Huge Online Bank Heist

Wow:

Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona—up to £580,000—in what security company McAfee is describing as the “biggest ever” online bank heist.

Over the last 15 months, Nordea customers have been targeted by emails containing a tailormade Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved.

This is my favorite line:

Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea security procedures.

Um…hello? Are you an idiot, or what?

Tags: , , , , , , , , ,

Posted on January 23, 2007 at 12:54 PM106 Comments

Comments

Pat Cahalan January 23, 2007 1:36 PM

Are you an idiot, or what?

Heh.

“or what”

Ehlin’s certainly not going to blame their own security procedures (or lack thereof) and thereby not only eat the £580,000, but put the bank on the hook for the next big heist. If nothing else, they’re going to hit up their insurance company for some/all of the losses, and publicly saying, “our security is less than stellar” is going to make your insurance claims adjuster purr and roll over in the warm sun for a belly scratch while languidly reaching for his “DENIED” stamp.

I personally like this quote: “Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users affected had not been running antivirus on their computers.”

Most? So… the Trojan infected some people who were running antivirus software? Isn’t that actually the newsworthy detail, there?

Anders Gustafsson January 23, 2007 2:05 PM

Of course there aren’t any deficiencies in Nordea security procedures.

The fact that the login form is NOT https, but only posts to a https page so no ssl certificate checking happens until it is too late is no deficiency, is it?

And using 5-digit one time codes provided on a card with 100 codes that can be used in any order so if someone gets hold of some of these they can use it at a later time, that is just part of nordea’s great security?

One may wonder why nordea use this system when every other Swedish bank use a challenge-response system with a token..

tg January 23, 2007 2:19 PM

As I understand this exploit – customers were offered a free virus scanner with a builtin keylogger aimed at the NORDEA logon process. This scanner apparently came from somewhere in Russia. Pretty dum to accept such an offer but hardly NORDEA’s fault.

tcliu January 23, 2007 2:34 PM

Anders Gustafsson: “100 codes that can be used in any order”

Not in any order. You have to use the codes in order.

That said, I believe Aftonbladet had an article that basically said that all Swedish banks use crap authentication measures. Again, no excuse for Nordea, but I bring it up because the reason for that assertion was interesting: Specifically, as the article notes, there is no bank where your access token tells you what you are signing when you use it.

Instead of typing in a code in the access token, I should type in the amount and account number (for example), and use that to sign. That way, I’m safe even if an attacker intercepts the “please sign your order” page.

Jay January 23, 2007 2:35 PM

If NORDEA had a internet security team they should have detected the matter and made public the security measures against it. so part of the blame false on NORDEA as well.They weren’t vigilant enough

Guillaume January 23, 2007 2:40 PM

If that Nordea bank has any fault, it’s that they should have a transaction based anomaly system. Unusual transfers, address change and the like should have raised a flag.

It might not have prevented the fraud alltogether, but I doubt it would have lasted 15 months and scraped so much money…

Tokens and challenge helps somewhat, but are easy to circumvent for a custom made trojan.

Göran Dahl January 23, 2007 2:47 PM

One of Nordeas biggest problems right now is their credibility in handling this matter.

To constantly, stubbornly stick with the statement that their system is as secure as any other Swedish bank is outrageous.

A quick fix right now would be to at least print ID numbers on top of each and every one-time-code, and then CHALLENGE the user with a specific code. (Not taking them in order). This would make it a little more secure on the short-term basis.

The long term fix is of course as a lot of other people has suggested: A hand-held signing challenge-response token. No software, no personal certificates, no files, no more extra pincodes.

tcliu January 23, 2007 2:49 PM

Guillaume: “Tokens and challenge helps somewhat, but are easy to circumvent for a custom made trojan.”

I disagree. If you accept that the token is secure and trusted, then the problem reduces to getting messages securely from the bank to the token and back, along an untrusted path.

(Of course, if someone can hack the token, then you’re dead.)

McGavin January 23, 2007 2:51 PM

The security of my house is excellent…

I was only robbed because I left the window open, not because of a deficient security system.

Janek January 23, 2007 3:00 PM

Just to make things clear:
* The codes CAN be used in any order. (I’m a Nordea customer, I’ve tried.)
* The codes use 4 digits, not 5.

Jason January 23, 2007 3:16 PM

Wow, 121 people involved.

That seems high to me. Usually breaking in over the internet enables greater efficiency for crooks, not less given that computers enable so much to be automated….
I wonder what the average number of robbers which are needed for a job this size using only physical security to break in.

AlexP January 23, 2007 3:27 PM

Acoording to a Russian expert quoted in the Moscow Times on this hack ‘the attacker must have also been in possession of the database of the bank’s customers’. Inside job?

Dom De Vitto January 23, 2007 3:44 PM

Ok, I used to be in a small (5 techies) that ran the 3rd largest banking op in the world:

The purpose of a Bank’s security team is NOT to stop people doing stupid things.

The purpose of a Bank’s security team is to stop the bank’s shareholders/owners from getting a fiscal surprise.

Clearly the Bank’s security was massively flawed, not because some small (IMO) amount was stolen, but because the number of customers using online banking will drop significantly. This will result in an upshift in phone calls, and physical walk-ins, requiring more staff-hours, and higher costs.
In some cases, branches that have been downsized to a handful of staff will now not be able to cope, resulting in either the cost of hiring extra staff, until customer confidence is back, or alternatively riding out a period of long queues, and consequential customer churn.

So did the bank security fail? Absolutely.

Of course, outside the circle, people/customers think that bank security is to protect customer money, rather than bank share price!!

Half a million, for a bank, is chicken-feed – maybe the operational cost of 10 staff.

Dom

Pizo January 23, 2007 3:51 PM

To AlexP:
No, in this case they spammed a variant of the Haxdoor trojan in an “ordinary” mail with enticing text in it. Once installed it waits for predefined stuff to happen. In this case a web form with a field name “Skrapkod1”. Then it took over.

The other phishing attempts on Nordea during last fall they used standard phishing techniques and spammed all of Sweden.

No need for an insider to smuggle out databases in the middle of a dark and musky night

Dom De Vitto January 23, 2007 3:52 PM

The attacker has a list of customers???

Customer list data is the most valuable thing a bank has, the attackers could just contact the customers and social-em out of their money, no trojan required.

Thinking about the size of the attack, 250 customers, maybe a Swedish ISP has a dirty employee, logging which IPs are going to the banking site, and converting that into a list of email addresses? Police should check that vector, as it seems simple and effective.

bob January 23, 2007 3:57 PM

I’m a little confused as to “where” the criminals transferred the money to? Is this perhaps how they’ve traced/tracked the 121 suspects?

J. Siren January 23, 2007 4:14 PM

Okay. For your information, Nordea is a result of the merger between two major banks: the Finnish Merita and the Swedish Nordbanken. As a result, the security practices are slightly different across the gulf. (Of Bothnia. Look it up.)

In nordea.se, according to Firefox’s report, the central frame of the login page is encrypted with 128-bit RC4, although the page as a whole is reported as not encrypted. Not having an account at Nordea Sweden, I can’t verify the encryption any further. It offers three ways to log in:
1) username+password+one-time-password.
This gives access to all of the services available to the user.
2) username+password.
This gives access to a limited subset of services, essentially only allowing to view the status of the user’s accounts and transfer money between the user’s own accounts.
3) smartcard login.
I presume this would give full access; I don’t know.

The public web pages don’t tell any details about how transactions are entered into the system. A previous visitor commented that the one-time-passwords can be used out of order, so given a table of 100 four-digit passwords (is this correct?), a random OTP would have a 1 out of 100 chance of success at best (an unused table) and a 1 out of 10000 chance at worst (only one password left). The security section of the nordea.se pages talks mostly about firewalls, malware protection, and privacy issues. There’s also a pretty good article about phishing.

