A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account. News reports here and here say $479,247 vanished from a bank account belonging to the Cumberland …
"Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them."
Yep but here in Finland, we stopped using them seriously - oh - 25 years ago. I've never had a cheque book in Finland. Never even been offered one - all payments I make are online, either from home, or from a bar-code reader in the bank's foyer (which I never use - costs €2/month for the service)
When I got my pension cheques from the UK, I had to go through a lot of form-filling - in the main Oulu branch, 3kM from home - to cash a £100 cheque. Took the famous "10 wurkin daze" and cost me £25 for the priviledge. Thank fuc*k the Equitable changed to Worldpay. Only £3 now...(Sigh)
@big-nosed Pengie - were you referring to the Ford Pinto, as best satirised in the film "Top Secret"?
Penguin icon, natch. I only use my mini-lappari (Asus 701/eeebuntu) for the bank. Plus my one-time pad access code, used with my memorised 7-digit customer number. Wanna see how it works? Try
http://www1.nordea.fi/appx/solo/3/include/demo/pndemo/index.html and click the mouse icon.
Not bad for a quid or so a month TOTAL bank charges...Now, that's real service.
I think the problem is their security was based on a code from a hardware token - ok so that stops someone else logging in to your account, but if they've infected your computer then it doesn't stop them adding an extra payment to the list of actions you're doing
why not something similar to what my bank does? instead of the hardware generating a token that can be used to do anything, make it generate a code that can only be used to verify that single transaction! if i want to send a payment to a new destination their website gives me a code, i type that in to my reader, and it generates a code to verify *that action* and no other - the reader also has the ability to verify specific transactions (supplier, and value) although so far they only use it to verify adding a new account to receive payments (although if they mitm that, then they can easily change it without issuing new hardware)
I knew the flame bait statement regarding Windows being fit for nothing but games and media would spark such a reaction. At least your tears will quench the flames ;-) However I withdraw that statement because with draconian DRM windows isn't fit for media either. However it is excellent at running Cubase as well as allowing criminals to earn a bob or two.
Ooooo, wankers and penetration in the same sentence, I'm getting hot.
Linux audio works fine although it would work even better if hardware manufacturers wrote Linux drivers or released sufficient documentation to allow OS developers to leverage the best from their kit.
I have cause to be optimistic, if Windows was secure and Linux easier to get working with obscure hardware I would have likely been a bus driver or gigolo perhaps.
/removes tongue from cheek
I like ducks, have you seen the way water flows of their back?
What utter tripe
All of this malware relied on THREE points of failure:
- An insecure windows install
- An idiot user
- Banks with weak authentication
I've been using online banking, antivirus AND windows together for nearly 10 years, and the only place this seems to happen is the US with usernames and passwords for account holders.
Dutch banks use two-factor authentication, and I have yet to hear of a real-life case where this was hacked, despite many scare stories from security twits.
Dan - I'm disappointed.
Windows is NOT the problem. I am in security
re: "i'd love to see... #"
"...The state of a linux system administered by a guy who clicks random email attachment executables. No need for a trojan if you've got root...", David W.
Can you demonstrate opening an attachment on a Linux system that executes malware or a site that executes malware by clicking on an URL. Running as root is a non issue as the system is still usable running as standard user. In most systems it isn't possible to login using the GUI as root.
re: "Windows is NOT the problem. I am in security, I know", Mr. Barbour
"The problem is not Windows, the problem is the end users"
Is it possible to configure a Windows desktop that don't require the end user to have admin access?
"I am an IT professional who specializes in security and viruses"
Can you right-now point me to a web site that I can get 'infected' by clicking on an URL, or a sample of an email attachment that does same, by clicking on the attachment icon. No other action required.
"education to users on how to avoid infecting their PCs or how to perform regular scans, keep the OS patched, patch all third party applications, replace end of life applications, and even upgrading the the newer versions of windows"
Users can't be bothered to waste their valuable time doing all that. Besides they can avoid it by one of those bootable CDs.
