Online Banking Trojan Stole Money From Belgians

hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.


  • Re:Pay attention (Score:2, Insightful)

    by StoneOldman79 ( 1497187 ) on Monday July 26, 2010 @05:10AM (#33027256)
    Entering some extra recognizable info in the 2-way factor authentication is indeed "the way to go".
    Account number is not that user friendly (and which number to enter if you have multiple transfers in one go?)
    My current online bank requires me to type in the amount of money to transfer as an extra fail-safe.
    This should be "good enough" for the near future.
    Sadly, many online banks do not have anything like this. Not implementing proper security and paying to "robbed" customers is apparently still the cheapest option.
  • Re:Pay attention (Score:3, Insightful)

    by ZeroExistenZ ( 721849 ) on Monday July 26, 2010 @05:13AM (#33027276)

    This should still be impossible if the user pays attention

    Well, you cannot expect the user to take this responsibility of "checking for a specific digit"; they'll go to the competition if the procedure is too "complex". Why is Apple booming? Not because of feature galore.

    You cannot imagine how many emails I get from "regular users" who entered their login details on some random webpage, resulting in an email to all contacts in the format "follow this link to see [facebook-style test results]", to be prompted to log in with your credentials and continue the chain.
    (I've given up on educating and sending a reply explaining how their credentials have been compromised.)

    And why wouldn't those people?

    It is similar to Microsoft's Passport or the Facebook implementation on webpages, which is pushed everywhere as "ease of use" and "seamless integration everywhere" (which, if with malicious intent, could hijack your accounts as well and get to your emails, banking details, or get creative and infect someone).

  • by phantomfive ( 622387 ) on Monday July 26, 2010 @05:24AM (#33027322) Journal
    Sounds like an excellent plan. One you can implement personally for yourself right now (I personally discourage all my family members from doing online banking from a windows computer). You can have your own personal terminal at your house that you use to connect to the bank. If you think it is an idea people will like, you can start a business setting up similar terminals for other people.

    As for your question, how long: banks will not start sending out terminals to all their clients until the cost of paying for fraud becomes higher than the cost of sending out terminals. Individual users will not start using them until the cost of not using them becomes great enough to overcome the laziness and annoyance of acquiring/using a separate terminal. If banks continue to pay them off like they did in this case, it is not likely to happen.
  • by Mattpw ( 1777544 ) on Monday July 26, 2010 @06:15AM (#33027570) Homepage
    Banks won't run the IT tech support required, and there's also the liability issues. Even if you could guarantee the software had no security bugs, the user can just as easily fall victim to phishing-type scams and then sue the bank. This is essentially the same problem with the bootable Linux LiveCD concept, which does guarantee no trojans getting into it but fails to prevent simple phishing. The tech support for all the different drivers and other things a person might use the terminal for would kill the bank. The other problem is banking rarely happens in a vacuum: a user wants their account program, their files, etc., and so locked devices become good for security demonstrations but impractical in real life.
  • by Rich0 ( 548339 ) on Monday July 26, 2010 @09:57AM (#33029206) Homepage

    Agreed. I'd envision the secure "credit card" of the future having the following mechanism of operation:

    1. You interface the card with a computer (via USB, acoustic modem for phone, one-wire, etc).
    2. The remote party sends the card a packet with who is to be paid (in the form of a bank certificate), and how much, and whether any kind of recurring transaction is authorized (with details on that if applicable).
    3. The card displays the transaction info on a display built into the card.
    4. The user approves the transaction by hitting an approve button and typing in a PIN using a keypad on the card.
    5. The card generates a certificate and sends it back to the remote party.
    6. The remote party confirms successful receipt of the certificate to the card.

    The remote party and the card communicate by SSL (using bank-signed certificates), so no MITM, although the algorithm should be fairly invulnerable to MITM anyway.

    If there is a transmission error the remote party just asks for a retransmission any time until step 6. The card and the bank would both spot likely duplications. You couldn't spoof the merchant name (Gooogle Innc) or anything like that since it comes via a bank certificate. Nothing is trusted outside the card itself, so no risk of trojans/etc.

    All it needs is a credit card with a battery, display, keypad, and small CPU optimized for crypto. I can't imagine that these are more expensive to produce than the cost of bank fraud.

    You could even have cards that function as digital wallets, handling multiple banks, government IDs, etc. All it takes are some standards, and the right CAs for the right data items.
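Worked example, added here and not part of the thread or of any bank's product: a small simulation of the card/bank exchange sketched in the six steps above, with the authorization code bound to amount and recipient as in the challenge scheme from the summary. HMAC keys stand in for the bank-signed certificates and the card's own key (an assumption), and all names, accounts, amounts and nonces are constructed.

```python
import hmac
import hashlib
# Constructed secrets: HMAC keys stand in for the bank-signed certificates and
# the card's signing key of the comment's design (assumption, not a real scheme).
BANK_KEY = b"constructed-bank-key-for-payee-certs"
CARD_KEY = b"constructed-per-card-key-shared-with-bank"
CARD_PIN = "1234"

def mac(key: bytes, *fields: str) -> str:
    msg = b"".join(len(f.encode()).to_bytes(2, "big") + f.encode() for f in fields)  # length-prefixed
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def payee_cert(name: str, account: str) -> dict:
    # Step 2: the payee arrives as a bank certificate, not free text a trojan can edit.
    return {"name": name, "account": account, "sig": mac(BANK_KEY, name, account)}

class Card:
    """Steps 3-5: verify payee, display it, PIN-gate, sign nonce+account+amount as shown."""
    def __init__(self):
        self.seen = set()
    def authorize(self, pkt: dict, pin: str, approves):
        p = pkt["payee"]
        # Refuse a spoofed payee, a replayed "re-enter" request, a wrong PIN, or an unintended display.
        if not hmac.compare_digest(p["sig"], mac(BANK_KEY, p["name"], p["account"])) \
                or pkt["nonce"] in self.seen or pin != CARD_PIN or not approves(p["name"], pkt["amount"]):
            return None
        self.seen.add(pkt["nonce"])
        return mac(CARD_KEY, pkt["nonce"], p["account"], pkt["amount"])

class Bank:
    """Step 6: recompute the code for the transaction that will actually be executed."""
    def __init__(self):
        self.used = set()
    def verify(self, pkt: dict, code) -> bool:
        expected = mac(CARD_KEY, pkt["nonce"], pkt["payee"]["account"], pkt["amount"])
        if code is None or pkt["nonce"] in self.used or not hmac.compare_digest(code, expected):
            return False  # missing, duplicated, or made for another amount/recipient
        self.used.add(pkt["nonce"])
        return True

def run_scenarios() -> dict:
    """Legit transfer vs. the trojan's swapped recipient, reused code and replayed nonce."""
    card, bank = Card(), Bank()
    intended = lambda name, amt: (name, amt) == ("Shop BVBA", "25.00")  # what the user meant
    legit = {"nonce": "n1", "payee": payee_cert("Shop BVBA", "BE11"), "amount": "25.00"}
    mule = {"nonce": "n2", "payee": payee_cert("Mule", "BE99"), "amount": "4000.00"}
    code = card.authorize(legit, CARD_PIN, intended)
    return {"legit": bank.verify(legit, code), "code_reused_for_mule": bank.verify(mule, code),
            "mule_shown_on_card": card.authorize(mule, CARD_PIN, intended) is not None,
            "nonce_replayed": bank.verify(legit, code)}
```

Only the first scenario succeeds: a code made for one amount and recipient is useless for another, the card's display lets the user refuse the mule transfer, and both sides spot the duplicated nonce.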
