June 2, 2010

David Green normally only accessed his company’s online bank account from his trusty Mac laptop. Then one day this April while he was home sick, Green found himself needing to authorize a transfer of money out of his firm’s account. Trouble was, he’d left his Mac at work. So he decided to log in to the company’s bank account using his wife’s Windows PC.

Unfortunately for Green, that PC was the same computer his kids used to browse the Web, chat, and play games online. It was also the same computer that organized thieves had already compromised with a password-stealing Trojan horse program.

A few days later, the crooks used those same credentials to steal nearly $100,000 from the company’s online accounts, sending the money in sub-$10,000 and sub-$5,000 chunks to 14 individuals across the United States.

Now, Green’s firm — DKG Enterprises, a party supplies firm based in Oklahoma City — is wrangling with its bank over who should pay for the loss, said Joe Dunn, the company’s controller. So far, DKG has managed to recover just $22,000 of the $98,000 stolen in the April 27 incident.

Unlike consumers, businesses that lose money as a result of stolen online banking credentials usually are left holding the bag. As such, I’ve frequently advised small business owners to avoid banking on Windows systems, since all of the malicious software currently being used by these criminals to steal e-banking credentials simply fails to run on anything other than Windows. What’s more, the tools these crooks are using — mainly the Zeus Trojan — almost always outpace anti-virus detection at least by a few days, and by then it’s usually too late.

But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.

“He knew better than that,” Dunn said of his boss’s logging into the family Windows machine. “The thing about it is this wouldn’t have been able to happen if the security had been in place that is currently in place, which means he can only access the bank’s site from his Mac. We no longer allow access from any other computer other than his.”

Dunn said that not long after the fraudulent transfers were sent out, he heard from one of the money mules who had been sent the firm’s money and asked to wire it overseas to the fraudsters.

“This guy, he went to go use his debit card to fill up his car at a gas station and his card was declined,” Dunn said. “He was trying to figure out what had happened, so he researched where the money came from, went online and called the first number he could find and of course he got me. All I could do is refer him to the FBI. I think he’d figured out by that point what had happened.”

Dunn added the company’s bank is disavowing any responsibility for the incident, but that there is a small silver lining.

“Our take is we weren’t provided the utmost security to prevent this from happening,” he said. “It’s sad in this day and age, and we’ll probably have to take it as a hard lesson learned. On the bright side, though, the owner’s wife now has a new Mac.”

Further Reading: Target: Small Businesses


204 thoughts on “Using Windows for a Day Cost Mac User $100,000”

  1. Daniel

    What is needed is one-time keys like the RSA keys; this would have prevented the issue quite nicely. If the attacker got the password, unless they made a transaction within one minute, they would have been shut down by the rolling key. As an added layer of security the bank could be monitoring what IPs you are logging in as. See two IPs within a minute? Something is up… See two IPs in one minute with a large distance between them? Something is really up! This isn’t a Windows vs. Mac thing. This is just proof you should never use an untrusted machine for any of these services. A Mac machine is just as likely to have a keylogger as anything.
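Daniel’s “two IPs within a minute, far apart” heuristic is a login-velocity (impossible-travel) check that a bank could run on its own authentication logs. The block below is an added illustration, not code from the post or from any commenter; the login events, IP addresses (documentation ranges) and coordinates are constructed, and the one-minute window and 900 km/h ceiling are assumed thresholds a deployment would tune. Bear in mind Brian’s point further down the thread: a Trojan using Zeus “backconnect” logs in through the victim’s own machine and IP address, and this kind of check sees nothing unusual in that case.

```python
"""Impossible-travel check over constructed online-banking login events.

Flags a user whose consecutive logins come from two different IP addresses
either within a short window or at an implied speed no traveller could reach.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import math


@dataclass
class Login:
    user: str
    ts: datetime
    ip: str
    lat: float   # geolocation of the IP, as a GeoIP lookup would supply it
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel_alerts(logins, window=timedelta(minutes=1), max_kmh=900.0):
    """Return (user, previous_ip, new_ip, reason) for each suspicious login pair."""
    alerts = []
    last_seen = {}
    for login in sorted(logins, key=lambda l: l.ts):
        prev = last_seen.get(login.user)
        if prev is not None and prev.ip != login.ip:
            gap = login.ts - prev.ts
            dist = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
            hours = gap.total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")
            reasons = []
            if gap <= window:
                reasons.append(f"two IPs within {int(window.total_seconds())}s")
            if dist > 0 and speed > max_kmh:
                reasons.append(f"{dist:.0f} km in {gap.total_seconds():.0f}s")
            if reasons:
                alerts.append((login.user, prev.ip, login.ip, "; ".join(reasons)))
        last_seen[login.user] = login
    return alerts


# Constructed sample events (RFC 5737 documentation IPs, made-up coordinates).
T0 = datetime(2010, 6, 1, 10, 0, 0)
SAMPLE_LOGINS = [
    # user-a: a login from one city, then 40 seconds later from thousands of km away.
    Login("user-a", T0, "198.51.100.7", 35.47, -97.52),
    Login("user-a", T0 + timedelta(seconds=40), "203.0.113.9", 50.45, 30.52),
    # user-b: two logins from the same address, nothing to flag.
    Login("user-b", T0, "192.0.2.10", 35.47, -97.52),
    Login("user-b", T0 + timedelta(minutes=30), "192.0.2.10", 35.47, -97.52),
    # user-c: a different IP in the same city ten minutes later, plausible travel.
    Login("user-c", T0, "192.0.2.20", 35.47, -97.52),
    Login("user-c", T0 + timedelta(minutes=10), "192.0.2.21", 35.50, -97.50),
]


def run_sample():
    """Run the check over the constructed events; only user-a should be flagged."""
    return impossible_travel_alerts(SAMPLE_LOGINS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Only user-a trips the check; user-c’s address change is both outside the one-minute window and consistent with a few kilometres of travel, which is the distinction Daniel draws between “something is up” and “something is really up”.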

    1. BrianKrebs Post author

      Thank you, Daniel, for lobbing that conversational hand grenade.

      Couple of points about RSA keys and one-time tokens. They used to be quite a hurdle for the bad guys. Now, they’re more akin to speed bumps. Look through the stories at the Target: Small Business category to the right and you’ll see plenty of real life examples of companies getting hit even though they were forced to use RSA keys and token devices.

      The other thing to keep in mind is that in many cases, the attackers are using a feature built into Zeus called “backconnect,” which means they log in to the bank’s site using the customer’s *own machine* and IP address.

      Finally, I’d take strong exception to your blanket statement that Macs are just as likely to get a keylogger as anything. ALL of the victims I’ve interviewed (>100) were Windows users. Seeing a pattern here?

      1. Russ

        Brian, have you analyzed how many of the 100+ were the wife’s machine? Perhaps wives are to blame. Looking beyond snark, my point is that without full statistical analysis you’re making assumptions. It could be that Mac users may not report these as IT security issues because they believe their precious iGadgets are impregnable and surely a jilted ex-employee or corrupt bank teller is to blame.

        Or Windows is buggy hole-ridden software, all things are possible.

        1. BrianKrebs Post author

          See my reply to Alan. So many people take this as a personal affront or a perceived Windows-vs-Mac face-off. Put down your fanboy flags for a moment, folks, and try to put yourselves in the shoes of a small business owner that just saw a year’s worth of earnings walk out the door because of a *single Trojan infection.

          1. Russ

            I’ll note that posters on this blog are probably amongst the more sympathetic to these horror stories you’ll find. But the criminals at the root of these attacks are pragmatists. They are going to notice the growing number of Apple devices, the greater penetration of OSX in the market, and the myth of immunity that is basically self-perpetuating at this point.

            It is a critical security point that users must accept that the safety of OSX requires the same diligence as any other OS to maintain security: timely patching, software & browser hardening, and defensive browsing habits. That is advice that is platform independent.

            It is ominous that SANS just recently posted about new Mac malware Onionspy:
            http://isc.sans.org/diary.html?storyid=8890

          2. Rick

            ‘It is ominous that SANS just recently posted about new Mac malware Onionspy’

            It’s not ominous at all. It’s not even a hack. It’s pure social engineering. You can own any system if you convince the sysop to give away the keys. It’s a non-story.

          3. Rick

            Oh and it’s not ‘Onionspy’ either. It’s ‘OpinionSpy’. Research is really tricky, innit?

          4. Haakon

            “So many people take this as a personal affront or a perceived Windows-vs-Mac face-off. Put down your fanboy flags for a moment, folks, and try to put yourselves in the shoes of a small business owner that just saw a year’s worth of earnings walk out the door because of a *single Trojan infection.”

            This might be true, however, Apple fanboys *did* start this, namely that banking guy or whatever.

            When someone says “It’s sad in this day and age, and we’ll probably have to take it as a hard lesson learned. On the bright side, though, the owner’s wife now has a new Mac.”, then I can sort of understand why the Windows people raged. I mean seriously?

            You can’t be annoyed at “fanboys” when you just implied that Apple shall fix all thine problems.

          5. Joel

            This clearly is an attack on Windows and is Apple fanboy propaganda because the title says “Using Windows for a Day Cost Mac User $100,000”

            It could have said something along the lines of “Using an Unknown, Unsecured Computer Cost Business Owner $100,000” which is more true to the situation presented in the article.

        2. John Kramarz

          “they believe their precious iGadgets are impregnable and surely a jilted ex-employee or corrupt bank teller is to blame.”

          well, yes. Very close, but it seems jealous infected Windows users like to use absolute words like “impregnable”.
          When you say “iGadgets” I think of iPad, iPhone, iPodTouch, etc. Software and media for those devices is available only through iTunes Store, where everything is checked out for security. Problems still might happen, but VERY much less likely.
          It certainly is one solution, and one they take a lot of grief for.
          We’ll have to wait and see if any Android programs end up being security issues.
          Also, for a mac user, $100k might not be a big deal to be noticed ; )

      2. Shane

        Brian, I enjoy your reports but following up to Alan’s comment, what are you going to suggest in 5 years when everyone is a Mac user and the same cyberthugs are cranking out malware that exclusively targets and exploits Macs — switch to Linux or back to Microsoft? These incidents happen because of poor user actions/practices tied to vulnerabilities in web servers and client side mobile code. If you secure even one of the three you greatly reduce the attack surface. The OS just happens to be the current target based on ROI. Why would cyberthugs target a low density OS especially in this day of automated exploits when you can get a much better return on the OS of the day?

          1. Robert Lee

            OSX, Windows, Linux, etc all allow for discretion to the end-user. They are all equally (in)secure.

            These systems all have security mechanisms as defined in the Controlled Access Protection Profile (http://www.commoncriteriaportal.org/files/ppfiles/capp.pdf).

            The security for these systems is meant to be effective in “cooperative, non-hostile environments”. Clearly, the security of these systems is not meant for use on the internet.

            To say one is more secure than the other is misguided.

        1. Terry Ritter

          “what are you going to suggest in 5 years when everyone is a Mac user”

          1. Most Windows users can still use Windows, just not online.
          2. This is not about OS “code quality” per se, but instead about market share. In general, malware is about profit, and encounters machines at random. When is it going to be more profitable to attack Macs or Linux if 91 percent of browsing occurs under Windows? Will the situation change if Windows becomes “only” 80 percent, or even 60 percent, or even less?
          3. 5 years gets us 5 years down the road. Maybe Microsoft or Intel will wake up. Maybe we will get real hardware and software fixes. Maybe we will be dead. Problem solved.

          “these incidents happen because of poor user actions/practices”

          4. In many cases users do enable an attack. But no matter how much you know or who you are, you will still occasionally make human errors. And when a single error can cause a massive failure, it is time to get humans out of the loop as much as possible.

          “Why would cyberthugs target a low density OS especially in this day of automated exploits when you can get a much better return on the OS of the day?”

          5. Exactly! But the real problem is infection, and current Mac designs can be infected like Windows boxes. If we all switch to another infectable OS, we can expect similar results, eventually. But if we switch to booting from DVD, or get a new hardware protection level to prevent infection, that is a different issue. That is not just moving to a new OS, that is solving the problem.

        2. Anthony Youngman

          Saying that it’s more profitable to attack Windows because “there are more of them out there” is simply ignoring the contrary evidence of web servers.

          Apache outnumbers IIS two to one.
          *Cracked* IIS outnumbers cracked Apache *four* to one.

          Okay, we know that IIS is plagued by the underlying flaws in Windows, but if you’re going to claim that it’s the majority player that’s most at risk, then why aren’t there more cracked Apache boxes out there? (Oh – and to ram the point home even more, what few Apache exploits I’ve heard of recently have all targeted add-ons, not base Apache, so the majority player must be pretty solidly armoured against attack!)

          Cheers,
          Wol

          1. Terry Ritter

            “Saying that it’s more profitable to attack Windows because “there are more of them out there” is simply ignoring the contrary evidence of web servers.”

            Actually, the argument is that malware development, distribution and operation are motivated by profit. We confirm that goal from articles on this blog.

            Malware attacks generally find computers at random, and then must function in whatever environment is found. Since Microsoft Windows supports about 91 percent of browsing, malware can either be ready for Windows and able to run 91 percent of the time, or ready for the Mac and run 5 percent of the time, or Linux at 1 percent overall (and even less for particular Linux distributions).

            All things equal, malware is 91 times more likely to run and produce profit on Windows than on Linux. But even if Windows had just 40 percent of browsing and 3 competitors each with 20 percent, while only 40 percent of Windows malware insertions could run, that would still be better (and probably more profitable) than the alternatives.

            However, suppose some OS manages to develop, patent, and field some sort of virtually complete malware protection. Those users might quickly outnumber others, and yet still be less profitable for malware to attack. The game is profit, not numbers.

            Web servers are a different ballgame: They are not attacked to reveal credentials or take over open accounts, but to distribute malware and spam. In that role they have a certain worth to justify the attack investment, but comparing server attacks with user attacks is comparing apples and oranges.

            “if you’re going to claim that its the majority player that’s most at risk, then why aren’t there more cracked Apache boxes out there”

            Because the name of the game is profit, not winning more boxes, unless that somehow delivers the most profit.

            “what few Apache exploits I’ve heard of recently have all targeted add-ons, not base Apache,”

            Attackers have real goals and real costs. When an attacker can get the same benefit more easily by attacking add-ons, we can predict they will do that. It is just that simple.

        3. Rick

          Cranking out malware that targets other platforms? What malware is that? Unix was built with security in mind (and as a high priority) from the get-go. Windows wasn’t. Windows is a hardware interface more than an operating system. The tipping point is where it is profitable for organised crime to stay off the streets and hack away instead. Unix just makes the whole proposition harder by several orders of magnitude. This isn’t news. It’s been out there for years. Buy a clue.

          1. john

            Rick, I would add that Unix system administrators and users are typically going to be more vigilant than Windows users and administrators. I know that I am more conscious of the security weaknesses of the Apache servers that I had to set switches and compile, than the IIS servers I’ve used.

          2. Rick

            John, cheers, Unix admins are way more educated. Most of them are familiar with Windows (who isn’t) but Windows admins aren’t generally familiar with Unix.

            (If they were then they wouldn’t be on Windows, would have advised against it, would have established draconian security procedures if they couldn’t get management’s ear, or just gone out and got a better job.)

            But playing the security game with Unix makes sense. You can work with it. Security is not a pipe dream – it’s a real possibility (and therefore a responsibility). Unix shops (the good ones) work on an entirely different premise.

            Windows shops don’t really attack security issues in the same way because they know they’re actually dealing with an impossible situation. They play ‘ketchup’ instead. Try to stay within striking distance of the bad guys – which means a few miles behind.

            They go through the motions only. They know AV can’t protect them and yet they take all the patches and updates… But for what? It’s hopeless.

            You can’t really care about security in a Windows shop because you’ll be tearing out your hair and screaming bloody murder all the time. You can’t help but care about security in a Unix shop because Unix is a cornerstone of Unix and you can’t blame Microsoft if your network gets hacked. Unix *can* be secured (and should be). Windows is beyond hope.

            It’s both educational level and knowing whether real security is possible. Even the people from Microsoft in this comment thread know it to be true.

          3. Rick

            … because *security* is a cornerstone of Unix… DUH. Security was built into Unix from the ground up, from the get-go. Individual accounts, granularity in privilege levels, privilege escalation with authentication, full comprehensive file permissions… Windows is Unix in single user mode. Everything else – the Keystone Kops.

      3. Nicholas Weaver

        What is required is a separate trusted PATH to the user, either a hardware dongle which can authenticate TRANSACTIONS (eg, we describe one possible design and the rational http://www.icsi.berkeley.edu/cgi-bin/pubs/publication.pl?ID=002790 ), or a totally separate path (eg, like the SMS-based verification that some banks overseas are using).

        ANYTHING that relies solely on the computer to authenticate a transaction after a user is authenticated can’t work.

        1. dc0de

          1. Someone mentioned using two factor SMS. Well, that’d be great, if I couldn’t intercept it. It’s not encrypted, and is readily available to anyone with a Ham Radio License. (While it is against federal law to decipher it, it still is received by your radio set.)

          2. The fact that most US banks don’t want to move to 2-factor auth tokens, because they don’t want the overhead and infrastructure is criminal. Even PAYPAL, who isn’t a bank, has 2-factor security available, and YOU the user pay $5 for the key. Hello banks, why can’t YOU do this?

          3. Like I said earlier, it’s not an OS issue, or an Open-Source v.s. Closed Source discussion. It’s about the fact that there is “No patch for stupid”.

          4. I completely agree, that in this case, the user went to a different machine, with different controls and expected the same security. Sorry, that’s a User Failure.

          5. See Pebkac 101.

          1. Carlos

            Actually, SMSs, as pretty much all GSM (or newer) traffic, *are* encrypted. But that’s not the point. Hackers can’t intercept SMSs because they don’t actually know who they’re hacking nor do they know when and where the unsuspecting victim is going to log into his bank.

          2. Rick

            Damn straight it’s user failure. It’s user failure for expecting a Windows box to be secure, for not understanding how incredibly much spin Microsoft have put into the market (and by populating blog comments) etc. It’s ‘blame the user’ again – the mention of which got you to mod Brian himself down.

            You people seem to have been tasked to do your damnedest to never let anyone blame Windows for anything. Oh so much money at stake – damn the torpedoes and damn the Internet! We need the cash! It’s our market!

            Seriously – isn’t it time you told your boss you don’t want to do this dirty job anymore?

      4. Danny

        Ever consider the reason that this occurs more on windows based PCs is because they dominate the market share?

        Not exactly an Apples-to-Apples comparison, I’m afraid…

    2. Shane

      Better yet, let’s focus on Out Of Band Authentication or some other method to digitally “countersign” or confirm these types of transactions. Why in the world we allow money to be transferred out of accounts with just a click of a mouse button is beyond me… For all the billions we lose annually through cyberfraud, banks could have engineered and put into place a global banking OOBA solution that would provide another layer of security using one of the most common devices – a telephone.

      1. Terry Ritter

        “let’s focus on Out Of Band Authentication or some other method to digitally “countersign” or confirm these type transactions.”

        1. The “let’s” part of this involves influencing, coercing, or forcing a bank, and then all banks, into changing the way they do business. They love that. So all we need is a dictator “to get the trains to run on time,” er, I mean “to address malware.” But long before that happens, we can each take action, right now, today, and be running safe machines in a few days (or weeks, if we need a DVD writer and some DVD+RW discs). Waiting for things to be improved is not a great idea.

        2. All of this authentication stuff is much trickier than it looks. The root problem is a bot infection which is resident in the customer computer and can act as a “man in the middle” between the customer and the bank. The bank does not have access to that machine. No on-line authentication of any sort, including RSA digital signatures, 2-factor and external dongles, can force security on a running bot.

        3. Even off-line authentication by phone can be tricky. Most phones do not connect by secure wires to a central switch anymore. Nowadays many phones run on VOIP broadband, and are not particularly secure. Nor are cells, nor is texting. And of course none of the phone authentication can go back through the infected computer. So the bank must be forced (see 1, above) to take tedious voice approvals, along with accepting responsibility for knowing the correct voice or have yet more authentication.

        4. Banks can enforce controls on where money is sent, but the mules are in the US, and the amounts are split.

        5. Even in the best possible situation, having a resident bot eliminates secrecy. Your financial records belong to the bot-herder. There exist no tools which guarantee to expose such a bot. So even finding some sort of working authentication protocol does not really solve the problem. The real problem is the bot infection in the customer computer which possibly nobody can detect.

        6. By booting from a DVD, you can avoid existing infection, which really does solve that problem. Yes, such a system can get malware, but only until it is restarted. Conventional hard-drive-boot systems remain infected until their OS is re-installed.

        1. Anthony Youngman

          In the UK I have a personal pin reader. When I set up a transaction, the web site sends me a security code.

          I put my debit card in the pin reader, enter the security code, then enter my pin. The reader gives me an authorisation code, which I give back to the web site.

          If my banking credentials are stolen, an attacker can’t generate the authorisation code, because it relies on me holding the (stand alone) reader and my debit card in my hand. (Actually, I think I can use ANY reader – what matters is the debit card.)

          Cheers,
          Wol

          1. Matt

            CAP readers are better than nothing, however it’s not true transaction authentication. The trojans hijack the browser and then either wait for you to login or do another transfer and reroute their own session challenge response digits to you while they are authenticating their own transfer in the background. If the trojan is set up right it can even get a few transactions out of you by giving you a failed message please try again, and since it owns the browser when you do login to check your balance they inject html with the original balance before their outgoing transactions so you don’t even know you’ve been robbed.

            Originally the plan was for the big 3 banks in the UK to be able to interchange their users’ cards with each other’s readers so there would be a cost saving; actually that’s how the system was originally sold, with the idea that a household could share one CAP reader, but typically banks implemented slightly different standards which prevent the cards being interchanged so readily.

        2. dc0de

          “2. All of this authentication stuff is much trickier than it looks. The root problem is a bot infection which is resident in the customer computer and can act as a “man in the middle” between the customer and the bank. The bank does not have access to that machine. No on-line authentication of any sort, including RSA digital signatures, 2-factor and external dongles, can force security on a running bot.”

          Please explain how you can clear out my account, if I’m using two factor authentication. Even if you install a trojan horse with 100% control of my desktop, you’re not going to get the key off of my RSA Token, without coming into my house and putting a gun to my head. (please note; I’ll probably meet you halfway with my own.)

          2-factor authentication is NOT difficult, as proven by Taiwanese Banks, some UK banks, and Paypal.

          Ask your bank to support true 2-factor authentication. I have, and continue to ask, and if we have enough voices, perhaps the banks will actually provide the services that WE THE CUSTOMERS are requesting.

          I for one, am now looking for a Credit Union on the West Coast, that will support 2-factor with a physical token.

          1. Matt

            The problem is in the language: 2FA encompasses a lot of authentication types. To break it down simply, OTP (One Time Password) 2FA is broken and regularly being broken by the trojans. Let me explain how they do it.

            There are 2 primary ways. First, the old-school phishing method (no trojan needed): once the user believes they are interacting with their real banking website they simply enter the OTP token code, which gets instantly sent from the attacker’s fake site to the attacker for a login from the attacker’s session. The attackers simply added jabber instant messenger clients to their fake site’s code to get the OTP codes back to them within the 30 second window.
            The second method is the same idea but via your real browser which a trojan has hijacked (there are modules for all the different browsers), so now the address bar looks correct but everything including the OTP codes is being sent to the attacker’s automated session. You asked how they would get you to do this; essentially they just wait until you need to do it and detect that https connection, or with phishing they give you an email saying you need to log in right now for some reason. Now the next part is where most people don’t think much. Most banks using OTP tokens (including my own) request another OTP when you go to make an outgoing transfer or add a new outgoing account. The trojan / phishing site can’t show the user this but they need another value after the initial login to do this. Their solution is simple: the user gets a “session expired… please login again”, which actually happens to me all the time when I’m internet banking so I’m not surprised everyone falls for it. You are shown a new login page and you enter another OTP value thinking you are logging in, but in the background the attacker has just used that new OTP login value to authenticate his outgoing transfer.

            And this is the essence of the problem which needs to be addressed: not 2FA so much, but 2FA with TRANSACTION AUTHENTICATION. The generic random numbers of OTP give no information to the user as to WHAT they are authenticating. This allows the trojans to play all sorts of games in the background well beyond simply key logging. The user needs to be able to see for themselves on the separate device exactly what they are authenticating for 2FA to be really secure. Only a very few of the electronic tokens can do transaction authentication. I am constantly outlining them and anyone else is free to chip in; they are ZTIC from IBM (a USB device), tokens with transaction authentication built in (identifiable with an added keyboard on them, not just a single button) and my own non electronic method Passwindow.
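The distinction Matt draws between a generic OTP and transaction authentication (and the reason Anthony’s card reader above is only as strong as what the code it produces is bound to) can be shown from the bank’s side of the check. The block below is an added example, not code from the post, from any commenter, or from any named product; the token secret, counter value, account identifiers and amounts are constructed, and the two code formats are a plain HMAC-based stand-in for whatever a real token would compute. It compares a verifier that only recomputes a counter-based OTP with one that recomputes the code over the amount and destination the user actually saw on the separate device: when the transaction that reaches the bank differs from the one the user approved, the first verifier accepts it and the second rejects it.

```python
"""Generic OTP versus transaction-bound code, verified on the bank side.

Models the situation Matt describes: a code the user typed is presented to
the bank alongside transaction details the user never saw. A generic OTP
cannot tell the difference; a code computed over the displayed details can.
"""
import hashlib
import hmac
import struct

# Hypothetical per-token secret shared between the user's device and the bank.
TOKEN_SECRET = b"constructed-demo-secret-do-not-reuse"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226-style dynamic truncation to a fixed number of decimal digits."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


def generic_otp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP: the MAC covers only the counter, never what is authorised."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def transaction_code(secret: bytes, counter: int, amount_cents: int,
                     dest_account: str, digits: int = 6) -> str:
    """Transaction-bound code: amount and destination are inside the MAC."""
    msg = struct.pack(">QQ", counter, amount_cents) + dest_account.encode("utf-8")
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


def bank_verify_generic(secret, counter, presented, amount_cents, dest_account):
    """Bank-side check with a generic OTP: the transaction details play no part."""
    return hmac.compare_digest(presented, generic_otp(secret, counter))


def bank_verify_bound(secret, counter, presented, amount_cents, dest_account):
    """Bank-side check that recomputes the code over the submitted transaction."""
    expected = transaction_code(secret, counter, amount_cents, dest_account)
    return hmac.compare_digest(presented, expected)


def relay_scenario():
    """The user's device signs the transfer the user sees; the bank receives another."""
    counter = 7
    intended = (2500, "ACCT-INTENDED-CONSTRUCTED")      # what the user looked at and approved
    substituted = (9800000, "ACCT-OTHER-CONSTRUCTED")   # what reaches the bank instead

    # Generic token: the same six digits are valid for any transaction at this counter.
    otp = generic_otp(TOKEN_SECRET, counter)
    # Transaction-bound token: the digits commit to the intended amount and account.
    bound = transaction_code(TOKEN_SECRET, counter, *intended)

    return {
        "generic_accepts_intended": bank_verify_generic(TOKEN_SECRET, counter, otp, *intended),
        "generic_accepts_substituted": bank_verify_generic(TOKEN_SECRET, counter, otp, *substituted),
        "bound_accepts_intended": bank_verify_bound(TOKEN_SECRET, counter, bound, *intended),
        "bound_accepts_substituted": bank_verify_bound(TOKEN_SECRET, counter, bound, *substituted),
    }


if __name__ == "__main__":
    for name, ok in relay_scenario().items():
        print(f"{name}: {'ACCEPTED' if ok else 'REJECTED'}")
```

The bound check only helps if the device that computes the code also shows the user the amount and destination it is signing, which is exactly the “see for themselves on the separate device” requirement Matt states; a code bound to details the user cannot read adds nothing over a generic OTP.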

          2. Terry Ritter

            @dc0de:

            “Please explain how you can clear out my account, if I’m using two factor authentication.”

            I had thought the concept of having an active bot in the customer computer as a man-in-the-middle between user and bank was pretty clear, but apparently I was wrong (again!). Fortunately, various other sources describe the problem in more detail:

            “Once pitched as an additional layer of security for E-banking transactions, two-factor authentication is slowly becoming an easy to bypass authentication process”

            http://www.zdnet.com/blog/security/modern-banker-malware-undermines-two-factor-authentication/4402

            “Trojan-based, man-in-the-browser attacks are circumventing strong two-factor authentication”

            http://www.gartner.com/DisplayDocument?id=1245013&ref=g_fromdoc

            The reality that a resident bot can “defeat” 2-factor has been known for some time. So my question is: How does the “2-factor is the silver bullet for online banking security” meme keep rising from the dead? Who is pushing this thing? Are we actually seeing propaganda from the attackers?

            “2-factor authentication is NOT difficult, as proven by Taiwanese Banks, some UK banks, and Paypal.”

            Perhaps, but the PayPal football does not protect against bots. So it may be “NOT difficult,” but it also does not work.

            One reason the banks are not doing more is that it is no longer clear what they could do. The bot is in the customer computer, and there is no tool or set of tools guaranteed to expose it.

            In my view there is currently just one option for secure online banking, and that is to load the OS from CD or DVD. Ultimately, no OS which boots from a conventional hard drive (or writable flash) can be considered secure. No OS can be secure on its own, because all large, complex systems have flaws.

    3. Rick

      ‘a mac machine is just as likely to have a keylogger as anything’

      Goes into the Hall of Fame as one of the all-time best magic tricks ever.

      1. Ben

        Hey i could code one right now if u wanted!

  2. Alan

    I have become a big fan of this blog but I do think you need to address the suggestion that using one operating system rather than another was the primary issue in this case.

    In terms of one having a larger market share Windows is associated with greater risk, but in terms of their technical merits there probably isn’t much difference. If anything Microsoft has been much more aggressive about developing secure development procedures, releasing patches, and utilizing technologies like ASLR in recent years just because their exposure is greater.

    User behavior is a much much more significant factor. The money was lost because he used a home computer used by children to play games etc. And my guess probably running with admin privileges, not kept up-to-date with OS and application patches, etc. Sure there’s less malware for OS X but there are Trojans for OS X as well (e.g. the OSX/OpinionSpy Trojan that’s in the media at the moment) and a lot of PDF and other exploits will work on OS X.

    Telling people to use OS X instead of Windows is a bit like saying if you drive intoxicated at 90mph and swerve in and out of traffic better do it in a Mercedes because your chances of survival will be better. That may be true but the real problem/solution isn’t the model of car.

    1. BrianKrebs Post author

      Thanks for your comment Alan. I want to be *crystal* clear about something. My advice about Windows vs. live CDs or Macs, or whatever alternative has always been in the context of online banking, and I’ve been clear that I’m even saying this is mainly a big deal for business owners banking online.

      I’m not saying people should abandon Windows because Macs or LiveCDs will make the world sing in harmony. I’m merely saying if you’re a business, and you bank online, you should *strongly* consider doing at least the banking part from a non-Windows machine.

      We can argue about whether Windows is getting a fair shake if you like. I tend to side with the little guy here who doesn’t give a rat’s behind about how Microsoft or Apple feels about all this. They just want to be able to continue existing and not having to worry about a single virus infection wiping out their entire business.

      1. Alan

        Brian,

        Fair enough, but if the focus is commercial online banking the solution isn’t whether you use this operating system or that operating system. Focusing on which operating system is a security distraction.

        The solution is using a LiveCD. A LiveCD probably means a Linux variant but it’s not the brand of OS as such that makes it secure but that it’s an OS on read-only media that is used strictly for online banking and no other purpose. It may even have firewall rules pre-configured to only allow access to/from the bank’s IP addresses.

        If you want security you shouldn’t be doing online banking from a Windows, OS X or Linux PC (from home, no less!) that is also used for other purposes such as browsing the Internet, online games, etc.

        Alan.

        1. BrianKrebs Post author

          Here’s the most important line from this story:

          “But the advice about banking on a dedicated, non-Windows machine only works if you follow it all the time. As this incident shows, it does no good for small business owners to use a Live CD or a Mac or some other approach only some of the time.”

          So, if you choose to use a dedicated Windows system for online banking, great. Going the LiveCD route? Perfect. But be consistent. At the risk of…er..stretching the analogy, it’s kind of like condom use: It does no good to use them only *some of the time*.

          1. Alan

            Brian,

            I think we’re largely in agreement. My gripe is just that the “Using Windows…” framing is misleading because it isn’t the fact that he used Windows that caused him to lose $100K. He lost $100K because he used a machine–a home computer used by kids to browse, chat and play games online–he should have realized wasn’t suitable for doing online banking transactions.

            Alan.

          1. SpamIsLame

            I’d like to point out something that was a pretty widely read tech item yesterday, Alan.

            Financial Times: Google ditches Windows on security concerns

            The directive to move to other operating systems began in earnest in January, after Google’s Chinese operations were hacked, and could effectively end the use of Windows at Google, which employs more than 10,000 workers internationally.

            “We’re not doing any more Windows. It is a security effort,” said one Google employee.

            “Many people have been moved away from [Windows] PCs, mostly towards Mac OS, following the China hacking attacks,” said another.

            New hires are now given the option of using Apple’s Mac computers or PCs running the Linux operating system. “Linux is open source and we feel good about it,” said one employee. “Microsoft we don’t feel so good about.”

            Google, a company with 10,000 employees around the world, is officially ditching Windows. This has to be seen as pretty tangible proof that Google, as a company, does not trust Windows to be secure in any way, shape or form. They do trust Linux and Apple, and their spokesperson in this case is willing to say so explicitly.

            Windows is, let’s be 100% frank here, swiss cheese. The average new Windows PC has about as much built-in rock-solid security as a mosquito net.

            Yes, this guy should have known better, but the fact that any Windows machine he himself had never set up should always be perceived as so insecure that anything he did with it is monitored and recorded by criminals is a pretty strong statement that Windows effectively is not secure, full stop.

            Microsoft can blame Adobe and third party programs all it wants. The reality is: any Windows machine, from day zero, is extremely susceptible to infection just by using Internet Explorer to visit a perfectly legitimate website which was susceptible to a compromise of one sort or another. This is well-documented. The criminals behind all of these thefts know this, and they are counting on the average business owner to not bother with securing it. This is the only reason this is successful.

            I quite often have to use Windows in most environments I work in. I don’t care to wave flags about one OS or another, I use all of them. Every job I’ve had over many years has, just by default, been a Windows shop. I take many extra steps to secure my machine as completely as possible. That takes a lot of extra effort which most people will not do.

            Your claim that the ‘”Using Windows…” framing is misleading’ is, in my opinion, and apparently that of Google worldwide, incorrect.

            SiL / IKS / concerned citizen

          2. Alan

            There’s no reply button for Spamislame’s post below this one but here’s my take on the Google/Windows story:

            Lots of people think the “Google ditches Windows for security reasons” story in the FT is silly, e.g. http://www.infoworld.com/print/125722

            1. The story is very badly sourced. Google hasn’t said what it is doing or why.
            2. If Google were ditching Windows for the reasons given by the FT, which many doubt, it shows an amazing degree of cluelessness for a high-tech company of Google’s standing. Good marketing FUD though!
            3. Google’s recent ‘Chinese’ security issues stemmed from running a machine with admin rights, an out-dated operating system, and old software. Under the circumstances blaming Windows is disingenuous.
            4. Google is a big target so whatever OS they happen to use will attract motivated hackers, so using a less commonly targeted OS doesn’t help them. If anyone thinks using OS X will make Google more secure, Google “Charlie Miller Mac” or see links I posted elsewhere in this discussion.

    2. Rick

      ‘but in terms of their technical merits there probably isn’t much difference’

      Define ‘probably’. Tell us a bit about your background and how you arrived at that conclusion. Cheers.

  3. Steve Lembark

    Thank you for pointing out the pattern: I sometimes feel like a lone voice wailing in the wilderness.

    There are a few safe ways to use Windows, though less convenient than most users will tolerate. One way is to use VMware in non-persistent mode and reboot after each site is accessed. Another is to burn the O/S onto a DVD and use an in-memory filesystem for all temporary storage, rebooting after each operation. The last I know of is to install the system, write-lock the drive at the hardware level, and then use in-memory storage for anything temporary.

    These have proven useful when I’ve had to access sites that require windows (e.g., they use exploder-specific options).

    Then again, people could just follow your advice and buy a Mac 🙂

    1. Gord

      A question about live CDs vs Virtual Machines. I have been using virtualbox for a while (windows host). Would a linux VM running in such a scenario be immune from malware running on the windows host? Are the guests in virtual box isolated enough?

      A vm starts so much faster than a boot of a live cd…..

      1. george

        @Gord

        Such a setup might be safe for the time being, but with malware getting more sophisticated at such a rapid pace, it will probably not be in the future. If the host computer gets infected, a virtualization-aware trojan cannot get directly to your guest OS image (which is encrypted), but it might infect the virtualization software itself and finally infect the guest OS this way the first time you boot it. Sure, this being Linux, it is a lot less likely to encounter such malware, but the risks are further reduced if the host OS is not used for any activity except running the virtualization software and you use a Windows instance as a guest OS also.

      2. Daniel

        No, not to a key logger. You are running the “safe OS” on an unsafe OS. If there is a keylogger on the base OS, you are still done for. It may help in some instances, for example if the malware only pulls saved passwords or something similar, but it isn’t trusted. The nice thing about a live CD is now you are booting into a fresh known trusted environment every time. Once you start messing with it, as soon as you pull the disk… everything is reset… and the CD is “trusted” again.

        1. Robert Lee

          Trust starts at the base and works its way up. Without trusted hardware, you have no assurance that your boot CD is safe.

          http://en.wikipedia.org/wiki/Rootkit#Hardware.2FFirmware

          Furthermore, all this talk of boot CD’s is terribly clunky. It completely takes away from the point of online banking: Convenience.

          Recommending boot CD’s to solve online banking is as eloquent as telling Toyota owners to attach a mattress to the front of their cars in case the gas pedal sticks.

          Much of the security industry today has focused on trying to secure the end-user system. If we assume that the end-user system is compromised then we must develop new mitigating controls.

    2. Rick

      ‘Another is to burn the O/S onto a DVD and use an in-memory filesystem for all temporary storage, rebooting after each operation. The last I know is to install the system, write-lock the drive at the hardware level, and then use in-memory storage for anything temporary.’

      This sidesteps the fact that the Registry is basically dynamic and large parts of it are ‘volatile’ – they’re never saved to disk. And yet they determine how the system works. Your ‘current control set’ defines the use of the hardware. That’s volatile and never reaches your hard drive. That can be corrupted by intrusion code and with no need to ever go to disk.

      1. Rick

        Windows drivers are ‘layered’. [See http://bit.ly/c9WklE @ Wiki.] With proper access – which the hack will attempt to achieve – rogue code can put in a new layer to, for example, log keystrokes. This without getting to disk. True, the box might be OK the next time you boot that way, but you can still get infected on a CD-boot surfing expedition using Windows.

  4. Marty

    @BrianKrebs
    “Finally, I’d take strong exception to your blanket statement that Macs are just as likely to get a keylogger as anything. ALL of the victims I’ve interviewed (>100) were Windows users. Seeing a pattern here?”

    Hmmm. While I agree that your current empirical data tends to lean towards untrusted Windows computers, I don’t think – as a researcher – one can simply discount untrusted non-Windows computers. This falls into that “black swan” zone, that is, one can’t prove there aren’t black swans just because all you have found so far is white swans. The same goes here, just because all you have found so far are untrusted Windows computers, doesn’t mean there are no untrusted non-Windows computers.

    It has been shown that non-Windows computers are susceptible to malware, and I think that we are just currently seeing the statistics of market share (there are just a lot more Windows computers being used than non-Windows computers).

    1. Rick

      ‘I agree that your current empirical data tends to lean towards untrusted Windows computers’

      ‘Tends’? Absolutely phenomenal.

  5. Steve Lembark

    Q: How many of these exploits work at all with Opera on Windows or OS X?

    Q: How many work with Opera on Linux?

    Q: How many work with lynx on *any* O/S (maybe text browsers without embedded languages still have real use)?

    1. Robert Lee

      What’s your point? Are you saying that malware could not target those alternate software pieces, or that they just haven’t been targeted yet?

  6. xAdmin

    Nice, real nice! Blame Windows when the real issue here is the decision by Mr. Green to use a “shared” family PC! He could have used a dedicated Windows system with as much efficacy as a Mac or a Live CD. To ONLY point blame at the OS is using logical fallacy.

    The cum hoc ergo propter hoc logical fallacy can be expressed as follows:

    1. A occurs in correlation with B.
    2. Therefore, A causes B.

    In this type of logical fallacy, one makes a premature conclusion about causality after observing only a correlation between two or more factors. Generally, if one factor (A) is observed to only be correlated with another factor (B), it is sometimes taken for granted that A is causing B even when no evidence supports this. This is a logical fallacy because there are at least five possibilities:

    1. A may be the cause of B.
    2. B may be the cause of A.
    3. Some unknown third factor C may actually be the cause of both A and B.
    4. There may be a combination of the above three relationships. For example, B may be the cause of A at the same time as A is the cause of B (contradicting that the only relationship between A and B is that A causes B). This describes a self-reinforcing system.
    5. The “relationship” is a coincidence or so complex or indirect that it is more effectively called a coincidence (i.e. two events occurring at the same time that have no direct relationship to each other besides the fact that they are occurring at the same time). A larger sample size helps to reduce the chance of a coincidence, unless there is a systematic error in the experiment.

    In other words, there can be no conclusion made regarding the existence or the direction of a cause and effect relationship only from the fact that A and B are correlated. Determining whether there is an actual cause and effect relationship requires further investigation, even when the relationship between A and B is statistically significant, a large effect size is observed, or a large part of the variance is explained.

    1. Rick

      ‘Nice, real nice! Blame Windows when the real issue here is the decision by Mr. Green to use a “shared” family PC!’

      You’re hurting people’s heads.

  7. Daniel

    A hurdle is a hurdle, I understand that nothing is perfect, but what I am trying to argue is that having a Mac is just one more hurdle for an attacker to overcome, which I do agree with, but so is the RSA key. Unconditional security is impossible, but putting as many speed bumps in front of an attacker will cause them to move on to the next person.

    I do know one person that had all their credentials stolen from Mac Spyware. Granted they installed something stupid, but Windows is often the same thing. Linux has been hit as well. Relying on a platform that you believe is resilient is going to bite you because I often find these users a lot more careless. I would like to see users using USB keys that are READ only that you can boot off of that just contain a web browser.

    Hurdles are good, so long as it doesn’t present a user a false sense of security. I would much rather be using something along the lines of an RSA key than relying on the Mac platform.

    I would also like to see something along the lines of banks texting you every time there is any large transaction done of a certain amount that you define (say $1000 bucks in one week as a default, change it for your use).

    I still enjoy your blog by the way! Just a minor disagreement. I also have a bitter hatred for Windows, and use Ubuntu for my home desktop among other versions of Linux, but I feel that telling someone to use Linux to fix their problems is about the worst thing you could do.

  8. BrianKrebs Post author

    One more thought. I have often also urged people to simply use a dedicated Windows system for online banking. That is, get a cheap netbook or laptop, use it for online banking and for nothing else (not facebooking or emailing or chatting) and put it in a drawer when you’re done with it.

    The point is recognizing that the banks have put almost all of the security on the shoulders of the commercial customer. As such, it seems prudent to assume that the customer is 100 percent responsible for securing the online banking transaction. When viewed this way, using a dedicated machine or LiveCD doesn’t sound like such a drastic solution.

    1. Daniel

      “The point is recognizing that the banks have put almost all of the security on the shoulders of the commercial customer.”

      I agree 100% on this. I also feel that businesses should have similar protection as consumers on this issue.

    2. Jerr

      “The point is recognizing that the banks have put almost all of the security on the shoulders of the commercial customer. ”

      Yes, they have, just like the law puts driving safely on the shoulders of the driver. Try convincing a judge that you should not have to pay for the speeding ticket just because it was your car, your license plate and you were in the driver’s seat.

      Just because you’ve been driving for years or using computers for years does not eliminate personal accountability for your actions and inactions.

      If you want to drive around on bald tires and that contributes to an accident, it’s still your fault.

    3. Marty

      I think you have “hit the nail on the head” with your statement:
      “The point is recognizing that the banks have put almost all of the security on the shoulders of the commercial customer.”

      That’s the root of the problem here – banks need to accept responsibility for what is really a bank problem. They need to stop trying to shift the focus away from themselves – and we need to stop reinforcing this behavior – distracting everyone with non-issues like what OS the customer is using (Windows or Mac or Live CD or whatever).

      Brian, one of your best suggestions deserves repeating here:
      “Any solution that does not assume the customer’s machine *is already compromised by malware* stands zero chance of beating the bad guys at their own game. ”

      This must be the baseline for all online banking.

      You should be using your forum here to focus on the real issue – poor security on the bank side – not the “band-aid” solution which focuses on which OS the customer is using. With your blog posts getting linked from other sites (congratulations!), I would much rather see a link to a blog commenting on how inadequate bank security is, suggesting that banks need to seriously consider the real problems and provide better security, instead of one suggesting which OS customers should be using for online banking.

      1. Gabriel

        Absolutely!

        The banks need to provide stronger security measures. In order to cut their costs, they are happy to make everything digitally processed by the machines, while they twiddle their thumbs. The security infrastructure is inadequate. As a software architect I can think up numerous ways to enforce security that will conform with common sense and will involve not only the cyberspace but also various acute human decisions controllable by the banks and their customers with enough flexibility for the customer to tighten or relax the level of security available to them (if they are sticklers for relaxed security).

        But, the bottom line is that the banks need to provide more security. There are instances of fraud where any bozo can see the fraudulent pattern in the transactions. There are ways to identify those patterns in real-time and the banks can automatically halt such transactions and ring up a human to clear the transactions.

        The OS is a minor issue. Yes, Windows is the worst of the lot, but no OS is bullet-proof either. As it has been pointed out earlier, a completely locked down version (such as a Live CD) will do the job, even if it is Windows (e.g. Bart PE).
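Daniel’s suggestion above of a text alert whenever transfers exceed a customer-defined weekly amount, and Gabriel’s point that the obviously fraudulent patterns can be spotted in real time and held for a human to clear, both reduce to rules run over the transaction ledger. What follows is an added example in Python, not code from this page or from any bank: a trailing-window total alert plus a check for a burst of transfers to never-before-seen payees at amounts just under common thresholds. The ledger, payee names, thresholds and margin are constructed for illustration.

```python
"""Customer-defined transfer alerts plus a simple structuring check (added example)."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    payee: str
    amount: float


def rolling_total_alerts(transfers, threshold, window=timedelta(days=7)):
    """Return (transfer, rolling_total) for every transfer at which the outgoing
    total over the trailing window is at or above the customer's threshold.
    This is the 'text me when more than $X leaves the account in a week' rule."""
    alerts = []
    recent = deque()
    total = 0.0
    for t in sorted(transfers, key=lambda x: x.ts):
        recent.append(t)
        total += t.amount
        # drop transfers that have fallen out of the trailing window
        while recent and t.ts - recent[0].ts > window:
            total -= recent.popleft().amount
        if total >= threshold:
            alerts.append((t, round(total, 2)))
    return alerts


def _just_under(amount, thresholds, margin):
    """True if amount sits within `margin` below one of the thresholds."""
    return any(T * (1 - margin) <= amount < T for T in thresholds)


def burst_to_new_payees(transfers, known_payees, window=timedelta(hours=24),
                        min_payees=5, thresholds=(10_000.0, 5_000.0), margin=0.15):
    """Flag previously unseen payees that receive 'just under threshold' amounts
    when at least `min_payees` such payees appear inside one time window.
    Flagged transfers are what a bank would hold for a human to clear."""
    cands = sorted(
        (t for t in transfers
         if t.payee not in known_payees and _just_under(t.amount, thresholds, margin)),
        key=lambda t: t.ts)
    flagged = set()
    for i, first in enumerate(cands):
        cluster = [c for c in cands[i:] if c.ts - first.ts <= window]
        payees = {c.payee for c in cluster}
        if len(payees) >= min_payees:
            flagged |= payees
    return sorted(flagged)


# Constructed sample ledger (not real data): two routine vendor payments,
# then a burst of transfers to payees the account has never paid before.
KNOWN_PAYEES = {"Office Lease LLC", "Acme Paper Co"}
BURST_START = datetime(2010, 4, 27, 8, 2)
BURST_AMOUNTS = [9800, 9650, 4900, 9200, 4800, 9900, 9500, 4950, 9400]
SAMPLE_LEDGER = [
    Transfer(datetime(2010, 4, 1, 10, 0), "Office Lease LLC", 4000.0),
    Transfer(datetime(2010, 4, 20, 9, 15), "Acme Paper Co", 2300.0),
] + [
    Transfer(BURST_START + timedelta(minutes=7 * i), f"new-payee-{i:02d}", float(a))
    for i, a in enumerate(BURST_AMOUNTS)
]


def demo():
    """Run both rules over the sample ledger and return their results."""
    alerts = rolling_total_alerts(SAMPLE_LEDGER, threshold=20_000.0)
    flagged = burst_to_new_payees(SAMPLE_LEDGER, KNOWN_PAYEES)
    return alerts, flagged


if __name__ == "__main__":
    alerts, flagged = demo()
    for t, total in alerts:
        print(f"ALERT {t.ts:%Y-%m-%d %H:%M} {t.payee:<14} {t.amount:>9,.2f} "
              f"7-day total {total:>10,.2f}")
    print("hold for human review:", flagged)
```

With the sample ledger the weekly-total rule fires from the second burst transfer onward (the routine $2,300 payment a week earlier still counts), and the new-payee rule flags all nine burst recipients while leaving the two established vendors alone. Both thresholds belong to the customer, as Daniel proposes, so a business with large routine payroll runs would simply set them higher.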

        1. Terry Ritter

          “The OS is a minor issue. Yes, Windows is the worst of the lot, but no OS is bullet-proof either. ”

          Abstractly, Windows security is probably *better* than the others, having been honed under attack for many years. But that does not matter as long as openings continue to be found, and while malware profits continue to be best when attacking Windows.

          “As it has been pointed out earlier, a completely locked down version (such as a Live CD) will do the job, even if it is Windows (e.g. Bart PE).”

          I have used a Bart PE, and would be interested to hear about anyone actually doing that in practice. First, the OS is big, and loading is very, very slow. But the real problem is that the browser environment necessarily changes, and there is no facility to support such changes.

          When a problem is found and fixed in a browser, just using the old version can be a serious error. We cannot just use the old OS either. Keeping up will be more work than I would do.

          In contrast, the Puppy Linux system allows the boot DVD (DVD+RW) to be updated, although in restricted ways. First, the user must approve updates, which are slow and obvious. Next, it makes sense to do updates early in a session, before getting into anything hinky. And each update is added as a separate DVD “session,” which can be voided if something bad was there. It is easy to prevent DVD writes completely, simply by removing the DVD (Puppy functions completely in RAM). Of course, making a brand new DVD takes about 5 minutes if the original installation was copied and saved as a base.

          The advantage of Puppy Linux is not just being Linux, or even booting from DVD, but also in allowing the DVD to be updated in response to a continuing flow of real-world patches. The alternative is not pretty.

          1. Gabriel

            You’re right. Bart PE can be a pain to load (in fact I only tried a few times a few years ago and gave up). I am planning on exploring the UBCD4Win option. That one seems promising but I haven’t tried it yet (just throwing out another option for Windows users). And this is just because many Win users feel intimidated by Linux, and besides, familiarity with your main turf is always more welcome. For those who are bold enough to try out something different, Linux is probably the only and the best option. I haven’t seen any OS X live versions (Apple licensing would kill such efforts), and I’m pretty sure no common user would touch Unix! 😉

            I have pretty high hopes from Chrome OS (ergo Android which will merge its path with Chrome as per Google). We’ll see in due course of time.

    4. Daniel

      Sounds great, but a dedicated Mac machine is pretty expensive… I can get a cheap Linux netbook for 200 bucks! Doesn’t need to be fancy for this application. I feel like telling users this advice is a lot more likely to happen if it doesn’t put them down 1000 bucks.

      1. Terry Ritter

        “a dedicated Mac machine is pretty expensive… I can get a cheap Linux netbook for 200 bucks!”

        But a Linux LiveDVD is free. And you can use it on your existing Windows machine. There is no need for a new machine.

        Even if the Windows machine is infected, a DVD boot avoids the infection.

  9. xAdmin

    Hate to beat a dead horse as I’ve posted this in other threads. But, it is highly relevant to Mr. Green’s decision to use a PC of dubious nature. It also speaks to the suggestion of using other OS’s:

    Law #10: Technology is not a panacea

    No matter how sophisticated the hardware and software become, they’ll never replace common sense and sound security policies and practices.

    The rest of the laws are very important as well!
    http://itknowledgeexchange.techtarget.com/security-corner/10-immutable-laws-of-security

    1. Tim Towers

      Technology and human behaviour work together.

      A good technical solution will provide sufficient information or controls for the correct human behaviour to happen, but many of the attacks are impressive in their ability to bypass our mental defences.

      Brian has identified that the read-only operating system provides a significant level of technological protection and the only reason people don’t use it is either because they don’t know about this solution or that they believe it is a poor risk tradeoff in the time taken to use it compared with the likelihood of financial loss.

      Maybe this indicates that we need better technological solutions or a change in the way that the bank is comfortable about a transaction, but no solution is without cost – if additional measures add 10 minutes/week to 1 million people we may reduce the cost to a few careless individuals at a larger cost to society as a whole.

      Personally, I have been most impressed by the ASUS Expressgate (I think) instant-on browser on my recent motherboard as a simple, quickly accessed trusted interface. It is a shame you have to reboot to access it – if they bundled a vmware player for it I would be impressed.

      1. Terry Ritter

        “Personally, I have been most impressed by the ASUS Expressgate (I think) instant-on browser on my recent motherboard as a simple, quickly accessed trusted interface.”

        Express Gate certainly sounded like a solution to me when I first heard about it. After a little research and thought, it seemed less helpful. Browsers need to be patched frequently, and add-ons are important for browsing security.

        Security updates are not so much about improved features as fixing vulnerabilities. The time has long passed when we could just use an old system and be satisfied with that. A browser which does not allow security updates becomes increasingly vulnerable.

        Then, after we get updates, we have to prevent non-update writes to the boot flash, or we are open to malware infection again. All this can be done, it just has not been done.

        “It is a shame you have to reboot to access it – if they bundled a vmware player for it I would be impressed.”

        Running vmware from Microsoft Windows is not the same as running on “bare metal” with nothing else there. The base problem is malware infecting the boot drive. When we boot Windows, that potentially puts malware in control of everything, which makes the virtual machine sandbox untrustable. The security goal should be to not boot from any easily-writable drive which malware could have infected.

  10. Hoan

    Wow. Bad article. Your point of view is very skewed. The person ultimately compromised his company by using an unsecured machine that is not even his work computer. This is as good as using a public computer for doing work, regardless of whether it was Unix/Mac/Windows based. The title also alludes to your preference and almost blames Windows for the problem. You should really change it to:
    User’s bad online banking judgement costs company thousands of dollars.
    Don’t blame the machine. Blame the user.

    1. BrianKrebs Post author

      “Blame the user!” What a brilliant idea. I wonder why nobody has *ever* thought of doing this.

      Thanks for your comment.

      1. Daniel

        I agree with Brian on this one. The organization that has the resources and the ability to solve these problems is the banks, not the user. The burden of responsibility needs to be put on the one who has the ability to fix it. While I agree that to a certain extent the user could be blamed, we should also realize that if we always blame the user and they are always held responsible then banks aren’t going to do anything to help with this fight.

    2. xAdmin

      While it may not have been the intention, the article title and the “from his trusty Mac laptop” in the first sentence certainly come across as biased. The comments show many took it that way too. Then again, putting on my tinfoil hat, maybe it was intentional to drive up traffic! 🙂

      Anyway, as to the “blame the user”, it’s not about putting all the blame on them, but to make the point that the user has just as much responsibility in securing their end of the deal. Something Mr. Green was doing until his dreadful mistake.

      It is unfair to ask the bank to assume all the responsibility when in virtually every case, the problem has been the end user’s failure to secure their end. To be absolutely blunt, let Darwin’s theory sort it all out! Or as I like to say, “Stupid is as stupid does!” I’m sure this will be the last time Mr. Green uses an unsecured computer!

      1. Steve Parker

        “the user has just as much responsibility in securing their end of the deal.”

        That’s like saying that an owner of a Toyota has just as much responsibility for the safety of the car as the manufacturer.

        The fact is that banks have created an environment where online transactions are allowed, and even encouraged, to be originated from demonstrably unsecurable environments. That’s not a user issue.

        Automobiles come with user manuals and clear, simple-to-follow rules for safe operation. An operator that violates those rules is held responsible for unsafe operation. No such thing exists with respect to computers and the internet. I highly doubt that the bank had rules or even suggestions about not using one’s home PC to originate online transactions.

        Until banks have clear and easily implementable security rules that are enforced, banks should be held responsible for any and all fraud that occurs. Getting hit by malware that even Google can’t keep completely off their systems should not be cause to be held responsible for banking fraud.

        1. KFritz

          Circumstances alter cases. This user WAS sophisticated and knowledgeable enough to take precautions, and then hasty and careless enough NOT to implement them. All of the other instances I’ve read about on this blog, the victims were less sophisticated and knowledgeable. If I’m the judge, this guy pays some of the freight.

  11. TJD

    “On the bright side, though, the owner’s wife now has a new Mac.”

    I’ll bet the kids still browse the web having auto-logged in to an administrative user. No lesson of value was actually learned here.

  12. Alan

    I don’t want to get into a this-OS-is-better-than-that-OS fight as I’m not sure there are significant technical advantages of one OS over another. I really think the issue here is user behavior and procedures for accessing banks rather than the particular brand of OS.

    But regarding OS X there is plenty of evidence that it isn’t technically more secure than Windows. Charlie Miller has had no trouble compromising OS X every year at CanSecWest, Apple is notoriously slow at releasing significant security updates for Java and other apps, etc. If it made economic sense criminals would have no problems writing banking malware for OS X.

    OS X is ‘secure’ because it is targeted less often. You could make the same claim for Linux. As OS X market share grows, or even if lots more businesses started using OS X for online banking, we’d see more malware exploiting OS X. OS X is only a solution in the sense that it’s security by economic obscurity (from criminal’s perspective) which isn’t really very reliable security at all.

    1. Terry Ritter

      “OS X is ’secure’ because it is targeted less often. You could make the same claim for Linux.”

      Exactly! Actually, Microsoft Windows is likely to be significantly stronger, abstractly, than OS’s which are not being exploited. But that strength is not effective until it resists exploitation and experience would lead us to believe that will never happen. Large, complex systems always have errors.

      “OS X is only a solution in the sense that it’s security by economic obscurity (from criminal’s perspective) which isn’t really very reliable security at all.”

      Well, it may gain a little time, which can be useful. But the real problem is infection, and the tasty hard drive in Macs can be infected just like Windows. If we instead move to something which is vastly harder to infect (there being no perfection in this world), we get real security, not obscurity. So boot from a LiveDVD, which for now generally means Linux. See my computer security articles and set up the Puppy Linux which I am using right now.

      http://www.ciphersbyritter.com/COMPSEC/PCSECBAN.HTM

    2. Steve Lembark

      Most users cannot pronounce “TCP/IP”; that doesn’t mean they cannot or do not use it.

      *NIX systems also provide a better suite of tools for security: a chroot to a single-use tmpfs can be made transparent to the user (aside from a disk LED lighting up). Ditto read-only mounts. Xen and VMware are more attractive options on a *NIX platform than on Windows.

      Maybe there is a real market for single-use netbooks configured for secure banking?

  13. emv x man

    The other takeaway is that time spent keeping an eye on the safety and security of our families whilst online is not wasted!

  14. george

    I’m sorry to see a trend in which the percentage of transactions successfully reversed is decreasing and that thieves are getting better at keeping more of the monies stolen. Macs are almost for sure safer, but good Linux distributions are just as user friendly and safe (and much cheaper). Besides, users not prepared to completely jump onto the non-Windows bandwagon can easily dual-boot. Until malware gets sophisticated enough to write to ext3 filesystems from inside Windows, this should be quite safe. A better way yet: install virtualization software and a firewall/antivirus, never use your host operating system to install anything else or to go (directly) to the Internet, create a virtual instance with your favorite OS for day-to-day use and a few OS templates, which you can deploy anew every time you want to perform any sensitive operation.

  15. Moike

    Just to reinforce – it’s not so much that the Mac is invulnerable, but that it isn’t targeted. The best solution is a banking-only system or a live CD, no matter what the OS. Just today, there is a bulletin about new Mac malware called OSX/Onionspy:

    http://isc.sans.org/diary.html?storyid=8890

  16. Matt

    So, if I’m browsing on my invincible MacBook with Safari’s 2-years-and-counting security hole (http://www.zdnet.com/blog/security/unpatched-drive-by-download-flaw-in-apple-safari-browser/6397), and then someone tries to drop a keylogger on my desktop, along with other spyware readily available from a Google search (http://www.google.com/search?q=keylogger+for+mac&sourceid=ie7&rls=com.microsoft:en-us:IE-SearchBox&ie=&oe=), then I won’t get exploited? I still don’t understand why people use the Mac as their golden calf.

    The Windows machine should be updated with all the patches and virus scanners just like a Linux or Mac; that is and always will be the user’s responsibility.

    And the bank should employ some better security like the ones discussed in the comments from other users above, because security will always be a speed bump. It will NEVER be a brick wall unless you unplug from the network! So why not add some more speed bumps, some bigger, some smaller? Do you use locks on your house at home? Why? Someone could come by with a lock pick with full access to your house in minutes. ADT security system? It won’t STOP someone from stealing your TV and running upstairs to snag the jewelry box before the police come. It only deters people who are not willing to go any further. If you want to secure your house, bury it underground with no windows or doors. If you want to secure your computer, don’t use the network.

    And for people who don’t want to fool themselves, keep your stuff patched, updated, and if the bank doesn’t use enough security, then find another bank. But for goodness sake, man up for your mistakes!

    Apparently Mac doesn’t take their browser flaws seriously, but if you want to just pray to your golden calf, maybe everything will be ok.

    1. Daniel

      I haven’t been involved in a flame war in a while, this is exciting, but I think after this one I need to get back to work.

      This is proof that Apple doesn’t take security seriously, and in turn this rubs off onto their users. Saying that I can pop up files on your desktop by visiting a site, and Apple saying that is a feature, not a bug, is where the problem stems from. Their commercials making fun of PCs for malware are funny and all, but they make their users feel like the Mac can do no wrong and that if there is something on their desktop they need to click on it! Apple was years late to include both DEP and Address Space Layout Randomization, and so far people who have studied it have said it sucks: http://www.laconicsecurity.com/aslr-leopard-versus-vista.html. To make matters worse, they only give you the feature if you upgrade (which costs money). Honestly, Microsoft, for all the bad things that can be said about them, takes security far more seriously than Apple.

    2. Anthony

      In a nutshell, the golden calf, from an engineering perspective, is pretty easy to explain. The system is maintainable and isn’t trying to scale a collapsed technology.

      The Registry is evil. DLLs (not shared libraries per se) are evil. The MS security model is nothing to write home about.

      OS X is based on BSD Unix, an OS that was designed from the beginning to maintain privilege separation. Apple realized years ago it would be worthwhile to have a few years of pain to have a stronger OS – hence the change. MS has been polishing the same turd since the beginning. Windows was originally designed to be a basic presentation-level tool, and then OS-level features were hacked underneath, damaging its foundation, so to speak. It’s a fundamental difference between how Unix and MS people think – one is sustainable at a fundamental level because it depends on a modular experience and the other is not.

      I would like to say that Linux will be strong long term, but I think the lack of 3D accelerated graphics will kill it off as a workstation…

  17. Heron

    I hate it when this Mac drama takes over the blog conversation, and I agree with Marty: The banks should be doing their part to safeguard small business owners’ online accounts. Why are business accounts treated so differently than personal ones?

    1. David

      Why? Because the consumer protection laws give banks certain liability for consumer account fraud, but not for commercial accounts. You think banks and credit card companies eat consumer fraud out of the goodness of their hearts and pocketbooks?

    2. Marty

      Yes, unfortunately, the post comments have degraded into an irrelevant discussion about end user operating systems.

      To restate one of Brian’s most profound statements regarding online banking:
      “Any solution that does not assume the customer’s machine *is already compromised by malware* stands zero chance of beating the bad guys at their own game. ”

      The customer’s operating system and its malware state doesn’t matter. What does matter is what the bank is doing to protect the customer’s transactions from fraud. Where is this point being made?

      Sadly, I think that Brian has consumed some “banker’s kool-aid” :). Notice that Brian didn’t even mention the bank by name in this post? In previous posts regarding online bank fraud like this, Brian at least included the name of the offending bank and would even comment about inadequate security on the bank’s part. No mention this time, other than to include a comment from the victim that the bank is disavowing responsibility.

      The more we get distracted by discussing which operating system the online banking customer is using, the quicker the banking institutions will “win”, by convincing their customers and others – including the media reporting on the fraud – that this is all somehow the customer’s fault and not the bank’s responsibility.

      The same thing happened with “identity theft” (btw, there is no such thing as “identity theft”). Financial institutions were able to distract/convince customers that their “identities were stolen”, and as a result, the bank fraud which occurred was the customer’s fault, and not the bank’s responsibility.

  18. Paul

    Love your column!

    I do agree with you that small business owners who choose to use online banking should do so from a dedicated machine.

    In addition to all your other suggestions, if you use a dedicated Windows PC for banking, disable the Server service for additional peace of mind.

    I have to disagree with you on the impression of a Mac being safer to use than a Windows machine. That is a false security blanket. That statement should be that there are fewer exploits on the Mac platform.

  19. Brice

    Great job, Brian! I totally agree with you. Using a dedicated non-Windows OS laptop or live CD seems to be the answer. It just so happens that Microsoft has the big target on their back and also just happens to be the criminal attacker’s choice as the OS easiest to exploit.

    Comments are entertaining to read also.

  20. Steve Parker

    Mr. Krebs,

    Keep fighting the good fight and ignore all the nonsense in the comments. In my mind, it is criminal that banks allow this ridiculousness to happen. If the computer/internet/online banking complex were a car, there would have been recalls and congressional hearings by now. Lawyers would be lining up, and CEOs would be issuing mea culpas. It is shameful that users are being blamed for an epic failure on the part of the others.

    1. Terry Ritter

      “If the computer/internet/online banking complex were a car, there would have been recalls and congressional hearings by now.”

      That is an excellent point! I suppose most people are under the delusion that everything that can be done (technically) is being done. That is wrong. A new form of hard drive could be created to protect OS code from infection. The OS code might only be updatable from a LiveCD. That could prevent online bot infection, but we do not have that, and people would have to buy it anyway. That is years away, at best.

      The problem is not just the driver, it is the car and the roads as well. For example, is the Microsoft Windows product, when operating in its expected PC environment, fit for the purpose of online banking? Such issues are commonly resolved in court, and damage awards get noticed and can trigger societal change.

      Software upgrades can never offer serious protection, because when malware runs, it subverts the OS code. Only new hardware can offer an independent layer of security to prevent infection, and that is not available. Until then, booting from LiveDVD is a very good idea.

  21. mrmikel

    Flame wars!

    Maybe everyone should read the headline.

    There is no final answer in business nor is there any final answer in computers, only degrees of risk.

    This guy, having a brain ^&*R, used a computer that had way too much exposure to viruses. The Mac was not used for such activities.

    A clean operating system used for nothing but banking has a low prospect of acquiring a virus. Windows or Mac or Linux doesn’t matter.

    But the point of the article is still the same. NO NO NO NEVER any deviations.

    In that regard, that is why I use Ubuntu for my banking business, though Windows is my everyday operating system. I know when I am in Ubuntu that banking is all it is to be used for. Email is not even set up, either. If a different operating system keeps your head on straight, then it is helpful. If it were a dedicated Windows machine for me, the temptation would be constantly there to use it just like the other Windows machine. It is obvious we cannot trust the Internet, and I would assert it doesn’t pay to trust yourself either.

  22. d

    I got blasted the last time you reported on this topic by suggesting the business owner moves to a Mac. Of course, the fan boys targeted me.

    We don’t live in a perfect world. While it is wise to get a dedicated system for banking, I believe the condom analogy is always going to apply. Like Mr. Green, the one-time emergency will always arise. I still believe a Mac is going to help these business owners because I don’t believe that they are that computer savvy to begin with, especially in light of the ever-rising number of cyber criminals and their evolving expertise. Learning, knowing, and applying basic computer security is not the forte of the company’s boss; he is the boss so he can do what he wants, but not in today’s world. Even though I am not our company’s boss or CFO, I still created a LiveCD to see what it was like. If Macs ever become the number one target of these types of attacks, then I would say, switch to a Windows-based system. (…) Business owners should see a switch to a Mac as a way of staying safe and holding onto their money right now, instead of waiting to see if there is a safer and faster method down the road. Linux – most computer users still can’t pronounce the word.

    1. Bill

      You are pretty much right in what you said.

      I’m not a Mac fanboy or Linux fanboy by any means. I mean, I don’t use either at work or at home. But as security threats keep growing, looking for ways to get around security threats is smart.

      Windows is a great OS. It’s a tool. And when you need a tool to do a job, you use the best tool for the job. The job is online banking, and the best tool for that job is just about anything other than a Windows OS (as of right now).

  23. MowGreen

    “Using Windows for a Day Cost Mac User $100,000”

    The title of this article is the problem here, Brian. Your advice for online banking is sound, but if the title had stated “Use of a Non-banking Computer Cost a Businessman $100,000”, then it would not have set off the predictable OS debate.

    I agree that banks need to step up and provide more protection for small business accounts BUT Mr. Green’s choice to authorize a MONEY TRANSFER on a computer that his children use to install who knows what was beyond DUMB.

  24. Ted Lovejoy

    Simple solution, so simple and brilliant that I should go tell my bank and charge them for the idea, but… Each bank issues its own branded live CD with a browser that home pages to their online banking. Make it so it reboots the system after logging out from the bank’s web site. Duh.

  25. Dirk Nannes

    Let’s not blame it on the OS. Today most of the users are on Windows and we are seeing Windows-based malware, and tomorrow you might see Mac and Linux malware.

    Let’s solve the problem at ROOT itself.

    The only solution for this problem is out-of-band authentication using a mobile phone code. But maybe Zeus can beat it as well, just like the RSA token. Apart from this, banks have to set up sending a mobile verification code when a user adds a payee or modifies payee information. This should alert the customer and could solve problems.

    1. Mobile Phone authentication code for transactions

    2. Authentication code for add, edit payee information

  26. DH

    It looks as if the SEO-optimized headline did its job.

    Nothing to see here, move along.

  27. Franc

    @pwn2own they are still taking away Macs as a prize, so the Mac is also vulnerable.

    In this case, having tokens or (as I have for my private banking) a card reader (that uses the chip on my debit card) would have stopped this attack, as they would not have been able to transfer money a couple of days later.

    A lot of things went wrong here. Would a read-only CD have helped? Probably, but even these can be compromised (in memory) the moment the person using it would also have used it for other activities. So you would need a very narrow-band CD.

    But even here you can be in trouble if you run the CD on a machine where the network card has been hacked (not very likely at the moment, but who knows).

    Two-factor authentication would have prevented this days-after-the-fact theft.

  28. Dan

    Since the majority of people have mobile phones, wouldn’t switching from an older password-based technology to a two-factor authentication technology (like RSA SecurID, VeriSign, SMS text, etc.) pretty much fix this banking identity theft issue? That’s what I see at my bank and in my enterprise corporate environment.

    1. Terry Ritter

      “wouldn’t switching from an older password-based technology to a two-factor authentication technology (like RSA SecurID, VeriSign, SMS text, etc.) pretty much fix this banking identity theft issue?”

      Basically, no.

      2-factor has been suggested repeatedly, and has failed repeatedly. A running bot can be a man-in-the-middle inside the computer, between the user and the bank. Any authentication whatsoever can be demanded and passed through, and once the account is open, the bot has full access. It can even change displayed values to represent the old amounts. Many different approaches are possible.

      Perhaps some form of 2-factor would work, but what that might be is not at all clear. This is much trickier than it seems at first.

      The real problem is the bot infection. A hard-drive infection persists until the OS is re-installed. No tools exist which can certify a computer as clean for online banking. That leaves most of us pretty much between a rock and a hard place, unless we boot from DVD.

      1. Olgie

        What’s with this secrecy about how much money is in one’s account? Taxation office already knows what’s there (at least here in Australia). So you know how much I have in my account. Big deal. It’s not like you can get any of it. At best, you might get jealous. Or maybe you’ll have a chuckle.
        Whenever I transfer money to a new account, the bank requires that I get an SMS with a (one-time) code to verify the account addition. That code is only valid for a short period of time and can’t be used again. Any already existing account I transfer money to doesn’t require validation. So you’ve got a hot bot that can get into my account and transfer everything to my electricity supplier. That company is just going to write me a cheque for a refund, as I paid too much. As soon as you try to add a new account, I get an SMS on my mobile. Yes, in clear text, but only I see it. How would you go about sniffing mobile phone traffic to catch that SMS? The bank doesn’t know where my phone is at that point, and SMSes aren’t exactly broadcast across a network. My phone is my lifeline, so when I lose that, my phone number will be blocked pretty quickly.

        The bank also lets me control how much I can transfer at any one time on a day. Changing that setting requires, again, SMS verification. Changing the phone number, of course, requires SMS verification on my old number first.

        Looking at what’s available, I think my bank did a pretty decent job of securing my bank account and still managed to keep my life simple.

        1. Matt

          SMS authentication is better than nothing at all, which is what appears to have been happening in the article above. However, they are getting past the SMS, and there was actually a story about it in the Australian news recently. The primary method is contacting your phone company and forwarding all your calls, including SMSes, to a new number, their number. The authentication with phone companies is as simple as googling some basic personal information. A small Australian hacking gang was exposed doing this. Under anti-competition legislation, telecommunications companies are forbidden to make it difficult for a user to switch between companies (as users were being abused), and so the telecom companies can’t beef up this low-level authentication, nor do they really care to and pay for the extra admin. The next attack is phone trojans, which are popping up designed to steal the SMSes. There are actually a whole host of other attacks with SMS outlined on the security page of my website, too many to list here, but like I said, anything would have been better than nothing.
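The out-of-band code that Olgie describes above (a one-time SMS code for adding a payee, valid briefly and only once, with existing payees needing no code) and Terry Ritter’s objection earlier in this thread (a bot inside the browser can pass any authentication through and then act on the open session) can both be seen in a small bank-side model. The Python below is an added example by the editor, not code from the post, from any commenter or from any bank. It assumes an in-memory account, a 120-second code lifetime, a rule that a transfer to an unverified payee or one that pushes the day’s total over a limit needs a code, and, as the detail that answers Terry’s point, that the bank records the code against the exact payee and amount the customer asked for, so a transfer whose details were swapped after the code was issued is refused even when the code itself is genuine.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumptions for this model (not from the post): codes live two minutes
# and are six decimal digits, like the SMS codes the commenters describe.
CODE_TTL_SECONDS = 120
CODE_DIGITS = 6


@dataclass
class PendingApproval:
    """What the bank recorded at the moment it sent the code out of band."""
    payee: str
    amount_cents: int
    code: str
    issued_at: float
    used: bool = False


@dataclass
class Account:
    balance_cents: int
    daily_limit_cents: int                            # codeless transfers per day
    trusted_payees: set = field(default_factory=set)  # payees already verified
    pending: dict = field(default_factory=dict)       # approval_id -> PendingApproval
    spent_today_cents: int = 0


def issue_code(account, payee, amount_cents, now):
    """Bank side: remember the exact transfer the customer asked for and
    generate the one-time code.  Only approval_id would go back to the
    browser; the code leaves by the out-of-band channel (SMS in the thread).
    Returns (approval_id, code) so the example can play both roles."""
    approval_id = secrets.token_hex(8)
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    account.pending[approval_id] = PendingApproval(payee, amount_cents, code, now)
    return approval_id, code


def submit_transfer(account, payee, amount_cents, now, approval_id=None, code=None):
    """Bank side: decide whether to execute what the browser submitted.
    Returns (approved, reason)."""
    if amount_cents <= 0 or amount_cents > account.balance_cents:
        return False, "invalid amount"
    needs_code = (payee not in account.trusted_payees
                  or account.spent_today_cents + amount_cents > account.daily_limit_cents)
    if not needs_code:
        _execute(account, amount_cents)
        return True, "approved (verified payee within daily limit)"
    pending = account.pending.get(approval_id)
    if pending is None:
        return False, "no out-of-band approval for this transfer"
    if pending.used:
        return False, "code already used"
    if now - pending.issued_at > CODE_TTL_SECONDS:
        return False, "code expired"
    if code is None or not hmac.compare_digest(pending.code, code):
        return False, "wrong code"
    # The comparison a browser-resident bot cannot talk its way past: the
    # code only covers the payee and amount the customer saw when it was
    # issued, so details altered afterwards no longer match the record.
    if pending.payee != payee or pending.amount_cents != amount_cents:
        return False, "transfer details differ from the approved ones"
    pending.used = True
    account.trusted_payees.add(payee)  # the payee addition is now verified
    _execute(account, amount_cents)
    return True, "approved (out-of-band code verified)"


def _execute(account, amount_cents):
    account.balance_cents -= amount_cents
    account.spent_today_cents += amount_cents


def demo():
    """Walk through the situations the thread argues about; returns the
    (approved, reason) pairs so they can be inspected or asserted on."""
    acct = Account(balance_cents=10_000_000, daily_limit_cents=200_000,
                   trusted_payees={"ELECTRICITY-CO"})  # constructed sample data
    results = []
    # 1. Existing payee, under the daily limit: no code needed (Olgie's case).
    results.append(submit_transfer(acct, "ELECTRICITY-CO", 20_000, now=1000.0))
    # 2. New payee: customer receives a code and submits the same details.
    aid, code = issue_code(acct, "NEW-PAYEE-1", 150_000, now=1000.0)
    results.append(submit_transfer(acct, "NEW-PAYEE-1", 150_000, now=1030.0,
                                   approval_id=aid, code=code))
    # 3. The same code replayed (the daily limit is now exceeded, so a code
    #    is required again, and the used one is refused).
    results.append(submit_transfer(acct, "NEW-PAYEE-1", 150_000, now=1040.0,
                                   approval_id=aid, code=code))
    # 4. Terry Ritter's bot: the customer approved NEW-PAYEE-2, but the
    #    browser submits a different payee together with the genuine code.
    aid, code = issue_code(acct, "NEW-PAYEE-2", 150_000, now=2000.0)
    results.append(submit_transfer(acct, "SWAPPED-PAYEE", 150_000, now=2010.0,
                                   approval_id=aid, code=code))
    # 5. A code submitted after its window closed.
    aid, code = issue_code(acct, "NEW-PAYEE-3", 150_000, now=3000.0)
    results.append(submit_transfer(acct, "NEW-PAYEE-3", 150_000,
                                   now=3000.0 + CODE_TTL_SECONDS + 1,
                                   approval_id=aid, code=code))
    return results


if __name__ == "__main__":
    for approved, reason in demo():
        print("APPROVED" if approved else "REJECTED", "-", reason)
```

The `trusted_payees` set is what keeps Olgie’s existing payees code-free, and Terry’s objection is met only by the final comparison: a bank that checks the code alone still executes whatever transfer a bot substituted after relaying the real code.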

  29. Bill

    Build two bridges over a canyon.

    In the first bridge cut 5 man sized holes.

    In the second one cut 45 man sized holes.

    Which one would you rather cross? Which one is more “secure” ?

    No one is saying Mac or Linux is 100% secure. It’s just more secure than Windows, if for no other reason than it only has “5 holes” rather than “45 holes”.

    Of course the numbers 5 and 45 are random, just illustrating a point.
