A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.
Karen McCarthy, owner of Merrick, N.Y. based Little & King LLC, a small promotions company, discovered on Monday, Feb. 15 that her firm’s bank account had been emptied the previous Friday. McCarthy said she immediately called her bank – Cherry Hill, N.J. based TD Bank – and learned that between Feb. 10 and Feb. 12, unknown thieves had made five wire transfers out of the account to two individuals and two companies with whom the McCarthys had never had any prior business.
“She was told to go to the branch next day, and she did, and the people at the branch were very nice, apologetic, and said, ‘Whatever happened, we’ll replace it,’” Karen McCarthy’s husband Craig said. “She called them up on Wednesday, and they gave her the runaround. Then she finally got to talk to someone and they said ‘We don’t see the error on our side.’”
Immediately before the fraud occurred, Mrs. McCarthy found that her Windows PC would no longer boot, and that the computer complained it could not find vital operating system files. “She was using it one day and then this blue screen of death just came on her screen,” said a longtime friend who was helping McCarthy triage her computer.
Later, McCarthy’s friend would confirm that her system had been infected with the ZeuS Trojan, a potent family of malware that steals passwords and lets cyber thieves control the infected host from afar. ZeuS also includes a feature called “kill operating system,” which criminals have used in prior bank heists to effectively keep the victim offline and buy themselves time to make off with the cash.
Karen McCarthy said TDBank has dug in its heels and is now saying it has no responsibility for the loss.
“They feel that because [the thieves] compromised my computer that it’s my responsibility and that I should look into my insurance, but I don’t have insurance,” McCarthy said. “I had a company that was interested in purchasing us, but they’re not going to do that now. I’m basically looking at bankruptcy, because I have very little money to operate on now.”
Krebsonsecurity spoke briefly with John G. McCluskey, vice president of TDBank’s corporate security and investigations. McCluskey referred all questions about the incident to the bank’s marketing department, which hasn’t returned calls seeking additional information and comment.
As Mrs. McCarthy found out the hard way, businesses do not enjoy the same protections that consumers have against online banking fraud. Most banks will work with commercial customers to try and reverse any fraudulent transfers, but the chances of that succeeding diminish rapidly after the first 24 hours following unauthorized activity. What’s more, banks are under no obligation to reimburse commercial customers victimized by cyber fraud.
McCarthy said she never would have done online banking for her business if she had understood how precarious it was for her business.
“I go to the bank and I see everywhere signs that your money is insured up to $250,000, but maybe they should have a little asterisk next to that saying ‘except for businesses,’” she said. “If I had understood that, I wouldn’t have been banking online.”
McCarthy said a $41,240 wire was sent to a company in New York called Asbury PHH; two wires totaling nearly $80,000 were sent to a man in North Carolina; and a $28,640 wire was sent to a Kimto LLC in California. Efforts to track down any individuals tied to those entities were unsuccessful.
The fifth wire was sent to a 59-year-old Kennesaw, Ga. resident named Pamela Biagi, who said she got the money after signing up for a work-at-home job over the Internet. Biagi said her employer called itself Adams Interiors, and used the Web site name interiors-a.com (that site is no longer online).
As it happened, that Web site essentially hijacked the good reputation of an interior design firm in Brooklyn, N.Y., claiming it was one and the same and pointing to the firm’s stellar reputation with the Better Business Bureau. Biagi said this was part of the reason she felt good about accepting the job offer.
“I did an online and phone interview with them. They wanted to hire me to be a financial agent, and to help their subcontractors who were going around the country doing interior design work,” Biagi said.
Then, on Feb. 12, she received a wire transfer of $14,875 with instructions to wire the money to another individual in Georgia. Suspecting fraud, Biagi’s bank promptly froze her account.
“The guy I was supposed to send the money to kept calling me…he was real nervous and kept asking me if I’d sent the money,” Biagi recalled in a phone conversation with krebsonsecurity.com. “I told him, ‘No, I’m sitting here with police officers and people from the bank because of all this.’
When confronted with the news of where the money had come from, Biagi said she was “horrified.”
“This has been an absolutely horrible experience for me, and I feel terrible for [Little & King],” she said. “I’m really glad they stopped it when they did. To think that I have been participating in something so horrendous like this is awful. It’s a black mark on my soul.”
