A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.
Karen McCarthy, owner of Merrick, N.Y. based Little & King LLC, a small promotions company, discovered on Monday, Feb. 15 that her firm’s bank account had been emptied the previous Friday. McCarthy said she immediately called her bank – Cherry Hill, N.J. based TD Bank – and learned that between Feb. 10 and Feb. 12, unknown thieves had made five wire transfers out of the account to two individuals and two companies with whom the McCarthys had never had any prior business.
“She was told to go to the branch next day, and she did, and the people at the branch were very nice, apologetic, and said, ‘Whatever happened, we’ll replace it,’” Karen McCarthy’s husband Craig said. “She called them up on Wednesday, and they gave her the runaround. Then she finally got to talk to someone and they said ‘We don’t see the error on our side.’”
Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer.
Later, McCarthy’s friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash.
Karen McCarthy said TD Bank has dug in its heels and is now saying it has no responsibility for the loss.
“They feel that because [the thieves] compromised my computer that it’s my responsibility and that I should look into my insurance, but I don’t have insurance,” McCarthy said. “I had a company that was interested in purchasing us, but they’re not going to do that now. I’m basically looking at bankruptcy, because I have very little money to operate on now.”
KrebsOnSecurity spoke briefly with John G. McCluskey, vice president of TD Bank’s corporate security and investigations. McCluskey referred all questions about the incident to the bank’s marketing department, which hasn’t returned calls seeking additional information and comment.
As Mrs. McCarthy found out the hard way, businesses do not enjoy the same protections that consumers have against online banking fraud. Most banks will work with commercial customers to try and reverse any fraudulent transfers, but the chances of that succeeding diminish rapidly after the first 24 hours following unauthorized activity. What’s more, banks are under no obligation to reimburse commercial customers victimized by cyber fraud.
McCarthy said she never would have done online banking for her business if she had understood how precarious it was.
“I go to the bank and I see everywhere signs that your money is insured up to $250,000, but maybe they should have a little asterisk next to that saying ‘except for businesses,’” she said. “If I had understood that, I wouldn’t have been banking online.”
McCarthy said a $41,240 wire was sent to a company in New York called Asbury PHH; two wires totaling nearly $80,000 were sent to a man in North Carolina; and a $28,640 wire was sent to a Kimto LLC in California. Efforts to track down any individuals tied to those entities were unsuccessful.
The fifth wire was sent to a 59-year-old Kennesaw, Ga. resident named Pamela Biagi, who said she got the money after signing up for a work-at-home job over the Internet. Biagi said her employer called itself Adams Interiors, and used the Web site name interiors-a.com (that site is no longer online).
As it happened, that Web site essentially hijacked the good reputation of an interior design firm in Brooklyn, N.Y., claiming it was one and the same and pointing to the firm’s stellar reputation with the Better Business Bureau. Biagi said this was part of the reason she felt good about accepting the job offer.
“I did an online and phone interview with them. They wanted to hire me to be a financial agent, and to help their subcontractors who were going around the country doing interior design work,” Biagi said.
Then, on Feb. 12, she received a wire transfer of $14,875 with instructions to wire the money to another individual in Georgia. Suspecting fraud, Biagi’s bank promptly froze her account.
“The guy I was supposed to send the money to kept calling me…he was real nervous and kept asking me if I’d sent the money,” Biagi recalled in a phone conversation with krebsonsecurity.com. “I told him, ‘No, I’m sitting here with police officers and people from the bank because of all this.’”
When confronted with the news of where the money had come from, Biagi said she was “horrified.”
“This has been an absolutely horrible experience for me, and I feel terrible for [Little & King],” she said. “I’m really glad they stopped it when they did. To think that I have been participating in something so horrendous like this is awful. It’s a black mark on my soul.”
Tags: little & king, tdbank, zeus


Thanks for being the one beacon of light on this issue, Brian. It’s getting increasingly painful to read about here, and I’m betting that you’ve turned tracking these incidents into a full-time job.
I continue to go back to the premise that the banks need to be held responsible for this. While I accept that the user has some level of fault due to ignorance, it’s the business financial transaction business processes that are broken here. In my mind, the banks are failing to even provide the limited security of checking one’s government-issued ID when they walk into a branch to withdraw money. That’s a failure to provide due diligence that a transaction is valid, and they should be held liable for it.
Well-loved. Like or Dislike:
40
15
This is another good reason for anyone using online banking to have a dedicated computer that is only used for online banking, no web browsing, no email, no storage of sensitive or critical business data, etc. Yes, this is an additional cost, but I think any reasonable person can see it is much cheaper than the alternative!
Well-loved. Like or Dislike:
10
0
Nice work Brian. Yet another example of a small business being victimized (and perhaps destroyed) by these bad guys.
As bad as this is, what really concerns me is when people start dying because of these frauds. What if the victim company is in the medical field and a PC that was used for online banking also contains vital medical records? If the bad guy uses the ‘KOS’ option after doing his nastiness, all kinds of valuable data could be lost.
As for the banking industry, there is a deafening silence on this entire issue. They love the efficiencies (and thus increased profitability) that come with moving all their business customers to online banking…but they’re not saying much in public about these compromises.
Hopefully, there’s a great deal of panic behind the scenes and some improvements are coming…but I fear it may be too late to prevent wholesale looting of accounts belonging to dozens of other companies.
In the meantime, this article discusses another fraud on which you have reported and the wider issue of liability.
http://www.bankinfosecurity.com/articles.php?art_id=2227
cheers
Nick
Well-loved. Like or Dislike:
12
1
Thanks for the link, Nick. What concerns me is that the case could hinge on whether the authentication method was a reasonable control. In general, people don’t understand technical cause-and-effect and thus tend to focus on the technology as either enabling protection or failing to protect when it comes to IT-oriented cases. But, this problem is a business process issue, not an IT issue. It wasn’t that the authentication system failed, it’s that the identity verification process failed. I think that establishing that paradigm shift will be the only way for courts to really be able to address the liability.
Well-loved. Like or Dislike:
13
2
Michael, distinguishing between an “authentication system” and “the identity verification process” may not help much. Once a computer is infected, the malware sits between the user and the bank. The bank could make the user provide a retina scan, and the malware still could just pass it along.
No form of online authentication can be trusted in an infected environment, including digital certificates and off-line security dongles. But real authentication does exist. For example, the bank might phone the account holder to approve on-line transfers. The difference is an “out of band” communication which (hopefully) cannot be changed by malware.
When a malware infection is present, nothing the computer does can be trusted, and it should not be used for banking. The problem is that users will not know about the infection. Antivirus scanners cannot detect all malware. Microsoft provides no facility to certify a Windows installation as uninfected. When common tools cannot detect infection, of course users will be banking with infected computers.
We have a decade of experience to inform us that the current hardware designs and scanning tools cannot prevent infection. Complete protection of current PC’s with their native OS simply is not possible, even with the best equipment, practices and training.
Once the OS is infected, it stays infected day-after-day, week-after-week, until the OS is re-installed. Consequently, when security counts, we may be forced to consider every Windows machine to be infected. That may be a general banking issue, because about 93 percent of browsing occurs under Microsoft Windows. Secondary platforms like Mac (5 pct) and Linux (1 pct) generally do avoid malware simply by not being the primary target.
For a safer and free banking alternative on a PC, it is possible to boot a clean OS from DVD and so avoid any existing Windows infection. For more on free Puppy Linux for PC banking, see
http://www.ciphersbyritter.com/COMPSEC/
Well-loved. Like or Dislike:
8
4
Is this the first ZeuS attack that was totally US-based? We always hear about money going to Romania or Ukraine, not to other points in the US. There could actually be some useful follow-up this time.
Unless, of course, the US points were merely stopovers on the money’s way overseas.
Like or Dislike:
3
1
I think it’s rather likely the mules are almost always based in the same country as the victim. I’ve seen similar reports from other countries and that seems to be the pattern. For good reasons undoubtedly.
Well-loved. Like or Dislike:
5
0
It’s funny that the mule’s bank took action to freeze the money coming into the account, but Little & King’s bank didn’t see any problems until two days after the money transfer. TD Bank has to share some of the responsibility. I wonder what actions TD Bank will take to help other businesses that bank with it. If I banked at TD Bank, I would immediately move my money elsewhere.
Well-loved. Like or Dislike:
17
4
TD Bank might not have to share anything if things are already in the contractual agreement.
Well-loved. Like or Dislike:
6
2
Maybe not, but with a couple of lawsuits, bad press is bad press. The bank may not need to share information or change its contracts, but at least work with their existing small business clients. This happened so they need to take some steps, even if Little & King suffers.
Well-loved. Like or Dislike:
5
1
Most likely this person physically went into the bank to attempt to wire the funds. In this case it is the bank employees’ job to ask questions as to the origin of the funds that are to be transferred. This is most likely how it was caught.
The bank should have implemented some sort of authentication method that would not allow someone to access an account from multiple locations. It may be annoying to have to call the bank when you want to switch from using your home computer to your work computer, but if it saves you the heartache then that is what should be in place. My bank does just that. Wire transfers are a separate part of the internet banking system that requires a cookie; if you try to access that portion of Internet Banking from any other computer you have to call the bank and verify your identity before they will reset the cookie allowing you to access internet banking on a different computer.
Like or Dislike:
2
1
Zeus steals that cookie.
With Zeus, if necessary, the attacker can perform ALL transactions THROUGH your computer. Your IP, your cookie, your certificate, your token.
I don’t know if that is what happened in this case, but with Zeus it is possible.
Well-loved. Like or Dislike:
5
0
This stuff is pretty complicated, but I do not see how the approach solves the problem.
“The bank should have implemented some sort of authentication method that would not allow someone to access an account from multiple locations.” That might solve the problem if all malware just collected passwords for later use from some other computer, but not all malware is like that.
“Wire transfers are a separate part of the internet banking system that requires a cookie,…” But if botnet malware is resident, it is already in the right machine. It will have the cookie. It can make the transfer. The bank cannot know that malware is doing it. If the bank asks for authentication, the malware will pass that request on to the user, and then return the correct response.
No form of authentication whatsoever can solve this problem because authentication is not the weakness being exploited. The weakness is that malware can take over and “pwn” (own) the computer. Current computers are particularly vulnerable because they can be infected (that is, OS boot files can be changed by malware to re-install itself upon restart). And once infected, always infected (unless the OS is re-installed). When a customer computer is infected with serious malware, game over. There is no certain way to certify a computer as not having active malware or not being infected. Since the problem is inside a customer computer, the bank has no way to control it, other than by encouraging the customer to use a less-vulnerable system. Thus we see the really serious nature of the malware problem.
Well-loved. Like or Dislike:
8
0
I linked to much of your research in a broader piece I posted on my own blog regarding mounting cybercriminal activity. I had a feeling it was only a matter of time before a company was this adversely affected. This after literally months of you trying to raise awareness.
We need to collectively start making this known to the financial sector broadly. Clearly nobody is taking this to heart at the banks. In my opinion, after the first few incidents, at least one of the banks should have been sending out warning messages to their customers en masse. They could send letters to their clients saying, essentially, “We have been made aware recently of numerous unauthorized transactions taking place, so to protect you we offer the following advice and protections,” continuing to outline that business account holders should be watching their accounts like a hawk, and immediately (like: within the same day) notifying the bank of these transactions.
Or, more appropriately, temporarily disallowing online transfers of anything higher than $5,000.00.
Seriously: why hasn’t one single bank done either of these things?
I hear from Twitter the second they notice a single phishing attack, and they are extremely proactive about nipping this activity in the bud, and they aren’t even a fundamental service. Banks aren’t even doing 1/10th this in light of what is arguably a crisis situation. Why?
I think the key is that a banking or financial blogger, or more importantly a mainstream financial news org, should be picking this up, not merely a cybercriminal or tech blogger. (No offense, Brian, you do phenomenal work. But all of the victims of this activity were decidedly non-tech-savvy, and would never have tripped across your postings.)
SiL / IKS / concerned citizen
P.S. Did you mean Georgia the country? Or Georgia the state? (I assumed state.)
Well-loved. Like or Dislike:
10
2
All it will take is for the banks to take on the liability for fraud like the credit card companies already do. Last weekend while gassing up with my Discover card I chose the wrong pump, canceled the transaction and moved one pump over. BOOM the card was declined and I had to go inside.
Later, at the grocery store, the card was declined (lots of credit room), I came home to an email stating my card was flagged for suspicious activity and I needed to call. All this within an hour, in the same zipcode, and for less than $200 total.
The mechanisms are available, the paradigm already established, it just needs for the banks to WANT to implement it.
Well-loved. Like or Dislike:
23
1
I hear it often, that banks are responsible for credit card fraud. They are not. The vendor loses money on fraudulent transactions, not banks. I wish banks were responsible; we would have less fraud then.
Like or Dislike:
1
1
While I certainly agree that banks should be doing something better, I don’t see that notifying customers or putting a $5,000 cap on transactions is a valid solution. I.e., you instantly alienate and infuriate large business customers who regularly deal in transactions greater than that.
The only real solution I see at the moment is for banks to implement risk based transaction monitoring for each individual customer account. But there aren’t a whole lot of commercial solutions out there that provide this. And for most banks, developing a custom risk based solution is out of the question. This leaves banks with tokens, password based authentication, and out of band authentication for customers.
Aside from risk based transaction monitoring the only remotely feasible option for banks to employ “better” security, would be to provision laptops with some non-windows OS on them, and then in a very locked down state, to their customers.
In almost all of these cases of fraud/theft, a core component is that the client’s security/credentials were compromised and the bank didn’t react fast enough. Ultimately banks need transaction monitoring systems in place today, to better assist their customers. And business customers specifically need to re-evaluate their internal practices for online banking to make sure they do their part to maintain their safety.
Well-loved. Like or Dislike:
8
2
That’s the second line of defence. The first line of defence is to not let Zeus or any of those Greek gods get at you. And Brian’s already outlined how simple that can be. Now I gotta break off as we’re flying to Egypt tonight so we can see who’s swimming in the river. It’s a flight but it’s a long journey and as in all things that matter, long journeys begin with a first step. Cheers.
Hot debate. What do you think?
9
12
Mike, the problem isn’t that the “bank didn’t react fast enough”, it’s that the banks aren’t responsible at all. As it stands now, businesses are responsible for monitoring their account activity and they have less than 24 hrs to notify the bank to stop a fraudulent transaction. All of the burden is on the business owner and none is on the banks.
Part of the problem is that the banking institutions and the FBI have colluded to suppress widespread knowledge of this particular banking exploit.
Clearly, the security model for online banking is both insufficient and insecure.
Well-loved. Like or Dislike:
12
7
“Part of the problem is that the banking institutions and the FBI have colluded to suppress widespread knowledge of this particular banking exploit. ”
Really? That is a lot of tinfoil hat stuff there.
Well-loved. Like or Dislike:
10
6
Actually bob, it’s not “a lot of tinfoil hat stuff there.”
Please take a look at BK’s earlier post on the issue:
“Buried Warning Signs”
http://www.krebsonsecurity.com/2010/01/buried-warning-signs-2/#more-206
Well-loved. Like or Dislike:
5
1
Reading this story on wire fraud reminds me of a meeting I had with some “treasury” folks. The daily totals for the total amount of cash being wired were in the billion range. I asked how long it would take for them to notice if I wired 250K in my personal account, and immediately a flurry of whispering started across the table and the senior director replied, “60 to 90 days.” I found out later that even if the amount had been up to 5 million it would not have raised any alarms for about a month.
The problem is much worse than you can imagine.
Well-loved. Like or Dislike:
6
0
‘We need to collectively start making this known to the financial sector broadly.’
They already know. They just don’t care because they think they have the situation under control. Of course this brilliant wave of Zeus attacks might force them to think through matters again, but big ships take a long time to turn.
‘Seriously: why hasn’t one single bank done either of these things?’
You’re right. Look what Twitter do as soon as they see anything funky going on. But there’s a difference between web-based startups and suits sitting in a bank conference room running a business that just won’t make it into the Internet age.
“I hear from Twitter the second they notice a single phishing attack, and they are extremely proactive about nipping this activity in the bud, and they aren’t even a fundamental service.”
Exactly. They have several accounts one can follow and they tell you by yesterday. Yes that’s proactive and yes that’s great. That’s the way it should be done. Yet I think it’s the bottom line. Twitter want to keep a good reputation; the banks think they’re in the driver seat.
“I think the key is that a banking or financial blogger, or more importantly a mainstream financial news org, should be picking this up, not merely a cybercriminal or tech blogger.”
Agreed again. Readers at WaPo used to pick it up a bit but now there’s KoS instead. Mainstream PC fanzines won’t pick it up because some advertisers (ahem) will fight it tooth and claw. They know it’s safer and more profitable to post articles about new touch screens and cellphones and…
Well-loved. Like or Dislike:
10
4
Good point. And actually my bank does this and also warns me about transactions that look suspicious and either gives me a chance to cancel them or holds them until I OK them. Unfortunately, I can’t name the bank as the last time I named a registrar which does an excellent job of screening fraudulent applications they were hit the next day with a flood of bogus requests. I don’t want the same thing to happen to my bank.
Well-loved. Like or Dislike:
6
0
Is it possible to disrupt the recruiting of these people as money mules? If you are sophisticated enough to do an online wire transfer, then you should be able to understand the consequences of being an accessory to grand theft.
Can wire transfers to specific countries, the usual suspects, if you will, be subject to some kind of 72-hour “hold”? A hold on wire transfer attempts would allow time for automated pattern analysis at the victim’s bank, and “alarm bells” to ring.
Can sudden flurries of wire transfer activity be likewise subject to telephone confirmation at the client’s phone number of record, by a designated person?
Of course, one consequence of such measures being put in place would be that it would clearly become the bank’s failure if they are defeated, and then you have liability.
No, none of this is foolproof, but each would incrementally drive up the degree of difficulty some! Make the thieves move on to easier targets. And if extra work is involved at the financial institution to harden security, then a suitable fee might ease their pain. And if they are unwilling to commit to making simple efforts to protect commercial clients, then perhaps some competitor might!
A final idea, and somehow this one seems wonderful to contemplate: Full-page local newspaper ads in huge headline type by victimized businesses: “______ BANK LOST OUR MONEY!!!”
Well-loved. Like or Dislike:
13
0
The full page spread sounds like a good idea but your ad has to offer some solution. Merely getting people to panic won’t advance things. Add something like ‘get a live CD’ and you may have something.
Like or Dislike:
3
1
I think most banks already are aware of measures to reduce this fraud. They need an incentive to take them. What managers call “reputation management” may be the incentive they need, both for banks and registrars.
Well-loved. Like or Dislike:
6
2
Ads cost money. That you just got robbed of (both by the crooks and your bank – only difference is, banks are legalised crooks and get government loans).
I was thinking of your 72-hour hold as well – any transaction above some threshold is delayed – within that period you get notifications plus you need to finally confirm it.
Right now the transfer is ‘instant’, yet the other party receives it still 1 or 2 days later… so where is the money in that 48 hours? Yup, you guessed it, funding their pyramid schemes that brought down Wall Street – and the rest of the world.
We now have bank-issued (not free, of course) ‘identifiers’: you enter the code from the screen and then have to enter the code that the device displays – is that any bit safer? Anyone knows more about that system?
Like or Dislike:
3
1
After yesterday’s story about Cynxsure I went and looked at some of the larger banking sites (banks in the top 50) to see what, if anything, some of them said about these issues.
A few have devoted some valuable real estate to make sure we know about their commitment to security. It is not clear on any of the sites whether or not the banks require customers to use any of the measures mentioned. I suspect most of the measures are voluntary.
Alarmingly, a few of the banks tout how much freedom customers have to control their own set-up. This type of control goes far beyond what consumers are able to do. A corporate customer that is allowed to set up other users, other administrative users, services for other users (wires, ACH, etc.) and assign accounts to other users is inherently hard to protect. Since some banks grant customers this type of administrative control and others do not, I can only assume there are competitive market forces at work pushing the two approaches.
Even with layers of security on the bank side and vigilant users on the customer side, a model that grants corporate users every bit of administrative capability available is problematic. I don’t see these banks (big banks remember) implementing stricter security measures without being forced to do so.
Well-loved. Like or Dislike:
7
1
“I don’t have insurance”
Why not? Is there no such thing as insurance against this? If there is, did her agent not tell her about the product? Or did she just not bother?
I suspect that, if insurance companies start having to cover these sorts of losses, then you would start to see serious regulatory reform.
Well-loved. Like or Dislike:
19
2
Agreed. It’s the ‘pass the buck’ syndrome. I don’t know, but I suspect the reason they protect individuals is their bank accounts aren’t overflowing with cash and are not targeted by the Zeus people. And that’s of course the reason the banks won’t protect businesses – too much money to lose. And the companies insuring the banks have probably had it up to their balance sheets with such shenanigans and the banks know they’re up the creek because of that. They’ll protect you as long as you have nothing to lose, nothing that will cost them anything. That’s very generous of them.
Hot debate. What do you think?
5
6
Keep hitting them where it hurts! It’s still totally amazing mules can be unaware of what is going on. Authorities seem to have a benign attitude towards them. But what kind of financial agent has to only keep transferring money to other accounts? What company would really need someone to do that? And why would they ever need anyone to do that?
I feel sorry for the lady at the promotions company but come on: she wants to be swallowed up by a bigger company and she doesn’t even have insurance? And she’s never heard of the dangers of online banking and Windows?
At the very least she should read this blog a lot more. Something almost everyone would benefit by.
Hot debate. What do you think?
9
12
Maybe it is a naive question but:
why are there no TANs or so used, i.e. transaction authentication numbers valid only for one transaction?
At least in Germany most banking transactions have to be secured by a TAN in addition to your banking PIN. Most German banks provide their customers with (at least) indexed TANs or, for some additional security, TAN-generating tokens or RSA chip card based authentication methods.
It certainly does not prevent fraud but makes it certainly much harder than just a simple PIN authentication.
Well-loved. Like or Dislike:
9
1
TANs prevent certain attacks, not all.
If you have a man-in-the-browser attack going on, you can be making legitimate looking transactions on your side, but the bad guys are doing something else on the bank’s end. They would just take the TAN and pass it on.
Perhaps the strongest would be some out-of-band system like a smart phone that gives you transaction details, then prompts you for a TAN to approve each one.
Part of this problem is a lot of the businesses being hit are relatively small, and they will take a short term view when the owner is stressed out with everything else and has to go through a multi-step authentication process.
It seems for now we view these as auto accidents that are acceptable and ho-hum, not as aircraft accidents that raise holy heck. And let’s be honest — we’d save a lot more money if we cut TSA’s budget in half and gave it the states to step up highway safety patrols. Security isn’t always rational.
Well-loved. Like or Dislike:
10
0
Sorry about a bad editing job, let’s try this sentence again:
We’d save a lot more lives if we cut TSA’s budget in half and gave it the states to step up highway safety patrols.
Like or Dislike:
4
1
Agree – but it would reduce these unnecessary I-just-need-the-account-ID-and-rob-everything-in-multiple-transactions cases I guess.
I guess that certain authentication systems are quite usable for individuals, like mTANs, i.e. your bank sends you for each of your transactions a text message to your mobile phone with a summary of the transaction and a TAN valid exclusively for this transaction. But for companies with some more transactions each day it could get ‘unhandy’.
Of course man-in-the-middle attacks are also possible but are certainly harder.
For larger volumes of transactions there are solutions available, and have been for years — in Germany ‘HBCI’ is quite common (with RSA authentication card terminals – which are more or less independent of your OS – and which have, in the higher price regions (~100 Euros), also displays showing transaction summaries etc.)
Like or Dislike:
3
1
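The relay problem discussed in the two comments above (a man-in-the-browser forwarding a plain one-time TAN versus an mTAN delivered with a transaction summary that the customer checks on a separate device), as a small added simulation that is not code from the article or its commenters; the customer secret, the iTAN list and the account numbers are constructed for the demo:

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    to_account: str
    amount_cents: int


# Constructed values: the secret stands in for the customer's registered phone or
# chip card; the iTAN list is a paper list of one-time codes, index -> code.
CUSTOMER_SECRET = b"constructed-demo-secret"
ITAN_LIST: Dict[int, str] = {1: "493021", 2: "118457", 3: "770912"}


def bound_tan(secret: bytes, t: Transfer) -> str:
    """Six-digit code derived from the transaction details (mTAN/chipTAN idea).

    A code computed for one recipient and amount authorises nothing else.
    """
    msg = f"{t.to_account}|{t.amount_cents}".encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**6:06d}"


class Bank:
    def __init__(self, mode: str) -> None:
        assert mode in ("itan", "bound")
        self.mode = mode
        self.executed: List[Transfer] = []
        self.next_index = 1

    def challenge(self, submitted: Transfer) -> dict:
        """What the bank sends back before it will execute `submitted`."""
        if self.mode == "itan":
            # Plain one-time code: "enter TAN number N". No transaction details.
            return {"index": self.next_index}
        # Out of band (phone display): a summary of exactly what will be executed,
        # plus the code that authorises only that transfer.
        return {"summary": submitted, "tan": bound_tan(CUSTOMER_SECRET, submitted)}

    def execute(self, submitted: Transfer, tan: str) -> bool:
        if self.mode == "itan":
            ok = ITAN_LIST.get(self.next_index) == tan
            self.next_index += 1
        else:
            ok = hmac.compare_digest(bound_tan(CUSTOMER_SECRET, submitted), tan)
        if ok:
            self.executed.append(submitted)
        return ok


class Customer:
    def __init__(self, intended: Transfer) -> None:
        self.intended = intended

    def answer(self, challenge: dict) -> Optional[str]:
        if "index" in challenge:
            # Reads code N off the paper list; there is nothing to compare against.
            return ITAN_LIST[challenge["index"]]
        # Reads the summary on the phone and refuses if it is not what she meant to send.
        if challenge["summary"] != self.intended:
            return None
        return challenge["tan"]


def simulate(mode: str, malware: bool) -> Tuple[str, List[Transfer]]:
    """Push one transfer through a (possibly infected) browser.

    Returns the outcome and the list of transfers the bank actually executed.
    """
    bank = Bank(mode)
    customer = Customer(Transfer("DE00-SUPPLIER-0001", 250_000))
    # Man-in-the-browser: the form the customer sees is unchanged, but the request
    # that reaches the bank names the mule account instead (constructed account ids).
    submitted = Transfer("US00-MULE-9999", 250_000) if malware else customer.intended
    challenge = bank.challenge(submitted)
    # The malware relays the bank's prompt and forwards whatever the customer types;
    # it has no control over the separate device used in "bound" mode.
    tan = customer.answer(challenge)
    if tan is None:
        return "refused", bank.executed
    return ("executed" if bank.execute(submitted, tan) else "rejected"), bank.executed


def replay_attempt() -> bool:
    """A bound TAN captured for the intended transfer is tried against the mule transfer."""
    bank = Bank("bound")
    captured = bound_tan(CUSTOMER_SECRET, Transfer("DE00-SUPPLIER-0001", 250_000))
    return bank.execute(Transfer("US00-MULE-9999", 250_000), captured)


if __name__ == "__main__":
    for mode in ("itan", "bound"):
        for malware in (False, True):
            outcome, done = simulate(mode, malware)
            print(f"{mode:5} malware={malware!s:5} -> {outcome:8} "
                  f"executed={[t.to_account for t in done]}")
    print("replayed TAN accepted:", replay_attempt())
```

Only the "bound" mode with a summary the customer actually reads stops the rewritten transfer; a code alone, however it is generated, is simply forwarded.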
Is it possible to put a black box type warning about these money mule scams at job sites like career builder and monster.com and also, in newspapers in the classified ad section? This woman seemed truly heartbroken at what she was unwittingly doing.
Also, wouldn’t it have seemed unusual for this small company to be wiring such large transactions? Shouldn’t that have sent up red flags for the bank? Is there some way to put a dollar limit or cap on daily transactions so that small business owners can see and approve of what went on during the day before it becomes time to declare bankruptcy? And finally, haven’t the antivirus vendors figured out a way to spot and stop the zeus trojan yet? This is just so sad.
Well-loved. Like or Dislike:
6
1
Marine, I like your questions. With regard to the “money mules”, warnings might cause some folks to re-consider, yet they might attract others — who knows? The criminals will just find ways and means of recruiting money mules other than the ones that they currently use.
Banks can do the things that you implicitly suggest, but such measures take personnel, time and money to implement. Unless there is a Return On Investment, nobody wants to do anything, even with regard to securing their information systems. ROI is often difficult to calculate when the goal is to avoid potential losses, in contrast to decreasing cost and increasing profit. As it stands, the banks don’t lose much, if anything, and their commercial customers lose everything.
At last report, there were at least 350+ variants of the ZeuS banking trojan, and they are easily produced. There has also been an enormous increase in the number and variety of malware. So, these two things combined make signature-based detection alone practically worthless. So most AV vendors are developing other methods of detecting malware. It doesn’t seem to me, though, that the ones of which I’ve become apprised are likely to stop ZeuS.
Like or Dislike:
3
0
These “money mules” need to start being prosecuted – and doing jail time – as criminals/accomplices, since they are in the same class as “drug mules” and “money laundering”. Only then will the (unwitting?) like Pamela Biagi think twice about signing up for “work-at-home financial agent” jobs over the Internet.
This won’t stop the criminals from continuing to rob banks using computers, but it would likely cause them to seriously change tactics. Also, it would make this form of crime/bank robbery more public when someone like Pamela Biagi goes to jail (hopefully all over the news), instead of just claiming ignorance and simply apologizing for being an accomplice to bank robbery.
Like or Dislike:
2
3
“Is it possible to put a black box type warning about these money mule scams at job sites like career builder and monster.com and also, in newspapers in the classified ad section?”
Sure it’s possible… But they’d just reword their ads and use different types of social engineering to get their mules.
Hot debate. What do you think?
5
3
I’m not sure why everyone wants to focus on prosecuting mules or educating people so they do not become mules. There’s plenty of people that would knowingly do this anyway…
Let’s go a step back to where the bank allowed large unusual transactions out of the customer account.
I refuse to believe that some basic logic can’t be used to restrict, hold, or flag certain transactions or series of transactions based on prior history the same way they do for Credit Card transactions.
If the bank couldn’t write off the money, file an insurance claim, or have us bail them out, and they had to pay back the customer and eat that loss, THEN there would definitely be something in place to reduce this type of activity.
Well-loved. Like or Dislike:
13
1
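The “basic logic” suggested above (flag or hold wires that look nothing like the account’s prior history, the way card issuers already do) can be sketched in a few rules. This is an added example, not code from the article or any commenter; the payment history, payees and amounts are constructed, and the thresholds are illustrative.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample history (not the article's real figures): a small firm's
# routine outgoing payments to a few known payees over the prior weeks.
HISTORY = [
    ("2010-01-05", "Acme Printing", 2400.00),
    ("2010-01-12", "Payroll Svc", 5100.00),
    ("2010-01-19", "Acme Printing", 1850.00),
    ("2010-01-26", "Payroll Svc", 5100.00),
    ("2010-02-02", "Office Lease Co", 3200.00),
]

# Constructed outgoing wires shaped like the pattern in the article: five
# transfers over three days to recipients the account has never paid.
NEW_WIRES = [
    ("2010-02-10", "J. Doe", 9800.00),
    ("2010-02-10", "Interiors Holding LLC", 48500.00),
    ("2010-02-11", "R. Roe", 9500.00),
    ("2010-02-12", "Consulting Group LLC", 52000.00),
    ("2010-02-12", "Interiors Holding LLC", 44300.00),
]


def build_profile(history):
    """Summarise what 'normal' looks like for this account."""
    amounts = [amount for _, _, amount in history]
    return {
        "payees": {payee for _, payee, _ in history},
        "max_amount": max(amounts),
        "avg_amount": sum(amounts) / len(amounts),
    }


def flag_transactions(profile, wires, amount_factor=3.0, daily_cap=25000.0,
                      new_payee_window_days=3, new_payee_limit=2):
    """Return (index, [reasons]) for every wire that trips at least one rule.

    Rules are judged against the account's own history rather than a global
    threshold: a payee never paid before; more than `new_payee_limit` new
    payees inside a rolling window; an amount far above the historical
    maximum; and a running daily total over a pre-agreed cap (the kind of
    limit a customer could set so a day's activity is reviewed before it
    clears).
    """
    known_payees = set(profile["payees"])
    new_payee_dates = []
    daily_total = defaultdict(float)
    flagged = []
    for index, (date_str, payee, amount) in enumerate(wires):
        date = datetime.strptime(date_str, "%Y-%m-%d")
        reasons = []
        if payee not in known_payees:
            reasons.append("new payee")
            known_payees.add(payee)
            new_payee_dates.append(date)
            window = timedelta(days=new_payee_window_days)
            recent = [d for d in new_payee_dates if date - d <= window]
            if len(recent) > new_payee_limit:
                reasons.append("burst of new payees")
        if amount > amount_factor * profile["max_amount"]:
            reasons.append("amount far above history")
        daily_total[date_str] += amount
        if daily_total[date_str] > daily_cap:
            reasons.append("daily cap exceeded")
        if reasons:
            flagged.append((index, reasons))
    return flagged


def flag_sample():
    """Run the rules over the constructed wires; all five trip something."""
    return flag_transactions(build_profile(HISTORY), NEW_WIRES)


if __name__ == "__main__":
    for index, reasons in flag_sample():
        date_str, payee, amount = NEW_WIRES[index]
        print(f"{date_str} {payee:<22} {amount:>9.2f}  HOLD: {', '.join(reasons)}")
```

A routine payment to a known payee at a usual amount passes untouched, which is the point: the rules hold only what departs from the account’s own pattern.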
An SMS sent after every transaction as confirmation would help ensure that business owners would be able to get onto any problems within 24 hours. Some banks already do this in Australia.
Simple. Cheap. Effective?
Like or Dislike:
3
0
Brian, you seem to know quite well where the money mule jobs are getting advertised. Did you ever consider getting yourself a couple of GoogleVoice phone numbers and invented names, volunteering as a “mule”, and conducting a “man in the middle” attack right into the heart of this fraud scheme? I’d say the time has come to replace honeypots with Honey-Mules (tm:) and to make recruiting of “real” mules more hazardous for the bad guys! Let’s give them a couple of fake mules to contend with!
Like or Dislike:
2
0
I think there are law enforcement agencies already doing this. The problem is the “heavy hitters” in the scam are outside their jurisdiction.
Like or Dislike:
4
1
Anybody know why a major paper won’t pick up Brian’s investigations? A paper like the WSJ, for example, that a good number of small business owners might read.
Well-loved. Like or Dislike:
14
0
I enjoyed reading the story and browsing your site Brian. Thanks for taking the time to share it with us.
It’s really amazing how many folks don’t realize the dangers that are lurking around the Internet. I’ve personally seen Information Technology professionals fall victim to phishing attacks, so how can we secure the general public if IT folks are falling victim?
Cheers!
Like or Dislike:
1
1
If the banks won’t take action don’t use their internet facilities for business transactions.
Have your bank assign “read only” status to your accounts.
Yes, you will have to do transactions over the counter, but as banks don’t want customers in their bank it will become a bigger problem for them than you.
Just don’t forget to tell the bank staff why you won’t do online transactions.
Eventually they will get the message.
Like or Dislike:
3
0
I really don’t understand how American banks can escape liability while being unwilling to implement basic security measures such as multi-factor authentication for online banking.
Here in The Netherlands, all banks are using tokens or other additional measures to implement multifactor authentication, so that theft of credentials cannot be used for fraudulent wire transfers.
I hope that this company and other victims will sue their banks, and force them to take action. Why doesn’t the American government force the banks to secure their payment systems instead of outsourcing risk to the customer?
Well-loved. Like or Dislike:
6
1
I assume that tokens are in place for the account. Why would you assume tokens are not used?
Like or Dislike:
2
0
@Rob, “Why would you assume tokens are not used?”
I can’t speak for the OP but speaking for myself it would be because my resume includes some time spent working in Information Security for a part of that bank.
It was a couple of years ago but based on that firsthand knowledge of their environment, internal plans, status and capabilities I’d be very surprised if they have even started moving toward implementing tokens, let alone have them deployed.
Like or Dislike:
2
0
Infosec_pro -
They acquired CBNJ a few years back and CBNJ has used tokens since the early 2000s. I guess it depends where the account was held or opened.
It would be interesting to know for sure. If this crime took place while the user was not logged in and tokens were in place it would be the first case I heard of.
Like or Dislike:
1
0
I do feel really bad for these victims because the advertised perspective is “look how easy it is with the Internet”.
I don’t expect the general public to be readers of “Computer Risks to the Public” ( http://catless.ncl.ac.uk/Risks/ ) but people should be aware of the dangers.
Along that line of thinking, isn’t it time for a court test of Microsoft responsibility and their EULA?
Like or Dislike:
2
2
If we really want to swim up-stream… tell Adobe, MS, Apple, etc., etc. to not deploy buggy code that enables exploits like Zeus.
Problem solved.
Hot debate. What do you think?
4
4
Any thoughts on this:
http://www.networkworld.com/news/2010/022310-virtualised-usb-key-beats.html?hpg1=bn
Like or Dislike:
0
0
Interesting…
Not sure whether or how many major banking players adopt this technology or something similar…but whatever happens, the status quo is not an option!
The banks probably fear that if they start asking their customers to use it, the customers’ first question will be “…Why – are your current systems not secure??”!
Like or Dislike:
2
0
Yes, we do ask that question. My bank recently instituted a policy where transfers overseas required an SMS code to be sent to the bank account owner’s phone. That’s great, but I was O/S at the time they instituted it and my phone didn’t have int’l roaming, so I couldn’t pay someone for another week and a half.
Yes the bank did hear about it, not that they cared. Granted this was a personal account, but the more these technologies are available for this, the more businesses may ask why they aren’t implemented.
Like or Dislike:
1
0
Attention enterprising attorneys!!!
A new market is opening for YOUR services: lawsuits against banks which sell online banking to businesses without full risk disclosure. They’ll fight you tooth and nail. Make sure that you demand jury trial(s). Then make sure to select for people who don’t like banks. Given banks’ current popularity, it’s a (nearly)* foolproof business model.
*Manufacturer supplies no warranty, implicit or explicit.
Well-loved. Like or Dislike:
5
0
Notice where in the chain a bank acted immediately? The unwitting mule’s account was frozen and the police were called because it was an individual’s account and they would be liable for the full amount. If business banks (TD Bank) were held to the same liability, there would finally be action against the thieves.
Well-loved. Like or Dislike:
7
0
You are absolutely right. I was wondering why some of the mules had apparently been instructed to set up LLCs. Bingo. You just answered the question.
If the “mule” is an LLC, banks don’t care.
Like or Dislike:
1
0
OK. You have documented the problem quite nicely.
Next step: Propose a solution.
What specific steps should a company use to avoid these problems?
I can imagine having a single machine dedicated to all wire transfers, that does nothing else (i.e., to avoid all contact with non-bank websites or email). Doesn’t sound very convenient, but would be more secure.
Even if the banks were liable, what specific measures would they take to avoid these problems? Keychains? Great, but they’ve been cracked. Biometrics? Fine, until someone rips off the digital image of your finger [retina, whatever]. SSL with pre-loaded certs? Nice, until someone rips off your private key.
Aside from making every one of these people read your column and get hip to the idea that security is necessary, going out and getting really trained, then auditing their apps. What are these folks going to do that saves their money?
Like or Dislike:
2
0
SOLUTIONS: For a technical malware solution, the most important step is to not use Microsoft Windows when on line. Using a single machine for wire transfers does not offer nearly the same advantage.
No form of personal authentication, including keychains, biometrics and digital certificates, can possibly stop a modern malware after infection. The problem is that malware is the man-in-the-middle between the user and the bank. Anything the bank requires can be passed through. Once the account is open, the malware can do anything a user can do.
Absent some sort of out-of-band communication, banks cannot identify or stop malware running on user systems because the result looks like a user. A technical bank response might be to distribute some sort of easy “live” CD and then refuse to connect to a Windows system, or perhaps offer loss insurance only to non-Windows users. Marketing-wise, customers might consider improved banking security to be an advantage. Or the bank could just call and confirm all wire transfers.
Our current computer systems are “once infected, always infected” by design, for which training only goes so far. The consequences of even a single mistake can enable an infection which will remain until the OS is re-installed or a clean OS image recovered. But humans will always make mistakes, even after training. Current hardware and software systems simply were not designed to deal with malware infections.
What someone can do is to load a clean OS from DVD immediately prior to banking. That does not require a dedicated machine.
Professional solutions may not be quite there yet, and may not be until bank losses get much larger. Currently, for those who really want to throw money at the problem, buy a Mac. Otherwise, learn to run a simple free Linux as a “live” DVD when on-line. For help, see my articles:
http://www.ciphersbyritter.com/COMPSEC/COMPSEC.HTM
Like or Dislike:
1
1
I really feel for the business owner because this loss is not easy to take. But it is their fault for not protecting their computer adequately. They probably don’t even have an IT staff or adequate controls around the equipment or their procedures. By controls, I mean that the business should have at least had dual control over the money moving functions. This means the owner plus at least another person, using different machines and different credentials, would create and approve money moving transactions. The attacker would have had to compromise multiple pieces of equipment and credentials to get the money.
It is a given that the major computer software makers are not making their software secure from these types of malware. Zeus (or any other malware) does not make it on the computer without help. The business owner was probably “admin” on their machine because it was convenient, but that convenience also makes it easy for the attackers.
Like it or not, my opinion is that the businesses have an obligation to protect their assets, including computers used for financial transactions. They take the tax deduction on it, manage their books on it, and receive their email on it. Computer owners are notoriously possessive of their machines (especially office users). Why suddenly put the blame on someone else when malware is on it? The financial institution did not put the malware on the computer did they?
Who is to blame if a business left the store doors unlocked after closing time, left the valuable inventory on the loading dock, or did not shred employee records and simply let them get transmitted to an identity thief? I think we would all agree that the business owner is responsible and accountable for the loss.
So should businesses who don’t protect their access credentials or their machine/access equipment be allowed to pass the blame to the bank (or any other financial institution)? I think not.
Basic steps any business should take:
1. Don’t be “admin” (default) of the machine. Be “user” on the machine.
2. Separate financials from other uses. The losses suffered in one incident covers the cost of a separate machine many times over.
3. Separate custody and control. If you create a wire or send payroll, you should not also be the approver using the same credentials and same machine. Ask the institution for another set of credentials and buy yourself a second machine to do the approval task. Sounds stupid if you are the only person in the office, but I’m thinking this business owner who is going to be bankrupted is thinking the inconvenience would have been worth the $400 for a netbook or other low-end machine. Obviously, it is a lot cheaper than an insurance policy and a lot lower than the loss she is taking.
These are my opinions as a business owner and “family IT guy” for the contaminated machines I have been asked to work on over the years.
Like or Dislike:
5
2
I also feel really bad for this business owner.
But, in a vein similar to your comment, the business owner admitted that she opted to take the risk and not purchase insurance for her business. I did that too during the first few years of my business. Then I “grew up” as a business owner, and started paying out $200/month to insure my business against lots of different calamities.
Like or Dislike:
1
0
It’s really ironic that TD is the bank that has no sympathy for a client who has a problem with her computer. They were the same bank whose own computer system melted down last September during a merger, turning people’s account balances into negative numbers and making it impossible for depositors to do any online banking for several days.
You can’t expect a small business to have a dedicated IT staff person. A “small business” may be a single individual working from home. That person can’t divide job functions among different employees.
If in the process of setting up business clients for online banking, banks gave explicit instructions, “Purchase a separate dedicated computer, don’t run Windows on it, don’t run as administrator, check your balance every day instead of once a month, hire an IT consultant if you don’t know what these instructions mean,” etc., then you might hold the naive small business user responsible for neglecting security. But these folks are following all the instructions the bank gave them. If they don’t even know there is anything wrong with those procedures, why would they know they need an IT person to come in to fix them?
Like or Dislike:
4
1
I want to say I feel bad for the victim, but this situation is kind of funny. It’s all the computer’s fault really. Maybe they should punish the computer along with the criminal.
Like or Dislike:
2
4
Adobe is at fault for exploits that cause the malware infections to begin with. I would wonder if their programmers were hired to leave intentional bugs in the code by cybercriminals lol
I completely agree with Bob’s post. The problem is… software has vulnerabilities that people never patch (e.g. Adobe Reader, Adobe Flash, QuickTime). User browses to a website. User gets infected with Zeus.
80% of malware infections in 2009 were from Adobe exploits
Adobe should be fined for their poor security
and yes
use a separate liveCD OS for your online banking.. problem solved
If you are interested in detecting ZeuS botnet traffic to known command and control servers, check out my DeepTide Malware IDS program on deeptide.com. And yes it is safe; I also have it on download.com
http://download.cnet.com/DeepTide-Malware-IDS/3000-18510_4-10977292.html?tag=mncol
Like or Dislike:
0
3
“Adobe should be fined for their poor security”
Every user that downloads Adobe software enters into a binding legal contract stating that Adobe is not responsible for any consequential damages, direct or indirect, and there is no warranty. Nearly every software package in existence has this language in their license agreement.
Does Adobe security suck? Yes, probably.
Have they done something illegal? No, absolutely not. They warned you upfront and you chose to ignore the warning and take the risk.
You can’t “fine” people for doing something that is not illegal.
Like or Dislike:
1
0
I agree that it is the user’s fault, not the bank’s, for not protecting their computer. The customers need to do more to protect themselves. The bank can only do so much. This problem can’t go on forever: someone needs to take responsibility. Regarding Zeus, looks like I am infected too. DeepTide Malware IDS found my PC connecting to a Zeus IP. I just downloaded Malwarebytes Anti-Malware and it removed the infection, though, luckily.
Like or Dislike:
0
2
Hi, I have been in IT for nearly 11 years now and generally know my way in and out of computer software, cryptography, and general security. I agree with Heidi that the combination of people not using enough security and the bank’s negligence will only cause more of these scenarios. I am usually a little suspicious, but I used “Information Security Professional’s” program to detect the ZeuS trojan and it worked efficiently: fast, easy, and free of spyware. Finding the trojan in about three minutes, I highly recommend the program.
Like or Dislike:
2
3
Zac, can you provide a link to that software – couldn’t find it….
As mentioned before, I too use Malwarebytes: http://www.malwarebytes.org/
Also, run the scan from Secunia: http://secunia.com/vulnerability_scanning/online/?task=intro (*)
And, here you can download a free tool to check versions and updates: http://filehippo.com/updatechecker/ (*)
(* note: they scan your pc for installed software so for some that might be too invasive)
To kill rootkits: http://www.greatis.com/security/
Seems there is no one-stop solution: you need several tools/sites for regular maintenance.
Like or Dislike:
1
1
My bad, I misinterpreted Zac’s post – as he was referring to IS Pro’s post….
Another tool: http://www.ccleaner.com – deletes all temp files, cookies etc. For regular maintenance – not for protection or removal of serious stuff.
Like or Dislike:
1
1
Time and again, when speaking with bankers and suggesting they implement stronger authentication controls for high-risk accounts (most commonly RSA tokens or similar), the bankers 9 times out of 10 point to one preventing factor: the service providers.
Very few regional and local banks run their own online banking systems; they outsource to one of a half dozen or so vendors, and of those most provide limited resources for any form of strong authentication. It’s not ALL the vendors’ fault though…
The FFIEC circular that required “multiple-factor” authentication was vaguely worded and insufficient to provide direction for mitigating controls around online banking authentication.
Well-loved. Like or Dislike:
4
0
Strong authentication seems like an attractive goal, but does not address the real problem, which is malware acting as a “man-in-the-middle.” Strong authentication is NOT POSSIBLE through a man-in-the-middle, no matter what technology is used, including “multiple-factor” with RSA tokens. Authentication IS possible with simple “out-of-band” phone calls, but privacy requires getting rid of the man-in-the-middle.
It is IMPOSSIBLE for antimalware scanners to find all malware, especially when run inside the infected system. Sadly, Microsoft offers no tool to certify that a Windows installation is uninfected. When ordinary tools cannot find all malware, of course people will be using infected computers for banking. That result has nothing whatsoever to do with authentication.
When malware is found on a Windows machine, the Windows OS should be re-installed. Yes, that is scary, tedious and can lose data, but the alternative is to take the chance of living with hidden malware.
Currently THERE IS NO WAY to detect all possible malware, and running even 40 different scanners does not change things. This awkward situation is why malware is not just a casual problem, but one which demands more effort than most people are willing to invest. The situation exposes fundamental design flaws in our hardware and software systems. Old computer concepts are not enough. Software patches alone probably cannot fix this.
On current systems, users can and should learn how to use a simple Linux “live” DVD for banking. Help is widely available, and there are details on my website.
Like or Dislike:
1
1
Darned good point! So, when will the third-party service providers get it? Insecurity threatens their prospects for survival. This is an opportunity to do better, beat their competition, and make better profits. Which one will be up to the challenge? Or rather, will any of them be up to it?
Like or Dislike:
2
0
The bigger banks go through an elaborate process to choose a vendor. Security is usually an entire section of the RFI/RFP document. If they do a poor job making a decision I think they should shoulder that blame. Those top 6 or 10 vendors do offer additional choices.
Also, TD is one of the country’s biggest banks. If they wanted something I think they could get it. I agree they may ask, get a price they don’t like, and then not act.
Like or Dislike:
1
0
Thank you for exposing this “white collar crime” that appears to be on the rise… My daughter, just out of college, was on “Craig’s List” and you know the rest. The amounts were much smaller but, as we have heard said time and time again, there is no such thing as “FREE ANYTHING”… Home network security has to be the next wave of computer hardware and software development…
Like or Dislike:
1
1
This has been an outstanding thread, imho.
Not being a programmer, I will ask the question which only a non-programmer would likely ask!
Why is Windows so damnably intertwined with the applications that a reinstall wrecks all the applications? Why, with all Microsoft’s expertise, cannot the OS be written to allow a simple wipeout of a compromised Windows installation, leaving each of the applications behind in a compartmentalized state, ready to run just fine as is, with all data files intact, after reinstalling the OS? Is this not just as utterly stupid in its own way as the old DOS memory limitations, etc?
I for one dread the very idea of a reinstall of the OS, in that HP, in its beneficence, did not give me any way to just do that! I have a nice three-year-old HP Pavilion notebook with a damned system image restore disk!
So, if I had a suspect or even known infected Windows install, I would try any way I could to get along without reinstalling Windows.
Like or Dislike:
1
1
… In South Africa banks are using dongles – which are physical devices (usually locked in the safe) that generate “access codes” based on a (secret) secure algorithm.
Other option is a so-called “one time password” – which is sent via SMS to the previously (non-online) arranged cell number.
Both services are free (…ok, “free” in a bank way
Not a bulletproof system – but involving a physical device – makes it much more difficult for the thief (unless you have insiders in the banks)
Like or Dislike:
1
1
Dongles and other “one time” passwords are designed to prevent a “replay attack.” A “replay” is where an attacker can snoop your password entry and then try to re-use that password later. When possible, replay is effective even against very strong long, random passwords.
However, dongles are NOT designed to prevent malware “man-in-the-middle” attacks, where the MITM is effectively inside your machine. Any one-time value of any sort can be passed along by malware to open the account. Or maybe the malware just stands back until the account is open. Once opened, the account can be manipulated by the attacker. Many variations are possible.
Even an SMS “out of band” communication may not be sufficient. When the user enters the one-time value in the infected computer, malware just passes that value along to open the account as usual, and then the attacker takes control.
For users, the main problem is that we have no tool which can certify that no malware is present.
Those concerned about security can and should learn to use a simple Linux “live” DVD for online banking, one of which I describe on my website (click on my name).
Like or Dislike:
1
0
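The distinction drawn above between a one-time code that only defeats replay and one that is bound to the transaction (the mTAN-with-summary scheme mentioned earlier in the thread) can be shown in a short simulation. This is an added example, not code from the article or any commenter; the Bank class, the shared key, the payees and the browser_malware stand-in are all constructed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret between the bank and the customer's token or phone
# (illustrative only; a real deployment provisions one per customer).
SHARED_KEY = b"constructed-demo-secret"

USER_ORDER = {"payee": "Acme Printing", "amount": "2400.00"}   # what the customer typed


def six_digit_code(key, message):
    """Six-digit code derived from HMAC-SHA256 over `message`."""
    digest = hmac.new(key, message, hashlib.sha256).digest()
    return "%06d" % (int.from_bytes(digest[:4], "big") % 1_000_000)


def browser_malware(order):
    """Stand-in for a banking trojan rewriting the order inside the browser.

    It never touches the code the customer types; it only changes where the
    money goes. Payee and amount are constructed.
    """
    return {"payee": "Mule Holdings LLC", "amount": "48500.00"}


class Bank:
    def __init__(self, key):
        self.key = key
        self.counter = 0      # scheme A: the one-time code depends only on this

    # Scheme A: one-time code tied to a counter, not to the transaction.
    def issue_otp(self):
        self.counter += 1
        return six_digit_code(self.key, b"otp:%d" % self.counter)

    def submit_with_otp(self, order, code):
        expected = six_digit_code(self.key, b"otp:%d" % self.counter)
        if hmac.compare_digest(code, expected):
            return ("accepted", order)
        return ("rejected", None)

    # Scheme B: the code covers payee and amount, and the bank sends both the
    # summary and the code on a second channel (SMS, or a token with a display).
    def _tan_for(self, nonce, order):
        msg = f"{nonce}|{order['payee']}|{order['amount']}".encode()
        return six_digit_code(self.key, msg)

    def issue_tan(self, order):
        nonce = secrets.token_hex(4)
        tan = self._tan_for(nonce, order)
        summary = f"Confirm transfer of {order['amount']} to {order['payee']}, code {tan}"
        return nonce, summary, tan

    def submit_with_tan(self, nonce, order, tan):
        # Recomputed over the order actually received, so a swapped order fails.
        if hmac.compare_digest(tan, self._tan_for(nonce, order)):
            return ("accepted", order)
        return ("rejected", None)


def scenario_plain_otp():
    """Replay-proof code, but the MITM simply forwards it with its own order."""
    bank = Bank(SHARED_KEY)
    code = bank.issue_otp()                  # customer's token shows only a code
    sent = browser_malware(USER_ORDER)       # order rewritten before it leaves the PC
    return bank.submit_with_otp(sent, code)  # accepted, to the attacker's payee


def scenario_bound_tan_swapped_after_issue():
    """Bound code issued for the real order; malware swaps the order afterwards."""
    bank = Bank(SHARED_KEY)
    nonce, summary, tan = bank.issue_tan(USER_ORDER)
    sent = browser_malware(USER_ORDER)
    return bank.submit_with_tan(nonce, sent, tan)   # rejected: code does not match


def scenario_bound_tan_swapped_before_issue(customer_reads_summary):
    """Malware swaps the order first, so the bank's SMS describes the attacker's order.

    The bound code is only as good as the customer's habit of reading the
    summary on the out-of-band channel before typing the code.
    """
    bank = Bank(SHARED_KEY)
    sent = browser_malware(USER_ORDER)
    nonce, summary, tan = bank.issue_tan(sent)
    if customer_reads_summary and USER_ORDER["payee"] not in summary:
        return ("declined by customer", summary)
    return bank.submit_with_tan(nonce, sent, tan)   # blind typing: accepted
```

The last scenario is the caveat raised above: binding the code to the order moves the check onto the second channel, and it only helps if the person actually compares the summary with what they meant to send.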
No one is disagreeing with you Terry. Using a Live CD will prevent malware and MITM attacks just as you describe. Bankers, however, will lose customers if that’s the “only safe way” to bank online and do nothing further to protect themselves and their customers. Because of that banks and service providers need to provide both technical and administrative controls that reduce the threat of fraud and result in the lowest level of residual risk.
A real world solution would be a combination of both: tokens to authenticate to the site and then re-authenticate the transaction (with a refreshed key) and call-back verification for transactions over pre-set limits.
Instructing banks and consumers that they must rely on a process of booting to an operating system that is foreign and unfamiliar to them does a disservice to both.
Like or Dislike:
2
1
But Eric! A “real world solution” must actually work!
Digital certificates (“tokens”) are universally available in SSL, and we expect SSL to be used in online banking. That works, but the user end of the security guarantee stops inside the computer, and does not extend out to the human.
When malware is in control, any on-line action to “re-authenticate the transaction (with a refreshed key)” is easily passed through by the MITM and so cannot improve security. It does not work.
Having the bank phone the customer to confirm banking orders should make banking safer, but of course does nothing to keep private information away from the internal malware and attacker.
“Instructing banks and consumers that they must rely on a process of booting to an operating system that is foreign and unfamiliar to them does a disservice to both.” Really? The point of this discussion was to see how to prevent the damage described in the original article. If we use your solution, the only part that works is the phone call from the bank. In contrast, booting Puppy Linux from DVD actually does work, even without phone calls. Which approach is the real “disservice?”
Like or Dislike:
1
0
Not mentioned so far in article or in any comments:
The mentioned scam website interiors-a.com is registered to someone in Moscow, Russia, according to the WHOIS database. A name, telephone number, and e-mail address are in this data.
I can only hope this lead is being followed by someone. The ones ultimately responsible for the theft are the thieves themselves.
Like or Dislike:
0
1
In reading many of these comments I realize that people are apparently a bit uninformed.
First of all for anyone who wants a good primer on Zeus and its capabilities, google for “zeus king of the bots” and read that paper.
Zeus is a real game changer. It doesn’t matter what security controls the bank has in place. RSA token, 1 time password pad, etc. Zeus will bypass it.
Once you are infected with Zeus, it is a man in the middle attack, the bank doesn’t have ANY way to effectively verify you. Very different from a phishing attack.
A few banks have looked at products like Trusteer Rapport that are supposed to be able to defend against these types of attacks, but this still relies on the user having it installed for it to be effective. The customers who voluntarily install additional security products are typically in the lower risk category for getting infected with Zeus in the first place.
The closest analogy to the brick & mortar world would be if your wife were to walk into your bank, close your joint account and takes all of the money, moves to Mexico, never to be seen again. Is it the bank’s responsibility to detect that she was leaving you?
Business process based controls are a difficult option as well. Dealing with a system where individual business customers send out thousands of wire transfers every day. Within this scope an individual <$50k wire transfer is equivalent to a micro-deposit that PayPal uses to verify your bank account.
Assigning bank liability on commercial accounts? So if Adobe has a system compromised and a hacker transfers $50MM out of their payroll account, does it become the bank's responsibility to cover that? I don't think this is a realistic option.
Likewise, what if the bank were to suspend a company's payroll transfers on Friday payday because of suspicious activity? Sure, if there *is* a compromise they will be a hero….otherwise they will likely lose a customer. The business risks of false positives are sometimes too large.
I'm not saying that the bank should or should not take care of this particular customer. That becomes a customer relationship, business decision. I do think banks need to do a better job of explaining to small businesses the REAL risks of money losses when using commercial banking, many businesses may think they need these features when they really do not.
In fact many commercial accounts require 2 separate users to approve a new payee. Unfortunately when a small business like this is compromised, even if dual-control is in place, there is only 1 computer that is used, so even dual control won't protect
To answer some other confusion I've read in the comments…
Money mules are often NOT sophisticated individuals. Some don't even have online banking access. The hacker transfers money into their account, sends them an email, they drive to their bank withdraw cash or cashiers check, walk down to the street to the western union and wire the cash to another country.
There is no "waiting period" on a wire transfer. When it is gone, it is gone, just as if you had dropped cash in an envelope and placed it in a mailbox.
In my opinion, money mules involved in these scams need to be held more financially liable.
For these hackers to move large volumes of money, they typically break them up into smaller chunks to multiple parties to avoid detection. Because of this, there is a wider pool of people who could be held jointly responsible for the losses.
There are no easy answers to this problem.
Like or Dislike:
3
1
For technical insight, I suggest “When and Where Strong Authentication Fails” (by Avivah Litan):
http://www.gartner.com/DisplayDocument?id=1245013
For banking malware solutions, start with the 3 main actors:
1. The bank cannot solve it because the malware is in the customer system, not the bank. However, a bank could distribute Linux “live” CDs and prevent Microsoft Windows users from logging in. Banks should refrain from recommending on-line banking unless they are willing to accept the risk of loss.
2. The customer is unqualified to solve it, at least the way things are now. But users can be educated, provided they are motivated, and banks need to provide motivation. Unfortunately, tools necessary for using Microsoft Windows for safe on-line banking simply do not exist, so some sort of alternative OS is currently required.
3. Microsoft has the biggest stake and the best capabilities, yet somehow takes the least blame. Both the banks and users should be demanding better products far beyond Windows patches:
3a. Microsoft could develop tools to certify a Windows installation as clean for use in on-line banking.
3b. Microsoft could develop a fast OS re-install to clean up any infection.
3c. Microsoft could supply a new “live” on-line banking OS.
3d. Microsoft could support hardware re-design to prevent infection.
Users who want actual on-line security now should man up and get their own Linux “live” CD. I prefer Puppy Linux from DVD, and describe it in my ciphersbyritter.com articles. (See, for example:
http://www.ciphersbyritter.com/COMPSEC/PCBANSQA.HTM )
After the Puppy DVD is set up, most user time is spent in Firefox, and my non-technical wife likes it.
We should be gratified that any real alternative exists. Getting companies to respond to user needs is vastly harder and slower, and out of our control. Doing nothing may seem easier, but only if nothing bad happens, and just hoping for the best is no solution at all.
Cr@n1um's comments demonstrate a good grasp of technology but a fuzzy one of the issue. The analogy of a wife leaving her husband and taking all the cash with her is false. Assuming that the wife is a joint owner of the account, she would be acting within the law to take any amount of money out of the account at any time she wished for any purpose. She would in no way be “victimizing” her husband. She would be exercising her marital rights. For the husband, life will go on.
It is the responsibility of the bank to verify that the woman standing at the counter is in fact who she says she is. Failure to do so is negligence. By definition negligent behavior always has consequences. Those consequences are what banks are seeking to escape, and right now, they are succeeding.
Man-in-the-middle attacks of this kind are crimes–felony theft perpetrated by third parties who have no standing and no right to the money. For the victim of this crime, Little & King LLC, life will not go on. That’s the issue.
Would anyone here buy the automobile that exploded most often? That was the easiest to steal? Oddly, though, most people who answered “no way!” to the questions above insist on using the Windows OS and Internet Explorer – the single most hacked software combination available. Why put yourself at risk when other options are available?
there’s a hell of a good universe next door; let’s go
– ee cummings
Terry Ritter has missed the point, too, and with a flourish of technical machismo to boot. Before we “man up” and vault to Linux, consider the situation in its historical context.
How often have we heard that “Windows is the culprit. Too many holes. Too much malware. Microsoft doesn’t care.”
Solution: Switch to a Mac.
But: Oops. Now we have malware infecting OS X.
Why? Because the Bad Guys are not stupid. They go where the money is, like flies go for dung.
Man-in-the-middle attacks are “platform-independent.”
If millions of online banking users switch to Linux, it won’t be long until the Bad Guys hack that, too.
Let’s put aside our hobby horses and puppies and look at another approach. I queue up some banking transactions online. Before they are executed, a human being at the bank calls me on the phone to verify that the transactions are legitimate. Until I’ve identified myself to our mutual satisfaction and verified the transactions, my money stays where it is.
This model is based on human beings sharing responsibility. It’s a time-honored way to get business done well. The bank has some responsibility, and I have some, too. We are working together to make sure the right thing happens–and only the right thing.
What’s the objection? It’s predictable. Making those phone calls will cost money and detract from the bottom line. Now consider this. That bottom line has been artificially inflated by engaging in the risk of making instantaneous, anonymous, online transactions.
There’s cheap, good and fast; you can have any two of them. Cheap + fast = no good. And as it is, apparently no one is responsible for the bad. The tech heads who blame Microsoft or Apple today may live to blame Red Hat, Open Source, Ubuntu, etc. tomorrow, but no software developer–with or without a halo–has ever written a check to a victims’ compensation fund.
I think what we may see from banks in due course is some kind of NAC implementation.
http://en.wikipedia.org/wiki/Network_Access_Control
When a customer attempts to access their account for the first time after implementation, the back-end will quickly scan the connecting PC for vulnerabilities in the O/S and commonly exploited apps like Adobe Flash, Adobe Reader, Java, QuickTime, etc.
If old & vulnerable versions are found, the assumption will be made that the PC is infected with malware of some description (not an unreasonable assumption) and users will be sent to a remediation site and advised on how to patch the outdated apps. Only when the PC is detected as ‘clean’ will access to the online account be granted.
Will this eliminate this kind of fraud? No, certainly not… but it could drastically reduce it.
Banks that implement this will suffer the ire of their customers, as most users cannot begin to keep every app updated (see recent Secunia report) and thus will be blocked from accessing their own account online… but this could be offset by the positive news that at least they’re doing something about this huge and growing problem.
All right Bill,
Not even a phone call from the bank is complete protection. If the attacker can enter a new phone number for your account, or even transfer the call to their own number, they can approve their own transfer. You do not even know until you next look at your accounts.
Microsoft Windows IS the culprit. Over 93 percent of browsing occurs in Windows. Almost all banking bots target Windows. True, IF everyone in the world switched to Linux, then Linux would have similar or worse problems. IF. Personally, I doubt that will happen. As long as the vast majority of browsing occurs under Windows, the secondary platforms (Mac, Linux) will be relatively safe. Not perfect, just much, much better than Windows.
As long as Windows is installed on tasty, easily-written hard drives, malware will be infecting those drives, possibly undetected by scanning. Once infected means always infected for every session until the OS is re-installed, and, no, customers are not going to like needing that. There are no tools to certify Windows as clean for on-line banking. In contrast, running an OS from DVD avoids existing infection, makes infection both difficult and easy to correct if suspected.
Those who need an actual technical solution now (instead of some possibly partial solution at some distant future date) need to MAN UP NOW and find a Linux “live” CD or DVD to use. I prefer Puppy Linux; see my website for articles, such as:
http://www.ciphersbyritter.com/COMPSEC/PCBANSQA.HTM
Hi Terry–
Three things.
1. I wrote: “Until I’ve identified myself to our mutual satisfaction and verified the transactions, my money stays where it is.” The operative phrase is “our mutual satisfaction.” That means the bank and I work out how I am going to identify myself satisfactorily.
2. Bank employees verify the identities of people calling on the phone every day by asking the caller questions and obtaining specific information. This has been an accepted security practice for going on 20 years because it has worked well. The number you call from doesn’t matter.
3. Ever seen any of the old “Move to Phoenix!” ads? They touted its virtues, like no crime, cheap land prices, low population, no traffic jams, clean air, and no State income tax. Sounded good to millions of people who moved there, and very quickly all of those virtues evaporated. The same fate awaits any “safer OS.”
Hi Bill!
1. “The operative phrase is “our mutual satisfaction.”” That does sound better than I expected, but “mutual satisfaction” leaves a great deal of room, not only for what I interpret, but what actually occurs. We see repeatedly how effective most ad hoc schemes actually are after the fact, even given full “satisfaction.”
Moreover, a personal authentication service cannot hope to be a general on-line banking solution. It would be pretty expensive for banks, delays would be irritating for customers, and many people would insist on the simplest and least secure process. Serious security generally is both more complex and more awkward than most people want.
3. “very quickly all of those virtues evaporated.” Although running Puppy Linux from DVD may not be a permanent solution, it is a solution RIGHT NOW. It can be implemented for free, without any special banking arrangement. The Puppy Linux solution also inherently handles multiple banks or investment accounts, and provides access for a partner in an emergency.
Someday malware may start to target Linux and more precautions will be required. But malware will have to go some to infect a DVD as easily as it infects Microsoft Windows hard drives. One of the big problems we have with Windows is its “once infected, always infected” property, since we may not even be able to tell that we are infected.
Anyone who wants more on booting Puppy Linux from DVD can find articles on my pages.
Hi Terry–
Mutual satisfaction is a concept in business law that describes a contractual agreement. I have not proposed anything ad hoc, rather that banks and their depositors reach as a matter of course an agreement as to how each party will prove to the satisfaction of the other that they are who they say they are every time a transaction is to occur. All such agreements are subject to revision as conditions change. This is a strategy to fix the problem, not another tactic aimed at propping up a broken system.
All strategies require additional time and additional expense, but also a fundamental change in thought and approach. It does not appear that change is going to come from the banks–not as long as they can offload responsibility onto their depositors. If banks were motivated to do what they are supposed to do (i.e., act as trustees of their depositors’ money), this problem would have been fixed a long time ago.
When IT people got involved in banking, they applied the same “quick and dirty” authentication technique that they’d used elsewhere: requiring a username and a password. That was OK (and just OK) for securing email (some years ago). No rational, well-informed IT professional today would uphold “single-factor authentication” as a reliable means of securing anything of value or consequence, and certainly not an online bank account.
The same IT professionals (and their successors) have to drive home to the bankers a simple fact: single-factor authentication schemes simply can’t be trusted anymore. It’s a broken system that can’t be fixed. Two-factor authentication is more secure, but as ATM thefts have shown, only marginally so. A new strategy is needed.
If the banks won’t listen to reason or face the facts, then IT professionals should ally themselves with regulators and legislators to compel banks to adopt a new strategy. Unless and until that happens, IT practitioners will be left to fight an endless series of rear-guard actions in a war that, rightly speaking, cannot be won.
Brian:
Good article. Now you know why I spend so much of my time trying to foil ZBot at SecureMecca dot com. There are several points I feel need to be made.
1. These people really need to consider getting off of Microsoft Windows. I had a Windows newbie that was using my PAC filter basically accuse me that I had made it so that he was going to have to format his drive to get rid of the PAC filter. I don’t know if the instructions I gave him in a personal email placated him, but if he had just read the Uninstall.txt file he would have been good to go. In fact, he could turn the PAC filter on and off at will. The registry changes are just to make it possible for it to function at all. He could also have deleted the rule in the PAC filter that caused problems for him. Even a little bit of extra protection is better than none. I just installed Thunderbird on Sauron running OpenSUSE 11.2 Linux. I had to deduce that renaming the unbzipped folder (thunderbird —> thunderbird-3.03.) was in order along with creating a symlink (thunderbird —> /usr/local/lib/thunderbird-3.0.3). Altering the thunderbird startup script was also necessary to handle the future update changes, which I hope slow down from a torrent to a trickle. What am I saying? These people need to take some of the responsibility on themselves so that this doesn’t happen. Ergo, if you want the easy route off of Windows pick Macintosh. The hard route via Linux takes more work but these people need to ask themselves just one question. What if this attack had been made on me and I was using a Macintosh or Linux? Attack foiled. I was talking to a relative that had suspicious charges on their credit card. Their machine is pwned. How many are like this? A lot more than people think. Hackers have already found ways around the UAC.
I must hasten to add that I don’t use them, so the UAC gets in the way of auto updating the PAC filter. It is only useful with XP or Windows 7 Professional or Ultimate. I would suggest using the Web Of Trust, but that doesn’t help in a spear phishing attack.
2. Banking regulations need to change. The financial institutions need to assume at least some of the responsibility for this. The complete draining of a company’s assets should never have happened. Legislative bodies primarily in the U.S. but all over the earth need to provide the protection that is being used to protect idiots that are using Windows whether they are just personal or small business. They are already doing it for the individual. The regulations were written with a large corporation in mind and it just isn’t enough. Small businesses do not have the resources and in many cases the personal acumen to make themselves safer.
3. Security comes in layers. One of these layers is step 2. The other is step 1. Another layer is to use some common sense – do NOT click on the links in emails, especially if it is saying it goes to NACHA, FDIC, or some other place like that. Invariably, that is NOT where they go.
Interesting ‘concept’: http://www.srware.net/en/software_banking_browser_2008.php
A stripped browser, for banking only: no Java, Flash. Also, shielded against other installed browsers.
Seems more practical than a separate box for banking only.
In German – and, unfortunately, not updated since 2008, so I can’t tell how secure it is.
Gartner analysts published in December 2009 that all existing means of strong authentication are inadequate to protect transaction integrity, for the simple reason that Trojan horse malware resident on our infected PCs circumvents these means. Nearly 50% of PCs worldwide are infected with some sort of malware. The vulnerability exploited is called Man in the Browser. Man-in-the-Browser is a Trojan that infects a web browser and has the ability to modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The MitB Trojan works by utilising common facilities provided to enhance browser capabilities and is virtually undetectable to virus scanning software. In an example exchange between user and host, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Therefore US regulators and the FBI recommend that all financial activities be performed only from dedicated computers. Obviously this is a short-term solution. It has been demonstrated that out-of-band transaction confirmation, such as SMS sent over a mobile phone, merely adds complexity to the process and is still vulnerable to targeted attack. The need exists for a malware-resilient solution to the problem.
Our solution is a 2-stage process including signing of the web form by the user and signed-form authorization by the service provider. No transaction will be authorized without both stages fully completed. In order to use our Software-as-a-Service, the end-user must download our client software, register his PC and enroll his Biometrics VoicePrint; the whole process takes less than a minute. The signing software includes a data verification module that ensures that What You See is What You Sign, a Strong Authentication module that ensures the identity of the person signing the transaction and an Advanced Electronic Signature module that ensures transaction integrity in transit and at rest.
The following flow highlights the signing process for a medium-sensitivity transaction. The end-user signs a web form for a third-party money transfer. Our software prompts the end-user to confirm transaction integrity and verify the data. Finally the end-user is prompted to enter his 4-digit PIN. It takes about 15 sec of end-user time to sign a filled web form. A medium-sensitivity transaction is signed using 2-factor strong authentication, including proprietary PC ID (something you have) and PIN (something you know). Higher-sensitivity transactions may be signed using 3-factor strong authentication by adding Live Voice Biometrics (something you are).
The signed web form includes 2 parts: end-user attributes and transaction details. It complies with the definition of Advanced Electronic Signature. Both end-user and service provider will keep the same signed web form for future audit. The service provider may access this signed web form through our API. This solution is malware-resilient, does not require any dedicated hardware and does not add complexity to the business flow. This solution is generic and is applicable to banking transfers, e-commerce purchases, insurance claims, healthcare prescriptions and e-government voting.
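As an added example (not the commenter's code or product), the Python sketch below shows the "what you see is what you sign" idea from the comment above: the client signs a canonical encoding of the form with a secret held outside the browser, and the bank verifies that signature over the fields it actually received, so a man-in-the-browser rewrite of the payee or amount fails verification and a captured signed form cannot be replayed. The device secret, PIN, user id and account values are constructed, and a shared-secret HMAC stands in for the commenter's proprietary PC ID and signature modules.

```python
"""Added example, not code from the comment or its author's product: a minimal
"what you see is what you sign" check for a transfer form. The client signs a
canonical encoding of the form with a secret held outside the browser; the
bank verifies over the fields it actually received. Names, secrets and account
values are constructed placeholders."""
import hashlib
import hmac
import json
import secrets

# Constructed enrollment data. At registration the client software generates a
# device secret (the "something you have"), which the bank also stores, and the
# user picks a PIN (the "something you know") that gates local use of that secret.
DEVICE_SECRET = bytes.fromhex("9f3a7c21d4e85b06aa11c2f3d4e5f60718293a4b5c6d7e8f9001a2b3c4d5e6f7")
PIN_CHECK = hashlib.pbkdf2_hmac("sha256", b"4321", DEVICE_SECRET, 50_000)
BANK_REGISTRY = {"user-001": DEVICE_SECRET}  # user id -> shared device secret
BANK_SEEN_NONCES: set[str] = set()           # replay protection on the bank side


def canonical_form(fields: dict) -> bytes:
    """Sorted keys, fixed separators: both sides must hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_form(fields: dict, user_id: str, pin: str) -> dict:
    """Client side: check the PIN locally, then sign the form as displayed."""
    attempt = hashlib.pbkdf2_hmac("sha256", pin.encode(), DEVICE_SECRET, 50_000)
    if not hmac.compare_digest(attempt, PIN_CHECK):
        raise PermissionError("PIN rejected; form not signed")
    tx = dict(fields, nonce=secrets.token_hex(8))  # fresh nonce per signing
    mac = hmac.new(DEVICE_SECRET, canonical_form(tx), "sha256").hexdigest()
    return {"user": user_id, "transaction": tx, "signature": mac}


def bank_verify(signed: dict) -> bool:
    """Bank side: recompute the MAC over what was actually received."""
    key = BANK_REGISTRY.get(signed.get("user"))
    if key is None:
        return False
    tx = signed.get("transaction", {})
    expected = hmac.new(key, canonical_form(tx), "sha256").hexdigest()
    if not hmac.compare_digest(expected, signed.get("signature", "")):
        return False  # payee, amount or any other field differs from what was signed
    nonce = tx.get("nonce")
    if not nonce or nonce in BANK_SEEN_NONCES:
        return False  # a captured signed form cannot be submitted twice
    BANK_SEEN_NONCES.add(nonce)
    return True


def demo() -> dict:
    """Constructed transfer: clean submission, a MitB-altered copy, and a replay."""
    form = {"payee": "Example Supplies Ltd", "account": "12345678",
            "amount": "2500.00", "currency": "USD"}
    signed = sign_form(form, "user-001", "4321")
    clean = bank_verify(signed)
    # The user saw and signed `form`; the bank receives rewritten instructions.
    altered = {**signed, "transaction": {**signed["transaction"],
                                         "account": "99999999", "amount": "18500.00"}}
    tampered = bank_verify(altered)
    replayed = bank_verify(signed)  # same nonce resubmitted
    return {"clean": clean, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())  # {'clean': True, 'tampered': False, 'replayed': False}
```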
Sounds like the bank is aiding and abetting criminals with grand larceny. I would find a good lawyer.