Comments on: Crooks Crank Up Volume of E-Banking Attacks http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/ In-depth security news and investigation Sat, 11 Feb 2012 19:29:31 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: James R. ("Jim") Woodhill http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-4286 James R. ("Jim") Woodhill Sat, 20 Mar 2010 15:10:47 +0000 http://www.krebsonsecurity.com/?p=1476#comment-4286 Brian, At RSA 2010 an old-timer mentioned that it is really easy to hack your typical home or small- and medium-sized enterprise router remotely to set its DNS server IP address to whatever you want. I don't know if the router is addressable from the general Internet or whether one must run something in the user's browser to turn around and address the device. But note that this is an attack upstream of the PC and downstream of the ISP that no trace of its presence needs to be left anywhere where a malware scanner would find it. While I appreciate that all the losses you know about involve permanently compromised PCs, the fact that there are attacks at least *possible* upstream (known, unknown, and "unknown unknown") just reinforces you point that the financial services institutions need to follow the "X-Files principle" (TRUST NO ONE. (But the Truth Is Out There.) Brian,

At RSA 2010 an old-timer mentioned that it is really easy to hack your typical home or small- and medium-sized enterprise router remotely to set its DNS server IP address to whatever you want. I don’t know if the router is addressable from the general Internet or whether one must run something in the user’s browser to turn around and address the device. But note that this is an attack upstream of the PC and downstream of the ISP that no trace of its presence needs to be left anywhere where a malware scanner would find it.

While I appreciate that all the losses you know about involve permanently compromised PCs, the fact that there are attacks at least *possible* upstream (known, unknown, and “unknown unknown”) just reinforces you point that the financial services institutions need to follow the “X-Files principle” (TRUST NO ONE. (But the Truth Is Out There.)

Like or Dislike: Thumb up 2 Thumb down 0
]]> By: Mike http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-3900 Mike Tue, 16 Mar 2010 12:28:26 +0000 http://www.krebsonsecurity.com/?p=1476#comment-3900 The banks didn't have any trouble figuring out how to add fraud detection to credit card accounts (it wasn't built in from the beginning there, either). The difference? They had liability for the fraudulent card activity, and have nothing to lose if their commercial customers are wiped out due to online banking/wire transfer fraud. Until the banks are required by law to protect the assets of their commercial customers, they simply will not care about fixing this problem. (They generally do offer fraud guarantees to their consumer online banking customers, presumably because the amounts involved are small enough that they can cover the loses without having to actually fix the underlying vulnerabilities.) The banks didn’t have any trouble figuring out how to add fraud detection to credit card accounts (it wasn’t built in from the beginning there, either). The difference? They had liability for the fraudulent card activity, and have nothing to lose if their commercial customers are wiped out due to online banking/wire transfer fraud. Until the banks are required by law to protect the assets of their commercial customers, they simply will not care about fixing this problem. (They generally do offer fraud guarantees to their consumer online banking customers, presumably because the amounts involved are small enough that they can cover the loses without having to actually fix the underlying vulnerabilities.)

Like or Dislike: Thumb up 4 Thumb down 1
]]> By: AlphaCentauri http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-3893 AlphaCentauri Tue, 16 Mar 2010 05:33:14 +0000 http://www.krebsonsecurity.com/?p=1476#comment-3893 I think you're right in most cases: Mules are people who are very naive about money and fraud. They hand their own identity to thieves in a scheme where they can't hope to hold onto the profits once they are found out. They should be suspicious about jobs that pay too much for too little work, but who hasn't wondered what the top business executives do for their $3 million/year salaries? It's not like the boss is doing work that is more physically demanding or more unpleasant than the work done by the lady that cleans the toilets all night. Free market principles don't seem to apply. So the little guy tends to think that getting salaries an order of magnitude higher than anything he's ever received is a question of getting a lucky break, not a question of needing special skills for high-paying jobs. But there are mules that sign up just before leaving the US, such as students graduating and returning to their home countries. Sometimes they manage to get out of the US before anyone comes to claim the stolen money. Those mules may well know what they are doing, as it seems unlikely they would sign up for something that would deposit their money in a bank in the US just before they leave, given the possibility that a SNAFU would delay the deposit until they no longer have access to the bank. I think you’re right in most cases: Mules are people who are very naive about money and fraud. They hand their own identity to thieves in a scheme where they can’t hope to hold onto the profits once they are found out. They should be suspicious about jobs that pay too much for too little work, but who hasn’t wondered what the top business executives do for their $3 million/year salaries? It’s not like the boss is doing work that is more physically demanding or more unpleasant than the work done by the lady that cleans the toilets all night. Free market principles don’t seem to apply. So the little guy tends to think that getting salaries an order of magnitude higher than anything he’s ever received is a question of getting a lucky break, not a question of needing special skills for high-paying jobs.