The Finnish system at nordea.fi is encrypted throughout with AES-256, including the login page and the logout page. Login is with username+OTP. The OTP table contains 80 passwords and 18 transaction authorization codes, which are valid as long as the OTP table is. Every transaction that requires a signature is authorized with one of the 18 transaction codes, selected by the service. This acts as a rudimentary challenge-response system. The only transactions exempt from this are transfers between the user’s own accounts (where nordea.se offers the simplified login without OTP). The OTPs must be used in order; if the customer enters a password that’s off by one or two, the system will tell the number of the current password. Otherwise it will just complain. On login, it tells the time of the last login.

The security pages focus on privacy and phishing issues; even my latest OTP card states that under no circumstances will the bank ever contact the customer by email or phone to ask for the passwords.

I’d venture to say a lot of the differences are legacy issues. Nordbanken has done things a certain way, and Merita (and its predecessors SYP and KOP) another way. What I see as risky in the Swedish case is possibly the OTP process; the actual password management process may give a random password an even higher probability of success than predicted above, and it certainly opens the whole process to phishing and fake web site attacks. The latter is especially bad, given that some browsers report the page “not encrypted” while a frame has encrypted content, allowing the user to be easily mislead about the source of the data (even more so than usual…). Forging a login page would enable an attacker to gather an username, password, and at best several one-time-passwords that the victim considers “used”, but which really are not…

The challenge-response nature of the authorization codes and using the OTPs strictly in order in the Finnish system provides a degree of protection against information theft attacks. Not to say it hasn’t been tried: there have been attacks against nordea.fi customers, consisting of web pages that request filling in several one-time-passwords plus several authorization codes, but few customers have fallen for these.

X the Unknown January 23, 2007 5:43 PM

“£580,000…15 months…121 people”

So, these people went to all that risk and effort for about £300 per month? Doesn’t sound like they’re living large on their ill-gotten gains.

not Dom De Vito January 23, 2007 6:32 PM

@Dom De Vitto

“The purpose of a Bank’s security team is NOT to stop people doing stupid things.”

I did a little searching for information about haxdoor.ki but couldn’t find anything to confirm a suspicion of mine. I suspect that the people who were infected with haxdoor.ki were running with administrative privileges when opening email etc.

You cannot stop people doing stupid things but perhaps you should assume that people do stupid things and design security accordingly.

I seem to remember hearing about a bank that used a GUI numeric keypad on their web page; the idea was that users would type in their access code by clicking on the numberpad on the screen with the mouse instead of typing. This seemed like a reasonable try to stop keystroke logging. It’s not perfect but you get the idea – whoever designed the system assumed the worst and started from there.

TNT January 23, 2007 9:36 PM

“not Dom De Vito”, a clickable numeric keypad is a good idea, huh?

No, it’s just rubbish.

It’s defeated incredibly easily (in fact, it has been defeated in multiple ways before), it offers a false sense of security, and offers nothing whatsoever other than irritating customers.

Andrew January 23, 2007 10:28 PM

The bank’s security worked perfectly.

The bank cannot be held directly accountable for any of the losses. Money belonging to depositors was frauduently withdrawn. Thus the depositors — and not the bank — were the victims.

One could also argue that a bank could keep its customer deposits in individual glass cases. So long as the bank documents that each little case is properly locked, the bank is not liable if someone smashes the glass . . .

and this is why certain minimal security standards have to be imposed on banks by law.

johnsy January 23, 2007 10:52 PM

ok TNT, rather than just disrespecting Dom De Vito’s post immediately, can you provide a constructive argument as to why numeric keypads are “rubbish” i.e. provide some links to articles or papers describing the vulnerabilities, how the keypads were circumvented (screen scraper trojan) etc.
I’m sick to death of seeing discussion threads where someone posts a comment, only to be attacked by someone of “superior knowledge” who immediately dismisses the comment as stupid. Wasn’t the idea of the www to share knowledge?

I’m fairly certain that there are people reading this discussion thread (myself included) who either use or are thinking of using their banks’ Internet banking system which utilizes this clickable keypad mechanism. So could you please provide some more information……

BTW, Dom De Vito said clickable keypads ‘seemed like a reasonable try to stop keylogging’ not that it was a good idea. I think the point trying to be made here was that it reduces the number of attack vectors for retrieving banking details, but its not perfect.

scosol January 23, 2007 11:10 PM

fta:

“The bank has borne the brunt of the attacks, and has refunded all the affected customers.”

This sounds like a “good bank”…

Tezra January 24, 2007 12:11 AM

@Johnsy
There actually is a trojan that is specially crafted to defeat the on screen keyboard.

It takes a snapshot of the screen area around the mouse cursor every time the mouse clicks.

Since I can’t remember it’s name right now I will be stomped upon for sure… 🙁

Maybe someone can help me out here?

piglet January 24, 2007 12:34 AM

“”£580,000…15 months…121 people”

So, these people went to all that risk and effort for about £300 per month? Doesn’t sound like they’re living large on their ill-gotten gains.”

I concur. If those numbers are correct, then the surprise is how little this business seems to pay. Plus, it looks like they got caught. And it seems that those attackers were competent and determined. If that’s the best they can do, then maybe Nordea’s security wasn’t so bad after all.

Another surprise is that they pulled this stunt for so long. They must have felt very secure, I wonder why. How could they expect that nobody gets suspicious!

slup January 24, 2007 1:50 AM

I think the main security breach was relying on security by minority (beware firefox users).
The nordic countries (Denmark, Sweden, Norway and Finland) each has their own language and banks despite having less than 10 mio inhabitants each.
This has kept them under the radar for major fishing attacks up until now, since most attacks are written in english or are badly translated or ar targetted at major US and british banks.

Student January 24, 2007 2:13 AM

Nordea has been targeted many times and part of the reasons is that they have had practices that are just not very secure compared to the other Swedish banks.

SEB uses a challenge response system with a token and 6 digit codes in addition to normal login. All transactions have to be verified with a challenge response.

Skandiabanken uses login and (four digit) pin, personal SSL certificates (that you need a one time code sent over SMS or post to download) and either a one-time code sent over SMS or codes taken from a code sheet sent by snail mail.

Anthony Lai, Hong Kong January 24, 2007 2:35 AM

It is hard to believe that outgoing transaction does not require second level of authentication. By the way, if the OTP or so called “Code” could be “Reused” at a later time and the Code Space is so small, I can’t imagine it could not raise any audit and implementation review concern before deployment.

In fact, there are many banks in developing countries without complete regulations and governance on its e-Banking security. Most phishers will target those profitable markets. However, the most ridiculous point is that Sweden is a developing country, is it?:)

lindq January 24, 2007 2:55 AM

The fact that they targetted Nordea isn’t surprising. If I was a phisher with a list of (scandianvian) e-mail adresses that wanted to target banks but didn’t know who was a customer where, I’d spoof the sender as the largest scandinavian bank to get a high hit rate as possible.

Also in the past has Schneier written and commented on Nordea. First positively about their authentication scheme in http://www.schneier.com/crypto-gram-0406.html#5 item 10, and then on their lack of authenticating transactions (rather than users) at http://www.schneier.com/crypto-gram-0511.html#5

And of course the bank should cover the losses of the users; it makes better business. They do NOT want people to stop trusting their security and stop doing their bank business online and instead go back to going into banks to do banking business (and demanding more bank offices and more bank employees), sending in bills via mail (to be scanned and entered into the system by bank employees) etc.

Ben January 24, 2007 3:05 AM

@Pat,

“So… the Trojan infected some people who were running antivirus software? Isn’t that actually the newsworthy detail, there?”

You’re presuming that those running antivirus software also had the latest defs.

Rory January 24, 2007 3:32 AM

Bank’s security functions do have to deal with stupid customers. Because it is a given that there will be a small (hopefully) but significant percentage who are stupid. But the protection they specify must be appropriate. For example corporate banking customers usually use smart cards, strong encryption, segregation of transaction raising and approving etc. For low net worth customers (like me) it just isn’t worth doing, although the bar is coming down due to the increasing losses.

