Showing posts with label online banking. Show all posts

Tuesday, June 29, 2010

Another Business Gets Burned by Online Banking (Lack of) Security

From Softpedia



A Californian escrow firm that had $465,000 stolen from its bank account, with the help of a computer trojan, was forced to sign up for a loan to replace the missing funds.



The cybercrooks responsible defeated several online banking security measures in order to steal the money.



According to Krebs on Security, the security breach occurred sometime in March, when the owner of California-based Village View Escrow opened the attachment on a fake email about an undelivered UPS package. The file installed a banking trojan, which immediately started to record and relay valuable information, like the online banking password, back to the cybercrooks.




Owner Michelle Marisco said her financial institution at the time, Professional Business Bank of Pasadena, Calif., normally notified her by e-mail each time a new wire was sent out of the company's escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires.






This case stands out from the pile of other similar incidents that occurred in the past year, because it really outlines the complexity of these malware threats. For example, the company's bank - which, as in other cases, refused to take responsibility - told the owner that the fraudulent transactions were issued from their regular IP address. This means attackers used an advanced connection tunneling feature that trojans like Zbot have in their arsenal.



Furthermore, the fraudsters managed to disable the normal email notifications sent out by the online banking system after each transaction. This left the company totally in the dark about what was going on.



Apparently, there was also human error involved, as every transaction required approval from two distinct people in the company, the owner and their assistant. However, after failing to view information about that undelivered UPS package, the owner forwarded the malicious email to their assistant and had them check it out as well.



The crooks initiated two international money transfers of $88,000 and $94,000 directly to bank accounts in Latvia. This is also unusual behavior, because such fraudulent transfers are usually kept under the $10,000 limit and sent to accounts held with domestic banks. The rest of the stolen money was transferred to mules in the United States in order to be wired outside of the country.



The bank was only able to reverse transfers amounting to $70,000, leaving Village View Escrow short $395,000 that was actually other people's deposits for real estate deals.
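The signals in this case (wires sent from the customer's usual IP address, e-mail alerts disabled beforehand, dual approval defeated from one infected office, and large first-time international transfers) translate directly into review logic for outbound wires. The following is an added example, not code from the article, Krebs on Security or the bank; all class names, thresholds, addresses and sample wires are constructed.

```python
# Added example (not from the Softpedia/Krebs article): scoring outbound wire
# requests against the account-takeover signals this case exposed. All class
# names, thresholds, addresses and sample wires are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class AccountProfile:
    usual_ip: str                           # customer's normal source address
    home_country: str                       # country of the account holder
    known_beneficiaries: frozenset          # beneficiary ids seen on past wires
    alerts_disabled_at: Optional[datetime]  # when e-mail wire alerts were turned off


@dataclass(frozen=True)
class WireRequest:
    submitted_at: datetime
    amount_usd: int
    beneficiary_id: str
    beneficiary_country: str
    source_ip: str
    approver_ips: tuple                     # source address of each dual-control approval


HOLD_SCORE = 5                     # constructed threshold: hold for out-of-band verification
ALERT_CHANGE_WINDOW = timedelta(hours=72)


def score_wire(profile, wire):
    """Return (score, reasons). A higher score means more takeover signals."""
    score, reasons = 0, []
    if wire.beneficiary_country != profile.home_country:
        score += 3
        reasons.append("international beneficiary")
    if wire.amount_usd > 10_000:
        score += 2
        reasons.append("amount above $10,000")
    if wire.beneficiary_id not in profile.known_beneficiaries:
        score += 2
        reasons.append("first wire to this beneficiary")
    if profile.alerts_disabled_at is not None:
        age = wire.submitted_at - profile.alerts_disabled_at
        if timedelta(0) <= age <= ALERT_CHANGE_WINDOW:
            score += 3
            reasons.append("wire alerts disabled shortly before the request")
    if len(wire.approver_ips) >= 2 and len(set(wire.approver_ips)) == 1:
        score += 1
        reasons.append("every approval came from the same host")
    # A source IP matching profile.usual_ip deliberately earns no credit: the
    # trojan relayed the session through the victim's own machine, so it matched.
    return score, reasons


def review(profile, wires):
    """Map each beneficiary id to HOLD or RELEASE."""
    return {w.beneficiary_id: ("HOLD" if score_wire(profile, w)[0] >= HOLD_SCORE else "RELEASE")
            for w in wires}


# Constructed sample: alerts switched off two hours before two large wires abroad,
# followed a day later by a routine domestic wire to a known title company.
T0 = datetime(2010, 3, 1, 9, 0)
SAME_HOST = ("203.0.113.10", "203.0.113.10")          # TEST-NET address, constructed
PROFILE = AccountProfile("203.0.113.10", "US", frozenset({"title-co-042"}),
                         alerts_disabled_at=T0 - timedelta(hours=2))
SAMPLE_WIRES = [
    WireRequest(T0, 88_000, "lv-acct-1", "LV", "203.0.113.10", SAME_HOST),
    WireRequest(T0 + timedelta(minutes=5), 94_000, "lv-acct-2", "LV", "203.0.113.10", SAME_HOST),
    WireRequest(T0 + timedelta(days=1), 4_500, "title-co-042", "US", "203.0.113.10",
                ("203.0.113.10", "203.0.113.11")),
]

if __name__ == "__main__":
    for w in SAMPLE_WIRES:
        print(w.beneficiary_id, review(PROFILE, [w])[w.beneficiary_id], score_wire(PROFILE, w)[1])
```

A hold here means the bank verifies through a channel the infected PC cannot touch, such as a call-back to a number on file, rather than another prompt in the same browser session.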



Friday, June 25, 2010

Case Study: The Underground Economy of the Zeus Banking Trojan Horse

Research and Markets: Case Study: The Underground Economy of the Zeus Banking Trojan Horse



DUBLIN--(BUSINESS WIRE)--Research and Markets has announced the addition of the "Case Study: The Underground Economy of the Zeus Banking Trojan Horse" report to their offering.
The banking Trojan horse ZeuS is one of today's biggest threats towards online banking. Being used to attack both companies and private individuals, this malware undergoes frequent mutations which demonstrate how technically innovative its author is.
Thanks to its technical nature and great flexibility, over the years ZeuS malware has become a major and long-term threat. First identified by researchers in 2006, this malware is a Trojan horse specialized in stealing banking credentials which directly attacks its victim's web browser. The malware is also equipped with numerous high-tech functions, including customer certificate theft, transparent redirection, on-the-fly rewriting of HTML pages and requested transactions, real-time notification of hackers, and complete takeover of the infected machine. Identified in 2007 under the name of UpLevel, the author of ZeuS has surrounded itself with a close inner circle that is responsible for selling the malware. Numerous public versions are available at low prices or even free of charge. As these versions generally contain backdoors, they are reserved for amateur fraudsters, while private versions of ZeuS are sold for several thousands of dollars.
One group, included among the top ZeuS customers, operates a botnet comprising several tens of thousands of computers, specialized in stealing money via the ACH network in the United States.
The publisher's recommendation to banks is to adopt, if they haven't already done so, an authentication mechanism for online banking that is entirely multi-channel, meaning that no convergence point between the two channels exists. The web browsers used by banking customers must be considered first and foremost as a threat for online banking, and not merely as an opportunity to introduce new online services.
Key Topics Covered:
1 Introduction
2 An Expertise in Bank Data Theft
3 The Author's Multiple Faces
4 The Prevalence of ZeuS Infections
5 Analysis of ZeuS users
6 Analysis of ZeuS Targets
7 Risks Analysis
8 Recommendations

Contacts

Research and Markets

Laura Wood, Senior Manager

press@researchandmarkets.com

U.S. Fax: 646-607-1907

Fax (outside U.S.): +353-1-481-1716
Permalink: http://www.businesswire.com/news/home/20100625005559/en/Research-Markets-Case-Study-Underground-Economy-Zeus



Thursday, June 24, 2010

PhoneFactor Launches Universal Banking Gateway

New Gateway Empowers Banks to Quickly Add Out-of-Band Authentication to Any Online Banking Platform

OVERLAND PARK, KS--(Marketwire - June 23, 2010) -  PhoneFactor, Inc., a leading global provider of multi-factor authentication services, today announced that it has extended its suite of out-of-band authentication solutions for online banking to include a Universal Banking Gateway, enabling rapid implementation with any online banking platform and no coding. The Gateway adds a critical authentication layer to secure online banking logins and transactions without requiring direct integration with the online banking application.
PhoneFactor works by confirming online banking logins, ACH, wire transfers and bill pay processes through an out-of-band phone call or text message. The user simply answers the call or responds to the text message to authenticate. Because the authentication is confirmed through the telephone network, it protects against escalating threats from man-in-the-middle attacks and online banking trojans.
The new Gateway makes it possible to add PhoneFactor authentication to online banking applications that are deployed as managed services and other cases where the application's authentication logic is not accessible to the bank. The Universal Banking Gateway is available immediately as one of the integration options bundled into the PhoneFactor platform. PhoneFactor also supports direct integration via web plug-ins for Java and .Net and a Web Services SDK, and has partnered with leading banking platform providers, such as Fiserv, to provide native integration.
"With attacks from online banking trojans growing exponentially, banks are feeling the pressure to quickly deploy the out-of-band authentication needed to protect their customers," said Steve Dispensa. "Now, it's easier than ever for banks to deploy PhoneFactor, regardless of their online banking systems. Banks can take control of the implementation timeline and quickly roll the service out to their users."
With PhoneFactor there are no security tokens, software or certificates to deploy to end users, so the enrollment process is simple and fully automated. No user training is required, and very little ongoing user support is required. Customer acceptance of PhoneFactor continues to grow in every industry, but the security and usability of the solution make it ideal for online banking. Today, PhoneFactor authenticates millions of online banking logins and transactions for leading financial institutions.
About PhoneFactor

PhoneFactor is a leading provider of multi-factor authentication services. The company's award-winning platform by the same name uses any phone as a second form of authentication. PhoneFactor's out-of-band architecture and real-time fraud alerts provide strong security for enterprise and consumer applications. It is easy and cost effective to set up and deploy to large numbers of geographically diverse users. PhoneFactor was recently named to the Bank Technology News FutureNow list of the top 10 technology innovators securing the banking industry today and a finalist in 2010 SC Magazine Reader Trust Awards. Learn more at www.phonefactor.com.
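Both the ZeuS report's recommendation above (a multi-channel mechanism with no convergence point between the channels) and this release's out-of-band confirmation rest on the same idea: the bank describes the transaction it actually received over a channel the browser does not control, and a trojan that rewrites the request in the browser cannot also repaint the confirmation. The model below is an added example, not PhoneFactor's protocol or code; the class names, the HMAC-based one-time code and the sample transfers are constructed. The `run_in_band` variant shows, for contrast, what the report means by a convergence point.

```python
# Added example (not PhoneFactor's protocol or code): a model of out-of-band
# transaction confirmation. The bank describes the transfer it actually received
# over a second channel and executes only when the one-time code bound to that
# description comes back. Names, the HMAC construction and the sample transfers
# are constructed for illustration.
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    beneficiary: str
    amount_cents: int


class Bank:
    """Server side of the exchange."""

    def __init__(self):
        self._secret = secrets.token_bytes(32)   # per-instance key, constructed
        self._pending = {}
        self.executed = []

    def request_transfer(self, received):
        """Browser channel: a transfer request arrives. Returns the session nonce."""
        nonce = secrets.token_hex(8)
        self._pending[nonce] = received
        return nonce

    def _code(self, nonce):
        t = self._pending[nonce]
        msg = f"{nonce}|{t.beneficiary}|{t.amount_cents}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:6]

    def phone_prompt(self, nonce):
        """Second channel: what the bank reads out or texts, built from the
        transfer as the bank sees it, never from anything the browser displays."""
        return self._pending[nonce], self._code(nonce)

    def confirm(self, nonce, code_from_user):
        """Execute only if the code bound to the received transfer comes back."""
        expected = self._code(nonce)
        received = self._pending.pop(nonce)
        if code_from_user is not None and hmac.compare_digest(expected, code_from_user):
            self.executed.append(received)
            return True
        return False


def user_confirms(intended, prompt):
    """The customer reads the code back only if the transfer described to them
    matches the one they meant to send."""
    shown, code = prompt
    return code if shown == intended else None


def run_out_of_band(bank, intended, reaching_bank):
    """No convergence point: the prompt comes from the bank's own record, so a
    browser that rewrote the request cannot also alter what the user compares."""
    nonce = bank.request_transfer(reaching_bank)
    return bank.confirm(nonce, user_confirms(intended, bank.phone_prompt(nonce)))


def run_in_band(bank, intended, reaching_bank):
    """Weak variant for contrast: the same prompt rendered inside the browser.
    Whatever controls the browser also controls the description the user sees,
    so the user is shown the intended transfer and approves the rewritten one."""
    nonce = bank.request_transfer(reaching_bank)
    _, code = bank.phone_prompt(nonce)
    return bank.confirm(nonce, user_confirms(intended, (intended, code)))


# Constructed sample: the customer intends one transfer; a browser trojan
# rewrites the request before it reaches the bank.
INTENDED = Transfer("Acme Title Co", 4_500_00)
REWRITTEN = Transfer("unknown-beneficiary", 88_000_00)
```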



Saturday, May 29, 2010

Phishers Ambush Military Credit Unions

Internet.com is reporting that "a number of bogus Web sites that appear to be the official pages of a pair of credit unions used by military personnel are actually phishing traps designed to steal soldiers' identities."



Phishing can be eliminated. What they are "phishing" for is online banking passwords and usernames. Get rid of the antiquated login process and start "really" getting serious about authentication.



Replicate the same trusted process used to dispense cash "in real time" from an ATM, and two-factor authenticate the online banking session by having customers swipe their bank-issued card and enter their bank-issued PIN.



Start doing that, and banks will eradicate the "phishing" problem...because there will be nothing left to phish phor.



The money banks spend "phighting" phishing can be spent providing their customers with a PCI 2.1 Certified PED resulting in the complete eradication of the threat posed.  (it would also provide an ROI to the issuing bank via interchange revenue derived from usage of the device for eCommerce purchases)



What's the phake phishing site going to ask people to do? Swipe their card and enter their PIN? Worthless move. It's instantly 3DES DUKPT encrypted inside the device, and guess who "doesn't" have the encryption key? If you said the phisher, you're right. If you said the online banking customer, you are also correct. The way it's done now, the customer does have the information being phished phor.



Translation: No more username/passwords.



Even the customer him/herself does NOT have the "information" the phishers are looking for so they cannot be "duped" into providing it.



Make sense? When the card is swiped and the PIN entered "outside the browser and inside the box", there isn't "ANY phishable" information.






That's why Eugene Kaspersky of Kaspersky Labs last week called for "MASS adoption of peripheral card readers for ALL internet banking customers."



May 28, 2010, by Larry Barrett


Phishers don't play favorites and their latest intended victims are the men and women in uniform.









As eSecurity Planet discovered, several clever phishing traps have popped up online in the past year with almost the exact same look and feel of a pair of popular credit unions primarily used by folks serving in the U.S. military.


Security software experts are warning customers of both USAA, an insurance and financial services firm, and the Navy Federal Credit Union to be especially vigilant before divulging their Social Security numbers, passwords, account numbers and other personally identifying information.
Symantec said this latest attack comes from Web sites hosted on servers in Taiwan, and variants of this particular phishing URL have been used to spoof other online brands as well.

U.S. Strategic Command officials are joining leading security software vendors in warning soldiers serving in the U.S. Army, Navy, Air Force and Marine Corps to be on high alert for a new phishing scam targeting customers at a pair of credit unions catering to servicemen and their families.
Gen. Kevin P. Chilton, the STRATCOM commander, is warning soldiers and their families that bogus Web sites imitating both USAA, a popular insurance and financial services firm catering to military families, and the Navy Federal Credit Union have successfully stolen the personal and banking data of an unknown number of customers. 

Read the full story at eSecurity Planet: 

Phishing Scam Targets Military Credit Unions






Saturday, May 8, 2010

Shouldn't We Have Figured Out How to Authenticate an Online Banking Session with a PC Before Introducing Mobile Banking?

I have a burning question.



Shouldn't the banks have figured out how to authenticate their online banking sessions using PCs before they started introducing Mobile Banking?



They're not going to do the username/password thing again are they? Didn't they hear? That doesn't work.



It's not that there isn't a solution. Again, the easiest, most trusted and most familiar method to authenticate the online banking session is to do what we do at an ATM.



Hundreds of millions of Americans are both familiar with the process and trust it. The banks seemingly trust it as well (or they wouldn't give you $200 at 2:00 AM two thousand miles away from their main branch when you swipe your bank-issued card and enter your bank-issued PIN).



So why do banks still ask us to "type" in our username and password? What don't they get? (Because keystroke loggers, phishermen and online banking trojans all seem to get it.)



Here's a rhetorical question for you...



Do you think that banks would trust an easily obtained "username and password" to dispense cash from their ATMs? No?



Then why do they push this antiquated login method for online banking? Don't they understand that all they are doing is creating a gateway for the bad guys to obtain sensitive online banking credentials?



The long and the short of it is that banks still haven't introduced a viable authentication platform for online banking (such as using a PCI 2.0 Certified PIN Pad for two factor authentication) and now they are going to simply "shrug their shoulders" and introduce mobile banking platforms.





Man oh man, when I replaced "Economy" with "Typing" in Clinton's "It's the Economy Stupid" and introduced the "It's the Typing Stupid" slogan, I thought I was being facetious, but maybe, just maybe, I was right on.



Banks cannot continue to shrug off security... it will be their own undoing. Instead, I'd love to see an American bank step up to the plate and be the first (30% of Europeans use a card reader to authenticate financial transactions) to issue our devices to their online banking customers. Watch what happens. It ain't about convenience anymore. It's about securing people's money.



The lack of monetary security breaks up marriages every day... if you are a banker, don't think for a moment that a lack of monetary security won't destroy your relationship with your customer.




I guess now is the time we move from the "Online Banking is Not Secure" era into the "Mobile Banking is Not Secure" era. Banks need to "pitch" security. The Security Pitch would produce an "ERA" they could be proud of.



Let the games begin with this... ComputerWeekly has published a couple of articles over the past 10 days questioning the security of Barclays' Mobile Banking platform. Now the Information Commissioner's Office is involved...





ICO in talks with Barclays over weak mobile banking security

The Information Commissioner's Office (ICO) is in talks with Barclays Bank about the security set-up of its mobile banking service.





Simple security questions expose details of Barclays' mobile customers





The personal information of millions of people is potentially at risk of exposure on Barclays bank's mobile banking site.
People who lose their bank card, or have their card details copied, could have their banking transactions exposed to prying eyes, Computer Weekly has discovered. The problem affects the Barclays.mobi web link which connects customers to pages designed to be viewed on mobile phones. The site allows users to view their financial transactions if they answer four basic security questions.
Three of the answers are available on the card itself. These are surname, 16-digit account number and three-digit security code. The other question is the customer's date of birth. 


Editor's Note: Believe it or not, banks are still under the impression that those "four questions" constitute "multi-factor" authentication.



Here's a tip.



Anytime you "type" ("anything") into a browser (yes, mobile browsers too) it can be lifted by a bad guy.



So it doesn't matter if you type two things (username and password), four things (username and password, card number and three-digit security code) or ten things (you get the idea).



Typing is the problem and requiring that people type more information into boxes in browsers isn't the solution. A PCI 2.0 Certified PIN Entry Device utilizing 3DES/DUKPT Encryption is... 




If someone is going to "Swipe" your card information, shouldn't it be you?
 