Zac, can you provide a link to that software – couldn’t find it….
As mentioned before, I too use Malwarebytes: http://www.malwarebytes.org/
Also, run the scan from Secunia: http://secunia.com/vulnerability_scanning/online/?task=intro (*)
And, here you can download a free tool to check versions and updates: http://filehippo.com/updatechecker/ (*)
(* note: they scan your pc for installed software so for some that might be too invasive)
To kill rootkits: http://www.greatis.com/security/
Seems there is no one-stop solution: you need several tools/sites for regular maintenance.
My bad, I misinterpreted Zac’s post – as he was referring to IS Pro’s post….
Another tool: http://www.ccleaner.com – deletes all temp files, cookies etc. For regular maintenance – not for protection or removal of serious stuff.
Time and again speaking with bankers and suggesting they implement stronger authentication controls for high risk accounts (most commonly RSA tokens or similar) and the bankers 9 times out of 10 point to one preventing factor: The service providers.
Very few regional and local banks run their own online banking systems- they outsource to one of a half dozen or so vendors and of those most provide limited resources for any form of strong authentication. It’s not ALL the vendors fault though…
The FFIEC circular that required “multiple-factor” authentication was vaguely worded and insufficient to provide direction for mitigating controls around online banking authentication.
Strong authentication seems like an attractive goal, but does not address the real problem, which is malware acting as a “man-in-the-middle.” Strong authentication is NOT POSSIBLE through a man-in-the-middle, no matter what technology is used, including “multiple-factor” with RSA tokens. Authentication IS possible with simple “out-of-band” phone calls, but privacy requires getting rid of the man-in-the-middle.
It is IMPOSSIBLE for antimalware scanners to find all malware, especially when run inside the infected system. Sadly, Microsoft offers no tool to certify that a Windows installation is uninfected. When ordinary tools cannot find all malware, of course people will be using infected computers for banking. That result has nothing whatsoever to do with authentication.
When malware is found on a Windows machine, the Windows OS should be re-installed. Yes, that is scary, tedious and can lose data, but the alternative is to take the chance of living with hidden malware.
Currently THERE IS NO WAY to detect all possible malware, and running even 40 different scanners does not change things. This awkward situation is why malware is not just a casual problem, but one which demands more effort than most people are willing to invest. The situation exposes fundamental design flaws in our hardware and software systems. Old computer concepts are not enough. Software patches alone probably cannot fix this.
On current systems, users can and should learn how to use a simple Linux “live” DVD for banking. Help is widely available, and there are details on my website.
Darned good point! So, when will the third-party service providers get it? Insecurity threatens their prospects for survival. This is an opportunity to do better, beat their competition, and make better profits. Which one will be up to the challenge? Or rather, will any of them be up to it?
The bigger banks go through an elaborate process to choose a vendor. Security is usually an entire section of the RFI/RFP document. If they do a poor job making a decision I think they should shoulder that blame. Those top 6 or 10 vendors do offer additional choices.
Also, TD is one of the country’s biggest banks. If they wanted something I think they could get it. I agree they may ask, get a price they don’t like, and then not act.
Thank you for exposing this “white collar crime” that appears to be on the rise…My daughter just out college was on ‘craig’s list” and you know the rest. The amounts were much smaller but as we have heard said time and time again, there is no such thing as “FREE ANYTHING”…..Home network security has to be the next wave of computer hardware and software development……
This has been an outstanding thread, imho.
Not being a programmer, I will ask the question which only a non-programmer would likely ask!
Why is Windows so damnably intertwined with the applications that a reinstall wrecks all the applications? Why, with all Microsoft’s expertise, cannot the OS be written to allow a simple wipeout of a compromised Windows installation, leaving each of the applications behind in a compartmentalized state, ready to run just fine as is, with all data files intact, after reinstalling the OS? Is this not just as utterly stupid in its own way as the old DOS memory limitations, etc?
I for one dread the very idea of a reinstall of the OS, in that HP, in it beneficence, did not give me any way to just do that! I have a nice three-year-old HP Pavilion notebook with a damned system image restore disk!
So, if I had a suspect or even known infected Windows install, I would try any way I could to get along without reinstalling Windows.