Tokens such as SecurID are an extra layer of security, but all they do is shorten attack windows – and attacks have been tested which can exploit within the 30 second window (typically) given. Screen keyboards are another layer, but I have looked at a number of trojans which successfully screen scrape clickable screen keyboards. And anti-virus apps are another good layer.

But so many home users really don’t understand the risks, “running as admin” doesn’t even have any meaning to the majority of home users. So banks need to take that into account.

Layers…y’know like an onion. That’s all we can do.

(or parfait)

Magnus January 24, 2007 4:01 AM

tcliu:

With Swedbank you have to sign every account number you wish to be able to make a transaction to once. Then for every transaction you have to sign the amount. In other words, the worst you could easily do would be to transfer the signed amount to another signed account.

Szabolcs January 24, 2007 5:27 AM

Funny that so many banking systems are so easily fall to social engineering, trojans, etc.

In my country (Hungary) most online banking systems employ a simple method: after sending the the query for the transaction (this is obviously after a password based login), I get an SMS (Short message) to my mobile phone (the bank will only change the phone number if appearing in person and identifying myself), with the details of the transaction and a random code. I have to enter this code (which is valid for a short time only) to validate the transaction.
Even if my password is compromised, getting an SMS would still raise suspicion.

Incidentally, Most banks send SMS notification for any transaction on an account, this is very efficient against credit card fraud, because usually the SMS arrives so fast, that before signing the slip, I can verify that the correct transaction is going on. I even get SMS on failed (wrong PIN example) transactions.

Obviously this system is not foolproof, but it certenly would need considerable and non-automtizable effort to eavesdrop on a mobile phone and pair it with the correct transaction, in a limited time.

Florian January 24, 2007 5:59 AM

@Cahalan (‘I personally like this quote: “Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users affected had not been running antivirus on their computers.” Most?’)

I grow to dislike this thinking (AV == security) more and more. Many phishing Trojans are distributed by email within just a few days. There is no way the AV companies can update their definitions in time, and the users to update their AV software quickly enough.

Can we please get the relevant security measures in order:
– Not opening .exe attachments in emails. It is incredible that Trojans are still successfully distributed by simple mail attachments (“please open the attachment”).
– Having an admin account only for administrative tasks.
– Keeping one’s operating system on a current patch level.

Then, if you like, add an antivirus software for another layer of security. But there are also many happy trojanless windows users without AV, personal firewalls and the like.

Pope January 24, 2007 6:51 AM

The 121 people under investigation were tricked by the bad guys to move the money out of Nordea. Don’t know if there is some extra security checks for moving money to external banks or if the bad guys only want to (temporarily) cover their tracks. Evidently ‘the 121’ were tricked by adds (work from home, easy money..) to receive money to their accounts in Nordea and then to forward the money to external accounts minus ~5% which they could keep themselves…

Nothing beats the combination of greed and stupidity..

Mats January 24, 2007 6:53 AM

“£580,000…15 months…121 people”

So, these people went to all that risk and effort for about £300 per month? Doesn’t sound like they’re living large on their ill-gotten gains.”
This is a slight misunderstanding. The real “bad guys” are very few, the rest are people that have been fooled into lending their accounts to act as transfer points, much as in Nigeria letters.
There has been a flood of spam promising earnings from “simple jobs” to swedish e-mail adresses for some time. At least some of these have a connection to the Nordea scam

Anonymous January 24, 2007 6:57 AM

No need of phishing with Nordea…

Some months ago, a friend of mine, Nordea customer, tried their new online share management system, after being proposed by a bank employee.

He logged in and ended up being logged in as someone else !

Talk about software glitch… He could have done anything with the other guys money !

He reported the issue to the bank, who said they would look into it. He never got any more contact from the bank on that issue.

Of course he never used their online system again.

If you want more information, contact me and I will forward your email to my friend…

lindq January 24, 2007 6:58 AM

If the 121 people were just money laundring mules who lent their time and accounts to transfer money back and forth; I don’t see how that becomes the bank’s problem or anything it should detect. The genuine person is performing a legitimate transfer (the transfer is legit, the actions behind them getting the money in the first place is not).

Calwan January 24, 2007 7:20 AM

I have nordea’s internet bank.

This is how it works:
– You get a personal 4-digit code.
– You get a card of 100 4-digit codes (looks like a credit card – fits in your wallet).
– Your account number is the same as your social security number.

To make a transaction you need:
-Your personal code
-Two codes from the card.
-You social security number

Sure, it’s not a good system since the card codes work for a large period of time but hell, there has been information on phishing in red on the logon page for like 6 months now. I blame the idiots who give their codes to the russians.

Also, the login page is hosted on https. It’s just the frameset the is hosted on http (click “Calwan”).

Rich January 24, 2007 8:46 AM

@arnim

While TANs could have prevented this attack, a varation would succeed. TANs are vulnerable to man-in-the-middle so a trojan which acted in a similar way would succeed. That is, a trojan could modify a valid transaction in process.

Gina January 24, 2007 8:47 AM

I got Swedbank. And I thinkt it as safe as it gets. You have your own personal code calculator it’s based on our swedish social security numbers and dates and something in each unique calculator too I think. It calculates new 8 digit codes for each thing you do. You can’t move any money outside your own accounts if you don’t have you 8 digit code from the calculator.

I thought about change my bank to Nordea for a while. But decided not to becaus I didn’t like their code system for the internet bank. It doesn’t feel very safe when you scratch your bank codes like a cheep lottery ticket. 🙁 Glad I trusted my instincts on that one 🙂

Guillaume January 24, 2007 9:09 AM

@tcliu
If I wrote the trojan, I would made it wait for the user to log on with the uncompromised, trusted token. Then make fraudulent transactions.

If I understand correctly, your reply to Anders Gustafsson is a way to authenticate the transaction, and it’s the way to go. The more I think about it, there must be a “defense in depth” concept at the application level…

Usability tradeoffs aside, signing each sensible transaction with a token should bring the problem down to keyspaces and slowing down brute force attacks.

But if the list is just static, like the TAN link mentionned by arnim, the trojan must wait for a transaction, modifies the amount and account and adjust the display so the user doesn’t suspect a thing. Much more involved for the trojan writer, but feasible for the right amount of potential fraud.

Server-side transaction based anomaly detection is a must. Any hurdles your users are willing to put up with helps, but can burn your credibility (as an bank) security-wise if someone spends the time to circumvent them and still fraud you.

Bjorn January 24, 2007 9:10 AM

I use Swedbank and the security at that bank seams so much smarter then the Nordea version.

At Swedbank you are provided with an external device looking like a calculator witch will provide you with a unique number at that exact time, calculated via an internal clock. And you need to use this device etch time you sign on, add an new account to transfer money to and when you make the actual transfer.

This system seams almost fail safe to me, but are there any down sides? And it seams so much smarter then what Australien bank WestPac uses (the on screen keyboard thing, extremely annoying).

tcliu January 24, 2007 9:37 AM

@Guillaume:

I think we agree on the “authenticate the transaction” part. Let me just expound on what I was trying to say.

We are both talking about a man-in-the-middle attack where the user thinks he is signing one transaction, when in reality, he is signing a fraudulent one.

An example – using SEB’s system where you have a little token with a keypad and sign using two 4-digit codes that give you a 6-digit signature.

As it is now is that the user gets something like this:

You have the following orders:
100 SEK to account 12345 (Mom)
Sign using codes 1234 5678

While in reality, the order is (if the trojan intercepts the web page – which we assume it can):

You have the following orders:
10000 SEK to account 666 (Evil)
Sign using codes 1234 5678

The problem is that the user has no way of verifying that the codes 1234 and 5678 are the right signing codes for the orders shown.

However, if you had to input the whole transaction on the token, then the user would know that the signature that is being produced is for the orders input.

