Schneier on Security
A blog covering security and security technology.
« Hacker Firefox Extensions |
| Chemical Plant Security and Externalities »
October 17, 2007
Future of Malware
Excellent three-part series on trends in criminal malware:
When Jackson logged in, the genius of 76service became immediately clear. 76service customers weren't weren't paying for already-stolen credentials. Instead, 76service sold subscriptions or "projects" to Gozi-infected machines. Usually, projects were sold in 30-day increments because that's a billing cycle, enough time to guarantee that the person who owns the machine with Gozi on it will have logged in to manage their finances, entering data into forms that could be grabbed.
Subscribers could log in with their assigned user name and password any time during the 30-day project. They'd be met with a screen that told them which of their bots was currently active, and a side bar of management options. For example, they could pull down the latest drops -- data deposits that the Gozi-infected machines they subscribed to sent to the servers, like the 3.3 GB one Jackson had found.
A project was like an investment portfolio. Individual Gozi-infected machines were like stocks and subscribers bought a group of them, betting they could gain enough personal information from their portfolio of infected machines to make a profit, mostly by turning around and selling credentials on the black market. (In some cases, subscribers would use a few of the credentials themselves).
Some machines, like some stocks, would under perform and provide little private information. But others would land the subscriber a windfall of private data. The point was to subscribe to several infected machines to balance that risk, the way Wall Street fund managers invest in many stocks to offset losses in one company with gains in another.
That's why the subscription prices were steep. "Prices started at $1,000 per machine per project," says Jackson. With some tinkering and thanks to some loose database configuration, Jackson gained a view into other people's accounts. He mostly saw subscriptions that bought access to only a handful of machines, rarely more than a dozen.
The $1K figure was for "fresh bots" -- new infections that hadn't been part of a project yet. Used bots that were coming off an expired project were available, but worth less (and thus, cost less) because of the increased likelihood that personal information gained from that machine had already been sold. Customers were urged to act quickly to get the freshest bots available.
This was another advantage for the seller. Providing the self-service interface freed up the sellers to create ancillary services. 76service was extremely customer-focused. "They were there to give you services that made it a good experience," Jackson says. You want us to clean up the reports for you? Sure, for a small fee. You want a report on all the credentials from one bank in your drop? Hundred bucks, please. For another $150 a month, we'll create secure remote drops for you. Alternative packaging and delivery options? We can do that. Nickel and dime. Nickel and dime.
And about banks not caring:
As much as the HangUp Team has relied on distributed pain for its success, financial institutions have relied on transferred risk to keep the Internet crime problem from becoming a consumer cause and damaging their businesses. So far, it has been cheaper to follow regulations enough to pass audits and then pay for the fraud rather than implement more serious security. "If you look at the volume of loss versus revenue, it's not horribly bad yet," says Chris Hoff, with a nod to the criminal hacker's strategy of distributed pain. "The banks say, 'Regulations say I need to do these seven things, so I do them and let's hope the technology to defend against this catches up.'"
"John" the security executive at the bank, one of the only security professionals from financial services who agreed to speak for this story, says "If you audited a financial institution, you wouldn't find many out of compliance. From a legal perspective, banks can spin that around and say there's nothing else we could do."
The banks know how much data Lance James at Secure Science is monitoring; some of them are his clients. The researcher with expertise on the HangUp Team calls consumers' ability to transfer funds online "the dumbest thing I've ever seen. You can't walk into the branch of a bank with a mask on and no ID and make a transfer. So why is it okay online?"
And yet banks push online banking to customers with one hand while the other hand pushes problems like Gozi away, into acceptable loss budgets and insurance -- transferred risk.
As long as consumers don't raise a fuss, and thus far they haven't in any meaningful way, the banks have little to fear from their strategies.
But perhaps the only reason consumers don't raise a fuss is because the banks have both overstated the safety and security of online banking and downplayed negative events around it, like the existence of Gozi and 76service.
The whole thing is worth reading.
Posted on October 17, 2007 at 1:07 PM
• 27 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
...The banks know how much data Lance James at Secure Science is monitoring; some of them are his clients. The researcher with expertise on the HangUp Team calls consumers' ability to transfer funds online "the dumbest thing I've ever seen. You can't walk into the branch of a bank with a mask on and no ID and make a transfer. So why is it okay online?"
Exactly. I have no problem with a person INITIATING a transaction online.
But the CONFIRMATION for that transaction MUST be done on a completely different avenue. I'd suggest using the phone number that the customer has on record.
But more often than not the ability to change personal information such as telephone number and address are the first things added to a web interface to your bank account.
