How the Eurograbber Attack Stole 36M Euros
Orome1 writes "Check Point has revealed how a sophisticated malware attack was used to steal an estimated €36 million from over 30,000 customers of over 30 banks in Italy, Spain, Germany and Holland over summer this year. The theft used malware to target the PCs and mobile devices of banking customers (PDF). The attack also took advantage of SMS messages used by banks as part of customers' secure login and authentication process. The attack infected both corporate and private banking users, performing automatic transfers that varied from €500 to €250,000 each to accounts spread across Europe."
SMS for Security (Score:5, Interesting)
whoever thought that was a good idea deserves a special hell.
sure, let's rely on the most stolen personal object as a security measure, what could possibly go wrong?
Re: (Score:3)
You've obviously never dealt with banks.
They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.
Re: (Score:3)
You've obviously never dealt with banks.
They have some pretty shitty concepts of digital security. Try all your personal details (everything needed to steal your identity) sent in the clear (or on PDF) over email as practice.
You're overgeneralizing. This never ever happened to me. There are obviously different banks out there. Whenever any bank sends me an email, they mention my name, nothing else. Not even the account number. They don't even send me the URL of their secure web site. It would look suspicious (to me, at least) if they did.
Any sensitive stuff comes either by snail mail (like TANs; this is apparently where other banks save money), or I download it actively from their site.
Re: (Score:2)
Try getting a mortgage.
I dealt with several major banks here in the US, and ALL of them figured that this was a "good idea".
Re: (Score:2)
in the US
<jamiewyneman>There's yer problem!</jamiewyneman>
Most UK banks tend to have halfway-sane privacy procedures.
Re: (Score:3)
Boy is this the truth. My mortgage banker (and her company) were so ignorant of the risks of what they were doing that they couldn't comprehend why I was being such a difficult customer. I offered to come in and do some 'pro bono' security consulting for them after the deal closed but they had no interest.
Don't hold your breath expecting changes anytime soon either. After talking to quite a few people in the industry I'm learning that 99.999% of their customers just don't care. They (sign and) send what
Re: (Score:1)
You're undergeneralizing.
Hardly anyone gets security (Score:2)
If it's not obvious, the above is actually no more secure than emailing the unencrypted document (since you effectively get that in a single message only with a bit of time to waste at both ends), and far less so if the person reuses passwords.
1999 called and said have a filter that works (Score:2)
I really don't understand why some software vendors think they can trust criminals to nicely use standard file extensions, and also why they are locking out one of the most useful formats for tran
Re: (Score:1)
Someone stealing your phone would still need login and password info to the bank.
The sms security is actually quite a good idea which is both secure and convenient, and things usually don't go wrong.
If you read the article maybe you'd know that the problem was users getting duped into both installing a trojan on their phone and computer.
Re:SMS for Security (Score:5, Interesting)
Unless the thief gets both the phone and online-banking user-id, password and single-use key-lists the phone won't help them any. Unless the implementation in question is severely broken, the phone/SMS acts only as an extra factor in authentication. How it works for me for example is I log on the online banking site, authenticate with extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling to enter n:th number on my keylist on the online banking site.
Now I'm no fan of the SMS-authentication, mostly because it makes things too slow, but one has to admit it increases security. Only way I am screwed is if I keep my user-id, password, key-list and phone at the same place, and then I would be screwed whether there were SMS authentication or not.
Of course, it's already possible to buy all kinds of services and rake up phone-bills with a mobile phone, so it's a bad idea to lose one either way. Not too long ago some thief stole a mobile phone, used it to buy every bottle in a soft-drink vending machine, poured the bottles empty and returned the empty bottles for the bottle recycling fee. He sure didn't make a lot per hour, but the point is there already exist actual security issues with SMS that have nothing to do with banks.
Re: (Score:2)
How it works for me for example is I log on the online banking site, authenticate with extra-long user-id (which in itself acts as a password), a pin I've memorized, and check a number from a key-list just to log on. If I try to transfer money, they will send an SMS to my phone telling to enter n:th number on my keylist on the online banking site.
This is indeed secure - but a static predistributed key-list is a major pain. You always need to have access to it, before you can do anything. So, you can do Internet banking, but only from home (or where you store your key-list).
Re: (Score:2)
whoever thought that was a good idea deserves a special hell.
It's not a good idea, but it's still an improvement over letting users choose their own passwords.
Giving the users something better like a OTP dongle or a challenge response system that uses their bank cards is expensive and users won't understand it.
Re: (Score:2)
whoever thought that was a good idea deserves a special hell.
sure, let's rely on the most stolen personal object as a security measure, what could possibly go wrong?
Well, the problem here is not that it's stolen, it's that the phones are being compromised.
SMS for security was a great idea when the phones were dumb.
And to reply to your point, while it's true that phones are often stolen, the fact is also immediately noticed, so the SIM cards are cancelled and replaced. Compare that to, for example, one of those cards with a grid of numbers (please enter number E4...). If I took one from your wallet (and nothing else) you probably wouldn't notice until it was too late.
Re: (Score:1)
Actually this is a pretty good way to do two factor authentication. In theory, you need possession of the login credentials as well as possession of the phone to do the transaction.
RSA SecureID with the "number that changes once a minute" is another two factor authentication system that is in wide use, and if I understand the attack vector would be just as easy to compromise with a trojan in the PC. Just have the Banks WWW site ask for the securID token for some innocuous thing (sync the securID for examp
Re: (Score:3)
I have to wonder where you're living that you consider Europe high-crime. In particular, the US always comes near the top on any crime rate surveys. Specifically, with the exception of Belgium and Spain, the rest of Europe is virtually safe: http://www.civitas.org.uk/crime/crime_stats_oecdjan2012.pdf Certainly it's also true a small town will be safer than a big city anywhere on this account.
More than that I'm wondering what's your point with the cheap phone. It won't help any if your phone gets stolen. I suppos
RSA Security tokens compromised (Score:1)
Sadly the earlier second token system was compromised by some damn carelessness at RSA:
http://www.wired.com/threatlevel/2011/06/rsa-replaces-securid-tokens/
Re: (Score:2)
Some 2 months ago Danish Jyskebank had their authentication system breached by means of a Java vulnerability so for a weekend they shut down their system for updates.
When they came back up you only noticed the log-in applet was not showing, it required a call to the bank to be told you needed to update to the latest version of Java.
Then after log in they show links to documents explaining the changes, in Adobe pdf and Flash...
Also no
Re: (Score:2)
I was offered 2 online-banking systems while I still lived in DK.
Both turned out to use known-flawed Java 1.1 (or 1.2?) security routines.
When I asked the banks, I was told "We know nothing about this computer thing, try our provider" (scary)
When I asked one of the provider, I was told that, yes, they know it is flawed, but if they use anything more secure it will be too much work for people to log in (hint: Windows, at the time, came with the flawed version of Java).
Since then I've flat-out refused to use
Just look at the "paper" trail (Score:3)
Re: (Score:1)
You are missing the obvious "fiscal paradise" (not to confuse with corporate havens, though closely related) part of any good big moneytaking. Transfers to places like the Cayman Islands mean they won't get the name of the owner.
For those who don't know what I'm talking about, check the Wikipedia article on Offshore bank.
Is the compromised PC necessary? (Score:5, Interesting)
When the user visits a banking website, it probably has the username, password, bank url from the key logging. It adds javascript to the web page dished out by the bank asking for the mobile device number. But this javascript phones home dumping the info to the attacker.
Then the attacker sends in a trojan to the mobile device. User installs a trojan in the mobile device. Technically mobile device is not hacked. User is tricked into installing a software. At this point there is no security left. The attacker can do anything.
Now, the attacker can just send the trojan to the mobile device directly, but it would be difficult to persuade the user to install it. All the compromised PC is doing is giving account numbers, and details about the last few transactions etc., to make it look authentic. But if such info is available from other sources, or if not all that much is needed to persuade the user to install that trojan, it is game over. The key to the whole thing is sneaking the trojan into the mobile device without arousing the suspicion of the user.
Re: (Score:2)
They need the user ID and password from the PC. They only need this once, though, as it doesn't change.
There are mobile apps for banking that only require a password (sometimes limited to a numeric code, gah!), but those are often limited in their functionality, for any sane bank
Dumb users (Score:2)
I RTFA and while the whole system is quite sophisticated with keylogging trojans etc, in the end it works on the few dumb users who will press an SMS link that says "To install the free cryptographic software on your phone, use this link".
Clicking a link on an unsolicited message and especially one that contains the words "Install" and "Free" means you should not own a smartphone, and probably neither a PC with a browser or email client.
In the end all that hard work from fraudsters gave them access to the m
Re: (Score:2)
The problem is that your bank-verificator does not include all transaction-critical data (all amounts, all bankaccounts) when signing a transaction. Until then a man in the middle attack is possible. Never trust your computer.
Re: (Score:1)
I might qualify for this stupid (dumb user), although I tend to be more paranoid than the average person. My bank does not use this type of stuff but I guess that is not the point. I can see how someone might be "dumb enough".
As far as I understood, you need to log in to your online banking through your PC. There you get the question asking for your mobile phone number etc. This is inside your standard banking application you just logged in to and have learned to trust. Now, after giving your phone number i
Re: (Score:2)
Not that dumb, actually:
Before even considering their cell phones, victims' computers are infected (by way of a drive-by exploit kit, e.g. Blackhole) with a variant of the ZeuS trojan. Upon their next log in at their e-banking site, ZeuS injects HTML and JavaScript into their browser. In this case, it'll inject a prompt for the victim's phone number and operating system. Since that prompt is shown within the (trusted) e-banking application, green address bar and all, it may look somewhat legitimate.
Only aft
Crypto challenge using amount and bank account (Score:1)
Belgium doesn't seem to appear on the list: we're quite a small country but at least our banks seems to take security a bit more seriously.
Here you MUST enter both the amount and the bank account number of the recipient as part of a cryptographic challenge: you need a special device (every customer gets one and they're all identical) into which you put your bank card and enter your PIN a first time.
If you're wiring to a new account (one you never wired any money to) or if you're wiring an important sum (ev
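The two comments above (the "bank-verificator does not include all transaction-critical data" point and the Belgian card-reader scheme that makes you type the amount and recipient account into the challenge) describe the same defence: the authorisation code must be computed over the transaction the customer actually sees, not just over a secret and a counter. The following is an added example, not code from the thread or from any bank, showing why. It contrasts a plain HOTP-style code (RFC 4226 truncation, secret plus counter only) with a code whose MAC also covers the recipient and amount. The shared secret, the IBAN strings and the amounts are constructed values; the `Transfer` type, `unbound_otp`, `transaction_code` and the `bank_accepts_*` helpers are names chosen for this example.

```python
"""Transaction-bound authorisation codes versus unbound one-time codes.

Constructed example: the secret, IBANs and amounts below are made up, and the
function names are this example's own, not any bank's protocol.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    recipient_iban: str   # constructed IBAN-like string
    amount_cents: int     # integer cents, so no float rounding in the MAC input


def _truncate(mac: bytes, digits: int = 8) -> str:
    """RFC 4226 dynamic truncation: reduce an HMAC to a short decimal code."""
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def unbound_otp(secret: bytes, counter: int) -> str:
    """HOTP-style code: depends only on the shared secret and a counter.

    Whatever the customer believes they are authorising, the code is the same,
    so a man-in-the-browser that swaps the transaction can reuse it unchanged.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    return _truncate(mac)


def transaction_code(secret: bytes, transfer: Transfer, counter: int) -> str:
    """Bound code: the MAC covers counter, recipient and amount.

    The IBAN is length-prefixed so that (iban, amount) pairs encode unambiguously.
    """
    iban = transfer.recipient_iban.encode("ascii")
    msg = (struct.pack(">Q", counter)
           + struct.pack(">H", len(iban)) + iban
           + struct.pack(">Q", transfer.amount_cents))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac)


def bank_accepts_unbound(secret: bytes, counter: int,
                         received: Transfer, code_entered: str) -> bool:
    """The bank can only recompute secret+counter; `received` plays no role."""
    return hmac.compare_digest(unbound_otp(secret, counter), code_entered)


def bank_accepts_bound(secret: bytes, counter: int,
                       received: Transfer, code_entered: str) -> bool:
    """The bank recomputes the code over the transfer it actually received."""
    return hmac.compare_digest(transaction_code(secret, received, counter),
                               code_entered)


def demo() -> dict:
    """Replay the man-in-the-browser scenario from the article against both schemes."""
    secret = b"constructed-shared-secret-not-a-real-key"
    counter = 7
    # What the customer sees on their (trusted) signing device and approves.
    intended = Transfer("DE00000000000000000000", 50_00)
    # What malware on the PC substitutes in the request that reaches the bank.
    altered = Transfer("XX99999999999999999999", 250_000_00)

    # The customer's device computes a code for the transaction it displays.
    otp = unbound_otp(secret, counter)
    bound = transaction_code(secret, intended, counter)

    return {
        # Unbound code: the bank verifies it against the altered transfer and it passes.
        "unbound_accepts_altered": bank_accepts_unbound(secret, counter, altered, otp),
        # Bound code: the genuine transfer verifies...
        "bound_accepts_intended": bank_accepts_bound(secret, counter, intended, bound),
        # ...and the substituted one does not, because recipient and amount differ.
        "bound_rejects_altered": not bank_accepts_bound(secret, counter, altered, bound),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point is that the bound code is only as good as the channel on which the customer reads the recipient and amount: the Belgian reader works because those values are typed into a device the PC cannot tamper with, and an SMS carrying the transaction details serves the same purpose only while the phone itself is not compromised, which is exactly the link Eurograbber broke.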
No electronic access option (Score:2)
I wish that there were a way to tell your bank that all electronic access is to be essentially read-only. I would like to make my bank login only allow viewing account balances and transferring money among that bank's accounts, and not even allowing seeing a full account number. For anything else, I can go into a physical branch.
Such a scheme would reduce attacks to someone annoying me by emptying my checking account into my savings account, causing overdrafts. A lot better than someone stealing my money
What raises a red flag... (Score:2)
...is WTF the bank app would need to install *ANYTHING* on their phone. SMS is supposed to work on my "dumb" Nokia 6015i http://www.cellphones.ca/cell-phones/nokia-6015i/ [cellphones.ca] I can't install stuff on it. The whole point of SMS authentication is that you use a separate device (cellphone) to authenticate a transaction entered on your PC. Of course, the people who do their banking via mobile phone apps have zilch security.