So, the above would be:

You have the following orders:
100 SEK to account 12345 (Mom)
Sign using code: 100-12345

if unaltered and

You have the following orders:
100 SEK to account 12345 (Mom)
Sign using code: 10000-666

if altered. The thing being that a man-in-the-middle must make his presence known in order to get a signature.

Of course, the above doesn’t stop social engineering like:

You have the following orders:
100 SEK to account 12345 (Mom)
Transaction selected for verification
using Special CyberGuard code.
This code is different from the 
ordinary and provides higher security.
Sign using code: 10000-666

And so anomaly detection is a must as well…

lindq January 24, 2007 9:40 AM

The four digit codes discussed earlier are used as TANs (see Calwan’s explanation).

UID and password will give you LIMITED access only (view information and move funds within your own accounts only).
In order to get full access, you will need UID, password and one of the one time codes, or a smart card. When logged in with full credentials and wanting to move money outside your own account, you need to authenticate that transaction with another one time code (TAN) or sign it via the smart card.

American Banker January 24, 2007 9:40 AM

You know, most American online banking sites still operate with SSL/username/password, no OTP or secure cards. With so much more capital under management, why are they not deploying more secure systems?

tcliu January 24, 2007 9:48 AM

@Bjorn

That system isn’t foolproof by a long shot.

Imagine that I send you an email:

Dear customer, we have detected problems with your bank account. Please log in and verify:

http://swedbank.se@fraud.com/login

So you – being temporarily blind and not looking at urls that much – click and end up at my webpage at fraud.com.

There, you type in your login details. The second you hit enter to log in, my webserver will start a program to log in on the real swedbank site using the login you just gave me. Since your token is just a number that is the same no matter from where you log in, my program will succeed in impersonating you.

My program will then send you the page it received from Swedbank. Now you think you are logged in – which you are, in a sense: But I see everything you do, and I can modify anything you see.

So you put in an order for 100 kronor to your mom.

I stop that order from going to Swedbank (remember, you are accessing Swedbank through my server), but I remember it for the future, and put in an order for 10000 sek to my Afghan bank account. (Good luck tracking that one.)

I then show you a page where you are asked to sign your order. Remember, the order that I intercepted?

When you sign it using the changing time key, I use the code you input to sign my transaction to Afghanistan.

Three days later, 10K of your money has gone to Afghanistan.

See my previous reply to Guillaume for a partial solution to this. Basically: The actual amount and recipient must be a factor in the signature code, and the user must be able to verify that the right account and amount is used.

Rich January 24, 2007 10:11 AM

@ bjorn

Let me add to tcliu’s and Guillaume’s excellent comments by pointing out that a trojan on your computer can also do the man-in-the-middle attack on your Swedbank transaction.

Rich January 24, 2007 10:14 AM

@tcliu

Your requirement for signing with amount and recipient only works if the signature is generated by a device off the computer. Otherwise, a trojan could hijack that process.

Lars Westergren January 24, 2007 10:21 AM

tcliu: You are right that it is not foolproof, but Swedbank at leasts takes two further security measures: First you have to go through another page and validate new “pay to” accounts using your pad before you can transfer money to them, so redirecting to another account would be difficult. Secondly, you must validate the sum of all your current transactions, so it is unlikely that you could redirect more than 100sek (unless the user is sloppy of course and does not notice that they are asked to validate “10000000” instead of “00010000”)

I agree Nordeas claim that their security is as good is rediculous.

Joacim Persson January 24, 2007 10:22 AM

So, the security at Nordea is based on the customer using a certain anti-virus programme which perhaps (or not) will prevent a specific malicious software to be planted on their computers…

It can also be added that Nordea recently told (quite explicitly) their now former customers using Linux to F*** off. “We don’t support your operating system.” — sic! (because the virus doesn’t either? eh?)

It’s not so much a question IF they are idiots, but rather WHY idiots are running a bank in the first place. Nordea is a government-owned bank (or has a history as such). This soap smells like a case of The Swedish Model of Corruption, i.e. when the most important merit for having a career within any governmental organisation or enterprise is loyalty to and contacts within the Social-democratic party. Intelligence is thereby not. Neither is service-mindness.

tcliu January 24, 2007 10:26 AM

@Lars Westergren:

How is the validation done? I was led to believe that all you had was a changing code on the token. No keypad or anything.

Does the user have to type in anything on the token when validating new accounts or amounts?

X the Unknown January 24, 2007 11:16 AM

I currently use a plugin for FireFox, called “Keyscrambler”, which supposedly protects against keyloggers. The technique seems to be to encrypt the data from the keyboard driver up to the application (FireFox). Clearly, this won’t protect at all against hardware keyloggers, but it might be of some utility against software versions.

Given the information provided by TNT, http://ip.securescience.net/exploits/virtualkeyboards.pdf , my question for the comunity is: does this software plugin offer any real security at all?

This slide-set implies that a goodly number of attacks use either screen-scraping or HTML Form-Reading to attack “secure” data. In this case, the keyboard-encrypting plugin seems to be completely bypassed…

Magnus January 24, 2007 11:46 AM

@tcliu:

Apparently my first description (first one mentioning Swedbank at all above) was unclear…

If I want to transfer 100 SEK to you account, say 1234567-8, I first need to sign “12345678” by entering it into a special signing device that’s separate from the computer. (Looks a bit like a pocket calculator.) Then I get a return code that needs to be typed on the computer. That makes your account a valid account to transfer money to (so I don’t need to sign it again). After that, I need to sign the amount by entering “00010000” (for 100,00 SEK) on the device. I get another code to type on the computer.

So to make me transfer money to your Afghan account you need to get me to type the account number for that Afghan account on the external device, and then enter the corresponding return code on the computer. Then you need to get me to sign the amount in the same way. Of course you can hijack the transfers and make them to another valid account, but getting someone to sign your Afghan account in the first place would be the really hard part…

Pat Cahalan January 24, 2007 12:00 PM

@ Ben

You’re presuming that those running antivirus software also had the latest defs.

Not really, I’m just wondering why the detail, “Most people weren’t running anti-virus software on their home computers” is relevant to the story.

I understand why Ehlin includes it (it’s an obvious dodge to throw some of the blame on the users), but from a journalism standpoint (IMO) including the statement in the report obligates you to clarify that part of the story… example, “Does the bank require customers to run AV software as part of their Terms and Conditions?” If not, the lack of AV software on the customers’ computers is not relevant. If the bank does require you to run AV software, are you required to keep it current, also, or is that responsibility supposed to fall upon the AV vendor? If they require you to run AV software and people were nailed otherwise, why?

@ Florian

I grow to dislike this thinking (AV == security) more and more.

So do I, that’s part of my point 🙂

Many phishing Trojans are distributed by email within just a few
days. There is no way the AV companies can update their definitions
in time, and the users to update their AV software quickly enough.

Absolutely.

Can we please get the relevant security measures in order:

Note, I agree with all of the below as “good security”, but even if everyone knew these rules and followed them, we would have the problem of Trojans anyway.

  • Not opening .exe attachments in emails.

“.exe” is not relevant. Trojans can and have been hidden away in any type of file, .jbs, .pcr, .bat, .exe, .doc, .png, .gif, .jpg, ,mp3, you name it.

(I’ve got a bet with myself that the boot sector virus will come back at some point when someone clever starts distributing Trojan’d .isos on bittorrent.)

Moderately aware computer users won’t open “exe” files from people they don’t know, but they may open jpg files (or their mail client may do it for them) or any other type of file. It’s not feasible for anyone to expect the common user to keep track of every announced security vulnerability in every piece of software.

How this particular Trojan spreads is more or less besides the point.

It is incredible that Trojans are still successfully distributed by
simple mail attachments (“please open the attachment”).

This isn’t incredible, it makes sense (and probably could have been avoided if anyone with paranoia had participated in writing RFC 989).

Email (commonly deployed, let’s not get into “well everyone should use PGP here) is not authenticated. As long as this is the case, any file included in an email must be regarded as untrusted.

