Wednesday, January 7, 2009

Got Hacked? Bank on It

In December, I posted twice about Fiserv's CheckFree Hack, whereby their domain name was "webjacked" (see: CheckFree Not Hackfree and/or CheckFree Not Hackfree 2).

So, for the third time (but only the first time this year) I'm covering an article written about domain name webjacking...this time from USBanker.


I'm sorry to report that it doesn't look like this will be the last time this year I'll be talking about, for lack of an official word, webjacking. Some observers say they've seen signs that these webjack attacks will become almost as common as a Gulf of Aden pirate attack.

When I wrote in the first post, "Imagine how exponentially more "effective" the "webjacking" would have been if unsuspecting users were "redirected" to what looked to be CheckFree's site vs. a blank page," I was hinting at the fact that it was most likely only a test.

After all, why would someone go through the hassle of bringing CheckFree users to a blank page when they could have brought them to an exact replica of CheckFree's log-in site? That's probably the easiest part to create in the whole scheme. I'm purely speculating here, but maybe they were simply running a test which gave them insight as to how they could take full advantage of the "httbs" in the "https" (prior to "researchers" having "let the cat outta the bag" in Berlin last week).

I mean, who's to say that these "White Hats" (as they are also known) are always beating the "Black Hats" to the starting gate? What if the opposite is true? Maybe these Black Hat guys are light years, well maybe not light years, but dark years ahead of us?

One thing I am sure of...I'm sure there's a lot more "Max Visions" out there than we are led to believe. Keep in mind that the Max Visions of the world are working at cracking code "full-time." They're hackers, not slackers. On the flip side of the equation, most "White Hats" are hobbyists (they used PlayStation 3s, for chrissakes :) who go to MIT (see: Sorry Charlie, You've Been Hacked), while others have full-time jobs (for instance, those very same MIT students who were then hired by the MBTA as a reward for hacking into their system)...see related stories below for more.


Black Hats not only work "full-time" on hacking...and subsequently wreaking havoc on financial institutions/account holders, but there's a bigger picture, beyond just the hack itself. Where do you think a good portion of the money goes? Suffice it to say that, unlike the Chicago White Sox mantra, good guys don't wear black.

That said, let's see what we're up against here...

There's unsafe web browsers; there's webjacking, phishing, whaling, wardriving, malware, keylogging, screen capturing, skimming, pharming, spyware, botnets, worms, viruses, DoS attacks, packet-sniffers...(you starting to get the picture?) So what is an online shopper to do?

I once again state, the best way to purchase via the internet is with your own personal card swiping device. It could even be used to log on to your online bank. Just swipe and enter your PIN.

Hey...maybe the banks, who are already at huge risk...could mitigate some of that very same risk, and at the same time, keep their customers from getting burnt. I have a toast. Here's to a campaign similar to the one they ran back in the 50's and 60's, only this time...they give away our personal swiping devices. Otherwise, if this continues, which it will, they're toast...

Sorry, kinda got off on a tangent there...here's more on "when hackers take control of a bank domain name" with more instances to follow...I'm sure of it...(said the same thing about skimming last year)

From American Banker publication, usbanker:


Security experts are warning financial companies of a relatively new type of computer attack in which hackers gain control of a bank's domain name.

The technique gained widespread attention last month when hackers briefly took over the domain names of Fiserv Inc.'s CheckFree bill payment unit, and observers say they have seen signs that this form of attack will be used more widely this year.

The domain name system, or DNS, attack "in late 2008 has started getting a lot of attention from attackers, as opposed to past years, when this area was pretty quiet," Amit Klein, the chief technology officer at Trusteer Ltd. of Tel Aviv, said in an interview.



"The major reason" for the trend, he said, "is that attackers found out that it's much easier to get users to browse to so-called legitimate sites rather than direct users to sites that are obviously not legitimate."

Most phishing attacks involve fake sites that replicate a bank's site but must be hosted elsewhere. In some cases, fraudsters are able to register domain names that include the brand of the site they are imitating, but people who type banks' domain names into the browser each time they visit would typically not be directed to fake sites.

Because consumers are aware of such ways to avoid false sites, "the effect of phishing, at large, is somewhat less than it used to be," which has prompted attackers to seek new methods, Mr. Klein said.

A DNS attack "does take a bit more expertise" than phishing does "but not a lot more," he said, especially since expertise can be bought. "Everything that's very sophisticated today becomes a kit within a year or two … if it's proven successful enough."









