News: More attacks on Scandinavian bank customers
Published: 2007-01-19 17:59:05 . Categories: Computer Norway
Earlier today it became known that at least 250 customers of the banking groups Sparebank 1, Nordea, DNB Nor and Skandiabanken have had their bank accounts emptied after being infected by trojan horses, most of them Nordea customers.
My first thought was: why isn't there any random-token authentication to protect against trojans as well as phishing? But the more I thought about it, the clearer it became that an attacker with a trojan on the machine would rather just monitor the customer's activity, wait until the user logs in, then take over the computer, make the transfers, change the password and log out, while the user only thinks the system is lagging because another window has been forced up.
Which brings us back to the root cause of the problem, the users. Albert Einstein is often attributed the quote "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." and indeed, security is too often merely an illusion, an illusion sometimes made even worse when gullibility, naivete, or ignorance come into play.
I really hope the banks don't take full responsibility for this, as it will only result in higher prices for the users who actually bother to protect themselves.
And for crying out loud, learn how to protect your computer, or don't use it at all. The last time something similar happened, a vulnerability that Microsoft had fixed in April was exploited, so users had more than half a year to update their systems, yet didn't.
More about protecting your computer can be read at www.secure-my-internet.com
Update: 20:37
As more information gets out, it is becoming clearer that a proper random token generator, e.g. one from RSA, would have prevented this issue; it is a method used by quite a number of other internet banks.
Update: 2007-01-20 14:24
An important point about the random token generator is that it must also be required to authorize the transactions themselves, not only logins; otherwise we are back to the monitoring and hijacking of the session. But even then, as long as the client's computer is infected, it is possible to hide the transactions from the display; it would just take more work. So please, keep your system updated.
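To illustrate the difference between a token used only at login and one that covers the transaction itself, here is an added toy example (not the banks' or RSA's actual scheme; the secret, the challenge and the account numbers are constructed). A code computed over the payee and amount cannot be reused for a different transfer, while a login-only code proves nothing about any transfer.

```python
import hmac
import hashlib

# Constructed demo secret shared by the customer's token and the bank's
# verifier. In a real deployment it lives in the token hardware and an HSM,
# never on the customer's (possibly infected) PC.
TOKEN_SECRET = b"constructed-demo-secret"


def _code(secret: bytes, msg: bytes) -> str:
    """Truncate an HMAC to an 8-digit code a user could type from a token display."""
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def login_code(secret: bytes, challenge: bytes) -> str:
    """Login-only code: proves possession of the token, binds no transaction."""
    return _code(secret, b"login|" + challenge)


def transaction_code(secret: bytes, challenge: bytes, to_account: str, amount_nok: int) -> str:
    """Transaction-bound code: covers the payee and amount the user keyed into the token."""
    msg = b"transfer|" + challenge + b"|" + to_account.encode() + b"|" + str(amount_nok).encode()
    return _code(secret, msg)


def bank_verify_transfer(secret: bytes, challenge: bytes, to_account: str, amount_nok: int, code: str) -> bool:
    """Bank side: recompute the code over the transfer it actually received."""
    expected = transaction_code(secret, challenge, to_account, amount_nok)
    return hmac.compare_digest(expected, code)


def demo() -> dict:
    challenge = bytes.fromhex("0102030405060708")  # constructed; the bank would draw a fresh one per transfer
    intended = ("1234.56.78903", 500)              # constructed payee and amount the user meant to pay
    code = transaction_code(TOKEN_SECRET, challenge, *intended)
    return {
        # The transfer the user authorized verifies.
        "genuine": bank_verify_transfer(TOKEN_SECRET, challenge, *intended, code),
        # A trojan that swaps the payee or amount in the submitted form cannot reuse the code.
        "payee_swapped": bank_verify_transfer(TOKEN_SECRET, challenge, "9999.88.77766", 500, code),
        "amount_raised": bank_verify_transfer(TOKEN_SECRET, challenge, intended[0], 50000, code),
        # A code captured at login cannot stand in for a transaction code.
        "login_code_reused": bank_verify_transfer(TOKEN_SECRET, challenge, *intended,
                                                  login_code(TOKEN_SECRET, challenge)),
    }
```

The binding only helps when the payee and amount are the ones the user keys into the token; as the post notes, an infected PC can still mislead the user about what is being shown on screen.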