Wednesday, October 10, 2012

Online banking: hacking storm clouds gather

I have been warning people away from online banking basically the whole time I've been blogging.  The reasons were pretty diffuse, based on experience built over a number of years.  Now I'm suggesting that people do not bank online, and actually tell their bank that electronic transactions should be blocked.  The reason is that it looks like there's a hacking storm a'coming:
Last week, security firm RSA detailed a new cybercriminal project aimed at recruiting 100 botmasters to help launch a series of lucrative online heists targeting 30 U.S. banks. RSA’s advisory focused primarily on helping financial institutions prepare for an onslaught of more sophisticated e-banking attacks, and has already received plenty of media attention. I’m weighing in on the topic because their analysis seemed to merely scratch the surface of a larger enterprise that speaks volumes about why online attacks are becoming bolder and more brash toward Western targets.

...
The campaign, purportedly to be rolled out between now and the Spring of 2013, proposes organizing hacker cells throughout the cybercriminal community to collaborate in exploiting these authentication weaknesses before U.S. banks erect more stringent controls. “The goal – together, en-masse and simultaneously process large amount of the given material before anti-fraud measures are increased,” vorVzakon wrote. A professionally translated version of his entire post is available here.
Krebs has a detailed and insightful analysis, and if you bank online you really need to RTWT.  What is most interesting is the quote from the hacker who is organizing this effort, vorVzakon:
“Many saw videos on neighboring forums, where I openly demonstrate my cars, house and face.
What do I want to say?
That if you accurately target customers in the USA while being in Russia then you can fear nothing while living in your country. Except the one thing – you should never expose yourself during заливы ["залив" means "in the process of stealing victim's money from a bank account"].
I am the obvious example of the fact that you can fear nothing in our country, you can live openly and calm.”
The long arm of the law may or may not reach onto Russian soil, particularly with the Russian government increasingly unimpressed with Hillary Clinton's "Overload" button.  Given the recent court decision ruling that banks do not have to cover losses due to hacked accounts, my advice is that you should not bank online until this settles down.  Call your bank and have them set up a block on electronic transactions, and you should be in decent shape.

10 comments:

TommyG said...

I am able to check balances, nothing more. Should I have that disabled too?

Borepatch said...

TommyG, it's very important that you read the agreement (probably a EULA) for using the service. It's very likely written to disclaim anything that might ever happen.

If you don't have something very clear, I would recommend that you have your bank block all access. I'd even go so far as to send a registered letter telling them this.

The real problem is that the banks are starting to pass on losses to customers. In days past they would treat it as a cost of doing business, but now the customers are on the hook.

Anonymous said...

Borepatch,
Three things:
Can banks refuse to cover losses on hacked consumer accounts or just commercial accounts? The linked article seemed to say it was only commercial accounts.
What did you think of the suggestion to bank using a copy of Linux burned onto a CD?
Final thing - the linked article seemed to say that just using something other than Microsoft Windows was adequate. Comments?
Roscoe

Borepatch said...

Roscoe,

I'm a fan of using a Linux CD to do your online banking:

http://borepatch.blogspot.com/2010/03/guess-who-wants-you-to-run-ubuntu-linux.html

The issue of commercial vs. consumer is really one of risk - how much can you afford to lose, and what are the chances of losing? I'm unimpressed with any consumer guarantee from the banks that are refusing to deal with commercial customers. The reason is that I don't know what the chances are that they'd refuse to cover me. But I doubt very much that the chance is 0%.

wolfwalker said...

"I'm a fan of using a Linux CD to do your online banking:"

I tried that once. After five or six sessions like that, the bank computer locked my account because it was having to replant its security cookies every time I logged in. As far as it could tell, every time I was logging in from a different computer, and that raised a red flag.

Questions: Does this 'don't bank online' warning apply if:

a) none of my accounts are at a major bank

b) most of what I do online is paying utility (and other) bills, which is done at the biller's website, not the bank's.

Anonymous said...

Most US banks seem to be living in the dark ages when it comes to online security. Few seem to offer any sort of two-factor authentication. My bank still relies on "security questions", like those that enabled a hacker to access Ms. Palin's email account.

When I visited the US to clear up my mother's estate, I was shocked to discover that companies could simply debit her account, with no authorization other than a phone call. Which is to say: with no authorization at all, since they only had my word (on the phone) for the fact that I was executor of the estate. What kind of bank allows an account to be debited without any sort of verifiable authorization?!

For what it's worth, banks here in Europe are much more concerned with security, so hacking is much harder. Any online access requires two-factor authentication. No company can debit your account without your specific, written authorization.

On a related note, but still having to do with security: Companies cannot give information about your financial transactions to third parties, without your explicit permission. This has interesting effects, for example, there is no such thing as a credit-rating agency.

Chris said...

My wife does all our bill-paying, and much of that is done with electronic payment. Both of our paychecks are direct deposit. Are these transactions included in what you are calling online banking? If not, what would that term include? (I am supposing non-scheduled electronic funds transfers and the like.)

Borepatch said...

Chris, inbound payments (e.g. direct deposit) are no risk. Outbound is where the problem is. If there's no way to restrict payments (say, only to vendors you've done this with before) then you're at risk.

The problem is that some companies have had their bank accounts emptied to offshore locations.

Anonymous said...

I'd go further. Cash in and close out all bank accounts. Put the cash in your mattress, or your safe, or bury it in the back yard in a Mason jar. Do all business in cash, face to face. If you MUST send funds long distances, go to the post office and buy a money order.

Not kidding. As porous, and as arrogant, and as corrupt, and as inept, as our too-big-to-fail banking system has shown itself to be, I would not trust them with the care of a potted plant, much less my life savings.

And as an added bonus, this reduces your signature "on the grid" and makes it just a little bit harder for Big Brother to spy on your daily activities. And has it not become a moral imperative for free men to throw whatever monkey wrenches into the System's gears as they have at hand?