Even if changing that information on the website isn't possible, it is surprisingly easy (frightening really) to get the phone company (any of them) to setup call forwarding for you on a line other than the one you are calling from. You have no guarantees that the number you are calling doesn't forward somewhere else.
By opening up services to allow remote use, be it by telephone or Internet, you're increasing the pool of people who can attempt to exploit them. If I live in a town of 30,000 and my bank is local, that means there are about 30,000 people who could conceivably convince the bank to give them my money. If by bank allows for online transfers, that number jump up to everyone with access to the Internet..
Oh, that's not at all fair to the banks and other "financial institutions". Certainly the worst of the bunch might do that, but others have taken even small instances of this sort of thing very seriously, investing way more money than would be indicated by the actual potential fraud loss.
@Brandioch Conner's comment ..
Online Banking is not the dumbest thing, it's a good thing.
Alternatives have costs and issues too.
- Travel has it's risks
- Paper mail gets lost & stolen too.
The problem is not the services but the security implemented by banks as well as consumers who do dumb things like save forms on a computer and "not" have a firewall, or better still, not even know about it.
They are like the guy who was using his lawn mover to trim the hedge and sued claiming the lawn mower design let him do it.
In this case the culprits appear to be consumers for letting their machines be hijacked .. and not the banks.
Using the Interwatch system to monitor our property in Cyprus, yes Cyprus! Security is becoming an issue over there (only minor granted) so we feel to install the some kind of surveillance system like the Interwatch holiday home system gives us a little protection. Gutted that we have to do this but this is world we now live in I guess.
I know Interwatch and I know Jason Farley who works with them.
He is the proprietor for CY Security.
Great guy, not sure about his singing though!!!!
"Online Banking is not the dumbest thing, it's a good thing."
And the people who "stole" 8 million + "identities" would agree with you.
Their victims would not. I do not.
"Alternatives have costs and issues too."
It isn't about whether something else costs money or can be cracked. It's about:
#1. Is this way more or less secure than the alternatives? It is less secure.
#2. Is this done as securely as possible? No.
#3. Is the customer willing to pay for that level of security? That is to be determined.
"They are like the guy who was using his lawn mover to trim the hedge and sued claiming the lawn mower design let him do it."
No. Anyone can sue anyone else over anything. That is our legal system. It has nothing to do with security.
"In this case the culprits appear to be consumers for letting their machines be hijacked .. and not the banks."
The bank accepts such activities from machines that are KNOWN to be vulnerable ... and does so without ANY other validation.
If the money was coming out of the bank's profits, you'd see the system completely revamped tomorrow.
I'm with you, Brandioch, to a point.
Banks can't implement new security protocols that make life more difficult for their users unless all the banks do it; otherwise their customers will pack up and leave to another bank that doesn't make them do anything else to get to their money - customers bear some responsibility here.
Here's where I'll chip in and say banks should be required to offer two channel authentication (I really like this term, and I'm surprised that there's no wikipedia entry for it yet) for e-bankers, or they need to offer a secure terminal.
Now BofA needs to either implement a two-channel auth system, or they need to distribute some sort of e-checkbook. But so does Wells Fargo, and any other bank that wants to let their customers e-bank. So BofA customers who get disgruntled at having to go through an extra step to pay their bills can't just pack up and move to Wells Fargo.
The cold reality of it is that our banking system as currently deployed enables insecure terminals, and that can't be solved in a single channel, but you can't expect any one bank to take on the burden of trying to change the industry (and alienate their customers).
Dunno, but over here in Germany (and many other European countries), money transfer via Internet is absolutely common. It is also taken as a fact that there are password stealing or man-in-the-middle Trojan Horses sitting on the customer's PCs. Therefore, banks are enhancing their authentication protocols accordingly. Many will authenticate transactions by having them signed on a separate token (user will have to type in some essential data, like recipient's account #). Granted, it makes banking slightly more inconvenient, but it is accepted widely by the customers. I'm not sure I understand why this should not be an option for US banks.
Enhancing online banking security even more is not a matter of banks not caring, it's just not a priority because the customer is not asking for it; this is mostly because the customer generally isn't liable for the losses (at least when we're talking consumer banking, not commercial banking.)
It's just like credit cards - why demand enhanced security, and thus generally decreased ease of use, if you're not liable for potential damages? On the surface it makes zero economic sense for the consumer to do so, so they don't.
We could of course try to make arguments surrounding ID theft, but let's face it - if your machine is a bot, no online security mechanism in the world is going to save you from people stealing your date of birth, SSN and other info needed to obtain credit.