But there are mules that sign up just before leaving the US, such as students graduating and returning to their home countries. Sometimes they manage to get out of the US before anyone comes to claim the stolen money. Those mules may well know what they are doing, as it seems unlikely they would sign up for something that would deposit their money in a bank in the US just before they leave, given the possibility that a SNAFU would delay the deposit until they no longer have access to the bank.

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: AlphaCentauri http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-3892 AlphaCentauri Tue, 16 Mar 2010 05:07:13 +0000 http://www.krebsonsecurity.com/?p=1476#comment-3892 From what I understand, if the bank required an authentication for each transaction, it would at least limit these. The attackers make multiple transactions under the $10,000 reporting limit, sending them to multiple money mules. If the user has entered only one transaction and is asked to authenticate additional ones, he/she will likely get suspicious no matter what the browser says. From what I understand, if the bank required an authentication for each transaction, it would at least limit these. The attackers make multiple transactions under the $10,000 reporting limit, sending them to multiple money mules. If the user has entered only one transaction and is asked to authenticate additional ones, he/she will likely get suspicious no matter what the browser says.

Like or Dislike: Thumb up 1 Thumb down 0
]]> By: Cliff http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-3872 Cliff Mon, 15 Mar 2010 20:52:14 +0000 http://www.krebsonsecurity.com/?p=1476#comment-3872 as long as the bank didn't use the term "provisional credit" this means they can take your money back as they did with our loss, the "provisional credit" makes you feel good for a couple of days then they pull the rug out from under you again. as long as the bank didn’t use the term “provisional credit” this means they can take your money back as they did with our loss, the “provisional credit” makes you feel good for a couple of days then they pull the rug out from under you again.

Like or Dislike: Thumb up 1 Thumb down 1
]]> By: Matt http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-3850 Matt Mon, 15 Mar 2010 05:17:11 +0000 http://www.krebsonsecurity.com/?p=1476#comment-3850 Yes you’ve got it, the concept is radically different to any other authentication system out there but once you understand it is very simple. Actually I like to think the security is in the simplicity because by eliminating electronics, standard cryptography and injecting a simple human physical/visual action, the normal cat and mouse authentication failures don’t apply. There is just no way an online attacker no matter how complex is going to hack into a plain printed key pattern and steal the key. In the demonstration for transaction authentication I usually use Pxxxx for the password and then Axxx for the last 3 account digits and then just loop it around but there is many ways it could be done and it is entirely flexible on the amount of digits used or characters to reference, T could = total for example. The only possible angle of online attack is statistical analysis by the trojan of the screen challenge and the associated keylogged user response. Every time a user authenticates it does actually lose a tiny bit of predictable probabalistic information about the key so we’ve done lots of research on this sole attack. The results are great with it being very easy to put the necessary number of interceptions by the trojan well over 10000 or even higher magnitudes by changing simple aspects of the challenge picture, so lets say a user authenticates into their account once a day the trojan would need to wait around for 28+ years worth of authentication data by the user to correctly analyse the users key. Considering most cards are replaced every few years I don’t consider this attack feasible. This interception amount isnt set in stone either there are a number of basic multipliers which don’t affect usability at all and can easily multiply this interception rate but it seems unnecessary. From a personal (in person) attack angle I like to think the security is pretty strong too. Being kept in your wallet instead of a hardware token floating around your desk seems much more secure and user friendly. Discreet photographic attacks (as in a hidden camera around your office) are pretty remote too with a simple transparent tint effect printed around the key pattern the attacker literally needs to get the card out of your hands and into a specialized photographic setup with a backlight. This seems as unlikely as me lending my house keys to a stranger. There are a lot of cheap open methods to protect the visual key pattern from transflective laminates to electro chromatic pressure activated cells, depending on the level of paranoia. Anyway thanks for taking the time with a new idea, I am putting all this out here as a solution to the problem and it’s great to get any feedback. Yes you’ve got it, the concept is radically different to any other authentication system out there but once you understand it is very simple. Actually I like to think the security is in the simplicity because by eliminating electronics, standard cryptography and injecting a simple human physical/visual action, the normal cat and mouse authentication failures don’t apply. There is just no way an online attacker no matter how complex is going to hack into a plain printed key pattern and steal the key.
In the demonstration for transaction authentication I usually use Pxxxx for the password and then Axxx for the last 3 account digits and then just loop it around but there is many ways it could be done and it is entirely flexible on the amount of digits used or characters to reference, T could = total for example.

