Comments on: Big Bank Mules Target Small Bank Businesses

By: TJ

TJ — Fri, 01 Feb 2013 07:05:49 +0000

Instead of trying to freeload off of Brian’s blog, why don’t you do the ethical thing and buy some ad space.

By: Mike A.

Mike A. — Thu, 31 Jan 2013 21:37:44 +0000

SoundPass removes the human element from the total Login, therefore preventing any Trojan real-time Keyloggers from stealing the virtual SoundPass credential dynamic token. This solution is better than any existing solution available at any major Bank protecting massive volumes of users. Besides being more secure, it is also more user friendly and more affordable.
Yes it uses a Java applet to generate a new virtual token for every Login because Java is the stronges program language online. Today’s Java vulnerbilities would not allow a Hacker into a SoundPass protected account. The Hacker would have never gotten into the online bank account in the first place if it were protected by SoundPass. For a major online banking provider to make the comment that user’s must watch their own backs will not hold up in court of law, as we have already seen. Banks are responsible for providing best possible security per the FFIEC.
Banks could implement Smartcards to properly protect their online banking members but Smartcards are more expensive, difficult to deploy to massive volumes of users and they are cumbersome for the users. By the way, SoundPass was designed from a Smartcard. So their are strong solutions available and these types of breaches DO NOT have to keep happening over and over again!

By: George

George — Thu, 31 Jan 2013 15:54:51 +0000

Why isn’t more attention paid to the mules? Perhaps the banking industry should sponsor TV ads that advise the public about what a mule does and why it is part of an illegal enterprise.

Negative publicity about the mule profession could make it more difficult to find people to do that job.

By: Wonderer

Wonderer — Thu, 31 Jan 2013 14:20:33 +0000

Sorry for offtopic,

Here is some relatively fresh information about Chronopay case in Russian court.

http://www.compromat.ru/page_32949.htm

This site has many articles on “controvercial” stories and cases.

By: Jon

Jon — Wed, 30 Jan 2013 13:11:15 +0000

Isn’t a separate verification really just a form of “out of band” authentication?

The issue is MITB manipulating sensitive data elements (like routing # and account #) on the wire while displaying what was entered on the screen.

Only some form of out of band is an effective control against this, something that prevents MITB, or an insurance type solution.

By: Jon

Jon — Wed, 30 Jan 2013 13:08:34 +0000

How would you make payments to employees and vendors without a Bank? Cash? Seems like using a Bank is pretty much required if you are going to be more than a sole proprietor. Even if your Bank fails, you’ll hardly notice it (while the taxpayer, certainly does). The failed bank gets a new name and off you go on Monday morning.

By: JCitizen

JCitizen — Wed, 30 Jan 2013 01:14:47 +0000

Very true Neej;

But once a client gets onboard with me, the only things they catch are usually something a boot scan with a rescue disk can take care of. My Hiren’s USB stick ain’t bad either – usually a small job if they do what I tell them. I only have one stick in the mud, and I continually threaten to end support if she doesn’t wake up. She knows going elsewhere will cost her dearly!

Some of the good tools like Combo Fix have been bypassed by the malware as well. This is why I like a good HIPS, where there are no signature updates or obsolete technology like that. Keeping most of the junk OFF the machine in the first place goes a LONG way! B-)

By: Neej

Neej — Wed, 30 Jan 2013 00:56:46 +0000

Heh … bad as MSSE is comparatively your probably still going to be cleaning up a lot of crap regardless of AV if your dealing with less savvy users. Not that I’d recommend using it.

By: aknowldge

aknowldge — Tue, 29 Jan 2013 22:14:33 +0000

goeastern europe go !!! well done

By: DD

DD — Tue, 29 Jan 2013 19:24:38 +0000

JimV, I completely agree with you, but who does that?

I’m sure these people will do that…now. But prior to a major breach in security, what business spends the extra time and money to implement smart controls. They don’t, they won’t.

What they will do is say “What’s the risk?” Translation: How can you pin that on me? Even in that scenario I’ll still collect my pension, 401k, drive a new SUV and make my house payments because I’m a Payroll Manager, I’m not in charge of security. While if I add in two factor authentication or any other control that might inconvenience me (mainly by increasing my budget) that actually might impact my ability to put my kids in private school this year.

I think an interesting form of new legislation would be to require all companies, private and public to disclose how much of their overall budget goes towards information security.