Hackers outwit online banking identity security systems

Discussion in 'other security issues & news' started by Daveski17, Feb 2, 2012.

Thread Status:
Not open for further replies.
  1. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    no, users allow themselves to be outwitted. again
     
  3. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    My bank has its own email system, the bank says its secure but I think it must be just like the rest of they're web site....full of holes. They're dropped pages everywhere pages that lead to unfinished pages. Then stone walled when you complain.
     
  4. wat0114

    wat0114 Guest

    No, customers have to stop being stupid.
     
  5. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Expose the situation to the Internet! Provide the evidence and they shall not deny your greatness! :D
     
  6. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    I'm just glad that I don't bank online ... yet.
     
  7. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    not a great article.
    does not explain what this new super malware does !
     
  8. MikeBCda

    MikeBCda Registered Member

    Joined:
    Jan 5, 2004
    Posts:
    1,627
    Location:
    southern Ont. Canada
    I've never (yet) run into this one, but hopefully it'll conspicuous enough of a change from my normal online-banking routine to catch my attention.

    And no email to or from the bank should be an engraved-in-stone rule. In my case, the only exception is that I'll forward to their security dept. a copy of any particularly well-crafted phishing email I receive (usually caught and quarantined by my ISP anyway), since they like to investigate those.

    (Edit, almost forgot) My bank, TD Canada Trust, is one more which guarantees reimbursement for loss to online fraud.
     
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    What do you expect from a news website? How is this new anyhow?
     
  10. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Yes, this is the BBC News, after all. I just thought it might be interesting.
     
  11. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    I've been banking online since 2003.
    Really not new but par for the Beeb.
     
  12. Daveski17

    Daveski17 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    8,030
    Location:
    Lloegyr
    Do you get a little virtual piggy bank for long-time customer service?

    "While the tactic is understood in security circles, it is doubtful that many consumers are aware of it, so the BBC Click investigation is welcome in helping to publicise the issue."

    Auntie Beeb strikes another blow against the bad guys!
     
  13. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    884
    Location:
    Triassic
    I watched the TV program and it went into a lot more detail than the news article that appears on the BBC/UK tech site and on the click site. There was a lot in the program to be concerned about. It was not just another irresponsible user and a hacker waiting in the shadows for the idiot to take the bait.

    On the TV program they set up a couple of PCs to test a legitimate online banking site being used by an online banking client who falls victim to the zeus trojan. The client's PC also had an up-to-date well known anti-virus program running. The anti-virus vendor was present for the test. The AV did not recognize, intercept or stop any of the user's activity. The trojan delivered account details and passwords to the hackers PC and the client's accounts were accessed. Money was transferred. Online statements were spoofed so all looked OK. The user was totally unaware as to what was actually happening, so was the bank and the AV vendor while the transactions were taking place.

    It was noted that the bank's back-end security would have flagged this activity as abnormal, but in the test it did not take any action. It would have been up to the client to approach the bank with proof that the account had been hacked. It was explained that the bank's security monitors abnormal activity, but it does not take any real-time action on behalf of the client. It doesn't even contact the client to call the bank.

    What I found the most telling was the long list of AV vendors that also failed their test (big names) ... which you can only see in the TV program. They list them all. I think there were only 4 AV houses that prevented the user from entering their banking information. They too are listed. At the end of the program they recommend that all users should have an AV installed. Puzzling! Guess you have to make a note of what side of the test your AV landed to take this recommendation seriously.

    For myself, I do my banking over a land line. I have seen online banking apps being made available for smart phones, but with cell security as it is, I think that would be even more insecure. It is the banks that are pushing these applications.
    NB: Trustee also failed the test (an application provided at the host and on the client's PC by some banks).
     
  14. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Is this quote "After logging in to the bank's real site, account holders are being tricked by the offer of training in a new "upgraded security system"." from -http://www.bbc.co.uk/news/technology-16812064- expanded on in the TV program?

    What does this mean: "The threat does not strike until the user visits particular websites."?

    One has to visit a presumably "related" site in order for the game to play out? Wouldn't that describe "a hacker waiting in the shadows" and an "idiot to take the bait"?
     
  15. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    884
    Location:
    Triassic
    Yes the above is expanded on in the TV program. These hackers stalk only ligit banking websites where the user must access their account either by typing in their ID and password or by using a bank supplied PIN machine. The user is on a secure website before the man-in-the-browser trojan is activated from the browser (it is dormant until triggered). I think the user feels that they are now in a safe place and that all communication is now between them and the bank. They have to re-enter their PIN or banking password ... this is the redirect but there is no indication that they are on a 'related' site. I think this is why this has become such a successful ruse.
    It is a bit of a stretch to call someone who falls for this, an idiot. Careless, reckless or maybe too trusting is more appropriate.
     
  16. vasa1

    vasa1 Registered Member

    Joined:
    May 1, 2010
    Posts:
    4,152
    Okay, and thanks! But it seems that their browser has already been compromised?
     
  17. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    884
    Location:
    Triassic
    Yes, you are correct. The browser is their way in.
     
Loading...
Thread Status:
Not open for further replies.