Comments on: N.Y. Firm Faces Bankruptcy from $164,000 E-Banking Loss

By: cheeseman

cheeseman — Fri, 02 Jul 2010 18:13:09 +0000

Sounds like the bank is aiding and abetting criminals with grand larceny. I would find a good lawyer.

Like or Dislike: 0 0

By: Eli Talmor

Eli Talmor — Mon, 28 Jun 2010 13:11:48 +0000

Gartner analysts published in December 2009 that all existing means of strong authentication are inadequate to protect transaction integrity for simple reason that Trojan horse malware resident on our infected PCs circumvent these means. Nearly 50% of PCs worldwide are infected with some sort of malware. The vulnerability exploited is called Man in the Browser. Man-in-the-Browser, is a trojan that infects a web browser and has the ability to modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The MitB Trojan works by utilising common facilities provided to enhance Browser capabilities is virtually undetectable to virus scanning software.In an example exchange between user and host, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Therefore US regulators and FBI recommend that all financial activities will be performed only from dedicated computers. Obviously this is a short-term solution. It has been demonstrated that Out-of-band transaction confirmation , such SMS sent over mobile phone , merely adds complexity to the process and is still vulnerable to targeted attack .The need exists for malware-resilient solution to the problem.
Our solution is a 2-stage process including signing of web form by user and signed form authorization by the service provider. No transaction will be authorized without both stages fully completed. In order to use our Software-as-a-Service end-user must download our client software, register his PC and enroll his Biometrics VoicePrint, the whole process takes less then a minute. Signing software includes data verification module that ensures that What you See is What you Sign, Strong Authentication module that ensures the identity of the person signing transaction and Advanced Electronic Signature module that ensures transaction integrity in transit and at rest.
The following flow highlights the signing process for medium-sensitivity transaction. End-user signs web-form for third-party money transfer. Our software prompts end-user to confirm transaction integrity and verify the data. Finally end-user is prompted to enter his 4 digit PIN. It takes about 15 sec of end-user time to sign filled web-form. Meduim-sensitivity transaction is signed using 2-factor strong authentication, including proprietary PC ID (something you have) and PIN (something you know). Higher-sensitivity transactions may be signed using 3-factor strong authentication by adding Live Voice Biometrics (something you are)..
Signed web-form includes 2 parts: end-user attributes and transaction details. It complies with the definition of Advanced Electronic Signature. Both end-user and service provider will keep the same signed web-form for future audit. Service provider may access this signed web-form through our API. This solution is malware-resilient, does not require any dedicated hardware and does not add complexity to the business flow. This solution is generic and is applicable to Banking transfers, E-commerce purchases, Insurance claims, Healthcare prescriptions, E-Gov voting.

Like or Dislike: 1 0

By: Clarification

Clarification — Mon, 17 May 2010 01:21:30 +0000

I hear it often, that banks are responsible for credit card fraud. They are not. The vendor loses money on fraudulent transactions, not banks. I wish banks were responsible; we would have less fraud then.

Like or Dislike: 1 1

By: Jay

Jay — Fri, 16 Apr 2010 14:13:40 +0000

Interesting ‘concept’: http://www.srware.net/en/software_banking_browser_2008.php

A stripped browser, for banking only: no Java, Flash. Also, shielded against other installed browsers.

Seems more practical than a separate box for banking only.

In German – and, unfortunately, not updated since 2008, so I can’t tell how secure it is

Like or Dislike: 1 0

By: Sean

Sean — Thu, 08 Apr 2010 19:59:27 +0000

“Adobe should be fined for their poor security”

Every user that downloads Adobe software enters into a binding legal contract stating that Adobe is not responsible for any consequential damages, direct or indirect, and there is no warranty. Nearly every software package in existence has this language in their license agreement.

Does Adobe security suck? Yes, probably.

Have they done something illegal? No, absolutely not. They warned you upfront and you choose to ignore the warning and take the risk.

You can’t “fine” people for doing something that is not illegal.