But users, for the most part, have to have some level of trust in email, or its use as a communication medium is nulled. Very few people will go to the trouble of verifying the authenticity of an email before opening an attachment, just like very few people will actually check the signing authority of an SSL cert. You cannot expect this behavior.

I will guarantee you that I can write an email with an attached executable and send it out to everyone I know in my address book, and fully 50% of them will fall for running it (even some of the sysadmins!), in spite of the fact that I’ve informed everyone, over and over, that I will never send them an attachment.

Why? Because my “from” address comes with the psychological weight of, “The IT Guy”.

So, either ban attachments in email entirely (SMTP isn’t designed for file transfer anyway) and revoke 989 (good luck with that), or live with the fact that users are going to fall for this, forever and always. At least until you get universal adoption of authenticated email.

  • Having an admin account only for administrative tasks.

All the normal arguments of vendor discussion and poor defaults and bad security practices aside, the only reason why there is an administrative-level account on a computer is that sometimes someone needs to accomplish administrative tasks. Since personal computers, outside an organizational boundary, are owned and operated by non-computer people, those non-savvy people are going to have to be able to do administrative tasks. Device drivers require administrative access. A great many software packages require administrative access. Whether they should or not is a different issue, the fact is that they do. So people are going to run as administrators, because they are not going to take the time to log out of the computer, log back in as an admin, run their administrative task, log back out of the computer, and log back in using their normal account. You can’t stop this by saying, “It’s bad security practice”, because the existence of the administrative account, on a machine run by a non-security minded person, is the actual bad security practice. It has to exist, because otherwise people won’t buy the computer (it’s unusable to them), but placing the blame on the user is ignoring the human aspect of security.

There’s also the fact that regardless of the level of the account’s permissions, you can still trojan the machine if they can run an escalation exploit (and we don’t need to go through a list of those, we all know they exist).

  • Keeping one’s operating system on a current patch level.

Again, basic security I agree with, but again, it’s not going to stop Trojans, for the same reason you yourself mention -> zero day exploits are a problem for OS vendors as well as AV vendors.

TNT January 24, 2007 12:04 PM

X, does this plugin offer real security? Personally, I doubt it.

It certainly is completely useless against the capture of http post.

Anonymous January 24, 2007 12:04 PM

(cont.)

Also, you sign a session and not a transaction. So if I transfer 100 SEK to mom, 200 SEK to dad and 300 SEK to the dog, you sign the amount of 600 SEK. You do however have to sign each of mom’s account, dad’s account and the dog’s account once. If you’ve never transfered money to either before, that’s four return codes you need to type on the computer. If you’ve transfered money to all of the in the past, it’s only one…

tcliu January 24, 2007 12:54 PM

@Magnus:

Ok, that makes much more sense. Yes, then I would basically have to trick you into signing the wrong account numbers and amounts.

tcliu January 24, 2007 1:19 PM

@Florian:

“Can we please get the relevant security measures in order:”

No. You can’t have those, I’m afraid.

I have thought and thought about it and my conclusion is that if I, with 22 years of computer experience, still can come up with a number of scenarios where I would be fooled, I don’t think “educating the user” is the right way to do it.

In order for a personal computer to be an effective tool, you must allow the user to install programs. But with that comes the danger that the user will install something bad. There’s nothing that can be done about it. Everyone thinks that OS X is so secure because you run as a user and have to input the root password only when doing administrative tasks. Another take on that would be that OS X is conditioning the user to input the root password every time it is asked. If a program installer asks for your root password, do you tell it or not? How do you know that it will only do what it says? How do you determine that?

For all I know, someone may have cracked Bruce’s blog software and this website (schneier.com) may have exploited a FireFox bug and taken over my machine already. If I have been 0wn3d by Bruce, should I feel ashamed that I visited an “untrusted” website (see – no https or cert, Tcliu is such a gullible idiot, doesn’t he know that he should only visit safe websites)?

The problem with banking on a PC is that you use your PC for banking (serious stuff) as well as checking out the latest cool link on some obscure website or reading funny emails from friends.

Your PC will catch something. Just like you will get sick every now and then. So assume that it will happen and try to mitigate the damage.

I think Swedbank’s solution where the PC is treated as completely untrusted and you have to sign using a machine that is separate from the PC and which is single-use-only is a neat way. Own my PC all you want, but you still can’t get at my money.

(Then I wished that all ISPs would automatically resolve all DNS queries from suspected owned boxes to a website where the user would have his PC scrubbed by the most brutal anti-bot software known to man.)

Less is More January 24, 2007 1:23 PM

@Pat Calahan

Interesting contribution.

“You can’t stop this by saying, “It’s bad security practice””

Please try to persuade your friends and family to stop doing everything with admin privileges. I think that this is one of the the biggest problems we have at the moment for the average windows user.
Don’t forget the “Run as…” option as well.

Aside from defaulting to the Administrator for everything, another problem is that PCs are shipped in a configuration to make it easy to set up Windows networking. If you only connect to the Internet, there is no reason whatever to have “Client for Microsoft Networks”, “File and Printer sharing for Microsoft Networks” or “NetBIOS over TCP/IP” enabled.

Also ensure that the following services are switched off:
Computer Browser
Messenger
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Remote Registry
Routing and Remote Access
Server
SSDP Discovery Service
Task Scheduler
Telnet
Terminal Services
Universal Plug and Play Device Host
Webclient

I’ve been running like this for years (with hardware filewall and AV) without any problems.

Pat Cahalan January 24, 2007 2:07 PM

@ Less is More

Please try to persuade your friends and family to stop doing everything
with admin privileges

Oh, I do.

What I was trying to say: given the set S={computer users}, there will always be a subset S’={people who run as administrator}, as long as they are allowed to do so, and required to do so to obtain functionality they want.

Also ensure that the following services are switched off:

You’re assuming Windows 🙂

That’s a basic list, but for the most part I agree with it.

mansec-epn January 24, 2007 3:20 PM

The obvious problem is that a customers computer can not be trusted. This mandates the use of a second level of authentication. Authentication, as well as transaction level security, thus must rely on “have”-properties as well as “know”-properties of the customer. Neither alone should be sufficient. To do a transaction the bank SHOULD thus be certain that the customer know some token as well as is having some kind of device. The device should be separate from the computer and should not be connected to any external net in anyway.
The bank should also be certain that the customer is signing the transaction the bank is trying to present the user.
Signing a transaction should always be required and the signing algorithm SHOULD involve the significant part of the transaction.
Besides a login procedure all transactions should thus be signed and the signing challenge should involve for example the amount of money as well as the destination account, and the verifyable cryptographic signing should thus not rely on the computer but a the separate device.

I suppose it is better to present the password (the “know”-property) to the separate device rather than the computer, since the device is less likely to be compromised. On the other hand, if the device is stolen it is hard for the bank to recognice it.

I guess this would give a high level of security!

Any comments?

Pat Cahalan January 24, 2007 4:33 PM

@ mansec-epn

The obvious problem is that a customers computer can not be trusted.

Yep!

This mandates the use of a second level of authentication.

Nope!

It mandates that you don’t use the customer’s computer as a terminal to initiate a transaction. Whatever kind of security you glop on top is going to only solve symptoms of the problem, and in the long run will fail, because the terminal is untrustworthy.

C’mon, a Palm Pilot can be had for less than $100. A bank that wants to cut costs by allowing its customers can use a digital passbook/checkbook. It could be built to use TCP/IP, IPSec, 802.11. It can use the same IP network that the user’s computer uses -> people can still connect to a wireless network and then out to the Internet and to their bank. Keys are only transferable at a bank, so if the bank needs to revoke a key, it sends messages out to the customers and they bring their d-checkbook to the bank to get the new key. Heck, you can even eliminate a host of other security concerns, because the bank can regard the terminal as more or less trustworthy*

  • yes, I’m aware there are hacks here, but it’s infinitely preferable to using a general-purpose PC installed by God knows who maintained by nobody at all as a secure banking terminal. If nothing else, physical access to the device is required to hack it in most ways, which makes a class break orders of magnitude more difficult to achieve.

