Supporting the economy (in Russia and Ukraine)

Published: 2010-09-28. Last Updated: 2010-09-28 09:38:37 UTC
by Daniel Wesemann (Version: 1)
12 comment(s)

While the media at large are all agog at Stuxnet, they would probably do better to keep their writers looking at Zeus. Zeus/Zbot must be one of the most successful banking trojans ever. It's been around for three (four?) years, and no doubt has made some of its originators very, very rich. McAfee last week published a write-up on the capabilities that come with the recent Zeus build kit. Yes, there's an actual application that allows you to create custom versions of Zeus. If you're an online banking user who feels safe because your online bank uses one-time passwords, or because it sports one of these cute "on-screen keyboards", think again: Zeus has got them all in the bag. Brian Krebs regularly reports on the latest frauds linked to this family of malware. Recently, he wrote about a church that lost $600k from its accounts to key-logging malware.

Somehow, it looks like the banks either don't care, or don't grasp the concept of "defense in depth", or both. Here are four simple measures that would make online banking fraud a whole lot harder:

* Changing my email address / mobile phone number on file can only be done by visiting my bank branch in person
* Changing them triggers an email/SMS to the old address
* Adding a new payee that was never before used triggers an email/SMS
* A new payee can only be used for a payment or transfer 7 days after it has been added

There, dear banks: all of this can be implemented basically for free. You can even allow your customers to opt in voluntarily. You'll be surprised how many of them do so - you know, folks and organizations who actually earn their money the hard way seem, oddly enough, to care a whole lot about keeping it safe.
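To show what "basically for free" means in code, here is an added example (not from the diary or from any bank's system) that models the four measures as a transfer-authorization policy: contact changes only in person and alerted to the old address, a never-before-used payee alerted out-of-band, and a 7-day hold before a new payee can receive money. The account, contact details and payee name are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PAYEE_COOLDOWN = timedelta(days=7)   # measure 4: a new payee is unusable for 7 days

@dataclass
class Account:
    email: str
    mobile: str
    payees: dict = field(default_factory=dict)   # payee -> datetime it was added
    outbox: list = field(default_factory=list)   # (channel, address, text) sent out-of-band

def notify(acct, text):
    """Send the same alert over both channels currently on file (email and SMS)."""
    acct.outbox.append(("email", acct.email, text))
    acct.outbox.append(("sms", acct.mobile, text))

def change_contact(acct, attr, new_value, in_branch):
    """Measures 1 and 2: contact details change only in person, and the alert goes
    to the OLD address/number before the change is applied, so a hijacked online
    session cannot silently redirect future alerts."""
    if attr not in ("email", "mobile"):
        raise ValueError("unknown contact attribute")
    if not in_branch:
        return False                              # refused: no online self-service change
    notify(acct, f"{attr} changed from {getattr(acct, attr)} to {new_value}")
    setattr(acct, attr, new_value)
    return True

def add_payee(acct, payee, now):
    """Measure 3: adding a never-before-used payee triggers an out-of-band alert."""
    if payee not in acct.payees:
        acct.payees[payee] = now
        notify(acct, f"new payee {payee} added; usable from {now + PAYEE_COOLDOWN:%Y-%m-%d}")

def authorize_transfer(acct, payee, now):
    """Measure 4: a payee may only receive money once its 7-day hold has elapsed."""
    added = acct.payees.get(payee)
    if added is None:
        return (False, "payee not on file")
    if now - added < PAYEE_COOLDOWN:
        return (False, f"payee on hold until {added + PAYEE_COOLDOWN:%Y-%m-%d}")
    return (True, "approved")

def demo():
    """Constructed scenario: a hijacked session adds an unknown payee, tries to pay it at
    once, and tries to change the alert email online. Returns the policy's decisions."""
    acct = Account("owner@example.com", "+1-555-0100")   # constructed contact details
    t0 = datetime(2010, 9, 28)
    add_payee(acct, "new-payee-4711", t0)
    early = authorize_transfer(acct, "new-payee-4711", t0 + timedelta(hours=1))
    later = authorize_transfer(acct, "new-payee-4711", t0 + PAYEE_COOLDOWN)
    redirect = change_contact(acct, "email", "other@example.net", in_branch=False)
    return early[0], later[0], redirect, len(acct.outbox)
```

The immediate transfer and the online contact change are both refused, the transfer a week later is approved, and the owner has already received two alerts (email and SMS) about the new payee.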

I have no doubt that a new Zeus version would find a way around these measures eventually. But if you don't fight, you've already lost. Banks, get off your collective behinds, and evolve, please.

Keywords: fraud keylogger zeus

Comments

The attacker controlling the victim's PC could easily delete the mail (step #3) locally or by using the keylogged login.
Updated to read email/SMS. Out-of-band to the mobile device is what I meant. And yes, with full control over the PC, this can still be tampered with, but it makes things harder for the bad guys. And that's what it should be all about.
"... If you're an online banking user who feels safe..."
There is/should-be NO SUCH THING, to the tune of $559.7 million last year:
- http://www.ic3.gov/media/2010/100312.aspx
... and that's only what was reported. The only ones who have the real total are those who are now spending it.
To the banks, it's just a "write-off", just another "stroke on the pen" for the accountants.
Hmmm... that's 559.7 million... the dollar sign seemed to mess-up the post.
Banks don't care because to a large degree, consumers don't care. They appear to care when there are major announcements of fraud, etc, but *most* of them don't -- not for long, anyway.

Just look at the very minor repercussions experienced by TJ Maxx (from a customer standpoint) after its breach announcement.

Banks will start caring when more people care more regularly, and are willing to put their money where their mouths are.
Banks will really start caring when laws make them liable for online verification in the same way as paper verification. Why is it that if someone forges a paper check the bank is liable for not doing proper verification, but if an electronic transfer is forged, they just wash their hands (or at least most do)?

The big problem with #1 is that online banking was set up to reduce foot traffic in branches and therefore overhead by having less full-time staff for branches.
To the consumer online banking is about convenience first, security fifth or sixth. You can't make them go to the branch to make a change for their online identity. You can't make them wait 7 days to pay a new bill. You CAN educate your users, something I see very few banks doing in a real way. Krebs is probably the best teacher out there on this stuff, but the people who most need his advice won't see it.

@Anthony, I think the reason a check has better liability protection is that it is proof of the forgery... tangible paper with a signature, harder to ignore than non-random packets from outer Slobovia.

The base of the problem here is that e-banking solution design should always consider the end-user computer to be compromised, and most don't...

Solutions such as IBM's ZTIC and the IronKey USB key go along that thinking.

That does not mean they're the perfect solutions, but they are properly aligned...
@daniel:
Thanks for your answer and expanding #3 with the SMS channel. I'll opt to answer with http://www.h-online.com/security/news/item/Banking-trojan-ZeuS-homes-in-on-SMS-TAN-process-1097104.html ;-). Of course I'd agree that infecting the victim's mobile phone and intercepting/changing SMS is currently not as easily and reliably done as infecting his/her PC.