… In South Africa banks are using dongles – which are physical devices (usually locked in the safe) that generate “access codes” based on a ( secret) secure algorithm.
Other option is a so called “one time password” – which is sent via SMS to the previously (non – online arranged) cell number.
Both services are free ( …ok , “free” in a bank way 😉
Not a bulletproof system – but involving a physical device – makes the thief much more difficult ( unless you have an insiders in the banks)
Dongles and other “one time” passwords are designed to prevent a “replay attack.” A “replay” is where an attacker can snoop your password entry and then try to re-use that password later. When possible, replay is effective even against very strong long, random passwords.
However, dongles are NOT designed to prevent malware “man-in-the-middle” attacks, where the MITM is effectively inside your machine. Any one-time value of any sort can be passed along by malware to open the account. Or maybe the malware just stands back until the account is open. Once opened, the account can be manipulated by the attacker. Many variations are possible.
Even an SMS “out of band” communication may not be sufficient. When the user enters the one-time value in the infected computer, malware just passes that value along to open the account as usual, and then the attacker takes control.
For users, the main problem is that we have no tool which can certify that no malware is present.
Those concerned about security can and should learn to use a simple Linux “live” DVD for online banking, one of which I describe on my website (click on my name).
No one is disagreeing with you Terry. Using a Live CD will prevent malware and MITM attacks just as you describe. Bankers, however, will loose customers if that’s the “only safe way” to bank online and do nothing further to protect themselves and their customers. Because of that banks and service providers need to provide both technical and administrative controls that reduce the threat of fraud and results in the lowest level of residual risk.
A real world solution would be a combination of both: tokens to authenticate to the site and then re-authenticate the transaction (with a refreshed key) and call-back verification for transactions over pre-set limits.
Instructing banks and consumers that they must rely on a process of booting to an operating system that is foreign and unfamiliar to them does a disservice to both.
But Eric! A “real world solution” must actually work!
Digital certificates (“tokens”) are universally available in SSL, and we expect SSL to be used in online banking. That works, but the user end of the security guarantee stops inside the computer, and does not extend out to the human.
When malware is in control, any on-line action to “re-authenticate the transaction (with a refreshed key)” is easily passed through by the MITM and so cannot improve security. It does not work.
Having the bank phone the customer to confirm banking orders should make banking safer, but of course does nothing to keep private information away from the internal malware and attacker.
“Instructing banks and consumers that they must rely on a process of booting to an operating system that is foreign and unfamiliar to them does a disservice to both.” Really? The point of this discussion was to see how to prevent the damage described in the original article. If we use your solution, the only part that works is the phone call from the bank. In contrast, booting Puppy Linux from DVD actually does work, even without phone calls. Which approach is the real “disservice?”
Not mentioned so far in article or in any comments:
The mentioned scam website interiors-a.com is registered to someone in Moscow, Russia, according to the WHOIS database. A name, telephone number, and e-mail address are in this data.
I can only hope this lead is being followed by someone. The ones ultimately responsible for the theft are the thieves themselves.
In reading many of these comments I realize that people are apparently a bit uninformed.
First of all for anyone who wants a good primer on Zeus and its capabilities, google for “zeus king of the bots” and read that paper.
Zeus is a real game changer. It doesn’t matter what security controls the bank has in place. RSA token, 1 time password pad, etc. Zeus will bypass it.
Once you are infected with Zeus, it is a man in the middle attack, the bank doesn’t have ANY way to effectively verify you. Very different from a phishing attack.
A few banks have looked at products like Trusteer Rapport that are supposed to be able to defend against these types of attacks, but this still relies on the user having it installed for it to be effective. The customers who voluntarily install additional security products are typically in the lower risk category for getting infected with Zeus in the first place.
The closest analogy to the brick & mortar world would be if your wife were to walk into your bank, close your joint account and takes all of the money, moves to Mexico, never to be seen again. Is it the bank’s responsibility to detect that she was leaving you?
Business process based controls are a difficult option as well. Dealing with a system where individual business customers send out thousands of wire transfers every day. Within this scope an individual <$50k wire transfer is equivalent to a micro-deposit that PayPal uses to verify your bank account.