TNT January 24, 2007 4:51 PM

As for the keyscrambler extension, I took a video that you can download here: http://www.megaupload.com/?d=ZJEVNRE9

As you see, there’s nothing very “impressive” about what this extension provides. A lot of trojans, even old (Haxdoor, Metafisher, Goldun) already do this (capture http post), and I frankly doubt this extension has that much to offer against kernel-level keyloggers as well.

tcliu January 24, 2007 6:35 PM

@Pat Cahalan:

“It mandates that you don’t use the customer’s computer as a terminal to initiate a transaction. Whatever kind of security you glop on top is going to only solve symptoms of the problem, and in the long run will fail, because the terminal is untrustworthy.”

But so is every piece of network equipment between your digital passbook and the bank.

You can use the PC to initiate the transaction.

What you can’t do is use the PC to create the signature for the transaction. You can use the PC to send the signature – because in itself the signature is worthless to an attacker, since it can only be used to sign one specific order.

Minor technical quibbles aside, I think that your way may be the way to go, though. Having a special-purpose terminal for important stuff is probably the way to go.

Rich January 24, 2007 9:24 PM

Why don’t banks invest in better security? It costs too much.

I heard a talk by a security officer of a large international bank (100 million customers or something like that). The cost of the RSA secure token for all their on-line customers was almost double what they lost on-line in a year ($5 million if I remember correctly).

The other interesting tidbit was that fraud from walk-in customers using government issued IDs based on fraudulent data was considerably greater than their on-line losses.

From a financial standpoint it didn’t make sense to buy the tokens — it cost more than he lost.

lindq January 25, 2007 1:56 AM

@Rich

As long as the costs for less than perfect security is bourne by the same entity that would pay for improving security (ie the bank) I’m perfectly fine with the fact that we don’t live in a perfect world.

Then it may well make good financial sense to not implement fool-proof security systems.

JR January 25, 2007 7:39 AM

Another fine example of the low competence of management in companies run by the Swedish Labour Movement. What else could you expect when party connections are more important than credentials in management recruitment?

lindq January 25, 2007 8:15 AM

@JR:
This really is a discussion I’m not going to get in to as it’s beside the point, so I’ll just stick with the facts:

I’ll leave it as an excersise to the reader to determine whether these people were appointed based on experience in the financial industry or something else.

lindq January 25, 2007 8:26 AM

On authenticating a checksum which is unique to the transaction I want to make:

That’s what I do when I sign transfers with a smart card. If I choose to look at what’s sent for signature, I am presented with a string to sign that contains the relevant information; from and to which accounts, the ammount and time the transfer is to take place etc. This eliminates any man in the middle attacks (but still requires that the signing SW on my machine is corect).

Do I ever look at this information, potentially several hundred characters? Hardly every. Woudl I type it in by hand, on the keyboard of a hand held device. Not likely!

Rich January 25, 2007 11:09 AM

@lindq

Your signature scheme is quite good and it does eliminate the classic man-in-the-middle, but putting on my pedantic hat a trojan could hijack that process. True, it is difficult, but this discussion began with the model of a trojan.

As an aside, the weaknesses of existing hashing schemes which allow some hash collisions are feared to possibly allow a man-in-the-middle to subvert that signing process. Difficult, but theoretically possible.

lindq January 25, 2007 11:47 AM

@Rich

I doubt the problem can be solved practically. Either you will need to manually type in a lot of information on an external device to get it signed, or type it in on a (trusted) external device that will produce a hach that you will need to type in to the signing device. Users are not likely to accept either (and no one is so far be willing to fund the infrastructure).

The option would be signing something VERY short, 10 bytes at the most. Even that is pushing it when it comes to user acceptance.

Pat Cahalan January 25, 2007 11:50 AM

@ tcliu

PC> “It mandates that you don’t use the customer’s computer as
PC> a terminal to initiate a transaction. [snip] the terminal is untrustworthy.

T> But so is every piece of network equipment between your
T> digital passbook and the bank.

True, but if you trust your digital passbook and you trust the bank, you can use existing encryption technologies to tunnel through untrusted networks. Sure, you need to be careful here (you don’t want to fall for DNS spoofing, for example, or rely on any other services other than basic connectivity), and your traffic can be analyzed, but you’re trying to prevent man-in-the-middle attacks and untrusted terminals, which are the two problems we’re talking about here. That can be done now, if the bank and the customer trust the device initiating the transaction.

T> You can use the PC to initiate the transaction.
T>
T> What you can’t do is use the PC to create the signature for the transaction.

Oh, sure, that would work as well, good point. But now you’re into a two-phase process, and if we can’t get people to use basic security processes they’re certainly not going to use two different devices for online banking.

I agree that verifying transactions is a good thing… however, in the context of phishing, trojans, etc., verifying the transaction only prevents bad transactions from going through (and its cumbersome and annoying), it’s not going to prevent bad requests coming from untrusted terminals.

Why not just distribute basic terminals that are fairly trustworthy to begin with (and certainly aren’t vulnerable to class breaks)? You can still use various two-factor auth schemes to provide transaction verification (passwords and fingerprint readers on the devices), preventing misuse if the device is lost; you have a pretty easy solution to the problem of key revocation, because people can go to their bank, etc.

Not to mention the fact that they can make a digipassbook with a thumbprint reader and a stylus now that’s smaller than the existing checkbook that people have been used to having to carry around… so it’s not like you have to convince them to carry a completely new device, just a replacement one.

Pat Cahalan January 25, 2007 11:53 AM

Let me correct that last:

They’d still be vulnerable to class breaks, but they would be much, much more difficult to perform (I have already thought of a couple potential ones, admittedly), because the device itself is dedicated to one purpose.

It’s really, really hard to secure a computer. Something like this would be orders of magnitude easier to make reasonably secure, and it would certainly be much easier to recover.

tcliu January 25, 2007 2:36 PM

@Pat Cahalan:
“Oh, sure, that would work as well, good point. But now you’re into a two-phase process, and if we can’t get people to use basic security processes they’re certainly not going to use two different devices for online banking.”

I would disagree with that. In fact, all of the Swedish banks require two different devices (Nordea’s second device is a plastic card with codes scribbled on it, but still…), and I know of nobody who has a problem using their PC and their “second device”.

I think this is because it is “obvious” how to use the second device in the sense that you get immediate feedback on if you did it right (your orders are executed) or wrong (you get an error message and instructions for how to use your second device).

What you list as “basic security processes” are in fact highly un-intuitive and easy to get completely wrong. Let’s take one example: Turning off unused services in Windows.

  1. The user doesn’t even know that the services are running.
  2. Even if they did, there is no big flashing sign that tells them that they have to deactivate them before proceeding.
  3. Even if they manage to deactivate the services, there is no guarantee that some installer won’t turn them back on again.
  4. If you fail to deactivate them, you can count yourself lucky if you notice when your machine gets 0wn3d, because you probably won’t even notice it.

Seriously mate, I don’t want to start a flame war here, but I feel I have to express my gut reaction to you comparing using a simple access token like the little calculator-things that Swedish banks issue to being able to follow what you consider “basic security practices” which are highly complex. I think that not only should you re-think and take back that assertion, you should take the assertion out behind the barn and shoot it right in the head so it won’t ever come back to haunt anyone of us again.

(I’m sorry if the above paragraph is offensive – I do hope you understand the spirit in which it was written.)

Let me finish with one thing you get with using a web browser UI to interact with the bank and a second device to sign: You can copy and paste account statements into your spreadsheets. Having them only accessible on a second device would make that quite useful feature much harder.

frimble January 25, 2007 3:29 PM

@tcliu:

On OSX, this is part of what I posted for “Debating full disclosure” :

===

Apple has been touting the “security” of OSX. In point of fact, it’s full of holes that are well-known in a subsegment of the developer community. For years, Apple has left open “object swizzling” (InputManager) and mach_inject’ion — the latter only partially fixed on the intels, and the former considered a “feature, not a bug.”

