Online Banking Trojan Stole Money From Belgians
hankwang writes "Belgian authorities uncovered an international network of online banking fraud (Google translation; Dutch original), which has been going on since 2007. The fraud targeted customers of several major banks, which used supposedly secure two-factor systems that require the customer to generate authorization codes from transaction information (random code and amount or recipient's account number) that is manually keyed into a cryptographic device (Flash demo from one of the banks; manufacturer's website). Trojan horses that were planted onto the victims' computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe. The worrying part is that many cases were never reported to the police, because the bank preferred to refund the money to the victim rather than risking its reputation. The extent of this type of fraud is unknown." The article mentions in passing that similar crimes are occurring in Germany and Sweden.
sweden??? (Score:5, Informative)
The article does not even mention the word Sweden or Zweden. It does however mention Denmark, which is not equal to Sweden.
Re:sweden??? (Score:4, Funny)
We apologise for the fault in the Post (Score:1, Funny)
People (Score:1, Interesting)
Regardless of the effort or complexity, every security system has one inherent flaw.
Re: (Score:3, Informative)
The article doesn't say that the trojan was written for Windows either. Are you under the mistaken belief that there are no trojans out there for OSX or Linux?
Re: (Score:1)
Of course you can write a trojan -- or any other sort of malware -- targeted at Unix. Unix has the same architecture and pretty much the same vulnerable technologies as NT based Windows. But so far, few people have bothered. But for the time being, security through obscurity -- plus the difficulty of writing low level code that works reliably with seventy or so different Unix distributions -- protects Unix users.
That won't last of course.
Prediction: First we'll see malware targeting Ubuntu. Then malwar
Re: (Score:3, Informative)
WTF? sure, they both run on computers (usually x86) but there's fundamental differences in everything from the kernel to the drivers!
Re: (Score:2)
Re: (Score:2)
You seem to be lagging behind in your predictions somewhat. There have already been several stories this year about OSX trojans being discovered in the wild. This [osnews.com] was the first hit on Google just now, there are many others.
OS-X has much bigger market-share than any of the linux distros so it makes sense it would be the first target. Once more of these are established I would expect more linux distros to be targeted, and then finally the emergence of unix-wide trojans.
Re: (Score:2)
Pay attention (Score:1, Interesting)
This should still be impossible if the user pays attention. The user could be tricked into re-entering the amount or the recipient's account number repeatedly. But for the attack to be successful, the victim has to be tricked into entering the attacker's account number at some point. Before, the login procedure could be hijacked (since it required a challenge of a random number), but these days that should be a recognizable number, for example starting with a specific digit.
Re: (Score:2, Informative)
Potentially even more worrying is that this system is now also being applied to online payments using my Dexia VISA card, which is more vulnerable still because it originates at the merchant's site, and isn't always so easy to verify.
Re: (Score:2, Insightful)
Account number is not that user friendly (and which number to enter if you have multiple transfers in one go?)
My current online bank requires me to type in the amount of money to transfer as an extra fail-safe.
This should be "good enough" for the near future.
Sadly, many online banks do not have anything like this. Not implementing proper security and paying to "robbed" customers is apparently still the
Re: (Score:1, Interesting)
Each (new) account number should be challenged.
Like I said earlier, the biggest problem was the login challenge, but using a fixed prefix (not shared with any account numbers) is enough to avoid the login from being used to get the correct response for the attacker's account number. I don't think this news is about a technical weakness but rather about customers using a system they haven't quite understood.
Re: (Score:2)
Each (new) account number should be challenged.
There are devices that ask you questions like: "Do you want to transfer 100 Crowns to the account of Emj"; they just cost a lot more (like $10 more?). Your scheme is already being used on most devices I've seen, but users don't understand it; they even miss that they are not using an encrypted connection.
Re: (Score:2)
An amount of money is not good enough, because the attacker just needs to see what amount you want to transfer and steal that amount for himself.
Re: (Score:3, Insightful)
Well, you cannot expect the user to take on this responsibility of "checking for a specific digit"; they'll go to the competition if the procedure is too "complex". Why is Apple booming? Not because of feature-galore.
You cannot imagine how many emails I get of "regular users" who entered their login details on some random webpage resulting in a email to all contacts in a format "follow this link to see [facebook-style test results]" to be prompted to l
Re: (Score:1, Interesting)
My bank simply states during the login that the login challenge number always starts with the digit 9.
Unless I pay attention to that, I could be on a fake site displayed by a trojan that challenges an attacker's account number. There is no practical way to prevent that. The system is "safe enough" even with ignorant users, and really safe with attentive users. It has worked for 15 years without big problems. To put things in perspective, ATM fraud and card skimming probably steal more money every minut
Re: (Score:2)
Re: (Score:2)
If a trojan has control of your browser, what it sends to the bank doesn't have to be what you typed into the account field...
Re: (Score:2, Informative)
If a trojan has control of your browser, what it sends to the bank doesn't have to be what you typed into the account field...
No, the user types the recipient's bank account number into his Digipass device in order to generate an authentication code.
During a legitimate transaction, the website will tell you
Enter the challenge code 138427, then the amount in euro 5600, then the recipient bank account number 98765432 into your card reader and enter the authorization code in the field below.
However, a trojan could transform that into:
The authorization code was incorrect. For extra security, enter the following three challenge c
Re: (Score:2)
If the device requires only the last digit of the account number, you need a total of 10 money mules to capture money from all infected people.
Re: (Score:2, Interesting)
Not unique to Belgium (Score:4, Interesting)
There is a similar scam doing the rounds in the UK targeting Nationwide, which uses a rather predictable 2-factor (the amount of money and last digits of the destination account are used as a challenge).
The scam apparently asks you to "resync" your challenge device. If you do you end up sending a sum of money to a money mule.
Re: (Score:1)
Re:Not unique to Belgium (Score:4, Informative)
No, but Nationwide has been using nagware banners that tell the customers that they NEVER ask them to resync the device for a few months now. From there on to deduce what the scam is is fairly trivial. Even if the scam was not around when they started the hint contained in the warning is sufficient for anyone clued up enough to design the relevant trojan by now.
Re: (Score:2)
Re: (Score:2)
Around here banks have limited the transactions for such "two factor" signing schemes to near nothing in favor of RSA based digital signing schemes that require you to use a pass-coded certificate on a chip card, that is also your national ID card, or a certificate on your cellphone SIM linked to the ID-card one.
So? That doesn't solve the problem. You still have to enter the amount and destination account number into an external device which then does the signing... otherwise how can you be sure what you are signing, if your PC is compromised and anything on your screen could come from attackers?
And, you have to be educated to what the numbers you enter mean, so that you cannot be scammed into sending money to someone else.
Re:Not unique to Belgium (Score:4, Insightful)
Agreed. I'd envision the secure "credit card" of the future having the following mechanism of operation:
1. You interface the card with a computer (via USB, acoustic modem for phone, one-wire, etc).
2. The remote party sends the card a packet with who is to be paid (in the form of a bank certificate), how much, and whether any kind of recurring transaction is authorized (with details on that if applicable).
3. The card displays the transaction info on a display built into the card.
4. The user approves the transaction by hitting an approve button and typing in a PIN using a keypad on the card.
5. The card generates a certificate and sends it back to the remote party.
6. The remote party confirms successful receipt of the certificate to the card.
The remote party and the card communicate by SSL (using bank-signed certificates), so no MITM, although the algorithm should be fairly invulnerable to MITM anyway.
If there is a transmission error the remote party just asks for a retransmission any time until step 6. The card and the bank would both spot likely duplications. You couldn't spoof the merchant name (Gooogle Innc) or anything like that since it comes via a bank certificate. Nothing is trusted outside the card itself, so no risk of trojans/etc.
All it needs is a credit card with a battery, display, keypad, and small CPU optimized for crypto. I can't imagine that these are more expensive to produce than the cost of bank fraud.
You could even have cards that function as digital wallets, handling multiple banks, government IDs, etc. All it takes are some standards, and the right CAs for the right data items.
Re: (Score:1)
And, does it work with Linux? In my country they want to do the same thing, but I'm not going to play along if it requires me to run Windows or Mac OS X.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
uses a rather predictable 2-factor (the amount of money and last digits of destination account are used as a challenge).
What's the second factor?
How long until..... (Score:3, Interesting)
Re: (Score:3, Insightful)
As for you question, how long: banks will not start sending out terminals to all their clients until the cost of p
Re: (Score:2)
Re: (Score:1, Interesting)
You can't prevent DOS type attacks, but you can prevent man-in-the-middle attacks (or at least make them useless) by strong end-to-end encryption. However, the encryption key would not be safe if it was on a USB stick... unless the USB stick in turn is encrypted with a password that the user must enter. Ok, that would work. Unless the attacker patches the BIOS to insert a keylogger or something.
Re: (Score:1)
Surely an even better idea would be some kind of read-only VMWare Appliance (or similar). User clicks a link on their desktop which launches a program that checks the VMWare image hasn't been tampered with (CRC and md5 or something like) and then boots a basic Linux VM which opens a kiosk-mode browser that goes straight to your online banking. Couple that with a proper two-factor hardware token and that should be good enough for most things. If the VM/Browser had draconian checks on things like SSL certific
Re: (Score:2)
Surely an even better idea would be some kind of read-only VMWare Appliance (or similar). User clicks a link on their desktop which launches a program that checks the VMWare image hasn't been tampered with (CRC and md5 or something like) and then boots a basic Linux VM which opens a kiosk-mode browser that goes straight to your online banking. Couple that with a proper two-factor hardware token and that should be good enough for most things.
When you click the link on the desktop, how do you know it is really booting the kiosk-mode image, and not just pretending to? This is not a solution, you would need some kind of trusted boot process, and a reboot. Honestly a little cheap, offline device with a key in it and a little screen and keypad for entering the transaction to sign (or at least a screen to display the transaction) seems simpler and safer.
VM? (Score:2)
I'm too lazy to think this through, but intuition says running a safe guest inside a compromised host isn't going to protect you. Motherboard firmware is already being tampered with too, as another poster pointed out. I really do think a stand-alone machine with dedicated hardware, locked down to do that one thing, is in order. The final user wouldn't even have root (sounds kinda like an i-anything). I'd not do the read-only thing, so that signed security updates can be installed from the creator. It's a weak-
Re: (Score:2)
Rebooting the machine to do just banking? Joe Average User is not going to do that.
Also, what exactly makes you sure that you have booted your USB stick directly and not in a VM? The technique of loading a hypervisor first before loading the supposedly hardened machine has already been demonstrated a while back. A small hypervisor + control software is the ultimate super-trojan. Works with Windows, works with Linux, works with anything. It is not that difficult to implement either. Each drive has reserved sp
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:2)
dedicated smartphone apps [..] blessed by the smartphone manufacturer(apple,google,rim etc).
There goes software freedom, there is no room for user created software on a phone that is used to identify you to your bank.
Re: (Score:3, Interesting)
There is a system that is currently (AFAIK) uncrackable. Details of the transaction you sign are sent back to you through SMS with authorization code. So you know the transaction has been hijacked if the SMS contains wrong data. The code is one-use, generated by bank upon submitting the transaction for authorization.
(of course this may still fall victim to people not reading the SMS beyond the auth code...)
I guess it could be hackable if the attackers could hijack the owner's phone (make a clone of the SIM
Re: (Score:1)
Re: (Score:2)
Nope, the girl asks what your phone account management code is. This is how it works with all operators in my country. If it's a birthday in your country, it's completely retarded.
Re: (Score:1)
Re: (Score:2)
1) Please send it to my mailing address. I have requested over and again that I do NOT consent to ANY telemarketing.
2) Well, please do. I just performed it. I can give you the number I just used (it's been used up and it can only confirm that particular transaction anyway). I don't really see them being able to obtain anything of use to them.
3) So they can DoS the transaction by cancelling the codes I receive. They still don't get me to sign transactions they want to perform.
The possible scenario for hijack
Re: (Score:2)
And of course a legal battle started over liability between the bank and phone provider (not sure how or if it ended). Sure, the phone provider should not have given the SIM-card out, but does it follow that they ar
Re: (Score:2)
There is a system that is currently (AFAIK) uncrackable. Details of the transaction you sign are sent back to you through SMS with authorization code.
In Netherlands, ING uses this system, but for some reason, the SMS includes only the total amount and not the recipient's identity. A trojan could simply wait until you try to transfer a large sum, and then make you sign for the same amount to the money mule.
Apart from that, if your phone gives you access to your bank account, then you have to treat it as a credit card: never lend it out, always immediately have the SIM card blocked if you lose the phone.
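The Digipass prompt quoted earlier in the thread (challenge, amount, full recipient account) and the ING SMS code described just above (amount only) differ in which fields the authorization code is bound to. The following Python model is an added example, not code from the page or from any bank: it assumes a constructed shared device secret and uses truncated HMAC-SHA256 as a stand-in for the proprietary reader algorithm, and checks on the bank side whether a code generated for the intended recipient still verifies once the browser submits a different account number.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed placeholder: in a real deployment this secret lives only in the
# customer's reader/card and in the bank's HSM. Not a real key.
DEVICE_SECRET = b"example-device-secret-for-illustration-only"


def _code(secret: bytes, *fields: str) -> str:
    """Six-digit authorization code over the keyed-in fields.

    HMAC-SHA256 truncated to six decimal digits is an assumed stand-in for the
    proprietary algorithm inside a real reader; only the field binding matters here.
    """
    msg = "|".join(fields).encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def code_full(secret: bytes, challenge: str, amount: str, account: str) -> str:
    """Reader keyed with challenge, amount and the full recipient account number."""
    return _code(secret, challenge, amount, account)


def code_amount_only(secret: bytes, challenge: str, amount: str) -> str:
    """Variant binding only the amount (the SMS code described for ING above)."""
    return _code(secret, challenge, amount)


def code_last_digit(secret: bytes, challenge: str, amount: str, account: str) -> str:
    """Variant binding only the last digit of the account number."""
    return _code(secret, challenge, amount, account[-1])


@dataclass
class Transfer:
    challenge: str
    amount: str
    account: str   # recipient the bank will actually credit
    code: str      # authorization code the customer typed into the web form


def bank_verify(scheme: str, secret: bytes, t: Transfer) -> bool:
    """Bank-side check: recompute the code from the submitted fields under `scheme`."""
    if scheme == "full":
        expected = code_full(secret, t.challenge, t.amount, t.account)
    elif scheme == "amount_only":
        expected = code_amount_only(secret, t.challenge, t.amount)
    elif scheme == "last_digit":
        expected = code_last_digit(secret, t.challenge, t.amount, t.account)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(expected, t.code)


def substitution_survives(scheme: str, intended: str, substituted: str) -> bool:
    """Does a code the customer generated for `intended` still verify when the
    submitted transfer names `substituted` as recipient? True means the bank's
    check does not bind the recipient, so the scheme cannot detect the swap."""
    challenge, amount = "138427", "5600"   # the sample prompt quoted in the thread
    if scheme == "full":
        code = code_full(DEVICE_SECRET, challenge, amount, intended)
    elif scheme == "amount_only":
        code = code_amount_only(DEVICE_SECRET, challenge, amount)
    else:
        code = code_last_digit(DEVICE_SECRET, challenge, amount, intended)
    honest = bank_verify(scheme, DEVICE_SECRET, Transfer(challenge, amount, intended, code))
    assert honest, "sanity: the customer's own transfer must always verify"
    return bank_verify(scheme, DEVICE_SECRET, Transfer(challenge, amount, substituted, code))


if __name__ == "__main__":
    intended = "98765432"   # recipient from the prompt quoted in the thread
    # Constructed alternative recipients; the last one shares only the final digit.
    for scheme, other in [("full", "12345678"),
                          ("amount_only", "12345678"),
                          ("last_digit", "12345672")]:
        print(f"{scheme:12s} substitution verifies: "
              f"{substitution_survives(scheme, intended, other)}")
```

Note that none of the schemes can tell the bank which account number the customer was told to key in, which is why the "re-enter your code" trick in the story works even under full binding.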
Re: (Score:2)
Agreed, the amount alone is nowhere near enough. A hijacker can just replace target account number while retaining the amount. This one gives 4 first and 4 last target account number digits, so it's quite impossible this could be hijacked.
Using SMS to control the bank account requires a separate PIN, different than anything else.
Re: (Score:2)
The next best thing would be a dedicated live-CD for online banking. There is Bankix http://www.heise.de/ct/projekte/Sicheres-Online-Banking-mit-Bankix-284099.html [heise.de], but afaik only in German.
Re: (Score:2)
Will the bank also charge $54 for 'shipping'?
Don't fall for these eBay scam prices. They advertise low low prices with exorbitant 'shipping' charges to a) fool you into thinking this is a really good deal and b) pay lower eBay fees (which are based on a percentage of the purchase price, not the 'shipping' fees).
Re: (Score:2)
Re: (Score:2)
You could do it right now. Netbooks are cheap and easy things to get; just install your favorite Linux and you're done. Not as cheap as your dedicated banking terminal, but
Re: (Score:2)
How long until we move to using dedicated terminals to access our online banking.
What? You mean like those things you see at a bank?
Dutch original? (Score:2)
I'd say if it was Belgium, rather than the Netherlands, then the language in question was Flemish.
Re:Dutch original? (Score:5, Informative)
Flemish is a dialect of the Dutch language. I know, dialect is generally a political rather than a linguistic term, but:
- The official languages of Belgium are Dutch and French (and German...), not Flemish and Walloon
- The written languages are identical (except for some idiom)
- People can understand each other without effort (except for heavy local dialects, which is the same in most languages)
- Anecdotally, I think the within-country dialectal differences (e.g. standard Dutch versus Limburgs, Twents; "standard Flemish" vs. West-vlaams etc) are as great as or greater than the between-country differences.
you should see Dutch and Flemish the way you see British English and American English, minus the spelling differences.
Re: (Score:2)
- The official languages of Belgium are Dutch and French (and German...), not Flemish and Walloon
french - but with differences, well 17 for one.
you need to understand the derivation (Score:2, Funny)
although true of all the low countries, belgium is yet more cold and clammy and humid than the netherlands. this means people generally have a lot of mucus build up in their airways. so in belgium they speak their dutch with a more guttural, throaty idiom
thus, they speak "phlegmish"
Re: (Score:2)
Actually, no. It's not that simple. American English and British English is a terrible, terribly deceptive comparison. A working class person who grew up in Gent 60 years ago, cannot necessarily understand someone from Antwerp-- and that's just Flemish/Flaams.
For that matter, at least 20-30 years ago, a Genterner might have some serious difficulties with what was spoken in the surrounding villages. (Hint: hij, zij, jij are not entirely Genterner).
There are plenty of arguments that Flaams is a se
Re: (Score:2)
All those are just dialects of Dutch. The official language of Flanders is Dutch (Algemeen Nederlands) and the version that is used in official communication (i.e. law texts) is not sufficiently different from the Dutch spoken in The Netherlands to call it a different language (which is the point the GP was making). The dialects you're talking about are never spoken between people from different cities (i.e. if someone from Ghent tries to communicate with someone from Antwerp, they'll use the Dutch they wer
Re: (Score:2)
Thanks for the clarification - I can't believe quite how wrong I had that.
Re: (Score:3, Informative)
No, Belgium has three official languages: Dutch, French, and German (the first two account for the bulk of Belgian people). There are three dialect families of Dutch in the Dutch-speaking part of Belgium: Flemish ('Vlaams'), Brabantic ('Brabants'), and Limburgish ('Limburgs'). Sometimes all of these are lumped together under the nomer of 'Flemish', which is not really accurate.
Anyhow, Flemish is certainly not a different language, and the language you find in written communication, such as the newspaper art
Re: (Score:1, Funny)
<homer>stupid Flanders.</homer>
Re: (Score:2)
Bent u Flaaams?
Belgium is a political entity which may not exist in six months, a fact that has something to do with all of these questions.
The situation is thus quite more complex, as the cultural and linguistic lines are not quite so easily found-- and because Dutch is a historical imposition and the people whom the Dutch colonized were, after all, speaking their own languages before people showed up and put swords to their throats.
Equally, the "French speaking majority" (itself a colonized group) wa
Note the fraud dates from 2007 (Score:2, Interesting)
The fraud dates from 2007, but it didn't go unnoticed for 3 years. The investigation took 3 years to complete because in Belgium the police does its job properly.
Re:Note the fraud dates from 2007 (Score:4, Informative)
For sufficiently small values of "properly".
http://onlyinbelgium.eu/belgiums-finest/no-biggie-really [onlyinbelgium.eu]
http://ellisctaylor.homestead.com/belgiumpaedophilescandal.html [homestead.com]
http://onlyinbelgium.eu/belgiums-finest/sure-help-yourself [onlyinbelgium.eu]
Money-Mules (Score:4, Interesting)
I can at least attest that the search for money-mules is getting more and more aggressive and annoying here. Everybody thinking of making some easy money that way should think again. If the original target goes to the police, the money-mule will have to refund the full amount of money lost and likely will get punished. The reason is that courts typically rule that the fraudulent nature of the job was obvious and hence the money-mule is an accomplice.
Re: (Score:2)
Brian Krebs [krebsonsecurity.com] is the go-to guy for backstory on the mules. Mules have to look "honest" to a banking system, so they are really the tech-savvy unemployed being exploited by the mafia.
In a more depressing story the cost of Online fraud [krebsonsecurity.com] is charting to be almost 1B USD in a few years
Nobody is reporting that this is not being shown on the balance sheets ... where are the Untouchables [fbi.gov] when we need them.
Really good Flash demo (Score:3, Funny)
That's an excellent Flash demo. For some reason it asked for my account number and password. It's on a safe site so I went ahead and entered it, but it gave some kind of error.
PassWindow could have prevented this (Score:1)
Re: (Score:3, Interesting)
My Passwindow method could have prevented this and cost practically nothing to implement too,
I suppose you mean http://www.passwindow.com/index.html [passwindow.com] ?
As far as I can tell, there are two problems with this:
Re: (Score:1)
Re: (Score:2, Informative)
As Zaphod would have said (Score:2)
Oh. Belgium!
Belgian police does not care about online crime (Score:1, Interesting)
I'm from Belgium, I rather big websites and I reported fraud a couple of times; they replied to me with this:
> We can't keep ourself occupied with 'things like this'.
So the part about it being unreported might just be "undocumented".
Fancy authentication protocols (Score:1)
I don't know. (Score:2)
I'm torn between pity and some sort of vague feeling that justice has been served upon the Belgian public.
On the one hand, nobody wants to see someone taken advantage of, and on the other, they *do* share a border with the Dutch.
Re: (Score:2)
Re: (Score:1)
*Works on any device irrespective of OS or software.
*Doesn't matter if a trojan or malware is present on the device; assumes malware is present.
*Costs practically nothing to implement.
*Not vulnerable to phone based extensions of the above attack where users are called and socially engineered out of their authentication keys.
Re: (Score:2)
Most cards say "Property of the bank, must be returned on demand" yadda yadda on the back. That given:
Dear Bank User,
As per the Terms of Services* in effect on your account on the date you signed up, we must request your bankcard be returned to the following address for security purposes.
Please fill out the attached form, including PIN numbers and mail it to the addre
Re: (Score:1)
Still its an in
Re: (Score:2)
Late reply, I know.
When I was young, a carder conned me in to being a mule for a single shipment.
He had me find an empty house near myself, and post a note on the door. "UPS, I've moved, but I'm still in town. I forgot to update my address with $computer_company and accidentally had my order shipped here. Please put it on the back deck. -$victim."
I grabbed a box of about a dozen Lite-ON CD-RW drives and reshipped 11 to random addresses. Never heard from that guy again.
Thank god I was like 13. Looking back,
typical bank behavior.. (Score:1)
This is typical banking behavior when it comes to investigating fraud: they can not really prove THE CLIENT's COMPUTER was at fault...
so once they see the problem being fraud in another country while the person is still here, they just block the card and refund whatever money they lost, and still the banks are showing all-time high profit margins... go figure... makes you wonder just how much they really need to up their service charges for transactions all the time...!
Trojan horses... (Score:1)
English article (Score:2)
This is from the news site of one of the major Belgian television/radio groups (VRT); they have a selection of articles in English.
Belgian investigators expose fraud
http://www.deredactie.be/cm/vrtnieuws.english/news/100724_bank_fraud [deredactie.be]
Battle.net (Score:1)
Encrypted demo? (Score:2)
overschrijvingen ondertekenen?
C'mon, someone please post an un-encrypted version of the flash demo.
Re: (Score:1, Funny)
Are you saying that there is another land outside America? That America is not the one and only inhabited ground on this planet, and that anywhere else there are not just aliens or eventually oil but also other human beings?
That's impossible. Another lie of those freaky evolutionists.
Re: (Score:2)
Stop acting so self important about the name of your country in other languages. Do Germans complain that their country is called Germany in English or Allemagne in French instead of Deutschland? Are Russians upset that their capital is called Moscow in English instead of Moskwa? Are Americans upset that you call their country Vereenigde Staaten? No, they couldn't care less. Your collective loathing for / envy towards one of your provinces is your own business, don't expect anyone else to care about it. The
Re: (Score:2)
Re: (Score:2)
Calling the Netherlands Holland only shows ignorance and arrogance, deal with it.
Most Dutch people I've asked don't really care, and in many of the surrounding countries Holland is by definition the same as the Netherlands.
Re: (Score:2)
Pffff, somebody pissed in your cheerios this morning, jeez.
It is the same when we say America and then you counter that with The United States of America since America is more than North America alone.
And we technical people like to be technically correct, so the AC is 100% correct.
Calling the Netherlands Holland only shows ignorance and arrogance, deal with it.
Well no, the Dutch name is Nederland, not 'The Netherlands'. To be absolutely 100% pedantic, 'The Netherlands' refers to a region, not to a country. There is no basis whatsoever for pouncing on every single mention of the word 'Holland' on the internet and telling English speakers to prefer one word over another in their own language!
Do English speakers tell you to say 'Wat zeg je?' instead of 'wablief'? The whole concept is ridiculous.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
but when on vacation in the US, very few people could identify that as a city in the Netherlands. (Let alone realized that "Holland" and "the Netherlands" are - incorrectly - synonymous.)
Who'd have known I'd defend stereotypical US ignorance, but as a German, I didn't know the distinction between Holland and Netherlands, either. Both names are pretty much used as synonyms around here.
Anyway, a few Wikipedia articles later I now know the distinction. I'm a bit surprised that Holland isn't actually the name of the country. Then again, I knew what Benelux stands for, so that should have been a clue.
There is no distinction. The poster is trying to elevate a very minor, petty, internal cultural grievance between the south and the north of their country to an issue of international importance.
The tiresome OP's cliché about the 'stereotypical American ignorance' is the only reason I even replied. How many Europeans can point out Columbus, Fort Worth or Jacksonville, you think? Why would you expect Americans to know much about a city of similar size on another continent?