Assigning bank liability on commercial accounts? So if Adobe has a system compromised and a hacker transfers $50MM out of their payroll account, does it become the bank's responsibility to cover that? I don't think this is a realistic option.
Likewise, what if the bank were to suspend a company's payroll transfers on Friday payday because of suspicious activity? Sure, if there *is* a compromise they will be a hero….otherwise they will likely lose a customer. The business risks of false positives are sometimes too large.
I'm not saying that the bank should or should not take care of this particular customer. That becomes a customer relationship, business decision. I do think banks need to do a better job of explaining to small businesses the REAL risks of money losses when using commercial banking, many businesses may think they need these features when they really do not.
In fact many commercial accounts require 2 separate users to approve a new payee. Unfortunately when a small business like this is compromised, even if dual-control is in place, there is only 1 computer that is used, so even dual control won't protect
To answer some other confusion I've read in the comments…
Money mules are often NOT sophisticated individuals. Some don't even have online banking access. The hacker transfers money into their account, sends them an email, they drive to their bank withdraw cash or cashiers check, walk down to the street to the western union and wire the cash to another country.
There is no "waiting period" on a wire transfer. When it is gone, it is gone, just as if you had dropped cash in an envelope and placed it in a mailbox.
In my opinion, money mules involved in these scams need to be held more financially liable.
For these hackers to move large volumes of money, they typically break them up into smaller chunks to multiple parties to avoid detection. Because of this, there is a wider pool of people who could be held jointly responsible for the losses.
There are no easy answers to this problem.
For technical insight, I suggest “When and Where Strong Authentication Fails” (by Avivah Litan):
http://www.gartner.com/DisplayDocument?id=1245013
For banking malware solutions, start with the 3 main actors:
1. The bank cannot solve it because the malware is in the customer system, not the bank. However, a bank could distribute Linux “live” CD’s and prevent Microsoft Windows users from logging in. Banks should refrain from recommending on-line banking unless they are willing to accept the risk of loss.
2. The customer is unqualified to solve it, at least the way things are now. But users can be educated, provided they are motivated, and banks need to provide motivation. Unfortunately, tools necessary for using Microsoft Windows for safe on-line banking simply do not exist, so some sort of alternative OS is currently required.
3. Microsoft has the biggest stake and the best capabilities, yet somehow takes the least blame. Both the banks and users should be demanding better products far beyond Windows patches:
3a. Microsoft could develop tools to certify a Windows installation as clean for use in on-line banking.
3b. Microsoft could develop a fast OS re-install to clean up any infection.
3c. Microsoft could supply a new “live” on-line banking OS.
3d. Microsoft could support hardware re-design to prevent infection.
Users who want actual on-line security now should man up and get their own Linux “live” CD. I prefer Puppy Linux from DVD, and describe it in my ciphersbyritter.com articles. (See, for example:
http://www.ciphersbyritter.com/COMPSEC/PCBANSQA.HTM )
After the Puppy DVD is set up, most user time is spent in Firefox, and my non-technical wife likes it.
We should be gratified that any real alternative exists. Getting companies to respond to user needs is vastly harder and slower, and out of our control. Doing nothing may seem easier, but only if nothing bad happens, and just hoping for the best is no solution at all.
Cr@n1um comments demonstrate a good grasp of technology but a fuzzy one of the issue. The analogy of a wife leaving her husband and taking all the cash with her is false. Assuming that the wife is a joint owner of the account, she would be acting within the law to take any amount of money out the account at any time she wished for any purpose. She would in no way be “victimizing” her husband. She would be exercising her marital rights. For the husband, life will go on.
It is the responsibility of the bank to verify that the woman standing at the counter is in fact who she says she is. Failure to do is negligence. By definition negligent behavior always has consequences. Those consequences are what banks are seeking to escape, and right now, they are succeeding.
Man-in-the-middle attacks of this kind are crimes–felony theft perpetrated by third parties who have no standing and no right to the money. For the victim of this crime, Little & King LLC, life will not go on. That’s the issue.
Would anyone here buy the automobile that exploded most often? That was the easiest to steal? Oddly, though, the most people who answered “no way!” to the questions above insist on using the Windows OS and Internet Explorer – the single most hacked software combination available. Why put yourself at risk when other options are available?
there’s a hell of a good universe next door; let’s go
— ee cummings
Terry Ritter has missed the point, too, and with a flourish of technical machismo to boot. Before we “man up” and vault to Linux, consider the situation in its historical context.
How often have we heard that “Windows is the culprit. Too many holes. Too much malware. Microsoft doesn’t care.”
Solution: Switch to a Mac.
But: Oops. Now we have malware infecting OS X.
Why? Because the Bad Guys are not stupid. They go where the money is, like flies go for dung.
Man-in-the-middle attacks are “platform-independent.”
If millions of online banking users switch to Linux, it won’t be long until the Bad Guys hack that, too.
Let’s put aside our hobby horses and puppies and look at another approach. I queue up some banking transactions online. Before they are executed, a human being at the bank calls me on the phone to verify that the transactions are legitimate. Until I’ve identified myself to our mutual satisfaction and verified the transactions, my money stays where it is.
This model is based on human beings sharing responsibility. It’s a time-honored way to get business done well. The bank has some responsibility, and I have some, too. We are working together to make sure the right thing happens–and only the right thing.
What’s the objection? It’s predictable. Making those phone calls will cost money and detract from the bottom line. Now consider this. That bottom line has been artificially inflated by engaging in the risk of making instantaneous, anonymous, online transactions.
There’s cheap, good and fast; you can have any two of them. Cheap + fast = no good. And as it is, apparently no one is responsible for the bad. The tech heads who blame Microsoft or Apple today may live to blame Red Hat, Open Source, Unbuntu, etc. tomorow, but no software developer–with or without a halo–has ever written a check to a victims’ compensation fund.
I think what we may see from banks in due course is some kind of NAC implementation.
http://en.wikipedia.org/wiki/Network_Access_Control
When a customer attempts to access their account for the first time after implementation, the back-end will quickly scan the connecting PC for vulnerabilities in the O/S and commonly exploited apps like Adobe Flash, Adobe Reader, Java, Quicktime…etc.
If old & vulnerable versions are found, the assumption will be made that the PC is infected with malware of some description (not an unreasonable assumption) and users will be sent to a remediation site and advised on how to patch the outdated apps. Only when the PC is detected is ‘clean’ will access to the online account be granted.
Will this eliminate this kind of fraud? No, certainly not…but it could drastically reduce it.
Banks that implement this will suffer the ire of their customers as most users cannot begin to keep every app updated (see recent Secunia report) and thus will be blocked from accessing their own account online….but this could be offset by the positive news that at least they’re doing something about this huge and growing problem.
All right Bill,
Not even a phone call from the bank is complete protection. If the attacker can enter a new phone number for your account, or even transfer to the call to their own number, they can approve their own transfer. You do not even know until you next look at your accounts.
Microsoft Windows IS the culprit. Over 93 percent of browsing occurs in Windows. Almost all banking bots target Windows. True, IF everyone in the world switched to Linux, then Linux would have similar or worse problems. IF. Personally, I doubt that will happen. As long as the vast majority of browsing occurs under Windows, the secondary platforms (Mac, Linux) will be relatively safe. Not perfect, just much, much better than Windows.
As long as Windows is installed on tasty, easily-written hard drives, malware will be infecting those drives, possibly undetected by scanning. Once infected means always infected for every session until the OS is re-installed, and, no, customers are not going to like needing that. There are no tools to certify Windows as clean for on-line banking. In contrast, running an OS from DVD avoids existing infection, makes infection both difficult and easy to correct if suspected.
Those who need an actual technical solution now (instead of some possibly partial solution at some distant future date), need to MAN UP NOW and find a Linux “live” CD or DVD to use. I prefer Puppy Linux, see my website for articles, such as:
http://www.ciphersbyritter.com/COMPSEC/PCBANSQA.HTM
Hi Terry–
Three things.
1. I wrote: “Until I’ve identified myself to our mutual satisfaction and verified the transactions, my money stays where it is.” The operative phrase is “our mutual satisfaction.” That means the bank and I work out how I am going to identity myself satisfactorily.
2. Bank employees verify the identities of people calling on the phone every day by asking the caller questions and obtaining specific information. This has been an accepted security practice for going on 20 years because it has worked well. The number you call from doesn’t matter.