But just google mach_inject — a library to over-write running code was released back in ’02, and is used for good in a number of open-source utilities. Only in the latest release, and only on intels, do they require super-user permission for code injections. And they’ve done absolutely nothing about the fact that if you slip a file into the right directory (no special permission), you can intercept and re-write any objective-c function call, which is the basis of almost all interface elements on OSX.

===

Writing a key-logger for OSX is incredibly easy. The social engineering is minimal. You don’t need to get someone to use their administrative account. All you have to do is manage to slip into ~/Library/InputManagers a few files, which can be done by anything you install. From there, you can escalate your permissions to root, by intercepting regular calls by a program that uses the password entry feature. At that point, you can inject code into any running application, even removing you InputManager, and leaving just some stub in regular code you call. And to inject into root app’s, you can then steal from any program that goes from your current privileges to root (which can be done outside of an administrative account, such as by dragging a file into a root directory).

OSX is security by obscurity.

Pat Cahalan January 25, 2007 5:51 PM

@tcliu

I think you’re confusing me with another poster.

I agree that what most sysadmins would call “basic security practices” on a windows machine are pretty unintuitive and not something I would expect a normal user to do correctly… in fact, I sort of tried to point that out 🙂

That is one of the reasons why I regard personal computers as untrustworthy.

I know of nobody who has a problem using their PC and their “second device”.

We Yanks don’t have the gizmos, so I can’t refute your experience directly, but I know plenty of people who would have a serious customer satisfaction problem with entering a transaction and then having to sign it independently through another process.

Regardless, my point is, why involve the PC at all, when it is bug-addled, security-challenged, and generally horribly untrustworthy… and you can easily and fairly cheaply distribute a dedicated device that can serve as a minicomp that’s dedicated to your financial transactions?

You can copy and paste account statements into your spreadsheets.
Having them only accessible on a second device would make that quite
useful feature much harder.

True, but you can deal with that independently -> you can still have a web interface with the bank that can show you a statement that you can cut and paste (read only access to limited information) instead of having the computer have read-write access to your financial info.

Less is more January 25, 2007 7:43 PM

@tcliu

“What you list as “basic security processes” are in fact highly un-intuitive and easy to get completely wrong.”

Yes, I agree that the Windows PC platform isn’t the nicest thing in the world for interacting with the Internet and I don’t see any simple answer to your criticisms about my suggested PC security configuration (which is far from complete but that’s another story …)

IMHO, the conflict between market pressures (release more features) and security requirements (use less features in a more controlled manner) implies this problem is not going to go away soon. My suggestion is to try to raise user awareness about web security problems among our friends and families. If you are in a position to set security policy for your work environment, then you have an opportunity as well as a problem w.r.t user training and awareness.

Pat Calahan’s suggestion that we should not trust PCs at all and require a simple, reliable second authentication device does seem to have some merit to me.

“Seriously mate, I don’t want to start a flame war here”

Me neither.

piglet January 25, 2007 7:49 PM

“We Yanks don’t have the gizmos, so I can’t refute your experience directly”

That’s true, and that’s one reason for a lot of misunderstandings. Even Bruce Schneier has written many times that customers won’t accept two-factor authentication, totally ignorant that almost everybody uses it in one form or another except North America. To be fair, because of the way transactions are typically handled in Europe, European online banking needed a higher degree of security from the outset whereas North American online banking typically doesn’t allow transactions to arbitrary destinations. My Canadian bank added this feature to its online banking platform so I could then for example pay the landlord online, but the way it was done – using social insurance number as password and the like – was total crap from the security perspective. The bank tried to add safeguards but it is worrying that this kind of transaction might become widespread without adequate security in place.

piglet January 25, 2007 8:05 PM

“Regardless, my point is, why involve the PC at all, when it is bug-addled, security-challenged, and generally horribly untrustworthy… and you can easily and fairly cheaply distribute a dedicated device that can serve as a minicomp that’s dedicated to your financial transactions?”

Are you kidding? We are using PCs precisely because they can do everything. And as tcliu pointed out, we use banking software in an integrated way, to receive and consolidate account statements and the like. Why should we welcome the introduction of “dedicated devices” for different tasks? And should every bank introduce their own banking hardware? People have multiple accounts. Or should they develop a standardized banking computer? Why should we believe that this won’t be compromised?

One of my banks has developed its own banking application that is supposed to be more secure than a web browser. I think this addresses some of your concerns. It doesn’t solve everything but don’t forget that ordinary paper-based banking is ne less vulnerable! Rather than telling scare stories about online banking insecurity, I would prefer North America to abolish its outdated checks, as Europe has done long ago. That one million dollar fraud at Nordea over 15 months (with prompt compensation for the fraud victims) is certainly peanuts compared to routine check fraud in the US. I think you are vastly exaggerating the security issues of online banking.

Dror Eiger January 26, 2007 6:26 AM

Notwithstanding Bruce’s opinion about tokens such as SecurID, it is the right choice for defense against these attacks, together with a good anomaly identification system and cellular notification upon transactions.
Considering the adversary cannot hack the token itself, the only way for him to steal money is during the fairly short time window after the user logs in. In order to go under the radar of the anomaly system, only a very small amount of money may be stolen, and then the customer will probably identify it as a wrong transaction, making the whole thing not worth it.
Since normally people don’t make more than one money transfer a day, it should be fairly easy for them to recognize transactions they didn’t make.
As Rory said, it is all about security layers.

Pat Cahalan January 26, 2007 12:38 PM

@piglet

Are you kidding?

No, I’m dead serious.

We are using PCs precisely because they can do everything.

Yes, and that’s the problem. You have a platform that’s being used for several different classes of activity (low security — high security). If you believe that security is a tradeoff, you can’t expect people who write software for what is essentially a “low security” activity to take the same approach as someone who writes software for a “high security” activity. But vulnerabilities in the “low security” software can leverage into attacks or completely bypass the functions of the “high security” software… and they run on the same machine.

This is why trojans work… because (for example) people reading email consider it a low security activity. People, as a class, are never going to be anywhere near as security conscious while reading their email as they are when they vote or bank or whatever other activities they regard as “something I ought to be careful while doing”.

And as tcliu pointed out, we use banking software in an integrated
way, to receive and consolidate account statements and the like.

It should be trivially possible to keep this functionality without enabling transactions. You could still use your computer to read your statement, for example, which could be delivered to you in a myriad of ways, without enabling your banking software on your PC to initiate the transfer of funds.

Why should we welcome the introduction of “dedicated
devices” for different tasks?

First, it’s not an introduction, it’s a replacement. You carry a checkbook and/or an ATM card now, this device could replace both, and do a better job.

Second, because by their nature some tasks require a different security profile. We don’t put airbags on a bicycle, we put them in cars. But for some reason, we expect to use our computer like a bicycle some times, and like a car some other times, and yet we expect it to be equally safe in both operating modes. This is absurdity.

And should every bank introduce their own banking hardware?

Optimally, no, of course. They don’t now. Each bank doesn’t design its own individual ATM machine, they buy from vendors who build ATM machines.

Why should we believe that this won’t be compromised?

It probably will be eventually, but it can’t be compromised in the same way that a computer can be, or on the same scale. Some pretty simple design considerations can remove virtually all of the attack vectors that hackers use now to subvert personal computers. If the device does not allow remote changes (say, the OS and software sit on read only storage that can only be changed by physical access and you take some basic steps to protect the memory stack), you can’t write and deliver a trojan that can be delivered to the device in the same way that you can attack a PC. You simply can’t subvert the device remotely.

Yes, it would be possible to have a class break instituted by an insider, but that is a threat that will never be removed.

Look, you don’t have two choices: be secure, or be insecure. That’s absurd. We’re not trying to prevent anyone from ever hacking your bank account, that’s obviously not possible.

