While the media at large is all agog at Stuxnet, they would probably do better to keep their writers looking at Zeus. Zeus/Zbot must be one of the most successful banking trojans ever. It's been around for three (four?) years, and no doubt has made some of its originators very, very rich. McAfee last week published a write-up on the capabilities that come with the recent Zeus build kit. Yes, there's an actual application that lets you create custom versions of Zeus. If you're an online banking user who feels safe because your online bank uses one-time passwords, or because it sports one of these cute "on-screen keyboards", think again: Zeus has got them all in the bag.

Brian Krebs regularly reports on the latest frauds linked to this family of malware. Recently, he wrote about a church that lost $600k from their accounts to key-logging malware.

Somehow, it looks like the banks either don't care, or don't grasp the concept of "defense in depth", or both. Here are four simple measures that would make online banking fraud a whole lot harder:

* Changing my email address / mobile phone number on file can only be done by visiting my bank branch in person

There, dear banks: all of this can be implemented basically for free. You can even allow your customers to opt in voluntarily. You'll be surprised how many of them do so; you know, folks and organizations who actually earn their money the hard way seem, oddly enough, to care a whole lot about keeping it safe. I have no doubt that a new Zeus version would eventually find a way around these measures. But if you don't fight, you have already lost. Banks, get off your collective behinds, and evolve, please.
Daniel, ISC Handler, Sep 28th 2010
The attacker controlling the victim's PC could easily delete the mail (step #3) locally or by using the keylogged login.
Alex, Sep 28th 2010
Updated to read email/SMS. Out-of-band to the mobile device is what I meant. And yes, with full control over the PC, this can still be tampered with, but it makes things harder for the bad guys. And that's what it should be all about.
Daniel, ISC Handler, Sep 28th 2010
"... If you're an online banking user who feels safe..."
There is/should be NO SUCH THING, to the tune of $559.7 million last year: http://www.ic3.gov/media/2010/100312.aspx ... and that's only what was reported. The only ones who have the real total are those who are now spending it. To the banks, it's just a "write-off", just another "stroke of the pen" for the accountants.
Jack, Sep 28th 2010
Hmmm... that's 559.7 million... the dollar sign seemed to mess up the post.
Jack, Sep 28th 2010
Banks don't care because, to a large degree, consumers don't care. They appear to care when there are major announcements of fraud, etc., but *most* of them don't -- not for long, anyway.
Just look at the very minor repercussions experienced by TJ Maxx (from a customer standpoint) after its breach announcement. Banks will start caring when more people care more regularly, and are willing to put their money where their mouths are.
Jack, Sep 28th 2010
Banks will really start caring when laws make them liable for online verification in the same way as paper verification. Why is it that if someone forges a paper check the bank is liable for not doing proper verification, but if an electronic transfer is forged, they just wash their hands (or at least most do)?
RichH, Sep 28th 2010
The big problem with #1 is that online banking was set up to reduce foot traffic in branches, and therefore overhead, by having less full-time staff for branches.
Anthony S., Sep 28th 2010
To the consumer, online banking is about convenience first, security fifth or sixth. You can't make them go to the branch to make a change for their online identity. You can't make them wait 7 days to pay a new bill. You CAN educate your users, something I see very few banks doing in a real way. Krebs is probably the best teacher out there on this stuff, but the people who most need his advice won't see it.
@Anthony, I think the reason a check has better liability protection is that it is proof of the forgery... tangible paper with a signature, harder to ignore than non-random packets from outer Slobovia.
Paul, Sep 28th 2010
The base of the problem here is that e-banking solution design should always consider the end-user computer to be compromised, and most don't... Solutions such as IBM's ZTIC and the IronKey USB key go along that thinking. That does not mean they're the perfect solutions, but they are properly aligned...
Paul, Sep 28th 2010
@daniel:
Thanks for your answer and for expanding #3 with the SMS channel. I'll opt to answer with http://www.h-online.com/security/news/item/Banking-trojan-ZeuS-homes-in-on-SMS-TAN-process-1097104.html
Alex, Sep 28th 2010
At least the German Spiegel has an article about PayPal that states that they are accepting credit card data promiscuously: http://www.spiegel.de/netzwelt/web/0,1518,719825,00.html
Jens, Sep 29th 2010
I wouldn't like the physical branch visit requirement -- my bank doesn't have any!
packetdude, Oct 1st 2010