Supporting the economy (in Russia and Ukraine)
While the media at large is all agog at Stuxnet, they probably would do better to keep their writers looking at Zeus. Zeus/Zbot must be one of the most successful banking trojans ever. It's been around for three (four?) years, and no doubt has made some of its originators very, very rich. McAfee last week published a write-up on the capabilities that come with the recent Zeus build kit. Yes, there's an actual application that allows one to create custom versions of Zeus. If you're an online banking user who feels safe because your online bank uses one-time passwords, or because it sports one of these cute "on-screen keyboards", think again: Zeus has got them all in the bag. Brian Krebs regularly reports about the latest frauds linked to this family of malware. Recently, he wrote about a church that lost $600k from their accounts to key-logging malware.
Somehow, it looks like the banks either don't care, or don't grasp the concept of "defense in depth", or both. Here are four simple measures that would make online banking fraud a whole lot harder:
* Changing my email address / mobile phone number on file can only be done by visiting my bank branch in person
* Changing them triggers an email/SMS to the old address
* Adding a new payee that was never before used triggers an email/SMS
* A new payee can only be used for a payment or transfer 7 days after it has been added
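As an added illustration, not code from the diary or from any bank, here is a small Python model of the four controls above, run against a constructed scenario (the account, payee and contact values are made up) in which stolen credentials are used to add a payee and pay it, then to change the e-mail on file:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PAYEE_HOLD = timedelta(days=7)  # measure 4: a newly added payee is usable only after 7 days

@dataclass
class Account:
    email: str
    mobile: str
    payees: dict = field(default_factory=dict)  # payee_id -> datetime the payee was added
    outbox: list = field(default_factory=list)  # (channel, destination, message) alerts sent

def notify(acct, msg, email=None, mobile=None):
    # Alerts go to the e-mail/mobile on file before any change (measures 2 and 3).
    acct.outbox.append(("email", email or acct.email, msg))
    acct.outbox.append(("sms", mobile or acct.mobile, msg))

def change_contact(acct, *, new_email=None, new_mobile=None, in_branch=False):
    # Measure 1: refuse unless done in person at a branch; measure 2: alert the OLD address.
    if not in_branch:
        return False
    old_email, old_mobile = acct.email, acct.mobile
    acct.email, acct.mobile = new_email or acct.email, new_mobile or acct.mobile
    notify(acct, "Your contact details were changed", email=old_email, mobile=old_mobile)
    return True

def add_payee(acct, payee_id, now):
    # Measure 3: a never-before-used payee triggers an alert and starts the hold clock.
    if payee_id not in acct.payees:
        acct.payees[payee_id] = now
        notify(acct, f"New payee {payee_id} added; usable from {(now + PAYEE_HOLD).date()}")

def authorize_transfer(acct, payee_id, now):
    # Measure 4: refuse a transfer to a payee that is unknown or added less than PAYEE_HOLD ago.
    added = acct.payees.get(payee_id)
    return added is not None and now - added >= PAYEE_HOLD

def demo():
    # Constructed scenario (hypothetical values): a payee is added and paid the same day,
    # then a week later; then the e-mail on file is changed online and in the branch.
    acct = Account(email="alice@example.test", mobile="+15550100")
    t0 = datetime(2010, 9, 28, 9, 0)
    add_payee(acct, "new-payee", t0)
    same_day = authorize_transfer(acct, "new-payee", t0 + timedelta(hours=1))
    week_later = authorize_transfer(acct, "new-payee", t0 + PAYEE_HOLD)
    online_change = change_contact(acct, new_email="other@example.test")
    change_contact(acct, new_email="alice2@example.test", in_branch=True)
    return {"same_day": same_day, "week_later": week_later, "online_change": online_change,
            "alerted_old_email": acct.outbox[-2][1], "alert_count": len(acct.outbox)}
```

The same-day transfer and the online contact change are refused, and the in-branch change alerts the previous address, so a victim still learns about it even after the attacker has swapped the details.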
There, dear banks: all of this can be implemented basically for free. You can even allow your customers to opt in voluntarily. You'll be surprised how many of them do so - you know, folks and organizations who actually earn their money the hard way oddly enough seem to care a whole lot about keeping it safe.
I have no doubts that a new Zeus version would find a way around these measures eventually. But if you don't fight, you already lost. Banks, get off your collective behinds, and evolve, please.
Comments
Alex
Sep 28th 2010
daniel@isc
Sep 28th 2010
There is/should-be NO SUCH THING, to the tune of $559.7 million last year:
- http://www.ic3.gov/media/2010/100312.aspx
... and that's only what was reported. The only ones who have the real total are those who are now spending it.
To the banks, it's just a "write-off", just another "stroke on the pen" for the accountants.
.
PC.Tech
Sep 28th 2010
.
PC.Tech
Sep 28th 2010
Just look at the very minor repercussions experienced by TJ Maxx (from a customer standpoint) after its breach announcement.
Banks will start caring when more people care more regularly, and are willing to put their money where their mouths are.
ASB
Sep 28th 2010
RichH
Sep 28th 2010
Anthony S
Sep 28th 2010
@Anthony, I think the reason a check has better liability protection is that it is proof of the forgery... tangible paper with a signature, harder to ignore than non-random packets from outer Slobovia.
Paul
Sep 28th 2010
The base of the problem here is that e-banking solution design should always consider the end-user computer to be compromised, and most don't...
Solutions such as IBM's ZTIC and the IronKey USB key go along that thinking.
That does not mean they're the perfect solutions, but they are properly aligned...
prontissimo
Sep 28th 2010
Thanks for your answer and for expanding #3 with the SMS channel. I'll opt to answer with http://www.h-online.com/security/news/item/Banking-trojan-ZeuS-homes-in-on-SMS-TAN-process-1097104.html ;-). Of course I'd agree that infecting the victim's mobile phone and intercepting/changing SMS is currently not as easy and reliably done as infecting his/her PC.
Alex
Sep 28th 2010