One of my banks has developed its own banking application that is
supposed to be more secure than a web browser. I think this addresses
some of your concerns.

No, it doesn’t. You’ll note in this particular case the trojan had nothing to do with the web browser. It subverted the operating system of the machine, not the browser.

Using a personal computer to do banking has the following security problems:

(1) The operating system is demonstrably totally untrustworthy

(2) Any number of vendors write software that runs on your customer’s computers, all of whom have different attitudes towards security (and almost all of them are at the bottom end).

(3) People are going to install software on their computers.

Ergo, you can’t write secure software to run on the computer, because of (1) – (3). QED.

Now you may argue that this is a security tradeoff that you don’t want to make, because you, yourself, maintain your own computer and you’re confident in your ability to take care of it… but we’re not talking about you, we’re talking about the set S={everybody who banks}.

Don’t forget that ordinary paper-based banking is ne less vulnerable!

Say what?

On the contrary, if I go through the effort to hack your bank account by forging your check, it doesn’t necessarily give me the ability to forge anybody else’s check.

And, say I’m a traditional paper hanger, relying upon making good looking fake paper checks instead of forging one person’s signature perfectly as my main con. I have to physically pass checks. I have a window of vulnerability each time I pass a fake check. I can’t write a block of checks pretending to be from 250 different accounts in the amount of £580,000 and pass them all at once.

Digitally, it’s a click of the button.

Do you not see the difference?

I would prefer North America to abolish its outdated checks, as Europe
has done long ago.

Until someone gives me a reasonably secure method of electronic banking (and I think current methods stink on ice), I’ll stick to paying my bills with paper checks, thank you very much. Not that I use paper checks for anything else.

That one million dollar fraud at Nordea over 15 months (with prompt
compensation for the fraud victims) is certainly peanuts compared
to routine check fraud in the US.

I doubt that the bank was contractually obligated to return the money, doing so was PR on their part. If the number of victims and the amount of money had been small enough to keep the story out of the headlines, I would be totally un-astonished to hear instead a number of sob stories about people spending years getting the bank to give them back their money.

Regarding “Check fraud”, yes, the dollar figures for all check fraud make this story look like peanuts:
http://ezinearticles.com/?Fraud—Check-Fraud-Statistics&id=131847

However, this includes an extremely large class of fraudulent activities, and really, is utterly besides the point -> having a e-checkbook would eliminate virtually all of the check fraud described in the ezinearticles article (it would be impossible to write an insufficient funds check, for one, and extremely difficult to forge a check for another account).

Moreover, these numbers are also highly affected by the fact that most people in the US don’t bank online, they still write checks.

Crime goes where the pool of money is. If you suddenly get rid of paper checks and force everybody to e-bank, you’ll obviously see a huge drop in fraudulent checks, but within a couple of years you’ll see dozens of stories like this one. Rather than settle for a slight reprieve, why don’t we actually take some steps to make financial transactions more secure, instead of as insecure, in different ways?

piglet January 26, 2007 4:01 PM

Pat, we obviously disagree. I think you exaggerate the vulnerability of online banking. Theoretically you are correct, online fraud should be more efficient than paper fraud. But at least this story doesn’t bear out the conclusion. The sum is not that impressive considering it took them 15 months.

Your suggestion is theoretically a good one but it won’t happen. Online banking will not disappear on the grounds that there is a more alternative, because most people, like me, cherish the ease of use of the PC. Maybe banks will start to introduce devices as you suggest but they won’t suddenly close all the existing platforms.

I believe that on the whole, online banking is more secure than paper banking, although this claim is hard to prove or disprove. Attackers will become more sophisticated but banks will also learn and improve security. Transaction monitoring might play an increasing role, which makes sense whatever the vector of attack.

Fortunately, you can choose not to use online banking, and I can choose not to use checks (well, almost, you can’t always avoid it). I deeply dislike checks and one of the reasons for this are the indecent profits US banks are deriving from bounced check and overdraft fees, which are often not the customer’s fault. Because of the way checks work, and because of the Check 21 law that abolished check postdating, and because banks have the right to arbitrarily place holds on legitimate check deposits, check users can’t control their cash flow as well as I can with European-style online banking. This is an issue that concerns me at least as much as Trojans and phishing.

piglet January 26, 2007 4:02 PM

Correction: Online banking will not disappear on the grounds that there is a more secure alternative…

piglet January 26, 2007 4:11 PM

Forgot to mention, checks can get lost in the mail, or be delivered late, or the recipient can claim late delivery. It seems that certain US credit card companies are doing this on a routine basis to extort exorbitant late payment fees. All of this is pretty specific to the US banking system. It doesn’t happen elsewhere, not that I am aware of.

Pat Cahalan January 26, 2007 4:32 PM

@ piglet

Valid points.

Online banking will not disappear on the grounds that there is
a more secure alternative

Heh, it will if the bank says, “The customer is responsible for fraudulent charges due to operating an insecure terminal”… which, reading some agreements about online banking, they actually already do, they just don’t enforce it universally.

I believe that on the whole, online banking is more secure than paper banking

On the whole, I think it can be, but yes, we’re comparing apples and oranges, and really it’s a matter of opinion, since it’s difficult to quantify.

I think you exaggerate the vulnerability of online banking.

Picking nits here, but I think one of our differences is I’m arguing about the vulnerability space, and you’re arguing about the actual threat. I agree, online banking heists aren’t common, but I do think they can be.

Regarding all of the late fee and delayed processing points you make -> well, that’s not really a security threat, per se, that’s the bank taking advantage in loopholes in their process to maximally squeeze their customers. That’s bad business practice, IMO, but isn’t quite the same as unauthorized access to my account(s). I agree it’s certainly something to take into account, however.

Mats January 27, 2007 4:34 PM

Interesting to read the comments from the US. I’m a customer to the Nordea bank and formerly to to other swedish banks (and obviously live in Sweden). I have not used a check for at least the last twenty years. I’ve used ATM cards to get cash. To pay my bills I’ve mailed signed “payment orders” together with (mostly preprinted) “paper slips” in the same envelope. This is kind of a forerunner for online banking still used by quite a few people.
(Sorry for the somewhat unprecise terminology, but I simply am not sure of the correct terms)

Guillaume January 29, 2007 8:14 AM

@tcliu
I like the token you described. I didn’t know a company had build one. (Try “SEB token” in Google to see a case study)

The usuability aspects of it are mostly cultural, and I don’t know how such a device would be accepted over here. But the device will get better, and the need for it will grow to, unfortunatly…

piglet January 29, 2007 11:07 AM

“I’m a customer to the Nordea bank and formerly to to other swedish banks”

Tell us, what do you think about Nordeas handling of seurity, and of this special fraud? How do people in Sweden react to this?

Knutars January 29, 2007 6:53 PM

Get rid of the banks completely.
Demand your salery be paid in cash.
Store the money in your pocket beside the handgun.
It doesn’t get any safer than that.

asdf January 30, 2007 10:19 PM

“You know, most American online banking sites still operate with SSL/username/password, no OTP or secure cards. With so much more capital under management, why are they not deploying more secure systems?”

Yeah, thats what I was going to say, I had a Bank of America (which is considered one of the more secure major US banks for online use) untill a few weeks ago, and their security measures could be defeated by a simple hardware keylogger. It did verify your IP address but if you used it at a different computer you only had to fill out a form with some simple questions (what branch you opened your account at, ect)

Tim February 10, 2007 1:25 AM

I’m amazed that people who are conscious about computer security even on the broadest level are installing anything what so ever that is sent through email.

That’s the first bad deed mentioned in pretty much any Internet, and Computer Usage material on earth.

NO legitimate company’s send, or suggest executable code through an email.

Bank Accounts Australia July 3, 2008 3:01 AM

Yeah, thats what I was going to say, Bank of America which is considered one of the more secure major US banks for online use until a few weeks ago, and their security measures could be defeated by a simple hardware keylogger. So we must be careful for all those things.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.