Like or Dislike: 1 0

By: Sean

Sean — Mon, 05 Apr 2010 22:49:54 +0000

I also feel really bad for this business owner.

But, in a vein similar to your comment, the business owner admitted that she opted to take the risk and not purchase insurance for her business. I did that too during the first few years of my business. Then I “grew up” as a business owner, and started paying out $200/month to insure my business against lots of different calamities.

Like or Dislike: 1 0

By: Sean

Sean — Mon, 05 Apr 2010 22:45:51 +0000

You are absolutely right. I was wondering why some of the mules had apparently been instructed to set up LLC’s. Bingo. You just answered the question.

If the “mule” is an LLC, banks don’t care.

Like or Dislike: 2 0

By: si-borg

si-borg — Thu, 01 Apr 2010 02:07:25 +0000

An SMS sent after every transaction as confirmation would help ensure that business owners would be able to get onto any problems within 24 hours. Some banks already do this in Australia.

Simple. Cheap. Effective?

Like or Dislike: 3 0

By: Michael Businger

Michael Businger — Wed, 31 Mar 2010 16:35:22 +0000

This is another good reason for anyone using online banking to have a dedicated computer that is only used to online banking, no web browsing, no email, no storage of sensitive or critical business data, etc. Yes, this is an additional cost, but I think any reasonable person can see it is much cheaper than the alternative!

Well-loved. Like or Dislike: 10 0

By: Henry Hertz Hobbit

Henry Hertz Hobbit — Wed, 17 Mar 2010 22:25:49 +0000

Brian:

Good article. Now you know why I spend so much of my time trying to foil ZBot at SecureMecca dot com. There are several points I feel need to be made.

1. These people really need to consider getting off of Microsoft Windows. I had a Windows newbie that was using my PAC filter basically accuse me that I had made it so that he was going to have to format his drive to get rid of the PAC filter. I don’t know if the instructions I gave him in a personal email placated him, but if he had just read the Uninstall.txt file he would have been good to go. In fact, he could turn the PAC filter on and off at will. The registry changes are just to make it possible for it to function at all. He could also have deleted the rule in the PAC filter that caused problems for him. Even a little bit of extra protection is better than none. I just installed Thunderbird on Sauron running OpenSUSE 11.2 Linux . I had to deduce that renaming the unbzipped folder (thunderbird —> thunderbird-3.03.) was in order along with creating a symlink (thunderbird —> /usr/local/lib/thunderbird-3.0.3). Altering the thunderbird startup script was also necessary to handle the future update changes, which I hope slow down from a torrent to a trickle. What am I saying? These people need to take some of the responsibility on themselves so that this doesn’t happen. Ergo, if you want the easy route off of Windows pick Macintosh. The hard route via Linux takes more work but these people need to ask themselves just one question. What if this attack had been made on me and I was using a Macintosh or Linux? Attack foiled. I was talking to a relative that had suspicious charges on their credit card. Their machine is pwned. How many are like this? A lot more than people think. Hackers have already found ways around the UAC.
I must hasten to add that I don’t use them, so the UAC gets in the way of auto updating the PAC filter. It is only useful with XP or Windows 7 Professional or Ultimate. I would suggest using the Web Of Trust, but that doesn’t help in a spear phishing attack.

2. Banking regulations need to change. The financial institutions need to assume at least some of the responsibility for this. The complete draining of a company’s assets should never have happened. Legislative bodies primarily in the U.S. but all over the earth need to provide the protection that is being used to protect idiots that are using Windows whether they are just personal or small business. They are already doing it for the individual. The regulations were written with a large corporation in mind and it just isn’t enough. Small businesses do not have the resources and in many cases the personal acumen to make themselves safer.

3. Security comes in layers. One of these layers is step 2. The other is step 1. Another layer is to use some common sense – do NOT click on the links in emails, especially if it is saying it goes to NACHA, FDIC, or some other place like that. Invariably, that is NOT where they go.

Like or Dislike: 1 0