Comments on: Hackers Steal $150,000 from Mich. Insurance Firm http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/ In-depth security news and investigation Sat, 11 Feb 2012 19:29:31 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: life insurance provider http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-7091 life insurance provider Fri, 25 Jun 2010 05:38:05 +0000 http://www.krebsonsecurity.com/?p=1087#comment-7091 Good luck getting people behind this one.  Though you make some VERY fascinating points, you are going to have to do more than bring up a few things that may be different than what we ve already heard.  What are trying to say here?  What do you want us to think?  It seems like you cant really get behind a unique thought.  Anyway, that's just my opinion. Good luck getting people behind this one.  Though you make some VERY fascinating points, you are going to have to do more than bring up a few things that may be different than what we ve already heard.  What are trying to say here?  What do you want us to think?  It seems like you cant really get behind a unique thought.  Anyway, that’s just my opinion.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: Cris http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-2560 Cris Tue, 23 Feb 2010 12:04:15 +0000 http://www.krebsonsecurity.com/?p=1087#comment-2560 In Spain, I work with a bank called "la Caixa". You have a username/password plus a second password. Every time you make a transaction that is noy just a query, asks for the second password. How does the second password work? There are two ways: - a card with 40 four-digit numbers, it asks for one of them - a numeric random password you get at your phone There is a virtual keyboard on-screen that is different everytime, and you have to use your mouse to point-and-click over the virtual keyboard to enter that number. It is not annoying at all, asking that second pin everytime. In Spain, I work with a bank called “la Caixa”. You have a username/password plus a second password. Every time you make a transaction that is noy just a query, asks for the second password.
How does the second password work? There are two ways:
- a card with 40 four-digit numbers, it asks for one of them
- a numeric random password you get at your phone
There is a virtual keyboard on-screen that is different everytime, and you have to use your mouse to point-and-click over the virtual keyboard to enter that number.
It is not annoying at all, asking that second pin everytime.

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: The Italian Honey Project » Zeus Steal $150,000 from insurance inc. http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-2552 The Italian Honey Project » Zeus Steal $150,000 from insurance inc. Tue, 23 Feb 2010 08:57:22 +0000 http://www.krebsonsecurity.com/?p=1087#comment-2552 [...] via Hackers Steal $150,000 from Mich. Insurance Firm — Krebs on Security. [...] [...] via Hackers Steal $150,000 from Mich. Insurance Firm — Krebs on Security. [...]

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: IT Firm Loses $100,000 to Online Bank Fraud — Krebs on Security http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-2546 IT Firm Loses $100,000 to Online Bank Fraud — Krebs on Security Tue, 23 Feb 2010 06:08:38 +0000 http://www.krebsonsecurity.com/?p=1087#comment-2546 [...] week, I wrote about criminals using ZeuS to siphon roughly $150,000 from a Michigan insurance company. The attackers in that case sent the money to 15 people across the United States that had no prior [...] [...] week, I wrote about criminals using ZeuS to siphon roughly $150,000 from a Michigan insurance company. The attackers in that case sent the money to 15 people across the United States that had no prior [...]

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: David Stillwell http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-2544 David Stillwell Tue, 23 Feb 2010 04:54:27 +0000 http://www.krebsonsecurity.com/?p=1087#comment-2544 One thing is certain, no one is afraid of getting caught. http://fprison.wordpress.com/2009/11/09/federal-prison-camp It's a 24/7 party on the tax payers dollar. One thing is certain, no one is afraid of getting caught.

http://fprison.wordpress.com/2009/11/09/federal-prison-camp

It’s a 24/7 party on the tax payers dollar.