The only possible angle of online attack is statistical analysis by the trojan of the screen challenge and the associated keylogged user response. Every time a user authenticates it does actually lose a tiny bit of predictable probabalistic information about the key so we’ve done lots of research on this sole attack. The results are great with it being very easy to put the necessary number of interceptions by the trojan well over 10000 or even higher magnitudes by changing simple aspects of the challenge picture, so lets say a user authenticates into their account once a day the trojan would need to wait around for 28+ years worth of authentication data by the user to correctly analyse the users key. Considering most cards are replaced every few years I don’t consider this attack feasible. This interception amount isnt set in stone either there are a number of basic multipliers which don’t affect usability at all and can easily multiply this interception rate but it seems unnecessary.

From a personal (in person) attack angle I like to think the security is pretty strong too. Being kept in your wallet instead of a hardware token floating around your desk seems much more secure and user friendly. Discreet photographic attacks (as in a hidden camera around your office) are pretty remote too with a simple transparent tint effect printed around the key pattern the attacker literally needs to get the card out of your hands and into a specialized photographic setup with a backlight. This seems as unlikely as me lending my house keys to a stranger. There are a lot of cheap open methods to protect the visual key pattern from transflective laminates to electro chromatic pressure activated cells, depending on the level of paranoia.

Anyway thanks for taking the time with a new idea, I am putting all this out here as a solution to the problem and it’s great to get any feedback.

Like or Dislike: Thumb up 2 Thumb down 2
]]> By: Michael http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-3849 Michael Mon, 15 Mar 2010 04:22:17 +0000 http://www.krebsonsecurity.com/?p=1476#comment-3849 Yes, the insecure user-to-bank side of the traffic confused me as well because trojans can read/steal everything the user sends to the bank but I think I've got it now. The key to understanding PassWindow is PW makes the bank-to-user side of the traffic absolutely secure (until the user's PW card pattern is broken). The user-to-bank side of the traffic remains insecure but this doesn't matter with PW because secure bank-to-user traffic allows the bank to safely send single-use passcodes to the user that are associated with transaction details. Sent-to-bank-by-user passcodes are read by but are useless to trojans for future transactions because they are single-use (but can be used to break the user's card pattern). Here's how PW might work. The bank sends the user a PW image containing a transaction detail and passcode. For example, PW=xx3xxR789x means the user should return passcode=3 to confirm bank Routing number ending in 789 with x=unresolved. A 2nd image PW=xxxA321x5x means the user should return passcode=5 to confirm Account number ending in 321. All is safe as long as trojans cannot decode the 3 and 5 passcodes behind the user's back. The user should not return a passcode if its account detail is unrecognizable (possible mule account). It'll likely not even get this far because several PW challenges may be issued just to set up a mule account. Yup, it's a bit cumbersome but seems workable though all's lost once the user's card pattern is broken. Yes, the insecure user-to-bank side of the traffic confused me as well because trojans can read/steal everything the user sends to the bank but I think I’ve got it now. The key to understanding PassWindow is PW makes the bank-to-user side of the traffic absolutely secure (until the user’s PW card pattern is broken). The user-to-bank side of the traffic remains insecure but this doesn’t matter with PW because secure bank-to-user traffic allows the bank to safely send single-use passcodes to the user that are associated with transaction details. Sent-to-bank-by-user passcodes are read by but are useless to trojans for future transactions because they are single-use (but can be used to break the user’s card pattern). Here’s how PW might work. The bank sends the user a PW image containing a transaction detail and passcode. For example, PW=xx3xxR789x means the user should return passcode=3 to confirm bank Routing number ending in 789 with x=unresolved. A 2nd image PW=xxxA321x5x means the user should return passcode=5 to confirm Account number ending in 321. All is safe as long as trojans cannot decode the 3 and 5 passcodes behind the user’s back. The user should not return a passcode if its account detail is unrecognizable (possible mule account). It’ll likely not even get this far because several PW challenges may be issued just to set up a mule account. Yup, it’s a bit cumbersome but seems workable though all’s lost once the user’s card pattern is broken.