@Anonymous, it's not just a matter of customers not asking for it, it's also that bankers expect customers will object to it if it causes inconvenience.
unfortunately they're probably correct.
As someone who has multiple accounts compromised from unknown sources, I don't consider it a pain to fix everything.
The credit card companies call me when their software sees a weird charge, they change my account number, remove the charge, and I never hear about it again.
Once it happened with a bank account, and that was frustrating, but the bank merely put replacement funds in the account immediately, and a few weeks with a letter confirmed that the transaction was fraudulent.
Now... it could have been worse. Perhaps attackers will begin to make transactions that don't look fraudulent, and are difficult to prove as fraudulent.
But the reality is there is no guarantee online banking had anything to do with the fraud. It could just as easily have been the waiter at a restaurant. They only get to take your card and write everything down out of view, including the super secret number on the back.
If banks and creditors are comfortable with losses due to fraud, that's not my problem. Banks and creditors have bent over backwards to rectify my accounts... usually in minutes, so I don't ever feel like I've been inconvenienced as a "victim"
As a German now living in the US I was very surprised to see how underdeveloped internet banking is over here. The last time I sent a physical check around in Germany is as least 10 years ago. Here, I have to remember each month when to send what amount to whom. In Europe, this stuff was done automatically. And in all this time I never had a problem with it. And when a suspicious transaction took place, I could always go to my bank and tell them to undo it. The party who initiated this suspicious looking transaction then had to provide proof to the bank that it was indeed legitimate. If one transfers money online to somebody else, one is required to enter a one-time-password (sorta like S/key). A list of these one-time passwords is sent via regular mail. It is now also possible to get these passwords over the mobile phone. One requests it when one wants to finish a transaction and it is sent to your mobile phone and just valid for this single transaction. I would like to see something similar to this here as well.
I liked that a few banks here in the US started to implement 2-way authentication (European banks can learn something from that. 2-way authentication is seldom used there). And yes, it makes logging in a little less convenient, but I know why I am putting up with it. And a lot of customers would put up with it when these things were properly explained to them. It is to a large extent about education (both customers and banks).
One last thought: I have the suspicion that the reason for this underdeveloped internet banking/regular banking structure is not that the customers don't want it, but the big companies don't want it. Something like 40% of the profit of a credit card company in the US now comes from fines and penalties! Imagine what would happen to this revenue segment when all transactions would be done automatically on the due date!
The online transactions at my bank (Down here in South Africa) is quite tightly tied to the cell-phone as well. Any transaction to a non-trusted account requires you to enter a one-time-pin that is sent to your phone (or other trusted receiving point, as selected by you). Any transactions over a specified limit, and I get informed by sms, and there is a daily limit chosen by myself.
So, the only way to get into my bank account is by getting access to both my phone (physically, or by 'cloning' it) and online details. Not impossible, but enough to keep me happy without being inconvenient.
In my eyes, I'm more likely to lose more money from a stolen/lost/duplicated credit card than from a compromised online bank account.
You can also choose to use a special electronic key generator in place of this one-time code, which is in a way more secure.
If the money was coming out of the bank's profits, you'd see the system completely revamped tomorrow.
Posted by: Brandioch Conner at October 17, 2007 05:38 PM
The money will only come out of the bank's profits if they are completely negligent (or more negligent than everyone else in the industry) and everyone knows about this (e.g. through whistleblower or press). Otherwise, if security spend is increased (e.g. through regulation), the costs will generally be passed on to the consumer and profits will, as ever, increase. Wouldn't it be nice if we had a kind of security ratings agency for banks (rather than explicit regulation) which allowed me (consumer) to look at a product and say 'Hey - That's a AAA security rated credit card at an APR
However I acknowledge it's late and it's been a long day :)
Just a comment about the sentence "If I complain to my bank, they will remove the invalid transaction".
That put the costumer of the bank in the position of checking each and every transaction, and most of people do not do that at all.
One attack path is to spread very small payments ($10-$20) to generic names (which looks like shop names) once or twice a year (at the beginning) to thousands of stolen ID's.
It is still an "externality" for the bank, so no need of fixing; even if the $20 has disappeared from costumer's virtual wallet, costumer did not noticed it and so do not complain.
In average, the cost to the bank is just the invalid transactions which *are detected by costumer*, so just tell the costumer to use their credit/debit card even for very small payments - they will detect less fraudulous transactions.
The money does (in the U.S. consumer banking and credit card segments at least) come out of the bank's profit. It's just not enough yet to convince the business that it's cost-effective to increase security beyond what's required by law and regulation.
The situation described in the original item begs the question. Suppose ones PC has a Trojan -- which of the current authentication schemes would make it most difficult for the Trojan's operator. For example is e*trade's random password vulnerable to this kind of penetration.
