UK police have arrested 19 cybercrime suspects who allegedly used the ZeuS crimeware toolkit to capture online banking credentials before looting victims' bank accounts. A total of 15 men and four women, aged between 23 and 47 years old, were arrested in dawn raids in London on Tuesday by officers from the newly established …
Once the guilty have been given a 20-minute community service order and a sound ticking off, will the gang's victims get their money back?
Not sure about the UK
...but in the States, it's my understanding that the bank is responsible for reimbursing the accounts in the event of fraudulent transactions of this type (again, AFAIK that protection does not apply to 419-type scams), similar to credit cards.
That said, the impact of a situation like this typically goes beyond the account balance. Depending on the balance and amount stolen this type of issue could have caused bounced checks, missed payments to other creditors (mortgage, car, credit cards, etc), which could have caused additional financial impact (late fees) not to mention impact to credit.
So in short, unless the UK is substantively different than the US on this, the victims should get their money back but that probably won't go very far to making things right.
Cops and Robbers
As there is a drive to put 'real' policemen back on the streets and out from behind desks I expect police departments like this one to have funding withdrawn or at least viciously hacked to pay for a visible but pointless presence.
But 'The People' (tm) voted for it so the public gets what the public wants (but I don't get what society wants).
What I am more interested in is
Which banks have rubbish online security so that it is just a matter of sticking on a key logging trojan to get people's credentials? At least the likes of NatWest and HSBC have two-factor security for the majority of the money transfer online functions.
Even Facebook has primitive IP checks to lock your account if it is suddenly accessed from an unexpected range.
I hope the banks don't pull the "It's your fault for revealing your password/pin code" and not pay up.
"Detective Chief Inspector Terry Wilson of the PCeU, said: .... 'Online banking customers must make sure their security systems are up to date'"
All very well and good against other malware or very old samples of Zeus. But as it re-encrypts each time it will defeat all Windows signature-based AV solutions. Forget your Firewall and Banking 2 factor authentication systems and almost every consumer defence. Zeus will just ignore them.
The only "safe" way to do Internet banking is from a bootable Linux Live CD if you run Windows as your operating system. Good write-ups on Brian Krebs' security blog about Zeus:
And unfortunately, this is defeated when banks build their online banking sites to support only IE.
RE: Unfortuanatly (sic)
".....The only "safe" way to do Internet banking is from a bootable Linux Live CD...." That won't save you from decoy sites using man-in-the-middle attacks via poisoned DNS to capture your login details. In that case, even bootable Linux CDs are vulnerable as the cause of the issue is higher up the stack on someone else's DNS device (or your cable/ADSL router). The only safe way is simply not to do online banking, full stop. Call me a Luddite if you wish, but until my bank supplies an RSA fob and makes all logins and responses happen inside a minimum transaction time and with a checked route (to defeat man-in-the-middle attacks), I'm not interested.
One of the simplest ways to make internet banking secure would be to have access only permitted from a number of devices (by MAC address and OS unique ID) and the typical route to that device known (as in, if Mr Smith normally makes requests via a BT Home Hub and goes three hops via the same exchange every day, but suddenly starts making requests from a new device in Russia, the login gets denied). Sure, that would put a cramp on mobile banking, but I'm not particularly interested in flashing my bank details over WiFi or 3G either.
Can't wait ...
... to see what the surnames of alleged perps are and any association with ethnic/national minorities in the UK.