Online Banking Trojan Stole Money From Belgians 144
hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.
People (Score:1, Interesting)
Regardless of the effort or complexity, every security system has one inherent flaw.
Pay attention (Score:1, Interesting)
This should still be impossible if The user pays attention. The user could be tricked to re-enter the amount or the recipients account number repeated times. But for the attack to be successful, the victim has to be tricked into entering the attackers account number at some point. Before, the login procedure could be hijacked (since it required challenge of a random number) but these days that should be a recognizable number, for example starting with a specific digit.
Not unique to Belgium (Score:4, Interesting)
There is a similar scam doing the rounds in the UK targeting nationwide which uses a rather predictable 2-factor (the amount of money and last digits of destination account are used as a challenge).
The scam apparently asks you to "resync" your challenge device. If you do you end up sending a sum of money to a money mule.
How long until..... (Score:3, Interesting)
Re:Pay attention (Score:1, Interesting)
Each (new) account number should be challenged.
Like I said earlier, the biggest problem was the login challenge, but using a fixed prefix (not shared with any account numbers) is enough to avoid the login from being used to get the correct response from the attackers account number. I don't think this news is about a technical weakness but rather about customers using a system they haven't quite understood.
Note the fraud dates from 2007 (Score:2, Interesting)
The fraud dates from 2007, but it didn't go unnoticed for 3 years. The investigation took 3 years to complete because in Belgium the police does its job properly.
Re:Pay attention (Score:1, Interesting)
My bank simply states during the login that the login challenge number always starts with the digit 9.
Unless I don't pay attention to that I could be on a fake site displayed by a trojan that challenges an attackers account number. There is no peactical way to prevent that. The system is "safe enough" even with ignorant users, and really safe with attentive users. It has worked for 15 years without big problems. To put things in perspective, ATM fraud and card skimming probably steals more money every minute than this type of attack does in a year.
Money-Mules (Score:4, Interesting)
I can at least attest that the search for money-mules is getting more and more aggressive and annoying here. Everybody thinking of making some easy money that way should think again. If the original target goes to the police, the money-mule will have to refund the full amount of money lost and likely will get punished. The reason is that courts typically rule that the fraudulent nature of the job was obvious and hence the money-mule is an accomplice.
Re:Pay attention (Score:2, Interesting)
Re:How long until..... (Score:1, Interesting)
You can't prevent DOS type attacks, but you can prevent man-in-the-middle attacks (or at least make them useless) by strong end-to-end encryption. However, the encryption key would not be safe it it was on an USB stick... unless the USB stick in turn is encrypted with a password that the user must enter. Ok, that would work. Unless the attacker patches the BIOS to insert a keylogger or something.
Belgian police does not care about online crime (Score:1, Interesting)
I'm from Belgium, i rather big websites and i reported fraud a couple of time, they replied to me with this:
> We can't keep ourself occupied with 'things like this'.
So the part about it being unreported might just be "undocumented".
Re:How long until..... (Score:3, Interesting)
There is a system that is currently (AFAIK) uncrackable. Details of the transaction you sign are sent back to you through SMS with authorization code. So you know the transaction has been hijacked if the SMS contains wrong data. The code is one-use, generated by bank upon submitting the transaction for authorization.
(of course this may still fall victim to people not reading the SMS beyond the auth code...)
I guess it could be hackable if the attackers could hijack the owner's phone (make a clone of the SIM card?) and learn the password at the same time.
Re:PassWindow could have prevented this (Score:3, Interesting)
My Passwindow method could have prevented this and cost practically nothing to implement too,
I suppose you mean http://www.passwindow.com/index.html [passwindow.com] ?
As far as I can tell, there are two problems with this: