Here's How Brazilian Crooks Steal Billions

Man-in-the-middle attack against a Brazilian payment system:

Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized crime gangs are setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the account information for the recipient of a boleto transaction. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account that the attackers control.

This is the sort of attack that bypasses any two-factor authentication system, since it occurs after all authentication has happened. A defense would be to send a confirmation notice to another device the account-owner owns, confirming the details of the transaction.

Posted on July 9, 2014 at 7:30 AM • 23 Comments


askme • July 9, 2014 8:09 AM

Clickbait headlines and odd article selection. Looks like Bruce is no longer doing his own blog. Adios.

npc • July 9, 2014 8:36 AM

Waiting for Friday to see if there will be more about Squids?

a72,e77,i69,o49,u19 totaling 286 (which isn't prime).
Title has 15 vowels, excluding those 271, the article body is prime.

He might be under duress.

askme • July 9, 2014 8:37 AM

I can ignore the headlines, but my concern is that it is clearly being used to drag in readers from around the internet that are not interested in a Security blog, but just knee-jerk reacting to a headline. Pretty soon it will be Youtube comments in here.

Me • July 9, 2014 8:43 AM

From last post:

Bill • July 8, 2014 7:08 AM

Bruce, are you okay? If you're being coerced in some way use a prime number of vowels in your next post.

Reading the post, 284 vowels (excluding 6 'y's used as vowels), I think he's ok guys.

Hugo • July 9, 2014 8:45 AM

My bank requires not previously used account numbers to be verified by an extra (2 factor) confirmation so it would defeat this "trick"

dandraka • July 9, 2014 9:25 AM

Mine does as well, but that doesn't really matter. If there's malware intelligent enough to interfere with a, let's call it, "live" e-banking session (something which, btw, was predicted from Bruce a few years ago) that it just needs to find the weakest link in the chain to get money from the account.

Possible examples :
- getting (and later using) credit card details, when the user is checking the card balance
- creating an ebanking "message" to the bank, which, at least in my bank, is accepted by bank's staff as completely authenticated (e.g. that's how I registered a change of address when I moved). That way the malware authors could change the address where the bank sends physical mail, and then request a new maestro card. If done during vacation time, I'll just notice the money missing and the crooks will be long gone.

Thomas M. • July 9, 2014 10:03 AM

My bank has a TAN generator. There is a flicker code on the screen, then you insert your bank card into the generator and let it scan the flicker code. The generator then displays the details of the transaction (account no., amount) and then generates a TAN (transaction number) from PIN generator serial #, the transaction details and some secret stored on the bank card (maybe even the chip on the card is used, I don't know the details). So the TAN implicitly contains the transaction details displayed on the TAN generator screen.
So if you always verify the details displayed on the TAN generator screen, it's impossible to fake the transaction as it would result in an invalid TAN.

Flim Flam • July 9, 2014 10:22 AM

A little straw poll: what are your favorite IT Sec / crypto blogs out there (besides Bruce's, of course)?

Chuck • July 9, 2014 10:52 AM

Na, you don't have to do TwoFactorAuthentication (you can for you as user) but one would like to have a TwoFactorAuthorization (per transaction), i.e., the transaction has to be authorized and authenticated. Don't know, why often it is just kept focus on the user authentication??

For my banking, I am authenticating myself as user with my password (yeah! can only be five characters strong! Thanks!) but any transaction is to be authorized by a TAN, that is valid only for this specific transaction - and the second channel (SMS, RSA-Chip/Terminal, flicker code) provides enough information for the user to cross-check the transaction, i.e., the amount of money and the destination. (So, who cares for just five character passwords...? well maybe someone interested in checking my financial status :-/ )

Uhu • July 9, 2014 11:08 AM

@Thomas M.
As long as your TAN generator does not display details of the transaction, with a sufficiently advanced malware you would still be vulnerable:

  1. submit your transaction
  2. the malware replaces the recipient's account
  3. the bank sends a TAN for the modified request
  4. the malware uses the flicker code but changes the recipient's account to be displayed back to the original one
  5. the user thinks everything is legit

Even if the malware cannot successfully display the original account number, I bet a number of people would not verify the details and accept the transaction.

I found an approach by IBM that, as far as I can tell, would be really difficult to defeat. I don't know anybody using it, though.

herman • July 9, 2014 11:09 AM

I think this blog is now run by an unpaid intern at the NSA just to capture the details of commenters.

Uhu • July 9, 2014 11:11 AM

@Thomas M.
Sorry, I misunderstood your description. Your device would indeed be similar to the device from IBM.

Geoff 'Shivoa' Birch • July 9, 2014 11:24 AM

Seems rather off to say this defeats 2FA but I guess it depends on how it is implemented in your region (and clearly in Brazil any 2FA isn't using the same protocols as the ones in my location). In the UK online banking uses chip&pin with the generic (all banks use a common Chip Authentication Program) 2FA code generators so logging in is 2FA (password + use one of your cards+pin in a device with the id function to generate a code) but transferring money to a destination you haven't used before & saved requires a slightly different 2FA that seems designed to combat exactly this malware target. The Chip Authentication Program device, when in signing mode to confirm the transfer, requires the pin for the card and the amount being transferred and the bank number+sort code of the account being transferred to as part of the response code generation. Anything that changed these numbers would require the person to not realise they were being asked to enter in different numbers to the ones they intended or (if it masked the true destination and showed the fake one on the screen) the response code would fail when the bank checked it.

There are known flaws in the UK system, but this does not appear to be one of them.
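The transaction-signing scheme Thomas M. and Geoff describe (the reader shows the recipient and amount and the code is computed over them), as an added example that is not from the post or any bank's actual implementation: a toy bank/card-reader model with a constructed shared secret, showing why a TAN bound to the transfer details defeats the recipient substitution in the post while a TAN that is only bound to a login challenge does not.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Transfer:
    recipient: str      # destination account number
    amount_cents: int

def make_tan(card_secret: bytes, challenge: bytes, t: Transfer, bound: bool) -> str:
    """TAN for one transaction. With bound=True the recipient and amount are
    part of the MAC input, so altering either one invalidates the TAN."""
    msg = challenge
    if bound:
        msg += t.recipient.encode() + t.amount_cents.to_bytes(8, "big")
    return hmac.new(card_secret, msg, hashlib.sha256).hexdigest()[:8]

class Bank:
    """Verifies the TAN over the transfer it actually received from the PC."""
    def __init__(self, card_secret: bytes, bound: bool):
        self.secret, self.bound, self.pending = card_secret, bound, {}
    def submit(self, t: Transfer) -> bytes:
        challenge = secrets.token_bytes(16)   # encoded into the flicker code
        self.pending[challenge] = t
        return challenge
    def confirm(self, challenge: bytes, user_tan: str) -> bool:
        expected = make_tan(self.secret, challenge, self.pending.pop(challenge), self.bound)
        return hmac.compare_digest(expected, user_tan)

def run_session(intended: Transfer, substituted: Optional[Transfer] = None,
                forged_display: bool = False, bound: bool = True) -> str:
    """One online transfer. `substituted` is what malware on the PC sends to the
    bank instead of `intended`; `forged_display` means the malware also rewrites
    the flicker code so the card reader shows `intended` to the user."""
    secret = b"constructed-card-secret"       # shared by bank card and bank (constructed)
    bank = Bank(secret, bound)
    challenge = bank.submit(substituted or intended)
    shown = intended if forged_display else (substituted or intended)
    if shown != intended:                     # attentive user reads the reader's screen
        return "user rejected"
    user_tan = make_tan(secret, challenge, shown, bound)  # reader signs what it displayed
    return "accepted" if bank.confirm(challenge, user_tan) else "bank rejected TAN"
```

The fourth case in the test (unbound TAN, forged display) is the post's scenario: authentication succeeds, yet the money goes to the substituted account.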

Sam • July 10, 2014 2:29 AM

Has it really occurred to no one that the reason for the funny headlines is the same reason as the Friday squid posts (e.g. proxy -- geddit?), namely that the man has a sense of humour?

fajensen • July 10, 2014 2:35 AM

@Sam: Nah, not possible. It is much more likely that Bruce has been replaced by an android. They are tuning it, soon it will be unleashed!

Slowhand • July 10, 2014 3:28 AM

That's way too oversimplified.

Let's assume I had a blog that many people read, and you put me under orders not to tell the public that you sent me a national security letter and Bill told me "Are you under duress ? Answer in rot13". Let's assume I used rot13 to tell what was going on. Then when you showed up on my door I suggested that I just wrote an article of meaningless gibberish for fun on my blog, and the fact that it makes sense in rot13 was entirely coincidental, do you think you would let me get away with that ?

Of course he cannot answer "in code" like that. The real suggestion from Bill is similar. But Bruce could hint at it in a way that was difficult to prove either way, without ever truly acknowledging directly in words what he was doing. In fact, even if people didn't take the hint, he could make his site so rubbish in terms of hopeless news articles that most people simply lost interest and left of their own accord; that would work too.

Gary • July 13, 2014 4:09 AM

Very poor article. Offering no insight at all. If you feel that you are obligated to put something up all the time, then maybe it's time to stop blogging. Hold yourself up to a higher standard.