Like or Dislike: Thumb up 0 Thumb down 1
]]> By: bobdodgit http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-2543 bobdodgit Tue, 23 Feb 2010 04:22:16 +0000 http://www.krebsonsecurity.com/?p=1087#comment-2543 actually you can use software modems. ubuntu's karmic koala recognized mine. when i started up it asked me if i would like to download the drivers for it. actually you can use software modems. ubuntu’s karmic koala recognized mine. when i started up it asked me if i would like to download the drivers for it.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: Nick http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-2542 Nick Tue, 23 Feb 2010 04:16:21 +0000 http://www.krebsonsecurity.com/?p=1087#comment-2542 One thing to note is the source of the regulations that require the use of strong-auth technologies in the first place. For those that want to see the actual compliance standards that banks are required to use, see the FFIEC document entitled "Authentication in an Internet Banking Environment". What's very (horrifying|amusing) to see is how the concept of "multi-factor authentication" has been mangled by the industry. Many vendors I know of consider a challenge questions+password system to be multi-factor, and market their enhanced-security login products accordingly as "MFA" products. This bastardized definition has even snuck its way into the OFX v2 standard. (Shame on Intuit&Microsoft - they should know better.) What's even more interesting/depressing is to compare this snippet from the FFIEC's document regarding the need to continually review security for high-risk transactions with real-life industry practice, "[the guidelines] require that an institution's information security program be monitored, evaluated, and adjusted as appropriate in the light of changes in technology, the sensitivity of customer information, internal and external threats to information ..." I know there are banking geeks on this blog: Anyone out there getting any response from their vendors on this issue? I know our "MFA" solution is essentially a dead product with little ongoing maintenance, let alone a chance of a rewrite to better protect against Zeus et al. One thing to note is the source of the regulations that require the use of strong-auth technologies in the first place.

For those that want to see the actual compliance standards that banks are required to use, see the FFIEC document entitled “Authentication in an Internet Banking Environment”.

What’s very (horrifying|amusing) to see is how the concept of “multi-factor authentication” has been mangled by the industry. Many vendors I know of consider a challenge questions+password system to be multi-factor, and market their enhanced-security login products accordingly as “MFA” products. This bastardized definition has even snuck its way into the OFX v2 standard. (Shame on Intuit&Microsoft – they should know better.)

What’s even more interesting/depressing is to compare this snippet from the FFIEC’s document regarding the need to continually review security for high-risk transactions with real-life industry practice, “[the guidelines] require that an institution’s information security program be monitored, evaluated, and adjusted as appropriate in the light of changes in technology, the sensitivity of customer information, internal and external threats to information …”

I know there are banking geeks on this blog: Anyone out there getting any response from their vendors on this issue? I know our “MFA” solution is essentially a dead product with little ongoing maintenance, let alone a chance of a rewrite to better protect against Zeus et al.

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: Hackers Steal $150,000 from Mich. Insurance Firm — Krebs on Security « Ye Olde Soapbox http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-2536 Hackers Steal $150,000 from Mich. Insurance Firm — Krebs on Security « Ye Olde Soapbox Tue, 23 Feb 2010 03:13:02 +0000 http://www.krebsonsecurity.com/?p=1087#comment-2536 [...] Hackers Steal $150,000 from Mich. Insurance Firm — Krebs on Security. [...] [...] Hackers Steal $150,000 from Mich. Insurance Firm — Krebs on Security. [...]

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: InfoSec Daily » Episode 71 – Illusory Superiority http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-2440 InfoSec Daily » Episode 71 – Illusory Superiority Sat, 20 Feb 2010 01:01:36 +0000 http://www.krebsonsecurity.com/?p=1087#comment-2440 [...] News item 2: http://www.krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/ [...] [...] News item 2: http://www.krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/ [...]

Like or Dislike: Thumb up 0 Thumb down 0
]]> By: InfoSec Daily » Episode 70 – “Stego A Go Go” http://krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/comment-page-1/#comment-2367 InfoSec Daily » Episode 70 – “Stego A Go Go” Fri, 19 Feb 2010 01:30:49 +0000 http://www.krebsonsecurity.com/?p=1087#comment-2367 [...] News item 5: http://www.krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/ [...] [...] News item 5: http://www.krebsonsecurity.com/2010/02/hackers-steal-150000-from-mich-insurance-firm/ [...]

Like or Dislike: Thumb up 0 Thumb down 0
]]>