Monday, September 28, 2009

IT is Official: Online Banking Security Weak

When the worm turns -  September 29, 2009

I decided to dedicate the day to proving that online banking is drastically broken, (see the day's previous posts)  I thought it prudent to bring to your attention another article, which came out today in Australia's newspaper.  The Age.  Here are some excerpts: 

It is said to have infected 10 million computers running Microsoft Windows XP and Vista. Some reports call it ''the largest threat of cyber crime'', a label others dispute. The Conficker worm was first detected in November 2008 but gained prominence recently because of attacks on some important government and commercial websites in Britain, the US and Europe. It appears to be spread through websites and emails it infects - and there it waits for an unwary user to download or click on.

It is one of the more famous examples of malware (malicious software) on the internet today.  (Editor's Note:  Others say Zeus, others say Clampi...but what about 6 months from now?) 

The latest malware attack on financial institutions is called Clampi (also known as Ligats or Ilomo). It was first detected in the US in July but has since spread to thousands of computers around the world, mainly in English-speaking countries, including Australia.

It is a Trojan horse because it carries a hidden threat. Internet security companies say the organized criminal groups using Clampi and its clones are monitoring at least 4500 finance-related websites on the internet.

Any computer visiting an infected site becomes infected by Clampi, which lies dormant until the user logs on to one of the banks or other financial websites the criminals have on their list. Clampi captures the victim's log-in and password details and sends them to a server operated by the criminal gang.

With access gained to the victim's bank or credit card account the gangsters can transfer money to accounts they own or to third-parties, known as mules, who will launder the stolen funds or use stolen credit card details to buy goods.

Worldwide, Clampi's victims number in the thousands and the criminal harvest is in millions of dollars...

Editor's Note:  I guarantee it would be immensely cheaper to put a clamp on this Trojan horse (and Zeus...and Conficker...and whatever they come out with in the next few months) by giving away HomeATMs to online banking customers than to absorb further losses.  Banks' online banking customers could authenticate themselves the same way they do when they withdraw cash from ATMs.  (sans skimmers and hidden cameras!)

There is also a thriving, almost open trade on clandestine online bulletin boards for the information that malware obtains - bank, credit card and online casino account numbers, user names and passwords - and in the hire of the digital robots that trawl the net looking for victims, Scroggie says.

Editor's Further Notes: The web is broken.  Online Banking is not only not safe.  It is downright dangerous. Why?  Because "the WEB" is teeming with threats.  Again, there is only one way to secure the authentication procedure: "Outside the Browser Space!"   That has never been clearer than it is now.  Want more clarity?

Continue Reading the article at "The"
One more thing before I sign out for the day. In case I haven't effectively proven my point that we are in the midst of an online banking blowup!  In order to provide even more clarity that online banking is busted...I'll point you in the direction of Brian Krebs' latest article in the Washington Post today.

Looks to me like there is another (couple of) lawsuit(s) in the making. Ironically it will be "Kids vs. the Banks." I guess you could say that the security of online banking is so weak that it provides hackers with the equivalent of "stealing candy from a baby."

Here's a blurb from Security Fix:

"On Sept. 9, crooks stole $30,000 from the Evergreen Children's Association (currently doing business as Kids Co.), a non-profit organization in Seattle that provides on-site childcare for public schools. Kids Co. chief executive and founder Susan Brown said the attackers tried to send an additional $30,000 batch payment out of the company's account, but that her bank blocked the transfer at her request.

"Now we're in this battle with our bank, because my staff accountant checks the account every day, and we notified the bank before this money was stolen and the transfer still went out," Brown said. (ooh...the bank will have a hard time defending that move)

Then last week, criminals targeted Medlink Georgia Inc., a federally qualified, not-for-profit health center that serves the uninsured and under-insured. The thieves stole the user name and password to Medlink's online banking account, and used that access to send more than $44,000 to at least five different "money mules," people wittingly or unknowingly recruited via online job scams to help criminals launder stolen funds. The mules typically are told to wire most of the funds they receive to the criminals abroad (minus a small commission).

Gary Franklin, MedLink Georgia's chief financial officer, said the company's bank reversed some of the fraudulent transfers, but that it looks like transfers to two of the mules - worth $15,000 -- may never be recovered.

Also last week, unknown hackers stole nearly $200,000 from Steuben ARC, a Bath, N.Y., based not-for-profit that provides care for developmentally disabled adults. The fraudulent transfers were sent in two batches to at least 20 different money mules around the nation. Steuben's bank blocked the second batch, for a total of $103,000, and a portion of the $93,000 worth of bogus transfers from the second batch.

Steuben's director of finance, Anita Maroscher, said the company is still trying to recover some $42,000 in stolen funds.

Bob Haley, Steuben's director of information technology, told Security Fix that the thieves were able to steal the company's online banking credentials through a keystroke logging piece of malware disguised as a shipping invoice that was sent via e-mail to one of Steuben's accountants.   "It went through this lady's computer, there was a file called '' that she mentioned having opened while checking her Web mail at work," Haley said. "She said there wasn't anything she recognized in [that invoice], but there was a Trojan horse in it."

The Trojan horse in question was none other than Clampi, by many accounts one of the most sophisticated pieces of malware in distribution today. (Editor's Note:  Don't underestimate Zeus) Clampi is so complex and clever that some of the smartest security researchers out there are still trying to decode all of its functionality and features. Researchers at Symantec last week just posted what they say will be the first in a series of write-ups discussing various aspects of Clampi.

Continue Reading at Brian Krebs -  Security Fix


Another Lawsuit Against Weak Online Banking Authentication

Is this the beginning of the end of Usernames and Passwords?  Hope So!

Brian Krebs writes for the Washington Post and tells of another lawsuit filed claiming that poor online banking authentication and security protocols led to financial losses on the part of the consumer.  Who will be held liable?  Is this the beginning of a flurry of lawsuits aimed at poor online banking log-in procedures?

There IS a better way.  The same way banks trust the withdrawal of cash in real time.  As of March 17th, 2009, there is one device in the entire world which has been PCI 2.x certified and has the capacity to do exactly that in both an online banking AND e-commerce environment. 

Oh, did I mention that employing our solution is exponentially cheaper than the attorneys' fees needed to defend against this and a "host" of other lawsuits that will crop up.  And that they (lawsuits) will!   Just as you can bet your bottom dollar that an NFL coach throws the red flag with 2:01 left to go in a game when their team needs a reversal.  They've got nothing to lose and everything to gain.   Now that I think about it,  our solution is exponentially less expensive than the hit a bank would take to their reputation should they lose a case like this.  Oh, and now, I'm thinking of the hordes of customers flocking to a competitor, one who initiated a more secure online banking authentication platform.

Genuine Authentication must take place outside the browser space.  It must be done in such a way as to instantaneously encrypt the log-in details and use existing bank rails which coincide with KYC and AML requirements.  HomeATM has such a solution.  Here's a couple of excerpts from Mr. Krebs' article:

Maine Firm Sues Bank After $588,000 Cyber Heist

A construction firm in Maine is suing a local bank after cyber thieves stole more than a half million dollars from the company in a sophisticated online bank heist.

On Friday, Sanford, Maine based Patco Construction Co. filed suit in York County Superior Court against Ocean Bank, a division of Bridgeport, Conn. based People's United Bank. The lawsuit alleges that Ocean Bank did not do enough to prevent cyber crooks from transferring approximately $588,000 to dozens of co-conspirators throughout the United States over an eight-day period in May.

People's United Bank spokeswoman Valerie Carlson declined to comment for this story, saying the company is aware of the lawsuit but does not discuss pending litigation.

According to the complaint, the fraudulent transfers began on Thursday, May 7, when thieves who had hijacked the company's online banking credentials initiated a series of transfers totaling $56,594 to several individuals that had no prior business with Patco. The company alleges that this pattern of fraud continued each day of the following business week, during which time the thieves made additional batches of fraudulent transfers totaling $532,257.

Here's the crux of the matter (as I see it) in the legal case:

Commercial banks are governed under the Uniform Commercial Code, which holds that institutions must take "commercially reasonable" steps to protect customers against fraud.

For most banks, the bar for what is considered reasonable for online banking authentication was set by a 2005 document issued by the Federal Financial Institutions Examination Council,...

Editor's Note:  2005?  That's 100 years ago in terms of the progress made by hackers since then. Heck, online banking malware has INCREASED BY  - (4995%) SINCE 2007! and I don't know if they (password stealing trojans) even existed in 2005.  Look at the chart on the right to get an idea of the increase in web vulnerabilities since 2005 when the FFIEC last considered what was  "reasonable."   

...which concluded that banks should employ what's called "multi-factor authentication," which involves requiring the customer to log in with a user name and password (that's bad) "in combination" with some other form of authentication, such as a single-use password or code generated by a token the customer has in his or her possession, or a special code sent via text message to the customer's mobile phone.

Editor's Note:  "requiring the customer to log in with a user name and password" along with another form of authentication.  Well, we know that user names and passwords are not safe, so how does that even "count" as part of the "multi-factor" authentication?  So, those two being absolutely 100% useless, renders the next form of authentication as being the one that counts the most. 

Another "password" is useless, including "One-Time Passwords" because they can be keylogged in real time. (for all we know,  they can be Trojanned in real  time as well)   The fact remains, and there is a preponderance of empirical evidence proving that "anything" done to protect a user in a web browser is absolutely useless. 

Therefore, based on the evolution of hacking since 2005, combined with the fact that the FFIEC hasn't "REVISITED" their document SINCE 2005, I don't see how that business can be held liable.  2005?  C'mon, as I stated, that was 100 years ago compared to the progress hackers have made with Trojans such as Clampi, Zeus and a host (pun intended) of other ways to obtain online banking credentials.    If I'm the attorney, the graphic above is Exhibit One.  Do I need another?  Look at the dates and project 2005...the last time the FFIEC updated their document.  Now compare it to the first 6 months of 2009. 

If I'm Judge Johnny and I can B. Frank, I find for the plaintiff.  $588,000 plus interest, plus attorneys fees.  $0 in damages.  The real damages are going to be the loss of customers endured by banks who continue to put their customers into a position where their card information is swiped by the bad guys instead of by the consumers themselves. 

Continuing with Mr. Krebs story:

"Patco's lawsuit claims the bank failed to offer any form of token-based authentication, and that its multi-factor approach amounted to little more than requiring the entry (typing) of yet another password. (which could be easily "swiped" by a Trojan)

The company said that for any transfer of more than $1,000, Ocean Bank commercial customers initiating ACH transfers are required to answer two "challenge" questions.

"Because almost every transfer Patco made exceeded the $1,000 threshold, Patco employees had to answer the challenge questions practically every time they initiated a direct deposit payroll via ACH transfer," the company charged in its complaint. "Because the low thresholds meant the challenge questions were used so often, the questions provided little to no additional security and were effectively no more than extensions of the employee's passwords."  (ooh...good argument dude!)

In addition, the suit alleges that while the bank represents to clients that it monitors customer online accounts for signs of unauthorized access, all of the fraudulent transfers were initiated from Internet addresses that Patco had never before used to conduct online banking. (ooh...two more points!)

"The statute we deal with in Maine is very specific and mentions a whole host of factors that the bank needs to have in place, and in this case we don't think the bank had in place commercially reasonable security procedures," Mitchell said.
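The two points the complaint makes above (challenge questions triggered on nearly every batch give no extra signal, and the bank still released batches sent from addresses the customer had never used) come down to whether anyone compares an outgoing ACH batch against that customer's own history. The following is an added example, not code from the original post, from Patco or from the bank, of that kind of history-based check; the $56,594 first-batch figure is the one quoted in the complaint, while the payroll history, IP addresses and thresholds are constructed for illustration.

```python
"""History-based scoring of an outgoing ACH batch (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Transfer:
    payee: str
    amount: float

@dataclass
class AchBatch:
    when: date
    source_ip: str
    transfers: list

@dataclass
class CustomerProfile:
    """What the bank already knows about one commercial customer's routine."""
    known_ips: set = field(default_factory=set)
    known_payees: set = field(default_factory=set)
    max_batch_total: float = 0.0

    def learn(self, batch):
        self.known_ips.add(batch.source_ip)
        self.known_payees.update(t.payee for t in batch.transfers)
        self.max_batch_total = max(self.max_batch_total, batch_total(batch))

def batch_total(batch):
    return sum(t.amount for t in batch.transfers)

def score_batch(profile, batch):
    """Return (score, reasons); score 0 means the batch looks like the customer's routine."""
    reasons, score = [], 0
    if batch.source_ip not in profile.known_ips:
        score += 3
        reasons.append(f"source IP {batch.source_ip} never used by this customer")
    new_payees = [t.payee for t in batch.transfers if t.payee not in profile.known_payees]
    if new_payees:
        # many first-time payees in a single batch is the shape of a mule payout
        score += min(len(new_payees), 5)
        reasons.append(f"{len(new_payees)} of {len(batch.transfers)} payees never paid before")
    total = batch_total(batch)
    if profile.max_batch_total and total > 1.5 * profile.max_batch_total:
        score += 2
        reasons.append(f"batch total ${total:,.0f} exceeds 1.5x historical max ${profile.max_batch_total:,.0f}")
    return score, reasons

HOLD_THRESHOLD = 5  # constructed: at or above this, hold the batch for out-of-band confirmation

def decide(profile, batch):
    score, reasons = score_batch(profile, batch)
    return ("hold" if score >= HOLD_THRESHOLD else "release"), score, reasons

def build_profile():
    """Constructed history: two routine payroll batches from the office IP to known staff."""
    profile = CustomerProfile()
    payroll = [Transfer(f"employee-{i}", 1200.0) for i in range(12)]
    for d in (date(2009, 4, 9), date(2009, 4, 23)):
        profile.learn(AchBatch(d, "203.0.113.10", payroll))  # documentation-range IP, constructed
    return profile

def routine_batch():
    """A normal single payment from the known IP to a known employee."""
    return AchBatch(date(2009, 5, 7), "203.0.113.10", [Transfer("employee-1", 1200.0)])

def suspicious_batch():
    """Shaped like the complaint's first batch: $56,594 to several never-before-paid individuals."""
    payees = [Transfer(f"unknown-person-{i}", 56594 / 7) for i in range(7)]
    return AchBatch(date(2009, 5, 7), "198.51.100.77", payees)  # documentation-range IP, constructed

if __name__ == "__main__":
    profile = build_profile()
    print(decide(profile, routine_batch()))
    print(decide(profile, suspicious_batch()))
```

The routine batch scores 0 and is released; the constructed May 7 batch trips all three checks and is held, which is the kind of monitoring the complaint says the bank represented it performed.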

 It will certainly be interesting to watch.  I will say this.  There is only one way for banks to win.  That is to provide a genuine two-factor log in procedure trusted by consumers. 

Until then, banks lose no matter what, because even if they win the lawsuit, they will scare the living bajeezes out of their existing online banking customers, who will flock to the bank that offers a log-in procedure that consumers trust.  I don't think there is ANY denying they have grown accustomed to "swiping their card" and "entering their PIN" whether it's to conduct a PIN based transaction at a retail location, or withdraw money from an ATM.  Fact is, it's the "MOST PREFERRED" way to pay, and if it's trusted by banks to dispense cash, we've got a winner here.

It's the way it's got to be...it's the way it will be...because it is the way it already is. 

Banks Are Known as Issuers for a Very Simple Reason:

Banks Issue Cards

Banks Issue PINs

The time has come for them to complete the process and

Issue Card Reader/PIN Entry Devices for Online Banking/Transactions

  • Costs less than the Useless Promotions Currently Conducted

  • Exorbitantly Cheaper than Losing 49% of Their Online Banking Customers

  • Significantly Cheaper than Hiring Attorneys  and Defending Against Lawsuits

  • Exponentially Cheaper than Losing these Lawsuits

  • Immensely Cheaper than the Costs of Ongoing fraud

  • Ridiculously Cheaper than Having Their Reputation Tarnished/Damaged

When a bank announces a requirement for their customers to access their online banking with the same security trusted by banks and consumers, the end result would be more than Image Enhancing and Customer Retention Driven.

It would also serve as a Customer Acquisition Magnet.

Customer Acquisition and Retention Top Priorities

Marketers' top priorities for 2010 will be customer acquisition and retention, followed by thought leadership, according to a survey by virtual events provider Unisfair.

Six in 10 marketers polled said Acquiring (A) new customers would be critical in 2010, while 48% would focus on Retaining (R) current customers—a particularly important effort in the recession.  (Editor's Note:  Let's do the math:  60% say Acquiring and 48% say Retaining customers is critical.  Total R&A:  108%!  So I would think banks would want to give 110% of their marketing efforts when it comes to putting together an R&A plan.)

So, let's review:  Online banking is now preferred by consumers according to the ABA, but according to ACI Worldwide, 49% would blow that pop-stand if they or someone they knew were victims of fraud, yet according to eMarketer, 2010 is the year to focus on customer "R&A."

Now, for fun...let's see if we can combine all three of these variables and connect the dots to create a marketing plan for these banks.  But first...there is one more important element in this equation.

Another Lawsuit...this one from the "consumer side."  It won't be the last one...

Court Allows Suit Against Bank Based on Poor Online Banking Log-In

The plaintiffs claim that by only requiring user names and passwords to authenticate customers at log in, Citizens failed to maintain state-of-the-art security standards. 

"At the beginning of this month, a US District Judge refused to grant summary judgement in favour of the financial institution, clearing the way for the court case to take place, stating in her judgement:

'In light of Citizens' apparent delay in complying with FFIEC Security Standards, a reasonable finder of fact could conclude that the bank breached its duty to protect Plaintiffs' account against fraudulent access.'"

Online Banking Passwords at Risk - Chances to Fight it...SLIM and NONE!

If you've been following the blog, you have probably seen a few stories featuring Zeus...the "online banking" data stealing Trojan. 

I don't want to make Clampi feel left out.  So here's a few excerpts from a story written by the Daily Mail in the UK. 

First...a couple quotes about Clampi, in order to properly introduce the threat it poses:

"The best strategy to defend against Clampi is to use separate machines for Web surfing and funds transfer" 

"It's too dangerous to do transactions on the same machine you do for Web surfing," he says. "You can't have any crossover between them."

- Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks.

Editor's Note: Thank you Mr. Stewart! We've been making that case for 15 months and it's gratifying to hear industry experts echo our mantra.

When Mr. Stewart says "the only way" to protect against Clampi is to use two separate machines, we wholeheartedly agree. I would like to make one clarification. Clampi is but one of the reasons to use a separate piece of hardware to conduct financial transactions. Take into account all the "pre-existing" Trojan malware, add in the keylogging, the phishing, and more. The threat is not Clampi as much as it is "the wicked web the hackers have woven."

The web is the equivalent of a village made of straw houses, where 10% of the inhabitants are full-time arsonists. (I loved that quote from the previous post) This blog and HomeATM have been, are and will forever be on the record stating that people should use "separate machines" for Web surfing and financial transactions. And we will prevail so the hackers do not!

That's the entire basis behind why we created the HomeATM product line...and the SLIM is many times cheaper than having to purchase another PC! The fact that our device is both PCI 2.x and TG-3 certified only strengthens the case for choosing it. The best way to defend against the myriad threats is easy. Surf the web on one machine (the PC) and conduct financial transactions on another (the HomeATM).

You Have Only Two Choices When it Comes to Fighting Fraud and Keeping Your Card Holder Data out of the Hands of the Hackers! "SLIM" and None!

A security researcher has discovered a Trojan that is designed to extract account data from as many as 4,600 of the world's most popular and wealthy businesses.

In "one of the largest and most professional thieving operations on the Internet," a Trojan called Clampi (also known as Ligats, Ilomo, or Rscan) has spread across Microsoft networks in a worm-like fashion, and may already have infected hundreds of thousands of corporate and home PC users, according to SecureWorks researcher Joe Stewart, one of the world's foremost authorities on botnets and targeted attacks.

"We weren't all that worried about Storm, and we weren't all that worried about Conficker," Stewart says. "This one you need to worry about."

IBM: Unprecedented State of Web Insecurity - No Such Thing as Safe Browsing

Internet security is busted, said researchers at the Black Hat conference in Las Vegas today

Oh!  Here's a couple excerpts from that story I was talking about...and don't forget to check out the "related stories" if you have any doubts about what I'm saying in this post.  The Web is Broken and we Aim to Fix It!

Online Banking Passwords at Risk!

Daily Mail Reporter

"Computer hackers have created a new trojan virus which could mean a security headache for hundreds of thousands of online banking customers.

The Clampi virus, which is spreading quickly across the United States and Britain, infects computers when they visit a site which contains the attackers' code. The virus then sits dormant until a user visits the website of a bank, credit card company or other financial institution, whereupon it captures security information such as login and password.

The virus collects personal security details when a user logs on to a banking website and sends them to waiting hackers.  The stolen details are then sent back to the hackers who use them in online fraud scams.

The virus monitors over 4,500 financial websites, including British High Street banks, along with online casinos, email providers, shopping sites, utilities and mortgage lenders.

The Clampi virus has already caused chaos for some schools and businesses in the U.S. with hackers completing fraudulent electronic transactions worth thousands of dollars. Despite being around in various forms since 2005, researchers say the new strain seems to be spreading more aggressively.


Web Malware: Is the Net Burning?

By Mary Landesman, ZDNet UK

"While discussing the rapid growth of Web-delivered malware, an industry colleague commented that the Web is like a city where everyone lives in straw houses and 10 percent of inhabitants are arsonists."

That parallel is uncomfortably close to the truth. According to researchers at PandaLabs, an average of 37,000 new malware samples are discovered and processed each day.  Over half--52 percent--of that malware will be reconfigured within 24 hours of its release in an effort to evade signature-based scanners. Those who had their systems infected in the first 24 hours of the malware's existence will continue to have an active, functioning infection. At the same time, the malware itself has become far more sophisticated and insidious in both its payload and its intent.

According to ScanSafe Stat research, Web-delivered data-theft Trojans have increased 4,955 percent since 2007 and 1,424 percent just over the past year.

Continue Reading at ZDNet Asia


Russian Cybergangs Make the Web a Dangerous Place

Russian cybergangs have established a robust system for promoting Web sites that sell fake antivirus software, pharmaceuticals and counterfeit luxury products, according to a new report from security vendor Sophos.

One way to do so is to infect computers with malware either through spam or other means. The malware can tamper with a computer's DNS (Domain Name Server) settings in order to direct the user to a fake Google search engine site, which meshes real search results with ones that lead to, for example, a site selling fake antivirus software.

Another trick is called black hat SEO (search engine optimization). It involves creating a Web site, then using a variety of tricks mostly forbidden by search engines to get those Web sites high in search rankings. Methods include incorporating the most recently used search terms, often listed by search engines such as Google's Trends, into a Web site.

Continue Reading at PC World

Online Banking Trojans Infesting the Web

Evidence Clearly Points towards Need for more Secure Online Banking Log-in.

Why not replicate what consumers and banks already trust to dispense money at ATM's?  Swipe Your Card, Enter Your PIN.  We've got it backwards.  Right now the only ones doing the "swiping" are the Hackers. 

There has been a mind-boggling "4995% Growth in Data Stealing Trojans since 2007"...1424% Growth in the Past Year! 37,000 New Ones Everyday!  You are aware that hackers can redirect users to "a PERFECT COPY" of the bank web site they are "EXPECTING" to see. Problem is, when log-in details are "typed/entered" they are sent to the hackers providing them with the information they need to steal you blind.

PandaLabs research says that approximately 37,000 malware samples are discovered every day - and more than half of them are modified during the first 24 hours to bypass anti-virus programs.

Other research shows that the number of data-stealing Trojans has increased 1,424 percent in the past year (and a whopping 4,955 percent since 2007!).

The focus? Online Banking...

"Security experts have warned that the on-line banking Trojan known as Zeus or Zbot could become one of the most challenging yet, confirming the malware often goes undetected by popular anti-virus packages.

Trusteer Inc. has reported the Trojan could already have infected as many as 1% (3.6 MILLION) of all US PCs and stands as the world's number one botnet. The company said in tests based on data collected from consumer PCs during one day in September it found that 55% of machines were infected with the Trojan, despite 71% of the machines having up-to-date anti-virus systems."

Zeus, which is also known as Zbot, WSNPOEM, NTOS and PRG, is the most prevalent financial malware on the internet today, the company said.

About Zeus

Zeus is financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time.  (sorry One-Time Password Phans)  Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together with (or instead of) the genuine pages from the bank's web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one time passwords and TANs, etc. 
Translation: Zeus can modify web pages from the genuine bank's servers in the user's browser and create whatever they want you to see.  Of course,  if you didn't type it...they couldn't swipe it!  

Zeus uses some rootkit techniques to evade detection and removal. Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. approximately 1% of the PCs in the US), according to a recent report.  This is backed by Trusteer’s field figures as well, as can be seen on the pie chart (left) of relative financial malware distribution: 

If the bad guys are focusing on how to steal usernames and passwords, isn't it time for the good guys to focus on a better way to authenticate an online banking session?  Can you think of a better way than one which is already trusted by banks and consumers alike?  Swipe your card...enter your PIN.  HomeATM manufactures the world's ONLY PCI 2.x PIN Entry Device designed to do exactly that.  I could MAYBE see the argument FOR username/passwords in 2002...BEFORE we knew what we know now.  But shouldn't we KNOW BETTER?

Let's be realistic here.  A 4,995% increase in data stealing trojans since 2007?  A barrage of phishing attacks? Lawsuits against banks? The threat of losing 49% of your customers?  In my mind, requiring that consumers access their online banking session the same way they access cash at an ATM is a no-brainer... If the methodology is trusted enough to dispense CASH in real-time, it's got to be good enough to be trusted to log-in to your banking session.  Where am I wrong here?
