Comments on: e-Banking Bandits Stole $465,000 From Calif. Escrow Firm

By: self-defeating assumption?

self-defeating assumption? — Thu, 23 Dec 2010 01:31:46 +0000

“No online banking authentication system works unless it starts with the premise that the customer’s machine is already compromised by malware that gives thieves complete control over the customer system”
IOW, bank server must assume the client browser is not controlled by the customer. In which case, the only rational choice for the bank server, is to block the client ip.
Seriously, if the bank assumes all customer interactions are fake/hijacked/impersonated, the bank and customer should give up while they’re ahead.

I don’t see how bank can be responsible for customer’s equipment, unless the bank leases dedicated “untamperable” package (like cable tv box, or creditcard swipe and approve gizmo, postage meter, dsl modem, etc.) for customer’s location .. a personal atm? Embedded os? Biometric ‘dongle’ strategy? (But, “if you have to ask ‘how much’, you can’t afford it”)

Like or Dislike: 0 0

By: -

Thu, 23 Dec 2010 01:06:44 +0000

Crime victims aren’t at fault for crimes they suffer. (Though blaming the victim has become a popular ‘meme’ in this “brashly” offensive/antagonistic era of conservative political correctness.)
However, crime exists, so people are better off defending themselves.
Community college business curriculum should add security methods, though this solution assumes “struggling” business people take business courses.

Like or Dislike: 0 0

By: -

Thu, 23 Dec 2010 00:54:44 +0000

i’ve experienced atms that rejected simple (not mine) passwords, with no explanation.
just try another day.

Like or Dislike: 0 0

By: curiousity exploited the pc?

curiousity exploited the pc? — Thu, 23 Dec 2010 00:52:18 +0000

retail customers should just avoid online financial activity.

businesses with multiple daily transactions need to learn to do their job. the pc’s security shouldn’t have loaded the trojan.

Like or Dislike: 0 0

By: -

Thu, 23 Dec 2010 00:47:15 +0000

1. backup documents and bookmarks (and whatever similar). 2. fresh install

Like or Dislike: 0 0

By: David McCullough

David McCullough — Sun, 11 Jul 2010 22:59:00 +0000

Compromise is a matter of degree. I think the point is that there is no perfect solution. However, a Live CD banking session is far safer than an un-patched Windows XP installation since the latter is the attack vector of least resistance right now.

To eliminate the risk, businesses would have to start physically visiting their banks again and sever all online capability. That is something that most businesses probably won’t consider unless they become a victim and possibly show up on Brian’s blog.

But, based on the tricks Brian reported on here, the thieves are getting cleverer all the time. It could be a matter of time until they can bypass the business and steal directly from the bank.

So, I doubt that banking will ever be completely safe in the modern cyber-world. That’s not comforting to me as one of those small business owners.

Like or Dislike: 0 0

By: Phil Cooper

Phil Cooper — Thu, 08 Jul 2010 21:48:04 +0000

I LIKE operating in that 1% crowd. The fact that my **** OS is only 1% of the market makes it an unattractive target for hackers and crackers. I’ve encountered malware sites that tried to take control of the browser and install .exe files on my system, but failed. It’s a little unnerving to actually watch an attack in progress, but with my **** system all it takes is a couple of mouse clicks and the offender is gone.

Like or Dislike: 1 0

By: Tomato

Tomato — Wed, 07 Jul 2010 21:02:52 +0000

“The things that make you go hmmm…” Peter’s ridiculous statement reminds me of what a silly customer of mine said to me recently. Something to the tune of, “I recently got hacked while surfing the net via my ISP that I pay good money to each month, and felt that they should cover the costs of rebuilding my computer since they allowed me to get hacked by letting that garbage through in the first place. Even after a good 30 minutes and two managers, they wouldn’t as much as allow me to skip a single bill! In the future, how can I force them to pay me for your work so that I don’t lose any money when it happens again?” He thought I had to pickup my lower jaw because they didn’t pay him…is it ethical not to tell him the real reason why?

Like or Dislike: 1 0

By: McLovin

McLovin — Wed, 07 Jul 2010 20:02:24 +0000

Last sentence was meant to say, “wouldn’t they have worked to stop the tunnel that was described?” Very interested in comments about such software, and if they wouldn’t work for some reason.

Like or Dislike: 0 0

By: McLovin

McLovin — Wed, 07 Jul 2010 19:58:52 +0000

xAdmin made some very interesting statements about the PEBCAK error at the root of the problem. The article eludes to two people needing to perform the transaction, and it seems both were duped by a simple email attack that all of us are hit with on any given day were they not? This may be a stupid question given someone will spout off with (ZERO-DAY!), but where were the anti-virus program and anti-spyware programs in all of this? Did they even have any of this protection, as it sounds like they were foolish enough to have none. Or, did they win the lotto and land the zero-day vunlerability (which is doubtful)?? Even if it was a zero-day, some anti-spyware and software lockdown and block anything from infecting and changing the computers settings, so why wouldn’t they be using something like that on so critical a system(s)? Black-Ice and programs of such nature block anything outbound, so even if a Trojan got in, wouldn’t they work to tunnel that was described?

Anyone?

Like or Dislike: 1 0