Organized computer criminals yanked more than $200,000 out of the online bank accounts of a Missouri dental practice this month, in yet another attack that exposes the financial risks that small- to mid-sized organizations face when banking online.
Dentists working at the Smile Zone, a Springfield, Mo. based dental practice that caters specifically to the needs of children, weren’t exactly all smiles on March 22. That was the day unidentified crooks sent at least $205,000 of the practice’s money to nearly a dozen individuals around the country.
Eric Hudkins, the office manager and husband of one of the dentists at Smile Zone, said the money was taken in 11 different transfers, including three large wires. Once again, it seems the attack was carried out with the help of money mules, willing or unwitting individuals hired through work-at-home job schemes over the Internet and lured into helping the attackers launder the stolen money.
“I’ve got the names, account numbers, and phone numbers for most of them, and have even looked some of them up on Facebook,” Hudkins said of the co-conspirators. “The bank talked to two of the [mule] account holders and asked them why they opened the account, who it was for, that kind of thing. Both of them said they’d had their resumes out on careerbuilder.com or monster.com and that someone they’d never met contacted them and offered to help them make some money.”
Hudkins said he contacted the FBI, and that the agent he spoke with told him the FBI wouldn’t open a case on the theft unless it was over $500,000 in losses. As it stands, he was told, his case would be lumped into a group of similar investigations that is being run out of an FBI task force in Omaha, Nebraska. It also appears there is little appetite for prosecuting the money mules, he said.
“The FBI said prosecuting these [mules] for doing anything wrong is near impossible,” Hudkins said.
Meanwhile, Smile Zone’s bank — Springfield, Mo. -based Great Southern Bank — maintains it is not responsible for the loss, according to Hudkins, although he said the bank is still trying to reverse some of the transfers. I spoke briefly with a representative of Great Southern on Monday, but received the standard “we don’t discuss our customers’ activities” reply.
Businesses do not enjoy the same protections afforded to consumers hit by online fraud. With credit cards, consumer liability is generally capped at $50. Consumers who report an unauthorized ATM or debit card transaction, or an unauthorized transfer out of their online banking account, within two business days of learning of it also are limited to $50 in losses. But waiting longer than that can cost consumers up to $500 (and the liability is unlimited if the consumer waits more than 60 days after the bank statement showing the fraud was sent).
Businesses have no such protection from fraudulent transfers. Generally speaking, banks will work with commercial customers to try to reverse any fraudulent transfers, but the chances of that succeeding diminish rapidly after the first 24 hours following the unauthorized activity. What’s more, banks are under no obligation to reimburse commercial customers victimized by this type of online banking fraud.
Hudkins said Great Southern required only that customers provide the proper user name and password to access their accounts online and to move money. The bank does require customers to correctly answer one or more challenge questions if it detects a customer logging in from an unfamiliar Internet address. Still, Hudkins said his bank told him the transfers were made from the company’s regular Internet connection, so that extra check never fired.
Smile Zone is still investigating how the thieves compromised the account. But in case after case I’ve reported on involving this type of fraud, the attackers hacked the victim’s computers using a Trojan horse program known as Zeus or Zbot. Zeus steals banking credentials and challenge-question answers as they are typed into the browser, and it allows the criminals to tunnel back through the victim’s PC, so that the fraudulent login arrives from the victim’s own Internet address and raises no red flags or additional security mechanisms at the bank.
Hudkins said that a few days after the unauthorized transfers, Great Southern sent him a security token to complement the bank’s existing customer-facing online security mechanisms (user name + password + occasional security question).
“They just sent me a security token in the mail last Friday, and suggested I use that,” Hudkins said.
Unfortunately, the thieves that hit the Smile Zone have had little trouble defeating security tokens as well, as I have documented in several recent victim cases.
Due to the liability exposure that businesses face when banking online, I’ve long urged business owners to build and use a dedicated system strictly for online banking and nothing else — no Web browsing, checking e-mail, nothing. An alternative — and far more secure — approach is to use a Live CD (or a Mac) when banking online.
A Mac may be more secure than a Windows machine but it’s not as secure as a read-only OS like a live CD. With a CD, simply reboot and any changes made are erased (well, until the malware starts infecting device firmware and such). With a Mac all it takes is one 0-day exploit.
Even with a LiveCD, files can be loaded into memory and run.
“Even with a LiveCD, files can be loaded into memory and run.”
Well, sure. But the main Microsoft Windows bot problem is infection: once the drive is infected, the bot comes back on every session. Infection can happen to anybody without them knowing. There is no tool to certify that Windows is not infected and so is good for banking.
With a LiveCD, we boot a clean system and then do the banking before any dangerous browsing or email. If later we are playing around and something seems strange, we just restart the computer and once again have a clean system.
Brian, as an alternative to a Live CD for use when banking online, a bootable USB flash drive can be used. Tips on how to make one can be found on How-To Geek’s website (http://preview.tinyurl.com/yc6p2xt)….
Henri
The problem with a bootable flash drive is that it is still writable while you are using it.
That means that exploits could still be installed and activated on the flash drive. This is impossible with a live CD, since it is a read only device.
Jeff, a USB drive can be protected with a password, but you, of course, are right; if someone else gets their hands on it, a read-only CD is safer, albeit less handy, than a pen drive. As in everything else, a trade-off….
Henri
Typically, if you put a Live Linux distro onto a bootable USB stick, it’s mounted read-only, so it’s still safe. The trend is to supplement this with persistent storage (usually a file that you can put on a different partition of the same memory stick), but this feature is not required. Knoppix 6 asks you if you want to create this kind of storage when booting; Puppy Linux saves to its persistent storage when you request it – or every x minutes (and you can set x to zero, which disables the automatic save).
“Typically, if you put a Live Linux distro onto a bootable USB stick, it’s mounted read-only, so it’s still safe.”
To think that OS software can protect a file system from malware requires a pile of unwarranted belief: We must believe that malware which somehow managed to defeat the OS and start running, is nevertheless unable to subvert the OS to get at the drive, despite running code inside that OS, and with online real-time code and control from the botmaster. That seems quite unlikely.
As a general rule, when malware manages to penetrate an OS, the OS will be subverted and no protections in it can be relied upon. Subverted software simply cannot provide believable device protection. Only hardware protection can be trusted against malware.
One form of hardware protection is removal: We might remove a USB flash drive after booting, BUT should only do it if the drive will “unmount.” In Puppy Linux, hard drives are not required and can be removed completely. All drives present during operation are vulnerable to malware running in the OS, although that need not lead to infection if the OS is not booted from that drive.
>This is impossible with a live CD, since it is a read only device.
Right, but you have a RAM drive or some type of temp storage. Malware can execute in there just fine. CDs are security through minor obscurity and hardly a fix-all.
“CDs are security through minor obscurity and hardly a fix-all.”
LINUX AVOIDS BEING THE TARGET. Modern malware is about making a profit, and most attacks come upon a computer at random. About 93 percent of browsing occurs under Microsoft Windows, while only 1 percent occurs under Linux. So attacks aimed at Windows are about 93 times more likely to hit their target than attacks aimed at Linux. We thus depend upon the economic self-interest of the attackers to encourage them to target Windows instead of Linux. A decade of experience has shown this reasoning generally to be valid, however it will break down for attacks specifically targeted at individuals, groups or companies.
A DVD STARTS CLEAN AND AVOIDS INFECTION. Most computers boot from a hard drive, and when malware first runs in memory (e.g., from an exploited OS fault, email Trojan or PDF Trojan), it tries to infect the hard drive. That means it will try to change the OS or run-up sequence on the hard drive to start the malware along with the OS. Infection is a huge security problem because hard drives are “once infected, always infected” until the OS is re-installed. While successful attacks can occur occasionally from OS faults or user errors, infections are *always* active in every subsequent session. Even a writable CD is vastly more difficult to write to than a hard drive, thus making infection both difficult and easily corrected.
LINUX IS NOT “SECURITY BY OBSCURITY.” Security through obscurity is a term-of-art from Cryptography, describing the situation where a cipher design is not published in the hope that this “obscurity” will prevent attacks and so improve “security.” The problem is that ciphers must be distributed to be used, so the design eventually will escape, and the advantage will be lost.
That seems very different than using an OS which represents an economic disadvantage to attackers, who then choose on their own to target something more profitable. The advantage is not transient obscurity but continuing economic self-interest. We can expect the advantage to continue until there is a massive change in the market.
LIVE CD’S ARE AVAILABLE NOW. In politics it is sometimes said, “You cannot beat somebody with nobody.” Similarly, one cannot beat a Live CD now with exotic dreams of the future. The Live CD is by far the best of the existing realistic alternatives for secure on-line banking.
I’d say using a live CD (or of course a Mac) will still eventually become a problem. The basic idea is that if any of the endpoints is compromised, online banking becomes unsafe. There’s all that cool research such as bootkits and so on that would eventually be abused if it makes sense for the attackers.
This is quite a hard nut (and an expensive one) to crack. Your idea of dedicated devices sounds excellent to me and I can imagine that working out in theory, if cheap enough.
Great article btw – terrible situation.
I have been recommending the Live-CD approach to my friends and clients for some time. Several have started using it. I like Live-CD from Ubuntu… (https://help.ubuntu.com/community/LiveCD)
On another note, I think there is a real opportunity for one of the commercial banks to step up to the plate and offer their clients better protection and terms.
Thank you for that link!
American banks are going to have to step up to the plate and give their customers effective protection from fraud and cover losses when they don’t.
There are a great number of relatively small regional banks in the US; if they don’t stand by their customers and share the pain there won’t be many left in 5 years time.
Many people log into their banks to upload and download transaction data to their bookkeeping software rather than directly interacting with a program on the bank’s website. Do any Windows accounting programs run when logging in using a live CD?
That is an excellent question.
You can use a USB device or a partition on the hard drive to load the account data from the bank. You then reboot into your (ab)normal OS to run your accounting program and load the data.
Bill, are there easy-to-follow instructions for that process? Accounting programs like Quicken have made it possible for people with no technical skills to computerize their bookkeeping, but those folks can’t handle anything that requires much more than double clicking an installation icon.
The more I think about it, the idea of using a dedicated machine for online banking is problematic. That means the bookkeeper can’t even copy/paste totals from one program into another. People aren’t going to find that practical, and if that kind of limitation is imposed on them by their employers, they will start looking for ways to defeat it. Small businesses like that don’t have layers of managers to enforce restrictions, either — they rely on the individual employees to just know their jobs and do them to a much greater extent than a large business. They don’t have the luxury of having additional employees whose only job is to check up on what the other employees are doing on their computers.
For the average medical practice shopping for practice management software, the ideal program would integrate the online banking, the bookkeeping, the billing, the patient demographics and the appointment scheduling, so medical providers could dedicate more resources to taking care of patients instead of pushing paper around. But now we’re talking about this unified program also being used by the same low-tech staff who have to check insurance coverage at their workstations via Navinet — which only works with Internet Explorer. With all those folks making IE their primary web browser, I’m surprised we’re not hearing about more problems.
I agree. I’ve been chatting with a lot of folks on this issue lately. In fact, at a recent small security conference, I had a conversation with a gentleman at lunch one day that he said “made the conference.” (Of course, I point everyone to BK for more information.) But, the verdict on using a LiveCD is still out. I’m just not convinced that it will work in a business context because of all of the software integration components that are involved. It basically solves a fraction of many problems, and without a comprehensive solution, then business people just won’t accept it.
It sounds like something as simple as dual authorization might have prevented this one. If the attacker only had access to one set of credentials, requiring two people for each transfer may have stopped it. Of course this requires that people access their online banking site from different computers.
It also seems odd that the token wasn’t in place to start with. A small business account with these kinds of balances would seem to rate the added expense of a token. I understand tokens aren’t foolproof but they do require a higher degree of sophistication from the attackers. Therefore I think they should be used more often for small business accounts.
CLARIFICATION –
I keep forgetting some banks only require tokens for a log-in challenge. The sophistication required to defeat tokens used in that manner is no greater than any other exploit. (Given the cost of tokens it’s amazing banks bother with this.)
I am referring to the sophistication required to defeat a banking site using integrated tokens such that customers are required to enter token-generated PINs frequently for different actions like accessing some services, adding new payees, transmitting money, etc. Defeating this type of site requires the bad guys to mock up the site more completely, which is more likely to be noticed by the actual customer.
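As an added illustration (not code from the bank, its technology vendor, or this site), here is a small Python model of the three policies discussed on this page: the password-plus-challenge-question scheme the article describes, a token checked only at login, and a transaction-signing token with dual authorization for wires, as the commenters above suggest. The office IP, token seed, time step, user names and amounts are constructed fixtures, and the HMAC-based code generator is an assumption standing in for whatever the real token does.

```python
import hashlib
import hmac

# Constructed fixtures for this illustration (not values from the article):
KNOWN_IPS = {"203.0.113.10"}         # the practice's office address
TOKEN_SEED = b"\x01" * 20            # secret seed inside the customer's token
TIME_STEP = 1_700_000                # current time step of the login token


def token_code(seed, message, digits=6):
    """HMAC-SHA256 over `message`, truncated to a numeric code (HOTP-style
    dynamic truncation). Assumption: the bank's real token algorithm is not on
    the page; any keyed MAC over the challenge makes the same point."""
    mac = hmac.new(seed, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_code(seed, step):
    """Login-only token: the code depends on the time step alone, so a code
    grabbed from the browser is good for anything done in that session."""
    return token_code(seed, step.to_bytes(8, "big"))


def signing_code(seed, payee, amount_cents):
    """Transaction-signing token: the code is bound to payee and amount, so a
    code captured for one transfer is useless for a different one."""
    return token_code(seed, f"{payee}|{amount_cents}".encode())


def legacy_policy(session, transfer):
    """User name + password; challenge questions only from an unfamiliar IP."""
    if not session["password_ok"]:
        return "deny: password"
    if session["src_ip"] not in KNOWN_IPS and not session["challenge_ok"]:
        return "deny: challenge question"
    return "approve"


def login_token_policy(session, transfer, step=TIME_STEP):
    """Token code checked once at login; transfers need nothing further."""
    if not session["password_ok"]:
        return "deny: password"
    if not hmac.compare_digest(session["login_code"], login_code(TOKEN_SEED, step)):
        return "deny: login code"
    return "approve"


def signing_policy(session, transfer, approvals=()):
    """Each transfer carries a code over its own payee and amount; wires also
    need a second approval from a different user at a different address."""
    if not session["password_ok"]:
        return "deny: password"
    expected = signing_code(TOKEN_SEED, transfer["payee"], transfer["amount_cents"])
    if not hmac.compare_digest(transfer["code"], expected):
        return "deny: code not bound to this payee/amount"
    if transfer["kind"] == "wire" and not any(
        a["user"] != session["user"] and a["src_ip"] != session["src_ip"]
        for a in approvals
    ):
        return "deny: wire needs a second approver"
    return "approve"


def simulate():
    """The attack the article describes: password, challenge answers and the
    login code were grabbed from the victim's browser, and the attacker's
    session is proxied through the victim's PC, so it arrives from the office IP."""
    legit = {"kind": "ach", "payee": "dental-supply-co", "amount_cents": 120_000}
    legit["code"] = signing_code(TOKEN_SEED, legit["payee"], legit["amount_cents"])
    # Server-side the attacker's session and the customer's own are identical;
    # the only difference is who holds the token.
    session = {"user": "smilezone-admin", "src_ip": "203.0.113.10",
               "password_ok": True, "challenge_ok": True,
               "login_code": login_code(TOKEN_SEED, TIME_STEP)}
    # Attacker replays the one transaction code he has seen on a mule payout.
    mule = {"kind": "wire", "payee": "mule-0417", "amount_cents": 4_900_000,
            "code": legit["code"]}
    second = {"user": "smilezone-dentist", "src_ip": "198.51.100.7"}
    return {
        "legacy": legacy_policy(session, mule),
        "login_token": login_token_policy(session, mule),
        "signing_replay": signing_policy(session, mule),
        "legit_ach": signing_policy(session, legit),
        "legit_wire_alone": signing_policy(session, {**legit, "kind": "wire"}),
        "legit_wire_dual": signing_policy(session, {**legit, "kind": "wire"}, [second]),
    }


if __name__ == "__main__":
    for policy, outcome in simulate().items():
        print(f"{policy:18s} {outcome}")
```

The first two policies approve the mule wire because everything they check (password, challenge answers, source address, a login code) was already captured or proxied. The signing policy rejects it because the captured code was computed over a different payee and amount. One caveat the model leaves out: a code bound only to payee and amount still lets the identical transfer be replayed, so deployed schemes also fold a counter or nonce into the signed message.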
I live in the UK and my bank requires me to use a device that generates a code every time I log in to online banking. I also have to use it if I want to add another payee so I guess it would stop money being sent to new payees.
There is one overlooked method of stopping this fraud taking place – go the bank and carry out transactions there. I know it may be difficult for some, but if things go the way they are, online banking may take a dive in popularity, or some banks may find they lose customers because their security is not up to scratch. Maybe one day we will all go back to using cash only.
If one chooses to use a live CD, he doesn’t need an OS on the hard drive. That should enhance security as well as reduce cost.
Using a live CD is ok as long as none of the hard drives in the PC are mounted. If they are, they could still be written to. Perhaps a PC with a CD drive only? With a USB memory stick for saving any data that does need to be saved, that is scanned on another standalone PC with a virus scanner?
I use Linux as my OS so I feel safer, although that doesn’t mean that it is completely safe. It may only be a matter of time before viruses, trojans etc are written for Linux. It will just be harder. There are plenty of tools available such as tripwire, clamav and others that help detect anything untoward on your Linux PC.
As they say, prevention is better than cure.
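The condition raised a few comments up, that a live session is only as safe as the disks it leaves unmounted, can be checked from inside the session. The following Python script is an added example, not from any distribution or from this site; it parses the kernel's mount table (`/proc/mounts`) and reports any disk device that is mounted at all, and separately any that is mounted read-write. The sample mount table is constructed for the example, and the device-name pattern is an assumption that covers common Linux naming rather than every possible driver.

```python
import os
import re

# Constructed /proc/mounts content for a live session that has, by mistake,
# mounted the internal Windows disk read-write and a USB stick read-only
# (sample data for this example, not captured from a real machine).
SAMPLE_MOUNTS = """\
/dev/sr0 /cdrom iso9660 ro,noatime 0 0
/cow / overlay rw,noatime,lowerdir=/filesystem.squashfs,upperdir=/cow/upper 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
/dev/sda2 /media/ubuntu/Windows fuseblk rw,nosuid,nodev,relatime 0 0
/dev/sdb1 /media/ubuntu/USBSTICK vfat ro,nosuid,nodev 0 0
"""

# Device names for fixed or removable disks that should stay untouched while
# banking. Assumption: common naming only (SATA/SCSI, IDE, NVMe, SD/eMMC);
# the optical drive (/dev/sr*) the session booted from is deliberately excluded.
DISK_DEVICE = re.compile(
    r"^/dev/(sd[a-z]+\d*|hd[a-z]+\d*|nvme\d+n\d+(p\d+)?|mmcblk\d+(p\d+)?)$"
)


def parse_mounts(text):
    """Yield (device, mountpoint, fstype, options) per /proc/mounts line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        yield device, mountpoint, fstype, set(options.split(","))


def mounted_disks(text):
    """Every disk device present in the mount table, read-only or not."""
    return sorted({dev for dev, _mp, _fs, _opts in parse_mounts(text)
                   if DISK_DEVICE.match(dev)})


def writable_disks(text):
    """Mount points of disk devices that are mounted read-write."""
    return [mp for dev, mp, _fs, opts in parse_mounts(text)
            if DISK_DEVICE.match(dev) and "rw" in opts]


def check(text):
    """Summary: ok only when no disk device is in the mount table at all,
    which is the standard the comments above argue for."""
    disks = mounted_disks(text)
    return {"mounted_disks": disks, "writable": writable_disks(text),
            "ok": not disks}


if __name__ == "__main__":
    if os.path.exists("/proc/mounts"):
        with open("/proc/mounts") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MOUNTS
    result = check(text)
    print("OK: no disk devices mounted" if result["ok"] else result)
```

This only reports what the running kernel says about itself. As the commenter above points out, malware that has already subverted the OS can mount a drive (or lie about the mount table), so the check is a guard against mistakes in a clean session, not a defence against a compromised one.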
Quote “I’ve long urged business owners to build and use a dedicated system strictly for online banking and nothing else — no Web browsing, checking e-mail, nothing. An alternative — and far more secure — approach is to use a Live CD (or a Mac) when banking online.”
What an idiot to suggest that Macs are any safer from these types of attacks… (oh yeah Macs don’t get viruses either.. HAHAHA) If you are going to suggest a solution suggest one that more than likely will continue to remain safe such as a live CD. Just because Macs are not the current targets only inspires false security by telling people “use a Mac.”
Mac users are a natural target.. typically more money than brains when it comes to computers. They would rather sacrifice power and money for a computer that doesn’t require them to think as much as any other OS (such as un*x, windows, etc..)
Yes, I know OS X is a flavor of un*x, but you know Apple just did like they normally do, take someone else’s work and throw a cute GUI on it and call it theirs.
I would probably have put the point more diplomatically, but I too marvel at the number of times I hear and see readers dismissing solutions for the mere possibility that criminals might one day start attacking those as well.
Just because an alternative solution might one day become a target doesn’t make it any less of a sensible and safe alternative to using a platform that is today’s target of choice.
I’m with you here, Brian ! Absolute security is a chimera, but for this reason to reject *better security* is absurd….
Henri
“Just because an alternative solution might one day become a target…” Might some day? Ummm.. It is already a target of root kits, viruses and zero day attacks as well. I was only pointing out the solution you are providing is already being exploited. Granted short of walking into the bank personally (which can be spoofed, but not as easily..) ALL SYSTEMS have weak points and can be exploited. I just see the live cd as a better, quicker and cheaper solution than “getting a Mac.”
Well Mr. West,
Until something better comes along, a small business conducting its online banking activities with a Mac or Live CD is a much better idea. Deal with the issue, if I was losing money today, I would take action today, not wait for what’s going to happen down the road, in the future.
If a $1000 Mac is safer — FOR NOW — it’s better than losing $205,000! Switching to a Mac is clearly a much better idea, especially when your bank tells you that it is NOT going to replace the money stolen by the crooks.
A better solution is ALREADY available, it is a live cd (FREE) which is used ONLY to go directly to a bank website. Of course the nay-sayers will say “…BUT that can be exploited as well using a DNS poisoning attack..” Once again, it is the best current solution that would tend to be also the best longterm solution as well.
To claim that spending $1500 is a better solution than losing $200K implies that ALWAYS doing that will ALWAYS protect your money. It is that kind of ignorance that allows these crooks to pwn users by making them think one static decision is going to protect them from a dynamic form of theft.
To imply that people are currently NOT exploiting Macs TODAY is pure ignorance of the facts.
http://threatpost.com/en_us/blogs/apple-mega-patch-covers-88-mac-os-x-vulnerabilities-032910
Mr. West,
You’re absolutely right to some extent, but that doesn’t change the reality that Macs are currently a much more secure platform in regards to virtually all forms of present day malware, including and especially the ZeuS Trojan featured in this article.
In fact, three-time Pwn2Own winning hacker Charlie Miller explained the security distinction quite well in a DailyTech interview last year:
“It’s harder to write exploits for Windows than the Mac, but all you see are Windows exploits. That’s because if [the hacker] can hit 90% of the machines out there, that’s all he’s gonna do. It’s not worth him nearly doubling his work just to get that last 10%.”
More secured or more ignored? Do you think you would see any LESS attacks on Macs if they were the dominant pc choice now? I argue the security is no better on the Mac platform, there’s just less of an incentive to exploit… Less base equals less return. If you keep sending people to the Mac base, then one day the tide will turn…. and we will see how secure the Mac really is or is not.
Guys and Gals,
You’re getting lost in the technical details with all the livecd etc solutions.
The truth is if the endpoints are compromised, you’re owned. Livecds.. or whatever do not solve compromised endpoints. Think bootkits, think hacked firmware (keyboards have firmware, network cards and graphic cards too ;-), think backdoored bios etc. It doesn’t matter and it’s all technically possible.
If livecds or similar solutions become mainstream, they will be targeted just like the security tokens are.
Therefore you need endpoints (i.e the client in this case) that are considered secure, not a general purpose computer that will happily run malware alongside your banking solution (usually the web browser).
Of course, the problem with such a solution would be the overall cost of such a solution. And it only solves one of the (admittedly main) problems to do with online banking. So the question really is, is it worth it?
cheers,
sandro
“Livecds.. or whatever do not solve compromised endpoints.”
To a large extent, a “LiveCD” DOES solve the compromised customer computer “endpoint.” The problem we have now is hard drive infection, which is cured by not booting from a hard drive. We can act against this problem now, with existing equipment. In the future, we may need new equipment.
I would like to see any evidence that someone using a Live CD has ever fallen victim to the ZeuS Trojan because they had a Windows partition mounted in the Live CD. I’m not claiming that it’s impossible or improbable. I just think it’s currently a theoretical risk at best. And as Brian’s article SpyEye vs. ZeuS Rivalry attests, that capability would carry a significant new premium. Moreover, the ZeuS author has just now gotten around to adding Vista and Windows 7 support, both of which have vastly more market share than any version of Mac OS X or Linux, so I seriously doubt much effort has been made recently to exploit the minuscule number of Live CD users.
Per Brian’s article SpyEye vs. ZeuS Rivalry:
Zeus plug-ins that offer additional functionality raise the price even more. For example:
-Windows7/Vista compatibility module – $2,000
-Backconnect module (lets criminals connect back to victim and make bank transactions through that PC) – $1,500
-Firefox form grabbing (copies out any data entered into a form field, such as a user name and password) – $2,000
-Jabber notification (a form of instant message) – $500
-FTP clients saved credentials grabbing module – $2,000
-VNC module — $10,000 (like GoToMyPC for the bad guys, reportedly no longer being sold/supported)
Hi Tom!
“I would like to see any evidence that someone using a Live CD has ever fallen victim to the ZeuS Trojan because they had a Windows partition mounted in the Live CD.”
I guess I am missing something. With a Live CD we are running Linux. If malware gets in and runs, it must be Linux malware. Then, if it “infects” the hard drive, it would seem to be adding Linux malware to a Windows drive.
Adding a Linux infection to a Windows boot drive may damage Windows booting and so crash during Windows runup, or it may do nothing at all. It does seem a reach to imagine that the Linux malware will know about Windows and include a Windows infection, but anything is possible.
Once Linux malware is in and running, as a general rule it can do anything the user can do. If the user can mount the Windows drive, the malware can do that also. So even unmounted drives are vulnerable.
Sandro,
I work with enclave networks, and the answer to your question is decidedly “no” with respect to most end-users. Hardware, physical security, line encryption and the other implementations necessary for a secure line to the bank and other sensitive sources of information would be ridiculously expensive.
As with any risk/mitigation, there is a cost/benefit relationship. Here, we are talking about a horde of exceedingly common exploits being undercut for absolutely FREE. That solution (livecd, properly configured USB, etc) seems well worth the cd or USB stick it’s written on.
For those who would like to spend a little money, I’ve got an Asus P5E3 motherboard in a machine I built a few years ago that allows me to boot into a small, write-protected linux environment without mounting any hard drives. Look it up.
Building a dedicated pc would be an excellent idea. No hard drives, just a CD-ROM drive with a live cd such as Ubuntu. I am using this now on my wife’s PC and it does not mount the hard drive so I would be happy with that. I am sure it would be easy enough to tweak the CD image to remove any programs not needed. Her PC has problems with the internet at the moment so it’s going to be a rebuild tonight. Quicker than trying to find the cause.
Even if these businesses just use the CD in a pc they have now, how much will it cost them? Price of a blank CD and a bit of time downloading the image and burning it to the CD. Compare that against the cost of losing 1000’s of dollars, it’s a no brainer. In fact I may start using this method for internet banking, just to be extra safe.
I work in the Internet Banking field and I think Live CDs are a great idea. I wish I could recommend them to all of my business customers, but there are a couple of issues that get in the way. First, a good chunk of my business customer base are not computer savvy enough to be able to create their own Live CDs. I could, of course, create the Live CDs myself and distribute them to my customers, but that leads me to issue # 2. In today’s legal climate, if I provide a CD and tell my customers that that’s what they need to use to protect themselves when performing online banking, I am essentially providing a bank endorsement of the Live CDs. If the customer improperly uses the CD or still gets infected and suffers a loss, they’re going to expect the bank to reimburse them for that loss.
Additional point: In most comments that I read here on krebsonsecurity, banks are taken to task for not having more security measures in place. For the most part, I agree. As an industry, we should be doing more to protect our customers (consumer AND business). However, we are often handcuffed by our technology vendors. Most banks do not have the resources in house to create and manage the Internet banking channel. Most of us have to use a third party vendor like S1, Fiserv, Jack Henry, Digital Insight, etc. and we are at the mercy of those providers to add these additional security features. As an example, I know of one vendor that just started supporting hardware tokens less than a year ago. Basically, by the time they were supported, the criminals had already figured out a way around them!
Unfortunately, as much as it pains me to say it, the only solution I see to the problem is to have a new government mandated regulation that forces both banks and (especially) technology providers to offer / require the latest security features. This did happen, to some extent, back in 2005 with the FFIEC’s Multifactor Authentication guidelines (compliance required by year end 2006). Unfortunately, most vendors and banks did exactly what was in the guidance and not an iota more. Furthermore, these guidelines came out 5 years ago and have not been updated!
When you do not feel comfortable or are even afraid to make a recommendation… Easy… just point the customer to an article from an “expert” supporting your opinion. It’s sad that people have to be so gun shy of being sued that they can’t do what is right to help protect their customers and fellow citizens.
Funny you should mention Jack Henry.. This particular scam occurred at a bank backended by Jack Henry. Jack Henry’s main HQ is not more than 20 miles from the dentist’s office. I live about four blocks from this dentist. Small world.
On bank-supplied liveCDs, I would argue that there’s really no added liability. Current defenses (username, password, pass image, pass phrase, security questions, dongle) are all bank-supplied security tools, a liveCD’s just another tool. There’s no need for banks to say use-liveCD-and-be-safe – they don’t say it for current bank-supplied tools, why say it for liveCDs?
LiveCDs can(?) be very limited in capability so users can’t get in trouble – bank-site-only browser, block non-bank scripts, no email, no Adobe Reader, can’t run/install other software from a USB stick, etc. (am non-geek so assume all this can be done). Can a liveCD be made to self-destruct if user/trojan/anything tries to hack it?
An opportunity for banks to control users’ banking environment shouldn’t be missed – just think of the marketing crap banks can cram down users’ throats! A new revenue stream!
One potential problem I can think of is an attacker could open an account, get a liveCD and … ? Obviously, a “new” defence has to be thoroughly thought through before adoption.
I’ve been told by several bankers recently that the Rapport product from Trusteer protects against man in the browser attacks and it doesn’t require the online vendors to do anything. It seems this product can be implemented by the banks without any additional help.
My understanding is that the mules suffer some sort of civil or criminal damage. Is this not the case?
They currently don’t have the resources to prosecute and PROVE the intent of all the mules. Ignorance IS bliss when you’re a mule and you do not KNOWINGLY participate (or admit to it) in blatant crime.
By the time money is actually being transferred into their accounts, the mules have proven their lack of comprehension of what they are doing by the fact that they have handed over their identities and access to their bank accounts to criminals. Unlike the masterminds of the scam, they will be easily identified as soon as the theft is discovered. There is zero chance the mules will keep their percentage of the money unless they skip the country. There is no way any permanent US resident would participate if he/she actually understood what was going on.
Moreover, the victim’s bank will try to recover the funds from the mule’s bank. If the funds are no longer there, the mule is personally liable for the whole sum. Not only will they not keep the commission, they will have to repay everything — a severe penalty for the average mule, most of whom were having financial problems. Bankruptcy anyone?
If the bad guys are controlling the victim PC, then can't this be mitigated by using an external firewall appliance which allows only outgoing connections?
Sadly, no.
Connections on the Internet are two-way; it's true that someone has to initiate the connection, but once you're connected you both send and receive. By convention, web browsers (HTTP user agents) normally make a tiny "request" (get me a resource) and then get back a larger "response" (the picture/file/web page), but with hackers it's usually more like:
victim[client]: “hello”
hacker[server]: “request”
victim[client]: {larger response}
hacker[server]: “thanks”
This can be done as a single connection using http-keepalive.
The next question people typically ask is “can’t we limit requests to certain ports, like http[s]?” The problem is, again, that only conventions govern what is used by a port, so a hacker is likely to use ports which are not likely to be firewalled and as such they’re likely to use http[s] (80/443). Of course, if the bad guys are using an off the shelf product, they’d probably choose to use SSL (443) because they wouldn’t want someone else to sniff the passwords/creditcard information that they’re stealing! At this point, the victim’s computer is just making a normal https connection to the normal port (443) and since there’s SSL, a firewall can’t see what the content looks like to determine if it’s proper https content or not — If the firewall could, then SSL would be broken and we’d have bigger problems….
Note that HTTP can be used to proxy anything, so a hacker could either use the port for raw commands or properly encode things using HTTP (the client response would be in the form of an HTTP POST — the same way that you upload a picture to Flickr or an attachment to Gmail).
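The commenter's point is that a firewall cannot read inside TLS on 443, but the byte direction of the "hello / request / larger response / thanks" exchange is visible in plain connection metadata: normal browsing sends little and receives much, while a bot that phones home does the reverse, repeatedly and on a timer. The following is an added example (not code from the thread or from any named product) that runs that heuristic over constructed proxy/firewall log lines; the log format, hosts and thresholds are assumptions for the example.

```python
"""Flag outbound sessions whose request/response byte direction is inverted.

Log format (constructed for this example, one connection per line):
  timestamp client dest_host dest_port bytes_out bytes_in duration_s
bytes_out is client->server, bytes_in is server->client.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed sample: two normal page loads, one mail attachment upload,
# and three small-response / large-request beacons to the same address
# spaced five minutes apart.
SAMPLE_LOG = """\
2010-03-22T09:01:02 10.0.0.12 www.example-bank.test 443 1840 120455 4
2010-03-22T09:01:09 10.0.0.12 cdn.example.test 443 620 98011 2
2010-03-22T09:02:15 10.0.0.12 203.0.113.9 443 48211 512 31
2010-03-22T09:03:40 10.0.0.12 mail.example.test 443 90210 1505 12
2010-03-22T09:07:15 10.0.0.12 203.0.113.9 443 51903 498 29
2010-03-22T09:12:16 10.0.0.12 203.0.113.9 443 47777 530 30
"""


@dataclass
class Conn:
    ts: datetime
    client: str
    dest: str
    port: int
    bytes_out: int
    bytes_in: int
    duration: int


def parse_log(text: str) -> List[Conn]:
    """Parse the whitespace-separated log format above; skip blanks/comments."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, client, dest, port, out, inn, dur = line.split()
        conns.append(Conn(datetime.fromisoformat(ts), client, dest,
                          int(port), int(out), int(inn), int(dur)))
    return conns


def find_inverted_sessions(conns: List[Conn], min_ratio: float = 5.0,
                           min_connections: int = 3) -> List[Dict]:
    """Group by (client, dest, port) and flag pairs where the client sent
    at least min_ratio times more than it received across at least
    min_connections connections. A single large upload (mail attachment)
    does not qualify; a repeating beacon does. Timing gaps are reported so
    an analyst can see whether the beacon is on a fixed schedule."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c.client, c.dest, c.port)].append(c)

    findings = []
    for (client, dest, port), group in groups.items():
        if len(group) < min_connections:
            continue
        total_out = sum(c.bytes_out for c in group)
        total_in = sum(c.bytes_in for c in group)
        ratio = total_out / max(total_in, 1)
        if ratio < min_ratio:
            continue
        stamps = sorted(c.ts for c in group)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        findings.append({
            "client": client, "dest": dest, "port": port,
            "connections": len(group),
            "bytes_out": total_out, "bytes_in": total_in,
            "ratio": round(ratio, 1),
            "mean_gap_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_inverted_sessions(parse_log(SAMPLE_LOG)):
        print(f)
```

This only sees direction and volume, not content, so it is a triage signal rather than proof; the usual next step is to check whether the flagged destination is a known service before pulling the host off the network.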
Brian
Once again you have presented an issue of major concern to both us (consumers) and business owners alike, and while the tech chatter is both informative and entertaining, the problem is still staring us right in the eye… a dedicated machine is a good solution for starters. But the other suggestions are just as good depending on the application, good security measures and one's overall security health (if you have no security in place, then you are hopelessly compromised; maybe not now, but it is just a question of when!).
“a dedicated machine is a good solution for starters.”
If the “dedicated machine” boots from easily writable storage (like a hard drive), the boot data can be infected by just a single user error, without the user knowing. Infections mean that bots will start on every new session, and after that, even being a smart user cannot help. Of course, most bots are targeted at Microsoft Windows, but any such system is still an infection risk.
Instead of buying a new system, learn to make and use a Linux "Live CD" at almost no cost. That will load a clean operating system into the existing machine, even if it already has an infected boot drive. A clean system will start out without any bots. Just do your banking before any dangerous browsing and/or email and so avoid the bots.
A Live CD is a good solution for protecting against banking bots, but perhaps not the best solution for doing business banking the way it has been done. Somebody has to decide what is important.
I’ve watched us go back and forth over the same arguments to the point that I think we’re having a typically unproductive religious war. What’s worse is that we’re not even really addressing the problem. We need to do better as a community.
The problem isn’t as easily addressed as saying LiveCD or Mac (or some other more secure end-point). AlphaCentauri alluded to that in talking about the need to support financial software. I’ve worked with a small company that has a complicated financial software suite that interfaces with a variety of internal business processes and eventually spawns a need to pay someone, mark the payment as having been made, and then collects a confirmation from the bank that gets entered into the financial system. Using a LiveCD solution would likely add too much complexity to the accounting business process of most companies to be acceptable. Using an alternative system with no email and external web surfing is my preferred alternative because it allows the best opportunity to integrate with existing business processes, but it is still a susceptible end-point that can only be protected by policy.
As Sandro Gauci infers, business owners are very mindful of the costs involved in operating their businesses. While being a victim of this attack represents a huge impact on the individual business owners, the number of businesses getting hit still isn’t perceived large enough to really convince the business owner that they have a significant risk of being attacked. So, they just aren’t willing to assume the additional cost of equipment or the pain of changing established business processes.
I suggest that we get a bit more innovative in identifying solutions. From a technical perspective, perhaps using a thin-client paradigm would enable greater segmentation. For example, if you run email and web browsing in one virtual desktop and accounting stuff in another, then you would be able to protect the end-point better as well as gain a stronger separation between business processes. From a business perspective, perhaps outsourcing all money matters to a trusted agent (or a bank) that also insures the activities would be a reasonable control.
There are not perfect solutions just as absolute security is an idealistic and impossible objective. But, I think that most folks agree that we cannot protect the end-point. So, I challenge the community to think of ways to make it matter less.
This exact same thing happened to my business with the same bank but fortunately we had dual control to send wires and we caught the wires before they were sent.
I talked to a Cyber Crime Agent with the FBI and she told me we were real lucky. She recommended not using the Internet to send or ACH money in and out of business accounts. Even the "Go Tags" Great Southern gave us are still breakable. She recommended sending wires the old-fashioned way: fax the wire over and have the bank call back to confirm. I thought this was riskier than using the Internet, but she said it is not. She said the bad guys will not use the telephone.
The bad guys WILL use the telephone. How do you think they scammed people before the widespread use of the internet… before the internet it was the fax, before the fax it was the phone, before the phone it was the post office. What makes a successful bad guy is the fact that they are willing to do the same things to obtain your money as you are (with one exception… having a legal job). Phones are not as traceable as television and the movies would portray them. The phone company has hundreds of diagnostic loops that can be used for call back or outgoing calls. Tracing them does no good, since they are virtual.
Luck had something to do with your outcome, but I would argue that a common sense approach to security had more to do with it. In my earlier (unpopular) post I alluded to this very deterrent. Dual approval is an excellent layer of security that apparently saved your company from the same fate as Smile Zone. It is obviously a functionality the bank's vendor was able to provide, and all the big vendors can.
It is unfortunate the bank didn’t require dual approval for all customers. It might have prevented this incident.
Anyone with that much money in the bank should insist on one-time-token-type authentication in addition to their standard username, password, and challenge question. Period.
Ebay has been offering one time token based challenge logins for at least a couple of years. A cheap alternative would be to print a list of disposable tokens on each monthly statement that expire within 30 days of issue.
“Anyone with that much money in the bank should insist on one time token type authentication”
Sadly, that is not enough, and here is why: The problem is a bot infection which sits in the customer computer between the user and the SSL link to the bank. The bot simply takes from the user all the authentication the bank requires, and copies it to the bank. Once the account is open, the bot can access the account during that session.
The problem is the bot. Since the bot runs in the customer computer, the bank has no direct control over it. The best solution is to not have a bot, but even a single human mistake can allow a bot to come in, which then infects the hard drive until the operating system is re-installed. One way to avoid infection is to use an operating system which does not boot from an easily infectable hard drive or USB drive.
Brian, thanks for all the great articles around the danger of online banking for small businesses.
Do you know if there is a list of best practices for small business online banking posted anywhere? Something that recommends both what the business should do on their end (dedicated machine, etc.) and what options they should be looking at on the bank side (requiring transfer approval from two employees, multi-factor authentication, etc.).
Thanks,
“Do you know if there are a list of best practices for small business online banking posted anywhere?”
We are past the point where common technology can automatically protect us. Stronger technology may be harder to use, may impact current business practices, and may need training or experience to operate. Some sort of new technology malware training may be important for *every* online user, with even more training for anyone doing online banking.
Having spent considerable time and effort looking for an easier way, here are some suggestions and comments:
1. Use an operating system (OS) other than Microsoft Windows when on-line.
2. Use an OS which boots from CD or DVD instead of a hard drive.
3. Use Firefox with security add-ons. Use long, random passwords and a password manager.
4. Most types of multi-factor authentication will NOT prevent bots from stealing. Nor will 1-time passwords or external security dongles or bank codes via cell phone. A bot in the consumer machine can just pass user authentication to the bank until the account is open, then the bot has full access.
5. Some sort of agreement with the bank needs to prevent sending funds to new payees, or at least delay while sending an alert (to a different account and computer!). Or perhaps the bank could phone to authenticate each transaction, but then the account phone numbers need to be locked down. If the bot can change notification phone numbers or email addresses, bank notification will not help much.
***
The reason for (1) is that about 93 percent of all browsing occurs in Windows. As a consequence, the general business of malware mostly aims at Windows, and avoids Mac or Linux. However, targeted attacks on a particular person, company or group may well exploit Mac or Linux.
Personally, I boot Puppy Linux from DVD+RW, because this particular distribution gets just enough right to be a practical security advantage. While Puppy is easy enough to use, somebody probably does need to set it up for you, although my articles might possibly help:
http://www.ciphersbyritter.com/COMPSEC/PCBANSQA.HTM
The reason for (2) is that vulnerable hard drives support easy infection. Even a writable DVD+RW is vastly harder to write than a hard drive. If an attack gets running and cannot store itself with the OS, then after a restart we are once again clean. So do banking soon after booting the OS from DVD. If DVD infections ever become an issue, just remove the DVD from the drive after booting.
Comment (3) recognizes that no browser is as secure as it needs to be, making add-ons necessary, which means Firefox. Long, random passwords are also necessary, so we need a program to save them for us.
Comment (4) is just the way things are. The dynamic contest between attackers and defenders results in attackers teaching us what they can do as they steal our money. Normal 2-factor auth never was secure in the bot context, which made bots even more popular with criminals, who once again made us pay for our security presumptions. It is better to learn from others and avoid paying the criminals.
With (5), bank vigilance may save the money, but it will not restore the privacy. To do that, the customer must get rid of the bot inside their machine. To guarantee getting rid of the bot, someone needs to reinstall the OS (which may soon be re-infected), or boot a different OS from DVD.
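Item (5) above and the dual-approval comments earlier in the thread describe the same idea from two sides: once a bot owns the browser session, any control that lives in that session (password, one-time token, challenge question) is relayed for free, so the controls that still bite are the ones the bank enforces on the transfer itself. The following is an added illustration, not code from any commenter or bank: a server-side transfer policy that holds payments to never-seen payees until confirmed out of band, requires a second, different approver above a limit, and caps the day's outgoing total. The thresholds, account and payee names, and the batch of transfers are all constructed for the example.

```python
"""Server-side transfer policy of the kind a man-in-the-browser bot cannot
satisfy from inside the victim's own session.

Illustrative rules (thresholds chosen for this example only):
  1. A payee never paid before is held until confirmed out of band, over a
     phone/SMS contact that was locked at account opening. If the bot can
     change that contact from the web session, the check is worthless.
  2. Any transfer over DUAL_CONTROL_LIMIT needs a second, different user.
  3. Cumulative outgoing amount per business day is capped.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

DUAL_CONTROL_LIMIT = 10_000   # single-approver ceiling (assumed)
DAILY_LIMIT = 50_000          # cumulative outgoing per day (assumed)


@dataclass
class Transfer:
    payee_account: str
    amount: int
    initiated_by: str
    day: date
    approved_by: Optional[str] = None   # second user, for dual control
    oob_confirmed: bool = False         # confirmed over the locked-down channel


@dataclass
class Account:
    known_payees: Set[str]
    sent_by_day: Dict[date, int] = field(default_factory=dict)


def decide(account: Account, t: Transfer) -> Tuple[str, List[str]]:
    """Return (status, reasons); status is ALLOW, HOLD or REJECT.
    REJECT outranks HOLD, HOLD outranks ALLOW."""
    reasons: List[str] = []
    status = "ALLOW"
    if t.payee_account not in account.known_payees and not t.oob_confirmed:
        reasons.append("new payee; needs out-of-band confirmation")
        status = "HOLD"
    if t.amount > DUAL_CONTROL_LIMIT and t.approved_by in (None, t.initiated_by):
        reasons.append("over dual-control limit; needs a second, different approver")
        status = "HOLD"
    if account.sent_by_day.get(t.day, 0) + t.amount > DAILY_LIMIT:
        reasons.append("daily outgoing limit would be exceeded")
        status = "REJECT"
    return status, reasons


def submit(account: Account, t: Transfer) -> str:
    """Apply the policy; only an ALLOWed transfer updates account state
    (the payee becomes known, the day's total grows)."""
    status, _ = decide(account, t)
    if status == "ALLOW":
        account.known_payees.add(t.payee_account)
        account.sent_by_day[t.day] = account.sent_by_day.get(t.day, 0) + t.amount
    return status


def run_batch(account: Account, transfers: List[Transfer]) -> List[str]:
    return [submit(account, t) for t in transfers]


def demo() -> List[str]:
    """Constructed batch: a normal payroll payment, then transfers to payees
    the account has never paid, then large amounts with and without a
    second approver, then one that would push the day over the cap."""
    d = date(2010, 3, 22)
    acct = Account(known_payees={"payroll-01"})
    batch = [
        Transfer("payroll-01", 2_500, "alice", d),
        Transfer("new-payee-a", 9_000, "alice", d),
        Transfer("new-payee-b", 9_000, "alice", d, oob_confirmed=True),
        Transfer("payroll-01", 25_000, "alice", d),
        Transfer("payroll-01", 25_000, "alice", d, approved_by="alice"),
        Transfer("payroll-01", 25_000, "alice", d, approved_by="bob"),
        Transfer("payroll-01", 20_000, "alice", d, approved_by="bob"),
    ]
    return run_batch(acct, batch)


if __name__ == "__main__":
    for status in demo():
        print(status)
```

The design choice worth noting is that none of these rules look at the login at all; they act on what the session is trying to do, which is the only thing the bank can still observe honestly once the endpoint is compromised.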
This is an excellent warning, not only for dentists, but for people everywhere. I stopped banking online years ago to prevent this exact same thing from happening.
I agree with the author that the best way to safely conduct online banking affairs is via a dedicated computer used only for that explicit purpose alone. Even then there are still risks involved.
In today’s upside down world where the banks and even the FBI cannot offer you protection or recourse, Americans are truly on their own.
John Barremore
Houston, TX
There was bank fraud before the internet. The most common bank fraud has always been getting a checking account number and printing checks (easily done, since it is printed on the checks you pay people with). It doesn't matter if you bank online or not to be hit by fraud. The only way you're going to ever stop bank fraud is to not use a bank. Every time someone convinces themselves they are content with their banking security they switch from the proactive column to the target column. As long as there are humans involved with security, it will never be perfect. This is a security concern that will never be solved, and one must be constantly diligent.
A dedicated machine is an absolute must in today’s business online banking world.
I have often thought it might be interesting to install software on the banking end that had the ability to sniff out bots on the client end; or perhaps install a bot on the client end that might recognize exploits on the client end. The bot might also be required to be on the client end when attempting an online session. The bank software would require the bot to be in a specific form and react in a specific manner during each transaction. The bank might reconfigure the bot each time to have a different code for the next transaction. For that matter, there could be several bots on the client machine, each with a different task, and each dependent on one another.

Why, during each online transaction, could the bank not scan the client machine with some type of intrusion system to verify the integrity of the machine; and why would the bank not insist on cleaning the client machine at least during the original online setup session? Why, at the initiation of online login sessions, could the client bots not report certain suspicious activity on the client machine to the bank? Would it be possible for the bank and client to exchange bots at log in, during session, at close of session… or for that matter at each stage of the session? For example, transferring funds might involve several unique bots, or downloading statements, checking activity, or certain keystrokes.

Also, each machine has codes and ids on each piece of hardware; software configuration is unique; temperatures vary, voltage and amps vary. Each of these might be used in some combination to set temporary unique codes or pass phrases during the online session. The bank/client session could be re-verified every second while the online session is open; there is no rule that says authentication is required only at log on or log off.
My observation is that intruding bots are very interactive and proactive, whereas security utilized on the bank and client machines are static, nonreactive, nonresponsive, and defensive in nature.
It seems to me bank and client machines must actively go on the offensive and declare war against any intrusion. Most intrusions make their way into the client machines because client machines do not have proper security methods in place -and- in many cases do not have any security at all.
If banks cannot, or will not, step up to the proverbial plate and take on the responsibility of online banking security, then (in my opinion) it should be their responsibility to have a third-party security organization handle these issues.
It currently is too easy for banks to get off the hook because they are not liable for online business account thefts, and are only partly liable for personal account thefts. However, it is clear that a bank should know, and in most cases does know, more about security than their customers do. In addition, because online banking theft is rising, and criminals are becoming more sophisticated… banks will be expected to offer and employ more intelligent defenses to protect their customers financial assets. In my opinion they are failing to do this.
Business and consumer banking customers will eventually hire technically savvy attorneys to sue banks for their losses. These attorneys will discover several legal causes of action that will expose banks to liability for customer account losses, because they had the knowledge and the means to have prevented online banking thefts. When that happens we can expect banks to insist on security in all areas of financial operations. Client machines will, for the purpose of online banking, be considered a real part of the bank's security system, and will be treated as such.
Just a few thoughts following all your great posts…
Regards,
DCStrain
SecurityHawk12@gmail.com
When small businesses make up over half of the employed Americans, and small businesses, in dentistry or anything, are the soul to America, where is their coverage?
I am only using free virus scanners like Avast and Avira, but they seem to be great tools though.