@several, I work for a bank, and I can confirm that the costs of fraud come out of our profits, as do the costs of reducing fraud.
Part of the problem is distributed pain.
We are balancing customer pain points, the pain of draconian security measures is felt by all customers, the pain of loss is felt by few and then referred to the corporate banking institution by some of them.
We are also balancing internal corporate pain points, the pain of customer angst is felt by one part of the business line but the pain of fraud is felt by a different part. And until the issue bubbles up to a high enough level in the corporate foodchain it remains gridlocked on the status quo.
Remember, corporations such as banks are not monoliths, they are collective entities with internal politics that make our national government look harmonious.
> Suppose ones PC has a Trojan
Do not start the trojan, boot the PC from a bootable CDROM given by the bank?
The CDROM may have to detect if it is running on a virtual machine.
First, this remark was geared towards comments that I often hear from people that they are reluctant to give away their account information to companies because "they want to keep control over their account". However, what these people don't realize is that every time they sign a check they give away their account information anyway.
Second, as Bruce always says 'Security is a trade-off'. Of course, one can often come up with some scheme that breaks a certain security protocol. However, does this imply, as you seem to suggest, one never implements anything because it could be broken theoretically? The question becomes how likely is this event and is one willing to accept this risk in favor of the benefits one gets? In the beginning one should implement a solution as robust as possible and improve it along the way as new threats are identified.
Third, you don't seem to have a lot of confidence in the customers. Granted, a lot of people don't check the details of their bank or credit card statements. But some do. And your suggested attack scheme will get noticed eventually. You argue that banks still don't have an incentive to follow up. I would disagree. The reason for banks to embrace electronic transactions is the cost-saving factor. But they can only realize these savings when the customers come along. Customers who don't trust the security mechanisms in place will simply not sign up for it. And why shouldn't banks implement a similar fraud detection scheme as credit cards companies since it IS in their interest that electronic transaction are secure (if the bank management understands this is an entirely different question). Otherwise customers will continue to send paper checks around (and here fraud is possible also). All I am saying is, that in case of fraudulent transactions the burden of proof should not be on the customer, otherwise this will never get off the ground.
@Futility, "why shouldn't banks implement a similar fraud detection scheme as credit cards companies"
It's a very different dynamic. Credit Card companies don't eat the cost of fraud, banks do.
obviously similar countermeasures would not be equally appropriate to both circumstances.
I don't get your point. Doesn't this mean that banks have even more incentive to implement a similar fraud detection scheme (data-mining through the maze of electronic transactions to find patterns of fraud) when the cost of fraud falls back on them? I am not saying this should be the only security measure in place for online banking, of course.
In Upton Sinclair's book "The Jungle", we read of workers in canned meat factories who would never eat the product, nor permit their families to eat the product.
I am an IT Security professional. I don't use online banking, period, and disrecommend it to family and friends.
Call me old-fashioned, but like Mr. James, I know what goes into the sausages.
What's funny is Bank of America rolled out second factor authentication via cell-phone in September. Its optional for anyone who wants the extra security. Those that don't take on the extra risk. The problem is the customers who don't get it are the same customers who are stupid enough to fall for phising trick trojan emails, or don't have a firewall. If you mandate it you have very nagry customers who blame you for the inconvenience
In my country, Australia, some banks have a secure token authentication that you can choose as an extra security measure. It is set up for your account only and generates a 6 digit key that only works for 30 seconds. If you do not log in within the 30 seconds you must press the button and generate another one again. This is a physical item that they mail to you, separate from your computer. This 6 digit key has to be used as well as your username and another traditional password. The same thing is used for authentication on high level secure government networks.
While I find this to be a great security setup, I will NEVER EVER log onto my back account from any computer but my own. I never save passwords or forms and I wipe all cache, cookies, etc when done. I also only open one browser window when I do my banking then close that one when I finish.
A phsyical firewall (pix router), software firewall (with outbound monitoring) and antivirus is also present on the machine.
I save no financial data of any kind on my computer.
Now I come to think of it, I don't really trust the online banking very much. But I do feel secure enough to use it the way I just mentioned. The convenience far outweighs the risk, when doing it the way I stated above at least.
Most other infosec pros I have talked to claim banks are probably among the most security conscious of business sectors. But, I've witnessed some pretty negligent attitudes about infosec in other sectors, so it doesn't entirely surprise me if some/most banks take a "do the minimum necessary" approach. It's all about dollars, after all. And doing the minimum that one can get away with is considerably cheaper than doing the right thing.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.