Rule No 1
Don't bank on the Internets
Black hat hackers have created a new strain of Trojan that rewrites online bank statements to disguise fraud. Victims of the URLZone Trojan would only realise their bank account has been looted after they check their balance with a bank branch or via an ATM. Cybercriminals distribute the malware by booby-trapping websites ( …
Certain banks are making a push for paperless statements under the guise of increased security, convenience and the "Green" angle. Really it's to cut costs for them. This would hopefully make some people think twice. The online statements still work, but at least you know that when your account gets cleared out, you'll find out at the end of the month!
"going under the radar from the victims and banks alike," said Yuval Ben-Itzhak, CTO of Finjan. "With the combination of using sophisticated Trojans for the theft and money mules to transfer stolen money to their accounts, they minimize their chances of being detected."
Cutting out the Middleman will have Bankers Supplying the Trojan Element Direct with Slush Finance to Usurp and Vanquish/Trump Disruptive Trojan Actions with ReAlignments and ReAssignments in HyperRadioProActive IT and NEUKlearer Energy...... IntelAIgent Server Provisions for Special Supply Services. And Virtual TelePortation of Magic Credit and Currency to the Full Orchestral Tune of Toxic Asset Waste, would be their Honey Pot Unlimited/DELimited Money Supply Source, which makes IT Filthy Rich and Well Endowed with Perfect Tools and Flight Manuals for Sublime Operational Sorties.
cc Threadneedle Street, formerly known for something completely different and reactionary and hexplosive.....[so sayeth Wiki]
And I suppose this is better of my chest too ..... Go with the Flow in a Banking Tsunami or Perish against Obstructions and Immoveable Objects/Monumental Relics is Sound Clear MetaDataPhysical Advice for Practical Observation/Personal Realisation/Self Actualisation in Virtual Reality Spaces/Parallel Thought Dimensions with Controlled Actuality via Shared Input and Output Maximising Throughput and BreakThrough to the Magical Bridge of Psis for ITs View of Heavens with Perfumed Gardens of Mythical and Mystical Beings. Nymphs and Satyrs of Delight Delivering AforeSight with the Passion of their Being Phormed and BroadBandCasting .....EMPLoding for Irregular and Unconventional Duties/ESPecial Ops and AIMissions IMPertinent.
Ah Yes, That feels a lot Better. Ok, where were/are we? :-)WTFAWe?!.
One of the banks I deal with has as part of its logon procedure the need to supply a one-time key issued by a display device, so that only I (or at least someone in physical possession of the device) can log in. The only way that this can be improved is if the device were USB connected and was automatically interrogated every time any payment was scheduled/made. This would require that a Trojan infection work in real time, since exposure of the UserID/Password for later use would not work.
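As an added illustration of the one-time-key device described above (this is example code, not any poster's or any bank's real implementation): a display device of that kind typically generates an event-based one-time password from a shared secret and a counter, as in RFC 4226 HOTP. The server tracks the last counter it accepted and refuses anything at or below it, so a code captured by a keylogger is useless once the legitimate login has consumed it. The secret below is the RFC 4226 test key, used here purely as constructed demo data.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (the RFC 4226 test key "12345678901234567890").
# In a real deployment the secret lives only in the display device and the
# bank's back end; the value here is an assumption for the example.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password as specified in RFC 4226."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class BankVerifier:
    """Server side of the scheme: remembers the highest counter accepted for
    this device and only accepts codes from a small look-ahead window above
    it, so a previously used code can never be replayed."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, submitted: str) -> bool:
        start = self.last_counter + 1
        for counter in range(start, start + self.window):
            # Constant-time comparison so the verifier does not leak
            # how many leading digits matched.
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    device_counter = 0
    bank = BankVerifier(DEMO_SECRET)
    code = hotp(DEMO_SECRET, device_counter)          # what the display shows
    print("first use accepted:", bank.verify(code))   # True
    print("replay accepted:   ", bank.verify(code))   # False
```

The look-ahead window is what tolerates a user pressing the device's button a few times without logging in; the replay rejection is the property the comment above relies on, namely that a stolen code is only worth something to an attacker who can use it before the legitimate user does.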
It's called a strike list, and has been the default for every Swiss bank until now.
At present a number are making the switch to solutions like mTAN (mobile Transaction Authorisation Number - you get an SMS with transaction details and confirmation code) or other stuff like the AXSionics Internet Passport (only one bank AFAIK, it's a bit more sophisticated to set up). The main idea is to confirm transactions out of band, which means hackers will have to control two different sets of communication at the same time.
This is where the whole story about second-hand Nokia 1100s being expensive came from: it has been alleged they're easy to reprogram, thus allowing the receipt of the mTAN SMS. I'm not convinced, because it (a) requires knowing a lot about the user (well, OK; easy in the UK, just find the nearest gov-provided CD) and (b) requires very precise, targeted manipulation. The return on investment of something like that strikes me as too low.
It remains a war..
On-line banking is pretty good: the userid is easy enough to get, but PIN number and password are entered as 3 digits of each, randomly requested and in a random order (basically, you'd need to be logging the whole page for a while to ensure you got the whole thing).
Once in, they can look at whatever they like and can even transfer money, but only to people already set up on the system. To add a new recipient, you also need a little calculator-looking thing and your Maestro card.
There may be a way round it, but simply hacking my PC's web access ain't gonna do it.
>command and control server hosted in the Ukraine.<
Start bombing the country until the government finds those responsible and hands them over to the international community who can then put them in stocks and let people pelt them with rotten fruit - and cut their hands off (and tongue so they can't use Dragon Dictate) humanely of course.
>Do we have to stop internet banking completely now? Or shall I install a linux machine at home solely for banking purposes?<
Heh, that's exactly what I've done, Ubuntu at the office (about to try my luck with Wine and Dreamweaver - only win program I can't find decent Linux replacement for), Windows at home for surfing and games only (still running Bitdefender and weekly Malwarebytes scans).
Obvious paragraph warning: Also, change all financial passwords regularly (inc. eBay, PayPal etc.) and use different passwords for each, not saved in the browser (if you must keep a record, have a physical copy of random words in your wallet, not like a customer of mine who had a text file on her desktop called passwords.txt). Check your funds on a regular basis, not just online but by physical checks and/or telephony, and never ever click on links in emails or surf with NoScript. None of these are 100%, but every little helps.
But in reality, the situation is becoming untenable and banks need to reassess their security protocols. I'd rather have it be a pain logging into financial transactions and feel safe than sail straight into an account knowing Blackhats can do so as well.
@ A man from Mars: Are you saying this is all the banks doing? I hope not because that would mean I've begun to understand you and should probably commit myself immediately. <smiley>
One-time pads (strike lists?) are all very good, as is challenge/response hardware, and they do take the fight to the next level, but I've yet to see a solution to a man-in-the-middle attack. This is where the user is redirected to a fake bank website which simulates whatever they are trying to do, but actually passes auth from the real website to the end user; instead of doing what the user wants, it syphons their account dry.
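Added example tying the mTAN description earlier in the thread to the man-in-the-middle worry above (example code, not any poster's or any bank's real scheme). The defence against a site that relays a user's session and rewrites the transfer is to bind the confirmation code to the transaction details as the bank actually received them, and to show those same details in the SMS. The per-customer key, account numbers and amounts below are constructed demo values; the field layout and the `customer_accepts` check are assumptions for the example.

```python
import hashlib
import hmac

# Constructed per-customer key shared between the bank's back end and its
# SMS signer; an assumption for the example, not a real provisioning scheme.
CUSTOMER_KEY = b"constructed-demo-key-do-not-reuse"

FIELDS = ("from", "to", "amount", "currency", "nonce")


def canonical(tx: dict) -> bytes:
    """Fixed field order so the issuing and verifying sides hash identical bytes.
    The bank supplies the nonce, so a code cannot be replayed for a second
    transfer with the same payee and amount."""
    return "|".join(str(tx[k]) for k in FIELDS).encode()


def issue_mtan(key: bytes, tx: dict, digits: int = 6):
    """Bank side: derive the code from the transaction the bank sees, and
    build the SMS text that shows the customer exactly those details."""
    digest = hmac.new(key, canonical(tx), hashlib.sha256).digest()
    code = str(int.from_bytes(digest[:4], "big") % 10 ** digits).zfill(digits)
    sms = (f"Confirm transfer of {tx['amount']} {tx['currency']} "
           f"to {tx['to']} with code {code}")
    return code, sms


def verify_mtan(key: bytes, tx: dict, submitted: str) -> bool:
    expected, _ = issue_mtan(key, tx)
    return hmac.compare_digest(expected, submitted)


def customer_accepts(sms: str, intended: dict) -> bool:
    """The out-of-band control only works if the customer compares the SMS
    against what they meant to send. This models a customer who does."""
    return (intended["to"] in sms
            and f" {intended['amount']} {intended['currency']} " in sms)


def simulate_relay_attack(intended: dict, substituted: dict) -> dict:
    """The relaying site forwards the user's session but submits `substituted`
    to the bank. The bank binds the code to what it received."""
    code, sms = issue_mtan(CUSTOMER_KEY, substituted)
    return {
        # The code the bank issued is valid only for the transaction it saw.
        "code_valid_for_substituted": verify_mtan(CUSTOMER_KEY, substituted, code),
        "code_valid_for_intended": verify_mtan(CUSTOMER_KEY, intended, code),
        # Whether an attentive customer would spot the swapped payee/amount.
        "customer_spots_it": not customer_accepts(sms, intended),
    }


if __name__ == "__main__":
    # Constructed sample transactions.
    intended = {"from": "CH00-DEMO-CUSTOMER", "to": "CH00-DEMO-FRIEND",
                "amount": 100, "currency": "CHF", "nonce": "a1b2c3d4"}
    substituted = dict(intended, to="CH00-DEMO-MULE", amount=4900)
    print(simulate_relay_attack(intended, substituted))
```

The result makes the real limit of the scheme visible: the bank's code is perfectly valid for the substituted transfer, so the HMAC alone stops nothing. What stops the fraud is the customer reading the payee and amount in the SMS and declining to type the code, which is why the confirmation message has to carry the transaction details rather than just a number.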