3. Ever seen any of the old “Move to Phoenix!” ads? They touted its virtues, like no crime, cheap land prices, low population, no traffic jams, clean air, and no State income tax. Sounded good to millions of people who moved there, and very quickly all of those virtues evaporated. The same fate awaits any “safer OS.”
Hi Bill!
1. “The operative phrase is “our mutual satisfaction.”” That does sound better than I expected, but “mutual satisfaction” leaves a great deal of room, not only for what I interpret, but what actually occurs. We see repeatedly how effective most ad hoc schemes actually are after the fact, even given full “satisfaction.”
Moreover, a personal authentication service cannot hope to be a general on-line banking solution. It would be pretty expensive for banks, delays would be irritating for customers, and many people would insist on the simplest and least secure process. Serious security generally is both more complex and more awkward than most people want.
3. “very quickly all of those virtues evaporated.” Although running Puppy Linux from DVD may not be a permanent solution, it is a solution RIGHT NOW. It can be implemented for free, without any special banking arrangement. The Puppy Linux solution also inherently handles multiple banks or investment accounts, and provides access for a partner in an emergency.
Someday malware may start to target Linux and more precautions will be required. But malware will have to go some to infect a DVD as easily as it infects Microsoft Windows hard drives. One of the big problems we have with Windows is its “once infected, always infected” property, since we may not even be able to tell that we are infected.
Anyone who wants more on booting Puppy Linux from DVD can find articles on my pages.
Hi Terry–
Mutual satisfaction is a concept in business law that describes a contractual agreement. I have not proposed anything ad hoc, rather that banks and their depositors reach as a matter of course an agreement as to how each party will prove to the satisfaction of the other that they are who they say they are every time a transaction is to occur. All such agreements are subject to revision as conditions change. This a strategy to fix the problem, not another tactic aimed at propping up a broken system.
All strategies require additional time and additional expense, but also a fundamental change in thought and approach. It does not appear that change is going to come from the banks–not as long as they can offload responsibility onto their depositors. If banks were motivated to do what they are supposed to do (i.e., act as trustees of their depositors’’ money), this problem would have been fixed a long time ago.
When IT people got involved in banking, they applied the same “quick and dirty” authentication technique that they’d used elsewhere: requiring a username and a password. That was OK (and just OK) for securing email (some years ago). No rational, well-informed IT professional today would uphold “single-factor authentication” as a reliable means of securing anything of value or consequence, and certainly not an online bank account.
The same IT professionals (and their successors) have to drive home to the bankers a simple fact: single-factor authentication schemes simply can’t be trusted anymore. It’s a broken system that can’t be fixed. Two-factor authentication is more secure, but as ATM thefts have shown, only marginally so. A new strategy is needed.
If the banks won’t listen to reason or face the facts, then IT professionals should ally themselves with regulators and legislators to compel banks to adopt a new strategy. Unless and until that happens, IT practitioners will be left to fight an endless series of rear-guard actions in a war that, rightly speaking, cannot be won.
Brian:
Good article. Now you know why I spend so much of my time trying to foil ZBot at SecureMecca dot com. There are several points I feel need to be made.
1. These people really need to consider getting off of Microsoft Windows. I had a Windows newbie that was using my PAC filter basically accuse me that I had made it so that he was going to have to format his drive to get rid of the PAC filter. I don’t know if the instructions I gave him in a personal email placated him, but if he had just read the Uninstall.txt file he would have been good to go. In fact, he could turn the PAC filter on and off at will. The registry changes are just to make it possible for it to function at all. He could also have deleted the rule in the PAC filter that caused problems for him. Even a little bit of extra protection is better than none. I just installed Thunderbird on Sauron running OpenSUSE 11.2 Linux . I had to deduce that renaming the unbzipped folder (thunderbird —> thunderbird-3.03.) was in order along with creating a symlink (thunderbird —> /usr/local/lib/thunderbird-3.0.3). Altering the thunderbird startup script was also necessary to handle the future update changes, which I hope slow down from a torrent to a trickle. What am I saying? These people need to take some of the responsibility on themselves so that this doesn’t happen. Ergo, if you want the easy route off of Windows pick Macintosh. The hard route via Linux takes more work but these people need to ask themselves just one question. What if this attack had been made on me and I was using a Macintosh or Linux? Attack foiled. I was talking to a relative that had suspicious charges on their credit card. Their machine is pwned. How many are like this? A lot more than people think. Hackers have already found ways around the UAC.
