02:26:26 pm, by Igor Drokov, in Internet banking, Trojan, Social engineering

Imagine you log in to your online bank account and see that it has been credited with a few thousand euros. No, you didn't win the lottery, as a polite notice on the bank's website will inform you: there has been an error, it says, and it asks you to kindly return the funds to the sender. Here is the catch, though: if you do send the money back to the sender's account, you will be sending your own money.

This latest type of social engineering attack, executed with the help of Trojan malware, was reported last week by the Bundeskriminalamt (the German Federal Criminal Police Office). Here is a (slightly edited) Google translation of the original:

The Federal Criminal Police Office (BKA) warns of a new variant of online banking malware

The BKA warns of a new variant of malware that manipulates the online banking website.

After the victim logs into his online banking account, a message appears in a first step, under the name of his bank, indicating that a credit has been received on his account by mistake. He must transfer this back immediately to unlock his account again.

In a second step, the malware manipulates the web page displaying the online banking account balance to show the alleged receipt of the credited funds. In fact, the customer's account never received the credit.

Next, the customer is asked to make the transfer to return the funds, where the malicious software presents the genuine but already filled-in online transfer form.

Because the victim willingly initiates the transfer, the usual safeguards for online banking are ineffective and the amount is transferred to the attacker's bank account.

The Federal Criminal Police Office advises:
If you receive this message on your computer, do not make the requested transfer and contact the nearest police station. By this time the computer used is infected with malicious software.

The general rule:
Always keep your operating system and the anti-virus software you use up to date; this improves the chances that a malware infection never occurs in the first place.
Users should also be cautious with unknown links or attachments in e-mails. Malicious programs, as well as infected or fake websites, can hide behind them.


03:51:21 pm, by Igor Drokov, in User experience, Strong authentication, Internet banking

So you want to do transaction signing to protect against online banking Trojans? Here are a few videos to help compare the usability of the options.


08:00:00 am, by Igor Drokov, in Strong authentication, Internet banking

"Since the records began", here at Cronto we have been talking about AND working on addressing Banking Trojans and the Man-in-the-Browser. Back then, there were very few public real-world examples of successful attacks, and 2FA (Two-Factor Authentication), especially in the form of showing a picture of your dog, was all the rage :)

While we pronounced 2FA dead back at the beginning of 2008, it wasn't until Gartner's Avivah Litan, vice president and analyst, stated in December 2009:

"These attacks have been successfully and repeatedly executed against many banks and their customers across the globe in 2009" 

in her report on the shortcomings of 2FA methods in addressing Trojan-based attacks, that the Man-in-the-Browser/Trojan had officially arrived :).

It's arrived and it's going mainstream judging from the recent article by USA Today:

First, they [criminals] acquire valid account log-ons, often by purchasing them from specialist data thieves. Next, they quietly access accounts, making note of high cash balances and access to credit lines. They also familiarize themselves with the bank's protocols for authorizing the creation of new online accounts and approving cash transfers.

They look for coding security holes — and invariably find them in the Web browser, the tool banks rely on to run programs that serve as a virtual bank teller. But Internet Explorer, Firefox, Opera, Google Chrome and Apple Safari are designed to let users navigate the entire Internet; they weren't meant to execute secure financial transactions [Sounds familiar? See The most insecure banking/sales terminal]. Cyberrobbers craft banking Trojans that inject software code into the Web browser, letting the attacker take control of online banking sessions, alter what the account holder sees and make stealthy transactions.

and talking about the solutions:

Litan, the Gartner banking security analyst, says banks need to move away from technologies that rely on common Web browsers, which is where banking Trojans thrive. Handheld optical readers, a more advanced technology, are available from Gemalto and Cronto. These devices must be used to take a picture of a visual cryptogram — a secure image produced by the bank — as part of authorizing any cash transfers.

It is absolutely great to see our technology - the Cronto visual cryptogram - mentioned in the article. It is a bit unfortunate that it only refers to the standalone hardware device - the optical reader - whereas in fact our solution offers either a mobile app for your cellphone or a dedicated device. As we strongly believe in the power of choice when it comes to authentication solutions for banks and their customers, offering both options allows us to achieve the best combination of usability, security and cost.

Now that the Trojan problem has become mainstream, there will be another "gold rush" of vendors to address it. Also, as usual, there will be some smart solutions and many not so smart :) Yet, we believe the visual channel is the best way to provide fully secure "free-text" transaction signing, and as of today the Cronto visual cryptogram is the only mature solution designed specifically for the requirements of the online banking security market.
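To make the "what you see is what you sign" idea behind transaction signing concrete, here is an added illustration in Python. It is not Cronto's product code and not the Cronto cryptogram format: it assumes a generic scheme in which the bank and the customer's device share a secret key, the bank authenticates the transaction details it is about to execute (the payload the visual cryptogram would carry), the device verifies that payload before displaying it, and the user's approval is a short code bound to those exact details. The key, account identifiers and nonces are constructed values for the demo.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo secret shared between the bank and the customer's device
# (in practice provisioned during device enrolment; hypothetical value).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def canonical(txn: dict) -> bytes:
    """Serialise the transaction so bank and device MAC identical bytes."""
    return json.dumps(txn, sort_keys=True, separators=(",", ":")).encode()


def response_code(key: bytes, nonce: bytes, txn: dict) -> str:
    """8-digit approval code bound to one nonce and one set of transaction details."""
    mac = hmac.new(key, b"response|" + nonce + b"|" + canonical(txn), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def bank_create_challenge(key: bytes, txn: dict, nonce: bytes = None) -> dict:
    """Bank side: bind the transaction it intends to execute to a fresh nonce and
    authenticate the whole challenge. This is what the cryptogram would carry."""
    nonce = nonce or secrets.token_bytes(8)
    tag = hmac.new(key, b"challenge|" + nonce + b"|" + canonical(txn), hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "txn": txn, "tag": tag.hex()}


def device_decode(key: bytes, challenge: dict) -> dict:
    """Device side: verify the challenge before showing anything to the user.
    A challenge altered by malware in the browser fails here."""
    nonce = bytes.fromhex(challenge["nonce"])
    expected = hmac.new(key, b"challenge|" + nonce + b"|" + canonical(challenge["txn"]),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(challenge["tag"])):
        raise ValueError("challenge failed authentication")
    return challenge["txn"]  # exactly the details the device displays for approval


def device_respond(key: bytes, challenge: dict) -> str:
    """Device side: after the user approves the displayed details, emit the code."""
    txn = device_decode(key, challenge)
    return response_code(key, bytes.fromhex(challenge["nonce"]), txn)


def bank_verify(key: bytes, challenge: dict, code: str) -> bool:
    """Bank side: accept the code only for the transaction this challenge was issued for."""
    expected = response_code(key, bytes.fromhex(challenge["nonce"]), challenge["txn"])
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    """Walk through an honest session and three Man-in-the-Browser manipulations."""
    intended = {"to": "DE00-CUSTOMER-PAYEE (constructed)", "amount": "100.00", "currency": "EUR"}
    nonce_a, nonce_b = b"\x01" * 8, b"\x02" * 8  # fixed so the demo is repeatable

    # 1. Honest session: what the user typed is what the bank received.
    ch = bank_create_challenge(DEVICE_KEY, intended, nonce_a)
    honest_ok = bank_verify(DEVICE_KEY, ch, device_respond(DEVICE_KEY, ch))

    # 2. The Trojan rewrites the transfer before it reaches the bank; the device
    #    shows the bank's view, so the user sees the mule account, not the payee typed.
    altered = dict(intended, to="MULE-ACCOUNT (constructed)", amount="4900.00")
    ch2 = bank_create_challenge(DEVICE_KEY, altered, nonce_b)
    shown = device_decode(DEVICE_KEY, ch2)

    # 3. The Trojan swaps the displayed details back to the intended ones; the
    #    tag no longer matches and the device refuses to show anything.
    forged = dict(ch2, txn=intended)
    try:
        device_decode(DEVICE_KEY, forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True

    # 4. A code the user approved for the intended transfer is replayed for the altered one.
    replayed_accepted = bank_verify(DEVICE_KEY, ch2, device_respond(DEVICE_KEY, ch))

    return {"honest_ok": honest_ok, "shown_to_user": shown,
            "forged_rejected": forged_rejected, "replayed_code_accepted": replayed_accepted}


if __name__ == "__main__":
    print(demo())
```

The code binds approval to the details the bank will actually execute, which is what defeats a browser that silently rewrites the transfer. It does not, by itself, address the attack in the BKA warning above, where the victim knowingly approves a transfer to the mule account: there the details shown on the device are the ones the user intends to sign.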

Want to see it in action? Watch this video, demonstrating the Cronto Blackberry mobile client app used for the visual transaction signing at Commerzbank AG, the second largest bank in Germany:


07:42:01 pm, by Igor Drokov, in User experience, Online identity

A lot is written on the privacy implications of sharing your personal information with different web services. Concerns have been raised about the ownership of the information users upload into "the cloud" and its persistence.

One recent experiment demonstrated that once you have used an online service to share your photos, it might be problematic to remove them even when you choose to:

My colleagues Jonathan Anderson, Andrew Lewis, Frank Stajano and I ran a small experiment on 16 social-networking, blogging, and photo-sharing web sites and found that most failed to remove image files from their photo servers after they were deleted from the main web site. It’s often feared that once data is uploaded into “the cloud,” it’s impossible to tell how many backup copies may exist and where, and this provides clear proof that content delivery networks are a major problem for data remanence.

Well, maybe deleting a single photo is too small an operation to expect the site to really make sure it's gone forever. Surely, one would hope that once you de-register your whole account, it will be gone for good?

I have recently tried to close my Facebook account. According to Facebook's privacy policy:

Individuals who wish to deactivate their Facebook account may do so on the My Account page. Removed information may persist in backup copies for a reasonable period of time but will not be generally available to members of Facebook.

OK, I understand purging backup copies is probably asking too much for a user. However, I was surprised to receive the following email after deactivating my account:

You have deactivated your Facebook account. You can reactivate your account at any time by logging into Facebook using your old login email and password. You will be able to use the site like you used to.

The Facebook Team

Indeed, trying to click on the "resurrect" link I found myself back to my profile with all connections and personal information intact.

OK, maybe having a "grace" period for users deactivating their accounts on the spur of the moment is a good feature. So I deactivated my account again and this time left it for almost a month. Yet, today I was able to successfully login to my surely-by-now-non-existent account and found all my connections and information intact as it was...

Welcome to the Hotel California 2.0:

"You can checkout any time you like, But you can never leave!"


08:37:09 am, by Igor Drokov, in Strong authentication, Internet banking

The increasing number of online banking attacks, from phishing to Trojans, has been largely driven by a high Return on Investment (ROI): buy a toolkit, rent a botnet and get access to a high number of compromised accounts. It is all about the Economy of Scale - a single piece of malware can infect millions of computers and attack hundreds of banks.

Malware technology has been evolving rapidly, yet it is a known fact that some tasks are still better done by humans than by a machine. Solving CAPTCHAs is one of them, hence they are often used to stop automated mass-scale attacks (e.g. blog comment spam), hitting e-crime where it hurts - its ROI.

Unfortunately, these measures are no longer effective – E-crime crowd-sourcing has arrived! The screenshot on the left advertises "Easy money here!" and offers a job of "re-typing text from pictures". Required skills: "knowledge of English letters" and "medium proficiency in English keyboard layout". Paid for every correctly recognised picture, the site promises rates up to 3 dollars/hour with daily payouts.

Wondering why anyone would need this? Have a look at this in-depth analysis of Koobface - the Facebook virus that needs to solve CAPTCHAs in order to propagate itself.

"Every time Koobface runs into CAPTCHA protection at Facebook, it transfers that image to its command-and-control server. From there, the image is relayed to an army of CAPTCHA resolvers, who work day and night ready to pick up a new image from their profile, solve it, submit an answer, and get paid something like 0.5 cent for the answer."

ThreatExpert Blog

Now, apply the same concept to the Man-in-the-Browser attack on online banking and it becomes Hu(Man)-in-the-Browser – a real-time Trojan+Human attack. These attacks, already seen in the wild, indicate a shift from the basic "spray and pray" approach to maximising the return from each compromised account - a human can assess the account balance, overdraft limit and payment patterns (e.g. when your salary arrives) in a matter of seconds, allowing them to choose the optimal amount and time for the attack.

With the required technology infrastructure in place - Compromised Computer – Command & Control centre – Human Operator - it is only a matter of time before the virtual gold-digging sweatshops switch to a more lucrative revenue stream.