"I support thousands of end users everyday, and the biggest problem is them going to infected sites (drive-by malware attacks) and downloading files that are not legitimate"
Do you charge money for this 'support' ?
"I personally would rather stick with the company that has been in the game fighting this stuff from the beginning rather than switch to a company that doesn't even recommend trying to protect yourself and has no experience defending from these"
I personally don't understand why I have to pay extra off the top, to get a working computer that don't get infected by malware.
ps: Doing AV scans on someone's desktop is not being 'in security' ..
A Timely Article
I was just called up to the main office to find out why a users Outlook was reporting errors. I found not an error, but 2 e-mail messages from "Support" claiming that their version of MS Outlook, she is running Thunderbird, was mis-configured and that they needed to run the attached install.zip file to correct it. Another virus obviously. Had this user followed the instructions I am sure that part of my day tomorrow would be spent cleaning up the users system.
This is even more of a concern to me because here in Korea you can not do any on-line banking or anything else without using Internet Explorer and at least half a dozen ActiveX Crypto, keyboard, screen, etc. plugins that may or may not actually protect the user. These plugins come from the institution, are installed in the background, and run without the users knowledge or any user intervention the site complains if the plugins are not in place.
There was an article published in the Korea Times, one of the local English news papers, about the dangers to Korea of the Existing Microsoft mono-culture. http://www.koreatimes.co.kr/www/news/nation/2009/09/123_52401.html
"...country's overreliance on the technology of Microsoft, the U.S. software giant that owns the Korean computing experience like a fat kid does a cookie jar."
I wonder how many other Korean computers enlisted the the latest bot army today?
"Contrary to what banks say, writing checks really isn't that much of a hassle, at least if you don't write that many of them."
Its not about the writing, its about the banks and the company your sending them to having hassle, and it is basic politeness in modern accounts to use BACS or CHAPS if you can, so that other people will do that for you. It may seem like big numbers, but to most medium to large accounts departments £250k is not a huge sum compaird to the cost of processing cheques.
Cheques are a pain in the arse to process from an accounts recivable point of view.
For those of you who are blaming the users....
Yes, user training is a problem especially with Windows based systems.
But I find it interesting that when The Apple Mac had a much smaller share of the computing market, less than 2 percent, Mac OS up through OS9, had virus problems and virus scanners to deal with them. Since then Mac's market share has grown significantly, some say 5% Plus others put it higher. Yet Mac OSX has not seen a corresponding rise in virus problems. In fact they have pretty much disappeared. And Mac users are also considered to be some of the most "trusting" of any computer users, but they don't have the same virus problems and fears that are just a part of the Microsoft computing experience for users at all user levels of experience. They just get their work done.
Then -- Less than 2% market share, Mac was worth attacking. Now -- More than 5% of a much larger computing market and no virus problems to speak of. Same Users. Even similar Intel based hardware. Hmmm could the OS architecture be a factor?
Problem and solution...
Problem: You want to use Linux or a live Linux CD but your bank only supports IE.
Solution: Notify them of the problem. If they don't fix it, change banks.
Congratulations - the first truly sensible post on this topic.
It is of little value to castigate the end users, consider them 'unfit to use a PC', describe them as 'bozos' or whatever. The fact of the matter is that the internet in its current form only exists (and a large number of techies have jobs, including security pros like me) because the use of a PC to conduct business and pleasure is now a mass-market occupation and the mass users have the perfectly legitimate expectation of switching on their machines in the morning and just using them.
Blaming 'the user' is futile and achieves nothing.
So - is blaming the platform of any more value? I'm not a huge fan of Microsoft but after many years of indifference they appear to have finally started to get their act together and its self evident to me that just as Sun Solaris boxes sitting on corporate networks were the prime target in the late '90s, Windows is the prime target now and for the same reason - its the most widely used O/S and the focus of the bad guys' knowledge base.
I think we need to come up with a new paradigm for end-user computing where the user doesnt buy a PC and a basic O/S complete with Admin access, but a pre-configured unit with everything locked down in advance. Back that up with recent proposals that ISPs take steps to isolate machines infected with botnet malware and we might start to get somewhere.
