glitch23 (557124) | more than 5 years ago | (#22536798)

So basically my point is, we shouldn't focus so much on network security measures as we should on user education. Network security is great, but when your users can be tricked into giving away their most personal information no amount of network security is going to protect them from themselves.

User education is needed but you can only teach those who want to know or are willing to accept the responsibility once they are given knowledge. This is still part of the bigger issue of users not knowing enough about something they buy and wanting to jump right into using it (computer) without having any knowledge of it. I think we are getting to the point where it would be real nice to require users of a computer (even a home computer) to have a license to actually use it. It is getting dangerous to use one almost as much as driving a vehicle (financial losses are occurring, luckily no deaths, yet) and yet we require tests to be taken before a person can drive a vehicle. A Continuing Education exam should be used every year or so, so that the users don't get dumb again. Yeah I know, this is a pipe dream.

SPASM!! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#22536248)

PERVERTED ARSE-FUCKING LECHERY JESUS

asddj slksld sf;leaod a;ljR; asd ad df g hs a WDA FADFGDFG g ggf hdfgh dfh s dj ghsfghfgh

You asked for this (1)

JamesRose (1062530) | more than 5 years ago | (#22536570)

They tried to give you ID cards - but you wanted freedom instead. Now prepare for a long media campaign of disasters to convince you ID cards are the only option. You believe the French are cowards, you believe Castro was an evil man, you WILL believe ID cards are there to protect us.*

*When I say you, I mean the American population; even if you never believe, millions will.

Re:You asked for this (0)

Anonymous Coward | more than 6 years ago | (#22543264)

Huh? I have an ID...two of them actually, what's your frigging point?

Cheap, Good, Easy to Use Security is possible .... (1)

OldHawk777 (19923) | more than 5 years ago | (#22536654)

Cheap, Good, Easy to Use Security is possible, but who would pay for it, and who would mandate it?

Banks, Insurances, Id-Thefts, Medical, Personal, Professional ... all make or lose money in a commercially profitable way.
Silly, Id-insurance you pay for, because governments, credit companies, banks ... allow your personal information to be stolen, then blame you for all the damages. Why would government put some businesses out-of-business to prevent Id-Theft/Insurance (one of many catch-22 scams)?

The only bank/financial business to provide me a little better security structure with a cron-token has been etrade. The most frequent notices I have received indicating whoops Id-Theft of personal information have been from the government. This tells me many businesses (1) do not know when theft happens, or (2) will not tell me anything about an Id-Theft.

Id-Theft is an expensive personal problem caused by government and/or business (should be criminal) negligence. If some one uses your name, SSN, and other personal information to get a line of credit/loan, then government or business is providing approval for the theft. I live in the same house for 5 to 20 years, government and businesses/financial companies all know or can easily obtain my personal information and call or ask local/fed tax offices where I am filing. So, someone in another state using my personal information should set off all kinds of alarms/alerts.

I want a voice/bio eSig for financed financial transactions, but in the USA ... I expect it will be another 10 to 20 years, even though the Cheap, Good, Easy to Use Security "Open" technologies/platforms and "Open" standards are all available today on the commercial market (but only for governments, businesses and wealthy it appears).

Id-Theft remains a personal problem, a business write-off/tax deduction, a new business for protection services, a government responsibility abdicated to provide tax dollars for more corporate welfare, and allow whoever (including criminal) to make money off the general public. Communist-economics (exploit the worker) by any spin/name still stinks ... the USA no longer has a capitalist-economy.

Only a USA problem? (5, Informative)

25albert (874307) | more than 5 years ago | (#22536708)

Isn't this problem limited to the USA because their banks use only user/password for authentication?

I know the procedures for 5 or 6 banks in 3 different European countries, and all of them require a lot more to authenticate me.

The 3 procedures are:

* Bank 1 (the simplest, and first system I have seen, some 10 years ago).
- authenticate with user id (unrelated to name or account number) and password
- be prompted to enter a one-time number from a list which I received by postal (registered) mail (it asks for the number at row x, column y)

All other banks have long moved to something like the 2 others:

* Bank 2.
- put a special card received from the bank into a special calculator also received from the bank and enter password
- enter user id (unrelated to name or account number) on bank web site
- receive a one-time 6 digit number and type it into the special calculator
- the calculator gives an 8 or 10 alphanumeric one-time password to enter into the web form

* Bank 3.
- I can't remember the details, but as with bank 2, there is a special device and procedure to follow involving password, user id, device id and one-time numbers exchanged between the device and the bank's site.

- On top of that, the bank sends me an email every time I connect, with the date, time, the IP address from which I connected, and the money operations performed if any.
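The two European schemes described in this post (Bank 1: a posted list of one-time numbers the site asks for by row and column; Bank 2: a stand-alone calculator that turns a 6-digit challenge into an 8-character response, unlocked by a PIN) are also what houghi describes above for Belgium: something you know plus something you have, with the device never connected to the PC. As an added illustration that is not any bank's actual protocol, here are both sides of each exchange. HMAC-SHA256, the card secret, the PIN check and the 120-second challenge lifetime are assumptions standing in for whatever the real devices use.

```python
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits   # 8-char alphanumeric response


def compute_response(card_secret: bytes, challenge: str, length: int = 8) -> str:
    """Map a 6-digit challenge to a short one-time response.
    HMAC-SHA256 is an assumption standing in for the device's real algorithm."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in mac[:length])


class CardReader:
    """Bank 2: the bank-issued calculator plus card ("something you have").
    It has no link to the PC: the user types the challenge in and the response out."""

    def __init__(self, card_secret: bytes, card_pin: str):
        self._secret = card_secret
        self._pin = card_pin

    def respond(self, pin: str, challenge: str) -> str:
        # The PIN ("something you know") is checked inside the device and never sent.
        if not hmac.compare_digest(pin, self._pin):
            raise ValueError("wrong PIN")
        return compute_response(self._secret, challenge)


class BankSite:
    """Server side of both schemes. Holds what was shared at enrollment."""

    def __init__(self):
        self._cards = {}     # user_id -> card secret (Bank 2)
        self._pending = {}   # user_id -> (challenge, expires_at)
        self._tan = {}       # user_id -> (grid of one-time numbers, used cells) (Bank 1)

    # ---- Bank 2: challenge / response ------------------------------------
    def enroll_card(self, user_id: str, card_secret: bytes) -> None:
        self._cards[user_id] = card_secret

    def challenge(self, user_id: str, now: float = None, ttl: int = 120) -> str:
        now = time.time() if now is None else now
        c = f"{secrets.randbelow(10**6):06d}"          # the 6-digit one-time number
        self._pending[user_id] = (c, now + ttl)
        return c

    def login(self, user_id: str, response: str, now: float = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.pop(user_id, None)       # one attempt per challenge
        if entry is None:
            return False
        c, expires_at = entry
        if now > expires_at:
            return False
        expected = compute_response(self._cards[user_id], c)
        return hmac.compare_digest(expected, response)

    # ---- Bank 1: indexed one-time number list ----------------------------
    def enroll_tan_list(self, user_id: str, grid: list) -> None:
        self._tan[user_id] = (grid, set())

    def tan_prompt(self, user_id: str):
        """Pick an unused cell; the user is asked for the number at (row, col)."""
        grid, used = self._tan[user_id]
        unused = [(r, c) for r in range(len(grid))
                  for c in range(len(grid[0])) if (r, c) not in used]
        if not unused:
            raise RuntimeError("list exhausted; the bank must post a new one")
        return secrets.choice(unused)

    def tan_login(self, user_id: str, cell, value: str) -> bool:
        grid, used = self._tan[user_id]
        if cell in used:
            return False
        used.add(cell)                                  # burned even on a wrong answer
        row, col = cell
        return hmac.compare_digest(grid[row][col], value)


if __name__ == "__main__":
    secret = secrets.token_bytes(16)                    # constructed card secret
    bank, reader = BankSite(), CardReader(secret, "1234")
    bank.enroll_card("alice", secret)
    c = bank.challenge("alice")
    print("Bank 2 login:", bank.login("alice", reader.respond("1234", c)))
```

Two properties the code makes visible: a response is useless a second time (the challenge is popped on the first attempt, so a phisher who relays one login cannot reuse it), and a cell on the posted list is consumed whether or not the answer was right, which is what stops an attacker from probing the grid one cell at a time.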

Re:Only a USA problem? (3, Interesting)

TheRaven64 (641858) | more than 5 years ago | (#22539718)

- On top of that, the bank sends me an email every time I connect, with the date, time, the IP address from which I connected, and the money operations performed if any.
So, when I phone them up after intercepting this email, and they say 'please can you confirm the last transaction on your account' to get them to give me a new phone banking password, I'll know the answer. Actually, my US bank asked me this as a question. I didn't know the answer (that was why I was phoning them) so the helpful person told me the answer and then transferred me to someone else who would ask the same question. I was astonished, and very glad I don't keep much money in the US.

Re:Only a USA problem? (0)

Anonymous Coward | more than 6 years ago | (#22547974)

You're unknowingly referring to "two factor" authentication. See: http://www.codinghorror.com/blog/archives/000785.html [codinghorror.com]

Basically, and I can't find a reference for this right now, in the US, the laws got buggered, and "two factor" became "two password", where the second password is entered with a virtual keyboard on screen, rather than the real one. This is a farce, but is so much cheaper to implement, that voilà, that's all we've got.

How??? (0)

Anonymous Coward | more than 5 years ago | (#22537260)

Every time I read an article regarding someone hacking into a bank system or account, I always wonder... how do you take the money without being caught? I mean I can understand that for small amounts, you can probably wire it to an account you've set up with fake details. Then take cash out. But what about large amounts?

I understand that my question is a bit sensitive. Please delete if it's inappropriate for this site.

Make ssn more secure! (2, Interesting)

Tmack (593755) | more than 5 years ago | (#22537262)

The fact that simply knowing someone's SSN (for US peoples, of course) can expose them to all sorts of credit fraud is dumb. Granted, the system was created back before any of this online stuff was even imagined, but it is well overdue for a revamp. First, expand it past the 3-2-4 digit number. With the current population, 33% *should* be in active use by live people right now. Numbers are probably already being re-issued, and will soon lead to numbers being shared if it's not expanded, which will only complicate things further.

What is needed, if they want to keep the system at least a little similar, is to simply add a PIN. Keep the PIN separate, never printed, just like a PIN for a bank card. The PIN must be used for opening any account or using the SSN in any manner an ID thief might. For general use only the SSN is required, same as it is today. This alone would cut back on ID theft, as it would break the current method of "ssn + name = free$$" by requiring a PIN that only the original holder of the SSN should know, rather than requiring a simple to find number and some info that's publicly available.

Tm

Re:Make ssn more secure! (2, Insightful)

sydbarrett74 (74307) | more than 5 years ago | (#22538906)

Or how about legally forbidding use of SSN's for anything other than claiming social security benefits?

How about stock market "insider" info? (1)

ard (115977) | more than 5 years ago | (#22537480)

It's not just the banks that need to have tight security, it also applies to all companies listed on the stock market.

Scenario 1: As Company C prepares its year-end report, hacker H sniffs the CEO/CFO mail conversation and sees that market expectations will be greatly exceeded or greatly disappointing. He thereafter invests in suitable warrants and profits.

Scenario 2: If the hacker has penetrated the network well, he could seriously disrupt stock market value by releasing trade secrets, destroying servers, causing online business downtime (think amazon gone for a day), etc. Combine with an investment in warrants, and there is an easy profit.

Banks are AWOL on this (1)

xtronics (259660) | more than 5 years ago | (#22538142)

A major detail left out of the story is that payment card industry (PCI) data security standards are written to place all the burden on the merchant while the banks do nothing meaningful to upgrade the 1960s technology.

Technology exists today where every time you would use your card at a data connected store, your use number would change. The number would be visible on a super thin LCD or E-paper display on the card.

Thus every time you use your card, except on phone or web purchases, the number changes. If you choose, one could also add biometric info to the card.

The silly system in place today, makes simply copying the numbers off a card all that is needed to commit fraud.

Visa/Mastercard etc are pretty powerless, it is the banks that control the system and they don't want to make the needed investment.

Please stop using Title Case in headlines :-( (0)

Anonymous Coward | more than 5 years ago | (#22538602)

Title case makes my brain mis-parse the headlines. I don't understand who this new Saint Feel is, and why he needs to pinch intruders.

How'd they get it? (0)

Anonymous Coward | more than 6 years ago | (#22540650)

'The Post obtained a confidential report compiled by the FDIC'

Maybe they hacked into the banks' systems to get it?

Purge the net of russians, that is defence! (0)

Anonymous Coward | more than 6 years ago | (#22543814)

Wisdom follows, pay attention!

The defence is easy: no online transfers to anywhere in the former Soviet Union (the so called CIS states). No transfers to companies or persons that have slavic-sounding names. The vast majority of hackers and virus writers are russians, that is undeniable fact. No transfer to Brazil, because most of banking data stealing trojans are authored in São Paulo.

If customer wants to deal with ex-soviet or brazilian partner, kindly inform him/her to turn up in person at the counter to do the transaction and submit an attorney counter-signed waiver that he/she is aware of risks and takes full responsibility for any losses.

Any pending transfer request to people or firm hispano-sounding name should be routed to client support and the alleged sender should be called and asked to verify if he/she really wanted to do that. If you have manpower, do the same with communist china-bound transactions, because a lot of trojans are made in the PRC.

This protects the most basic right to have private property, and to be free of theft. Therefore racial discrimination is allowed, because having private property is a more basic right embedded in the Constitution, while racial issues were legislated only between 1860s to 1960s.

Let's face it, the russian hackers are as fierce in their war against USA, as the red commies of Stalin and Khrushchev were. They want to ruin you and when you are in ruins they come to occupy and rape your sisters, like they did in the Baltic and Hungary in 1945, not a single female was left intact, virgin or not. Vodka smelling ruthless barbarians. What's more there is ample proof that russian hackers are controlled by Putin's Kremlin, US DoD contractor Secure Computing Inc. recently testified for that in court.

Ideally, the former Soviet Union should be purged and cut off from the net. Online crime would drop 2/3rd that very minute according to all statistics. What do russians contribute to the net? Nothing! All we need is their oil and natural gas shipments. You don't need anything beyond a fax machine to trade with them. Purge them from the net!