Hackers outwit online banking identity security systems

Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned.

~ BBC News Technology

'Man in the Browser' attack

Online banking fraud losses totalled £16.9 million in the first six months of 2011, according to Financial Fraud Action UK.

In the UK, banks usually refund victims of online fraud as a matter of course.

Banks and experts say customers must continue using online security anti-virus products.

 

no, users allow themselves to be outwitted. again

 

My bank has its own email system, the bank says its secure but I think it must be just like the rest of they're web site....full of holes. They're dropped pages everywhere pages that lead to unfinished pages. Then stone walled when you complain.

 

No, customers have to stop being stupid.

 

Expose the situation to the Internet! Provide the evidence and they shall not deny your greatness!

 

I'm just glad that I don't bank online ... yet.

 

not a great article.
does not explain what this new super malware does !

 

I've never (yet) run into this one, but hopefully it'll conspicuous enough of a change from my normal online-banking routine to catch my attention.

And no email to or from the bank should be an engraved-in-stone rule. In my case, the only exception is that I'll forward to their security dept. a copy of any particularly well-crafted phishing email I receive (usually caught and quarantined by my ISP anyway), since they like to investigate those.

(Edit, almost forgot) My bank, TD Canada Trust, is one more which guarantees reimbursement for loss to online fraud.

 

What do you expect from a news website? How is this new anyhow?

 

Yes, this is the BBC News, after all. I just thought it might be interesting.

 

I've been banking online since 2003.

Really not new but par for the Beeb.

 

Do you get a little virtual piggy bank for long-time customer service?

"While the tactic is understood in security circles, it is doubtful that many consumers are aware of it, so the BBC Click investigation is welcome in helping to publicise the issue."

Auntie Beeb strikes another blow against the bad guys!

 

I watched the TV program and it went into a lot more detail than the news article that appears on the BBC/UK tech site and on the click site. There was a lot in the program to be concerned about. It was not just another irresponsible user and a hacker waiting in the shadows for the idiot to take the bait.

On the TV program they set up a couple of PCs to test a legitimate online banking site being used by an online banking client who falls victim to the zeus trojan. The client's PC also had an up-to-date well known anti-virus program running. The anti-virus vendor was present for the test. The AV did not recognize, intercept or stop any of the user's activity. The trojan delivered account details and passwords to the hackers PC and the client's accounts were accessed. Money was transferred. Online statements were spoofed so all looked OK. The user was totally unaware as to what was actually happening, so was the bank and the AV vendor while the transactions were taking place.

It was noted that the bank's back-end security would have flagged this activity as abnormal, but in the test it did not take any action. It would have been up to the client to approach the bank with proof that the account had been hacked. It was explained that the bank's security monitors abnormal activity, but it does not take any real-time action on behalf of the client. It doesn't even contact the client to call the bank.

What I found the most telling was the long list of AV vendors that also failed their test (big names) ... which you can only see in the TV program. They list them all. I think there were only 4 AV houses that prevented the user from entering their banking information. They too are listed. At the end of the program they recommend that all users should have an AV installed. Puzzling! Guess you have to make a note of what side of the test your AV landed to take this recommendation seriously.

For myself, I do my banking over a land line. I have seen online banking apps being made available for smart phones, but with cell security as it is, I think that would be even more insecure. It is the banks that are pushing these applications.
NB: Trustee also failed the test (an application provided at the host and on the client's PC by some banks).

 

Is this quote "After logging in to the bank's real site, account holders are being tricked by the offer of training in a new "upgraded security system"." from -http://www.bbc.co.uk/news/technology-16812064- expanded on in the TV program?

What does this mean: "The threat does not strike until the user visits particular websites."?

One has to visit a presumably "related" site in order for the game to play out? Wouldn't that describe "a hacker waiting in the shadows" and an "idiot to take the bait"?

 

Yes the above is expanded on in the TV program. These hackers stalk only ligit banking websites where the user must access their account either by typing in their ID and password or by using a bank supplied PIN machine. The user is on a secure website before the man-in-the-browser trojan is activated from the browser (it is dormant until triggered). I think the user feels that they are now in a safe place and that all communication is now between them and the bank. They have to re-enter their PIN or banking password ... this is the redirect but there is no indication that they are on a 'related' site. I think this is why this has become such a successful ruse.
It is a bit of a stretch to call someone who falls for this, an idiot. Careless, reckless or maybe too trusting is more appropriate.

 

Okay, and thanks! But it seems that their browser has already been compromised?

 

Yes, you are correct. The browser is their way in.