Echo - windows legacy arch definitely a big problem here
I'd go along with posts pointing out the structural flaws in the way windows is constructed -
1. It's built to support a huge range of hardware: therefore the driver model is too open (and when MS attempts to close the model a bit, everybody moans about it and it slows machines to a crawl)
2. As admitted by MS themselves, they never though windows would ever be connected to a world wide network of PCs - it simply wasn't secure from the ground up
3. As mentioned above, the original single-user mode operation is still hamstringing attempts to squish security into the platform
But in addition - and probably more importantly - the very fact that windows is /on/ 95% of the world's computers should be the very reason why those with a little knowledge shouldn't use windows for online banking. Those statistical reasons for making all the malware for windows (as well as the structural ones) mean we should keep schtum and do financially sensitive work in Linux, or OSX, or whatever - just not windows.
So I think the thrust of the article is in fact totally correct, not "defeatist" or "negative". You can't argue with the plain truth that Windows has hundreds of thousands of pieces of malware trying to get in, and you need to be savvy enough to keep it clean (touch wood, I've never had any money stolen this way and I work on windows all the time).
People aren't ever going to learn this habit (hell, most of them don't secure their wireless access points unless it's shipped to them that way), so the windows machine base will always be swarming with infection.
Run away from the herd!
Apart from anything, even when you DO know how fragile Windows is, who wants to spend all that damn TIME cleaning, disinfecting, updating, doing dull maintenance work when the PC is so bloody powerful it could do it all for you, and be more secure from the outset anyway?
I've had enough of complex operating systems which are dragging around legacy issues - just got rid of my last symbian handset, and - you guessed it - got an iPhone. Locked down, yes. Some things dumbed down to hell in comparison - yes. But solid, safe (so far) and I have some confidence in its' long-term future.
Good article, says I.
Free Clue Here.
Stop blaming the users. Read the following, particularly any self-proclaimed experts. Some slides:
A longer read:
I'd rather bank online than call the bank
bank: "can I have your name, address, DOB, account details, last sexual experience, etc"
me: "and who might you be?"
bank: "someone with a fake name working in a call centre a thousand miles away from where you live, with no particular concern for your security or that of your bank, sir"
Here's your car analogy.
Car X is made of cardboard, sticky back plastic and bottle tops. There is a nice(ish) looking plastic body kit on top of that but it only gets updated once every 5 years or so, usually by working in some gimmick they stole off Car Z.
Despite the flimsy lightweight nature of it, Car X requires a 6 litre engine in order to travel the same speed that Cars Y and Z can go using a 2 litre engine. In order to meet the needs of this 6 litre engine, a high capacity fuel tank must be added also. If the car hits any sort of obstacle it will disintegrate instantly.
Car X is very uncomfortable when you first drive it. The air con, sun roof, windows, electric mirrors etc don't do anything until you find the right 3rd party software. And every piece of 3rd party software adds 3 seconds to the amount of time the engine needs to turn over when you first turn the key.
You must install airbags yourself and check them EVERY DAY or you WILL die. Same goes for seat belts and head rests.
If you drive Car X to the bank criminals will steal it and use it as their get away car, because the doors are made of plastic and can simply be pulled off. Any valuables you leave in the boot will be going with the criminals, along with the 600 brochures and catalogues for miscellaneous junk that the car came pre loaded with.
Cars Y and Z are actually good.
Which one do you want?
everyone already saying it but i gotta chime in too
windows is not the issue its dumb ass users yes trojans are nasty and they can even do tricky stuff like rewriting the banking webpage so you don't even see your funds are gone but if you use even a little common sense you wont get infected. when i get a virus (usually because i was slumming it on the nastier parts fo the internet looking for viruses) i wipe my computer. i don't log into online banking anywhere i make sure that i trust that the machine is not compromised and if i even start to suspect it i wont go to online banking. i mean its like saying use macs because they dont get viruses well now they are and while some other options may be less likely to get infected but if you are just safe in the first place you will never have an issue
oh and i forgot to say
Car X's chassis was originally designed to be used for a motorbike, until MONOCORP realised people wanted cars and they tacked 2 extra wheels on the side. They've never stopped building cars that way.
