Password reuse bot steals creds from weak sites, logs in to banks

The perils of password re-use have been laid bare with the discovery of a botnet dedicated to finding account credentials on websites and testing the logins it finds on banks. The work is clever since it avoids tripping botnet detection and brute force rate limiters in place at most security-savvy banks, but absent across the …

  1. Anonymous Coward

    When does a website specifically tell a user not to re-use the password when creating an account or updating a password?

    I can't think of any unless I just didn't bother reading it.

    1. This post has been deleted by its author

    2. Anonymous Coward

      When does a website specifically tell a user not to re-use the password when creating an account or updating a password?

      You do have a point, actually, because usually the account creation form is baked into the system and not easy to change. I must do some digging in WP and Joomla to see what I can do there - at present I don't run sites where others can log in, and all of them run SSL and two-factor, but it is on the cards in the next few months so I might as well start looking into this.

      Actually, not for WP - I'm not even sure we'll continue with that platform. We have it running on FreeBSD and changed the admin URL, which seems to confuse the heck out of script kiddies, but I have already seen the "long, slow burn" variety of probes on test sites we didn't publish - you can see in the 404 log the idiots hitting a server 50 or so times in a second with the same query (which is the very definition of insanity), but intermingled with that is steady automated plodding through known vulnerabilities at about 1 a minute or less - only when you sort the server logs do you see just how much they have been trying.

      The good news is that this creates some certainty around an IP address not being up to much good, so I'll have to cook up a way to auto-blacklist those, maybe even permanently. Maybe we'll just keep a couple of WP sites around to act as an early warning system :).
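The "sort the 404 log" exercise the comment above describes, written out as an added example (this is not code from the commenter or from The Register): it parses combined-format access-log lines, keeps only 404s per client IP, and separates the burst pattern (dozens of hits inside one second) from the slow-burn pattern (a few hits spread over minutes) so both can be fed to a deny list. The log lines, TEST-NET addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined access-log line; only client IP, timestamp and status are captured.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')

def parse_404s(lines):
    """Return {ip: [timestamps]} for every request that got a 404."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("status") == "404":
            ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
            hits[m.group("ip")].append(ts)
    return hits

def classify(hits, burst_per_sec=20, slow_min_hits=5, slow_min_span=120):
    """Label an IP 'burst', 'slow-burn' or None (probably a benign missing asset)."""
    labels = {}
    for ip, stamps in hits.items():
        stamps.sort()
        per_second = defaultdict(int)
        for t in stamps:
            per_second[t.replace(microsecond=0)] += 1
        span = (stamps[-1] - stamps[0]).total_seconds()
        if max(per_second.values()) >= burst_per_sec:
            labels[ip] = "burst"
        elif len(stamps) >= slow_min_hits and span >= slow_min_span:
            labels[ip] = "slow-burn"
        else:
            labels[ip] = None
    return labels

def blacklist_candidates(lines):
    """IPs worth feeding to a firewall deny list: anything classify() flagged."""
    return sorted(ip for ip, lbl in classify(parse_404s(lines)).items() if lbl)

def _line(ip, ts, path):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 404 169 "-" "Mozilla/5.0"'

# Constructed sample log (TEST-NET addresses, not real traffic): one IP hammering the
# same URL 25 times in a second, one probing a new path every minute, one browser
# merely missing a favicon.
SAMPLE_LOG = (
    [_line("198.51.100.7", "12/Jun/2016:10:00:01 +0000", "/?p=1") for _ in range(25)]
    + [_line("203.0.113.9", f"12/Jun/2016:10:{m:02d}:30 +0000", p) for m, p in
       enumerate(["/admin/", "/backup/", "/old/", "/test/", "/setup/", "/install/"])]
    + [_line("192.0.2.5", "12/Jun/2016:10:03:07 +0000", "/favicon.ico")]
)
```

The thresholds are deliberately loose; tune them against a week of your own logs before wiring the output into a permanent block, since a single legitimate crawler can look like a slow burn.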

    3. Muscleguy

      Fruity

      Apple do it. Very annoying when yet again the password I know I saved no longer works and I have to vary it during the password reset.

  2. Anonymous Coward

    If you use Online Banking you get what you deserve

    TFTFY.

    1. Anonymous Coward

      Re: If you use Online Banking you get what you deserve

      Being almost totally disabled, to get to the bank requires that I set aside five hours in addition to the actual transaction time due to the way HandyRide operates. Given that, the only time I actually suffer the waits involved is on payday. Online banking is rather nice.

      Sadly, my least secure password is due to stupid length and character requirements of my bank. I do keep a very close eye on those accounts. Oh, and no, changing banks is not an option.

    2. Alister

      Re: If you use Online Banking you get what you deserve

      Actually, my online banking login requires knowledge of a numeric banking ID, a passphrase, and a uniquely generated passcode using a hardware dongle, so username + password from another site isn't going to get anyone very far.

      1. Valeyard

        Re: If you use Online Banking you get what you deserve

        Both my banks have that too. I'm just wondering what frigging bank needs only a username and password?!

        And it's not likely to be an email address for the username, so what use is a password anyway?

        1. Cuddles

          Re: If you use Online Banking you get what you deserve

          "I'm just wondering what frigging bank needs only a username and password?!"

          Santander and Co-op, to name the two that I know of. Santander actually needs two passwords (a 5 digit PIN and an actual password), but I really hope they don't think that's what two factor authentication means. Co-op needs a password and the answer to one of 5 or so "secret" questions. They also both give you a username rather than allowing you to choose one (Santander is a string of numbers, Co-op uses your account details). So it's not quite as bad as it sounds, since although they both just have username/password combinations with no two factor security, neither should be vulnerable to credentials scraped from other sites.

          Edit: Also worth noting that both do use two factor authentication for setting up new transactions, so even if someone manages to get in and see my accounts, the worst they'd be able to do would be give money to someone I've paid before, they wouldn't be able to steal it for themselves.

        2. Anonymous Coward

          Re: If you use Online Banking you get what you deserve

          Capital One online credit card servicing requires just your username and 3 randomly-selected characters from your password, not the whole password. Which means if an intruder uses something like a "top-100 most common passwords" list he can eliminate multiples from the list for every 3-character guess he tries. I'm not sure they could make it any easier to brute force. Oh yes, if you tick the "remember me" box your username gets stored plaintext in a cookie.

          1. Michael H.F. Wilkinson

            Re: If you use Online Banking you get what you deserve

            If my bank used username/password authentication I would take my money elsewhere. I do reuse passwords, but only on sites that are not important.

            Like the Reg

      2. Keith Oborn

        Re: If you use Online Banking you get what you deserve

        Indeed. After the LinkedIn thing the other day I've been reviewing and changing passwords, and I must admit I have *never* found an online finance application of any sort that doesn't require "three factor" authentication, with one of the three being either "enter 3 randomly selected characters from factor 3" or "enter the one time code on the (RSA) dongle".

        Telco billing sites (BT, Vodafone) now seem to use SMS verification codes, and Lloyds does this for verification of transfers, so for that specific, and most dangerous, online banking action they are effectively requiring four factors, one of which is possession of the relevant mobile SIM.

        So on that basis I reckoned that my bank sites were the least likely to get hacked by password guessing.

        Of course, because El Reg only uses username/password, you have no way of knowing this is me ;-)

  3. Michael Habel

    OK, let's assume someone could get into my account. What good could they do with it, when they still need the physical Chip & PIN card + an external card reader to generate the correct (RNG) TAN, which will be needed to complete any transaction?

    It's also down to the same limitation as to why I haven't done any on-line banking in yonks, since I obviously never invested the 60€+ needed in such a device.

    1. The Boojum

      Ok lets assume someone could get into my account. What good could they do with it,

      Well, they could pay off my overdraft, but that's about it. Anything else requires an effectively positive balance.

    2. Dale 3

      What good could they do with it

      Ok lets assume someone could get into my account. What good could they do with it

      Jeremy Clarkson had a similar thought when he published his bank account number and sort code in his newspaper column. Some joker quickly signed him up for a direct debit to a charity. Just because you can't think of something, it doesn't mean another person can't either. There's a lot more information than just account numbers available to someone who can get into your account.

      1. VBF

        Re: What good could they do with it

        Trouble with that is, your account number and sort code are sort of "out there" anyway. Any organisation with whom you've ever signed a Direct Debit, or anyone to whom you've ever sent a cheque, has those details.

        The thing with DDs is that the Direct Debit Guarantee https://www.directdebit.co.uk/DirectDebitExplained/pages/directdebitguarantee.aspx should, in theory, offer some protection. That assumes that you check your account details regularly!

      2. johnaaronrose

        Re: What good could they do with it

        How did the joker obtain his password/passcode?

  4. el_oscuro

    Obligatory XKCD

    So this guy is writing bots now?

  5. Anonymous Coward

    Remediation and mitigation

    It is now time to do that chore you have been putting off for so long:

    1) List all the websites and accounts you use which require a password

    2) Assess their risk to your general wellbeing, if compromised

    3) Assess the probability of their being compromised (seems to be rising)

    4) Start changing all your passwords to new, unique passwords (starting with the high risk, high probability accounts)

    5) Lather, rinse, repeat. You might even unsubscribe from a few dodgy sites along the way.

    And surf wisely, grasshopper. Always remember that security is a journey, not a destination.

    1. Anonymous Coward

      Re: It is now time to do that chore you have been putting off for so long:

      For some of us.

      For others (raises hand) we practically invented hacking, and so are preternaturally aware of the basic risks (which are the same as always).

      If you have a friend who always uses the "wrong" password when logging in or using an ATM, that's what they are doing...