I must hasten to add that I don’t use them, so the UAC gets in the way of auto updating the PAC filter. It is only useful with XP or Windows 7 Professional or Ultimate. I would suggest using the Web Of Trust, but that doesn’t help in a spear phishing attack.
2. Banking regulations need to change. The financial institutions need to assume at least some of the responsibility for this. The complete draining of a company’s assets should never have happened. Legislative bodies primarily in the U.S. but all over the earth need to provide the protection that is being used to protect idiots that are using Windows whether they are just personal or small business. They are already doing it for the individual. The regulations were written with a large corporation in mind and it just isn’t enough. Small businesses do not have the resources and in many cases the personal acumen to make themselves safer.
3. Security comes in layers. One of these layers is step 2. The other is step 1. Another layer is to use some common sense – do NOT click on the links in emails, especially if it is saying it goes to NACHA, FDIC, or some other place like that. Invariably, that is NOT where they go.
Interesting ‘concept’: http://www.srware.net/en/software_banking_browser_2008.php
A stripped browser, for banking only: no Java, Flash. Also, shielded against other installed browsers.
Seems more practical than a separate box for banking only.
In German – and, unfortunately, not updated since 2008, so I can’t tell how secure it is 🙁
Gartner analysts published in December 2009 that all existing means of strong authentication are inadequate to protect transaction integrity for simple reason that Trojan horse malware resident on our infected PCs circumvent these means. Nearly 50% of PCs worldwide are infected with some sort of malware. The vulnerability exploited is called Man in the Browser. Man-in-the-Browser, is a trojan that infects a web browser and has the ability to modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. The MitB Trojan works by utilising common facilities provided to enhance Browser capabilities is virtually undetectable to virus scanning software.In an example exchange between user and host, the customer will always be shown, via confirmation screens, the exact payment information as keyed into the browser. The bank, however, will receive a transaction with materially altered instructions. The use of strong authentication tools simply creates an increased level of misplaced confidence on the part of both customer and bank that the transaction is secure. Therefore US regulators and FBI recommend that all financial activities will be performed only from dedicated computers. Obviously this is a short-term solution. It has been demonstrated that Out-of-band transaction confirmation , such SMS sent over mobile phone , merely adds complexity to the process and is still vulnerable to targeted attack .The need exists for malware-resilient solution to the problem.
Our solution is a 2-stage process including signing of web form by user and signed form authorization by the service provider. No transaction will be authorized without both stages fully completed. In order to use our Software-as-a-Service end-user must download our client software, register his PC and enroll his Biometrics VoicePrint, the whole process takes less then a minute. Signing software includes data verification module that ensures that What you See is What you Sign, Strong Authentication module that ensures the identity of the person signing transaction and Advanced Electronic Signature module that ensures transaction integrity in transit and at rest.
The following flow highlights the signing process for medium-sensitivity transaction. End-user signs web-form for third-party money transfer. Our software prompts end-user to confirm transaction integrity and verify the data. Finally end-user is prompted to enter his 4 digit PIN. It takes about 15 sec of end-user time to sign filled web-form. Meduim-sensitivity transaction is signed using 2-factor strong authentication, including proprietary PC ID (something you have) and PIN (something you know). Higher-sensitivity transactions may be signed using 3-factor strong authentication by adding Live Voice Biometrics (something you are)..
Signed web-form includes 2 parts: end-user attributes and transaction details. It complies with the definition of Advanced Electronic Signature. Both end-user and service provider will keep the same signed web-form for future audit. Service provider may access this signed web-form through our API. This solution is malware-resilient, does not require any dedicated hardware and does not add complexity to the business flow. This solution is generic and is applicable to Banking transfers, E-commerce purchases, Insurance claims, Healthcare prescriptions, E-Gov voting.
Sounds like the bank is aiding and abetting criminals with grand larceny. I would find a good lawyer.