Call the bank? More secure? Nope.
Phone banking? More secure? You've got to be kidding
I opened a new bank account with the Halifax this morning. To set up phone security I was asked to choose a 6 digit numeric pin, and told I would be asked for two numbers.
How many people would choose a date?
How many of those dates would have 0, 1 or 2 as the first letter and 0 as the third letter?
How likely is it that I'd be given three tries to get it right?
Banks: Don't ask for 6 digit pins, or if you do don't prompt for just two digits.
Downloading files in unix/linux
I'm not sure that I buy that users are less likely to fall for trojan attacks in in unix/linux based OSes because downloaded files can't be executed without additional steps after download. My reasoning is that if a user is prepared to run anything that they are told to by an email, they'll also be happy to fire off a chmod command (or however it's done through the gui) which an email would presumably instruct them to do.
Also, if Vista is anything to go by, users will probably be happy to stick in their root password at the drop of a hat, without asking why, in fact they'll probably sudo any usefull commands so they don't even have to.
This is clearly a user problem, until users are educated enough to not believe everything that their magic box tells them, it will continue to be a problem. Remember this: It's 60 years since the Orson Wells 'War of the Worlds' broadcast and many, many people still believe anything any form of technology tells them.
Reading comprehension fail
Y'all didn't read the guy's article, nor the comments, did you? What he suggested was a cheap ie "free" way for a lay person to get himself a secure terminal by using a Linux live-cd. He pointed out the advantages of a live-cd such as the fact of the read-only nature of its boot drive. I reckon that if MS or Apple would sell you a live-cd he probably would have reccommended that one, or at least mentioned it.
Virtual Machine all the way
For the ultra security concious:
Set up a Virtual XP Machine (Virtual PC/VMWare Server) for the sole purpose of online banking. Don't use it for anything else whatsoever and you WILL be malware and trojan free.
Although, if you know how to do the above you probably know how to browse safely already. Hmmm
Rely on cheques? HaHaHaHaHaHaAAAAAAAAAAAHHHH! I am still waiting for a cheque I posted to a bank to arrive. I posted it on the 25th September. 20 days so far and no sign of it getting there. That is a joke.
Shall we regress back to the caves with thinking like that?
2 points about mac / linux users and not just 1
1, as said they have less market share
2, rarely said but very important - AT THE MOMENT most mac / linux people are more knowledgable and less likely to click things than windows users as they have to be to be or at least know somebody who is to change in the first place
I have always used windows and internet explorer and have used online banking from the start and have never been hacked , the only time I got even a minor virus issue was when I was being impatient trying to find something and downloaded from somewhere not very safe and I immediately realised and then wiped the computer to make sure that I felt safe.
Windows is not perfect but it is complicated and has a lot of legacy support so mistakes will happen and things will have to be patched, this patch tuesday is a good thing and not bad as at least it means that a whole load of issue have been patched.
stupid or silly users will always manage to find ways to cause problems or get themselves hacked
The problem is the user
Ok so lets say theoritecally that users stopped using windows machines for online banking. Well seeing how Wndows has the biggest market and it is a super high chance that the banks themselves are using windows machines, then what say you? If the banks can seem to keep their windws machines uninfected then so can the home user. If they bothered to try. OS is not he problem Yes Windows may be full of holes and blah blah blah but all Im saying is if the Banks use Windows and money isn't being stollen then then home user should be able to as well.
It's funny reading all these comments where people are blaming, the OS writers, the users or the banks. Maybe we should blame the people who write the malware?
Just a thought...
Have a nice day.
On Line Banking
A co-operative bank i use , in addition to password has a little gizmo that has a 6 number displayed that changes every minute.
It seems to be a very good extra security to my Joe 6 Pack knowledge.
I understand my OS is safer to use than another more popular one.