Online bank punters tricked into approving theft of their OWN CASH

Security researchers have discovered a malware-based attack against the chipTAN system used by bank customers in Germany to authorise transactions online. The chipTAN system involves the use of a card reader into which a chip-n-PIN bank card is inserted, which generates a transaction authentication number (TAN) used to green- …

COMMENTS

This topic is closed for new posts.
  1. Silverburn
    Holmes

    C'mon, name and shame...which bank???

  2. Gabor Laszlo
    Facepalm

    Stupidity is a luxury

    and luxury must be paid for.

    My bank (HVB) sends TANs by SMS with the transaction details, which then have to be entered into the web form. I'd like to see someone circumvent that :D

    1. Silverburn

      Re: Stupidity is a luxury

      No probs: what's your logon details?

      Let's hope I can't edit your destination SMS number without an mTAN...

      1. Remy Redert

        Re: Stupidity is a luxury

        If it's anything like the TAN SMS system used by my bank, changing the phone number requires either going to the bank in person with the bank card and ID, or going through a lengthy process involving snail mail and verification from the old phone.

    2. Scott Wheeler
      Headmaster

      Re: Stupidity is a luxury

      SMS is a reasonably secure transport, but it relies on the handset being trustworthy. In the past, two important phones (Nokia 6210i and Ericsson T610, I think) had Bluetooth bugs such that it was possible to pair with them without authentication, then read and delete an SMS without the user's knowledge. These days there may be other vulnerabilities introduced by smartphones with malware installed, which could allow receiving and manipulating SMS from a distance.

      I don't want to give the impression that SMS authentication is a bad method: it isn't, particularly if it is part of two-factor authentication. However, as with most methods, it cannot be seen as a silver bullet.

      1. Gabor Laszlo

        Re: Stupidity is a luxury

        I make sure to use a very dumb phone for this, and for a BT attack one would need, if not access, at least proximity.

    3. SImon Hobson Bronze badge
      FAIL

      Re: Stupidity is a luxury

      >> My bank sends TANS by SMS .... I'd like to see someone circumvent that :D

      Already been demonstrated, so you can wipe that smug expression off your face.

      http://www.theregister.co.uk/2012/03/15/malware_based_mobile_banking_blag/

  3. Anonymous Coward

    Injecting Code

    Banks should randomise HTML div names etc. when generating the web pages.

    This would make it a lot more difficult for malware to inject code in the right places.

  4. Anonymous Coward
    Linux

    Malware attack against the chipTAN

    Any idea as to what Operating System this malware runs on?

    1. Ken Hagan Gold badge

      Re: Malware attack against the chipTAN

      Well it's a German bank, so I imagine it is Linux.

      1. Lars Silver badge
        Happy

        Re: Malware attack against the chipTAN

        Sad to say it, but it's hardly Linux. You do find Linux on POS systems like Wincor Nixdorf. Or are you perhaps sarcastic, Ken? Nixdorf used to deliver banking terminals, but that was a long time ago.

        Perhaps somebody has more up-to-date information.

        1. Anonymous Coward
          Thumb Down

          Re: Malware attack against the chipTAN

          It is the users' machines that are affected, not the banks'. Quote: "...by fooling users of malware-infected machines..." Unquote.