Like or Dislike: Thumb up 2 Thumb down 2
]]> By: Matt http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-3842 Matt Mon, 15 Mar 2010 00:19:05 +0000 http://www.krebsonsecurity.com/?p=1476#comment-3842 I agree the weak link in the banking chain is authenticating those outgoing accounts, much easier on the user than authenticating through hoops with every single transaction and usability is a key part of any security solution. I didnt mention out of band authentication primarily as I was only thinking of authentication solutions which seem to be complete solutions, not alternatives which shift the problem into different areas. The 40 digit reference is with regard to hardware tokens which can docryptographic transaction signing and their user process which I have outlined more clearly below in response to Dalmatian90, sadly they are not random digits (which would be a little more user friendly) but very specific challenge-response checksums between the device and the terminal which include transaction information. My concern with TOOBA as well as shifting to more obscure operating systems is it doesn’t provide a "secure" theory underlying it. Their phone trojans could just as easily record these conversations (which some do to an mp3 and upload out later) compared with what they are doing in the article above. A friend of mine who developed the cryptography behind a major brand of hardware token once lamented that the real security of their tokens was reduced to “knowing the user’s mother’s maiden name” because an attacker could just ring and answer this question to bypass the authentication. Constantly moving the authentication target so far has failed at stopping authentication fraud which is essentially what we are dealing with. The most widely used out of band authentication is SMS mTAN's, adopted as a lower entry cost solution by some banks however it comes with an entirely new set of problems in many ways worse than the old. For a start if a hacker can get their payloads such as Zeus into your computers running the most up to date trojan detectors then you can believe they can get a similar payload onto your mobile phone which doesnt have any protection. There is a slew of other problems with SMS listed here http://www.passwindow.com/security.html#sms As Brian said you have to assume the user’s system, be that PC, Laptop or Mobile, is *already compromised*, I would personally like to add to that with *and the attacker can control every aspect of the compromised system*. From this angle it is better to work backward from what we know is secure and then consider the other two important aspects which is usability and price, neither of which can be ignored. I know the token transaction signing and the passwindow method can’t be circumvented under this situation so we at least have a starting point, if anyone else has any ideas they are welcome to throw them in. I agree the weak link in the banking chain is authenticating those outgoing accounts, much easier on the user than authenticating through hoops with every single transaction and usability is a key part of any security solution.
I didnt mention out of band authentication primarily as I was only thinking of authentication solutions which seem to be complete solutions, not alternatives which shift the problem into different areas.
The 40 digit reference is with regard to hardware tokens which can docryptographic transaction signing and their user process which I have outlined more clearly below in response to Dalmatian90, sadly they are not random digits (which would be a little more user friendly) but very specific challenge-response checksums between the device and the terminal which include transaction information.

