info@qualityplusconsulting.com | +1 262-553-6510

Online Banking Issues

1/10/2014

A few years ago, I covered in great detail the legalities and methods of commercial organizations getting their bank accounts cleaned out by criminals. Criminal techniques have only become more sophisticated. The favorite toolkit they use nowadays is Zeus. The solutions to the problem remain the same and it seems the public needs a refresher course on this topic.

Use live boot CDs, please, if you don't have a secure computer

One article of interest describes a business owner who did some online banking from a computer that he did not know was clean or secure. And hacked is what he got. He has yet to recover most of his money that was transferred out of his account due to stolen credentials. What I found pretty funny was that he didn't seem to understand that kids' games are a huge attack vector.

For at least the last 8 years I have been seeing computers that are used for kids' games and they are frequently hacked or compromised. The primary issue comes from online games that are supposed to be free. So if they are free, then who is spending any time or money making sure they aren't hacked and serving up malware to website visitors? I hope the answer is obvious to you.

The other issue comes from very poorly written kids' game software. I used to install software from CD for the youngsters in the extended family. What I found is that I had to make all kinds of modifications to make the games work under non-administrator credentials. So the poorly written software meme strikes again. I still see this all the time in commercial, expensive software.

Lack of patch management or any real security strategy

Another issue is lack of patch management or defense-in-depth strategies used in most people's homes. Take a look at this article to see what you are missing. Realize the strategies that block infected advertisements are similar to those that block infected Java bytecode and other nasty things in general.

Banking lawsuits

Krebs recently wrote an article about a dispute/battle between an escrow services company and their bank. He does an excellent job of describing the fact that organizations do not have the same consumer fraud protection as individuals do in the U.S. You should read his article to learn more about the legalities and limitations.

The last time I covered this topic, the hot news items were about school districts and municipalities getting their accounts cleaned out because they were ignorant enough to use their everyday computer for online banking. The result was that their everyday computer had been compromised, keystroke loggers installed, credentials compromised, and the account cleaned out. And that was before Zeus existed.

What was really funny at the time was that the head accountant for a school district knew his computer was hacked, got his password changed at the bank so that the old, breached password couldn't be used by the hackers anymore, and then proceeded to type in the new password on the same computer that was previously infected and never properly cleaned. Duh x 100.

Solution

So the solution is the same as it always has been. You must use defense-in-depth strategies. And since 97% of breaches occur due to misconfigurations, you really need to find competent IT engineers to do the configuring for you. Then your systems need to be maintained and patched, and you cannot be browsing the internet and doing email from an admin account. You can also take the approach of using a Live CD and booting from that when you need to do your online banking. I don't think that is very practical for most people. But what is practical is to have a dedicated computer used only for online banking.

Krebs has a good article on this topic I suggest you read. He calls it Online Banking Best Practices. For businesses, he suggests sophisticated egress filtering restrictions, which I totally agree with. In my article about PCI standards, I talk more about that in detail. I am really amused by Krebs' statement that "antivirus software is no substitute for common sense." Very true. This is why at Q+ we try to educate the public through articles and podcasts about computers, technology, and security issues.

One last thing. If the banks had two-factor authentication turned on, integrated with something like PhoneCrypt or Yubikey, these bank account compromises likely wouldn't occur. So I do blame the banks for their pathetic use of image-based authentication that then registers cookies on a computer. That is all the same silly single source. When the host computer is compromised, all of that is compromised. When will banks in the U.S. decide to get real about security?

Johnson Bank has implemented a system that they call Positive Pay. Basically you have to enter transactions twice. You would have to enter your transactions in your account software, and then go into their website and set up the transaction as "authorized". Otherwise, the check will bounce when the recipient attempts to deposit it. While this system has a modicum of additional security, it is still the same breach vector. If the endpoint is compromised, then the credentials for the Positive Pay system are also compromised.

I'm currently researching Yubikey and will do an article and podcast on that when I get it all figured out.


1/29/2014 Update

A security researcher has found many security vulnerabilities in many online banking applications for mobile devices. If you do online banking with a mobile device, please check out this article.