My concern with TOOBA as well as shifting to more obscure operating systems is it doesn’t provide a “secure” theory underlying it. Their phone trojans could just as easily record these conversations (which some do to an mp3 and upload out later) compared with what they are doing in the article above. A friend of mine who developed the cryptography behind a major brand of hardware token once lamented that the real security of their tokens was reduced to “knowing the user’s mother’s maiden name” because an attacker could just ring and answer this question to bypass the authentication. Constantly moving the authentication target so far has failed at stopping authentication fraud which is essentially what we are dealing with.
The most widely used out of band authentication is SMS mTAN’s, adopted as a lower entry cost solution by some banks however it comes with an entirely new set of problems in many ways worse than the old. For a start if a hacker can get their payloads such as Zeus into your computers running the most up to date trojan detectors then you can believe they can get a similar payload onto your mobile phone which doesnt have any protection. There is a slew of other problems with SMS listed here http://www.passwindow.com/security.html#sms

As Brian said you have to assume the user’s system, be that PC, Laptop or Mobile, is *already compromised*, I would personally like to add to that with *and the attacker can control every aspect of the compromised system*. From this angle it is better to work backward from what we know is secure and then consider the other two important aspects which is usability and price, neither of which can be ignored. I know the token transaction signing and the passwindow method can’t be circumvented under this situation so we at least have a starting point, if anyone else has any ideas they are welcome to throw them in.

Like or Dislike: Thumb up 3 Thumb down 1
]]> By: James R. ("Jim") Woodhill http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-3841 James R. ("Jim") Woodhill Sun, 14 Mar 2010 19:49:55 +0000 http://www.krebsonsecurity.com/?p=1476#comment-3841 > The only alternative protection I can think of > is the bank requiring transaction signing by a > more complex transaction signing token with > built in keypad and a series of back and forth > cryptographic checksums between the user, > device and terminal which include transaction > information such as the account destination number > however it isnt a very elegant solution often requiring > over 40+ digits by the user regardless of the > transaction amount. When the only "solution" that you can think of involves requiring a user to enter 40 random digits to secure every payment, it's obvious that the information security industry needs a new acronym! How about "TOOBA" ("Totally Out-Of-Band Authentication")? If everything that goes through Windows is insecure, then don't use Windows. Place a phone call! If you think about it, the only transaction that requires this level of security is the addition of a new payee, and that is pretty rare. The bad guys can't profit from your sending some extra bucks to someone you already do business with. Gee, whiz. The only thing that *really* has to be secured is the addition of a new payee. > The only alternative protection I can think of
> is the bank requiring transaction signing by a
> more complex transaction signing token with
> built in keypad and a series of back and forth
> cryptographic checksums between the user,
> device and terminal which include transaction
> information such as the account destination number
> however it isnt a very elegant solution often requiring
> over 40+ digits by the user regardless of the
> transaction amount.

When the only “solution” that you can think of involves requiring a user to enter 40 random digits to secure every payment, it’s obvious that the information security industry needs a new acronym!

How about “TOOBA” (“Totally Out-Of-Band Authentication”)? If everything that goes through Windows is insecure, then don’t use Windows. Place a phone call!

If you think about it, the only transaction that requires this level of security is the addition of a new payee, and that is pretty rare. The bad guys can’t profit from your sending some extra bucks to someone you already do business with.

Gee, whiz. The only thing that *really* has to be secured is the addition of a new payee.

Like or Dislike: Thumb up 4 Thumb down 1
]]> By: RichardB http://krebsonsecurity.com/2010/03/crooks-crank-up-volume-of-e-banking-attacks/comment-page-1/#comment-3835 RichardB Sun, 14 Mar 2010 14:54:56 +0000 http://www.krebsonsecurity.com/?p=1476#comment-3835 The use of a Limited user Account would have prevented the theft. Malware can not change system files when executing as a Limited User. The use of an Administrator Account for causal computer work, guarantees that malware will gain control of the computer. One drive-by Adobe Flash exploit is all that is needed. If your users are Administrators, then those users are certain to become victims of malware.

The use of a Limited user Account would have prevented the theft.
Malware can not change system files when executing as a Limited User.

The use of an Administrator Account for causal computer work, guarantees that malware will gain control of the computer. One drive-by Adobe Flash exploit is all that is needed.

If your users are Administrators, then those users are certain to become victims of malware.

Hot debate. What do you think? Thumb up 4 Thumb down 5
]]>