Bank Trojan crooks trouser £800k from 30,000 Brits

Trustwave SpiderLabs has revealed how criminals stole more than £800,000 (€1m) from UK bank accounts using the Zeus Windows PC malware. The scam - which ran from June to November last year - targeted customers of six banks in Britain. It began with a flurry of emails that tricked marks into clicking on a link to a fake …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Trollface

    My bank

    says internet banking is secure.

    1. Blitterbug
      Happy

      Re: My bank says internet banking is secure.

      ...and my bank wants me to install Trusteer Crapport. Over my dead body!

  2. David 66

    So which banks? Who should be (re)checking statements? I am too lazy to search. Or check.

  3. I think so I am?
    Facepalm

    it's your job on the line...

    My bank asks me if I'm interested in internet banking every time I call them.

    The irony is the people on the phone pushing internet banking are pushing people to a service that will make them redundant. *cough* idiots *cough*

    I trust internet banking as much as I trust the village drunk with my car keys.

    1. handle

      Re: it's your job on the line...

      I've used internet banking without trouble with two banks for more than 10 years. Probably a lot more. No, I'm not saying I'm immune to attacks, but a combination of not using Windows, not responding to phishing emails (which is basic common sense and is what the article said was the route to infection in this case), using unique passwords, keeping my browser/OS up to date and the knowledge that I am very likely to get my money back after a fraudulent transaction satisfies me that the risk is so low that it is dwarfed by the huge leap of convenience that internet banking offers over having to resort to telephone banking.

      It's not ironic that telephone agents are pushing internet banking: it's part of their job to do so and better to have a temporary job than no job at all. And how do you know that by dealing with a human you are not putting yourself just as much at risk as using internet banking?

      1. handle

        Re: it's your job on the line...

        Further to that, as a refusenik you probably don't know that internet banking security goes beyond a password nowadays - or even asking for a subsection of a password, so you need to spy on several log-ins before being able to replicate the process. Some banks use card readers where you need to insert your card into the reader and enter its PIN plus a code from the website or a transaction cannot be completed. Others use text messages where a code is sent to your mobile phone which you have to enter on the site before a transaction can be completed. Neither of these methods of two-factor authentication is used with telephone banking as far as I know. And the inconvenience is not great because they limit this to important operations such as setting up new payees. (I prefer text messages to card readers as I'm much more likely to have my mobile phone with me, but all card readers are the same so it's possible you may be able to borrow one.)

        If you get a call "from your bank", I hope you refuse to accept it and call back on a known number instead. Because otherwise you can get phished by phone just as effectively as by email. It astonishes me that banks call people like that and expect them to identify themselves.
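The transaction-bound second factor described above, as an added example that is not part of the thread and not any bank's actual implementation: a sensitive operation (adding a payee) needs a one-time code derived from the exact payee details and a short time window, while a low-risk operation passes on the session alone. The operation names, the five-minute window, the HMAC-based code derivation and the shared secret are all assumptions made for the example.

```python
"""Added example: step-up authentication with a transaction-bound code.
Not the thread's code nor any bank's real scheme; every name and value
here is constructed for illustration."""
import hashlib
import hmac
import time
from typing import Optional

# Assumption: which operations demand a second factor (cf. "setting up new payees").
SENSITIVE_OPERATIONS = {"add_payee", "change_address"}


def current_slot(now: Optional[float] = None, step: int = 300) -> int:
    """Time window in which a code is valid (assumed five minutes, like an SMS code)."""
    return int((time.time() if now is None else now) // step)


def transaction_code(secret: bytes, op: str, details: str, slot: int, digits: int = 8) -> str:
    """Derive a short numeric code bound to the operation being approved.

    Hypothetical scheme in the style of HOTP: HMAC-SHA256 over
    op|details|slot, dynamically truncated to `digits` decimal digits.
    Because the payee details are part of the MAC input, a code obtained
    for one payee cannot authorise a different one.
    """
    msg = f"{op}|{details}|{slot}".encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    number = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{number % (10 ** digits):0{digits}d}"


def requires_step_up(op: str) -> bool:
    return op in SENSITIVE_OPERATIONS


def verify_transaction(secret: bytes, op: str, details: str,
                       supplied_code: Optional[str], now: Optional[float] = None) -> bool:
    """Server-side decision: low-risk operations pass on the logged-in session;
    sensitive ones need a code that matches these exact details in this window."""
    if not requires_step_up(op):
        return True
    if supplied_code is None:
        return False
    expected = transaction_code(secret, op, details, current_slot(now))
    # Constant-time comparison so a wrong guess leaks nothing via timing.
    return hmac.compare_digest(expected, supplied_code)


if __name__ == "__main__":
    # Constructed walk-through: the customer's device and the bank share `secret`.
    secret = b"constructed-shared-secret"
    payee = "sortcode=00-00-00;acct=12345678"
    code = transaction_code(secret, "add_payee", payee, current_slot())
    print("balance view, no code:", verify_transaction(secret, "view_balance", "", None))
    print("add payee, no code:   ", verify_transaction(secret, "add_payee", payee, None))
    print("add payee, right code:", verify_transaction(secret, "add_payee", payee, code))
    print("same code, other payee:",
          verify_transaction(secret, "add_payee", "sortcode=00-00-00;acct=87654321", code))
```

The point the thread makes survives in the code: a keylogger that captures the password and a code still only holds a code that authorises the one transaction the customer actually signed, for a few minutes, and nothing at all for the routine operations that never asked for one.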

        1. Anonymous Coward
          Anonymous Coward

          Re: it's your job on the line...@handle

          "all card readers are the same so it's possible you may be able to borrow one."

          They certainly look and operate identically in the small sample I've had (of two), but when I tried to use my RBS card reader for a Nationwide transaction 'cos I couldn't find the proper one, NW wouldn't accept the authentication code from the RBS card reader. Not something I've tried too hard to explore, obviously.

          1. Z80

            Re: it's your job on the line...@handle

            I've just logged in to Nationwide online banking with a code generated by a NatWest card reader.

            1. Anonymous Coward
              Anonymous Coward

              Logging on

              Why is that surprising? They use the same technology; the security (sic) is in the card.

              Search for Ross Anderson at Cambridge uni; his lab is into wank (in)security. (Sorry, should have said bank, been a bad day!!)

        2. paulf
          Thumb Up

          Re: it's your job on the line...

          @ Handle

          "It astonishes me that banks call people like that and expect them to identify themselves."

          Completely agree. I've refused to give out personal details on incoming calls for years since I was called by someone from a clearly foreign call centre (and withheld number) claiming to be from my bank and wanting me to give my DOB to confirm my identity. He wouldn't tell me what the call was about and I refused to tell him anything and he hung up.

          When I tell callers I don't confirm any personal details on incoming calls, I usually get a bemused but understanding response, and I call back on a known number and usually get through to the person I was speaking to before. But sometimes they can be a bit stroppy about it.

          Thing is when I call the bank (or other entities like my mobile phone company) they want to check MY identity. When the bank calls me they want to check MY identity. They never seem to understand there should be a way to confirm their identity on incoming calls.

          I have used internet banking for some 12-13 years, so I'm not looking for a tinfoil hat nor am I paranoid, but I am really careful who I give personal information to.

        3. Anonymous Coward
          Happy

          Re: it's your job on the line...

          Good advice, my wank called up and said.

          Hello Aimee this is acme wank, please can you confirm your date of birth?

          Me: No

          Wank: we need to verify we are speaking to Aimee.

          Me: I need to verify you are my wank.

          Wank: You can call us on <expensive line>

          Me: No thanks, send me a letter, or an email, my policy is not to talk to Wanks/Gov etc as you will deny all knowledge of the conversation, and I need a paper record as evidence when I sue you

          Wank: ok, bye

          Sorry for the W instead of B, my keyboard is playing up!!!, I am sure there is a good Wank with ethical Wankers out there somewhere.

      2. Blitterbug
        Happy

        Re: a combination of not using Windows...

        Nearly voted you up, Mr Handle, but then you went and spoiled it...

        Yes, your point is well taken but a less incendiary phrase would be: "A combination of not being an idiot..." An informed, cautious Windows user who doesn't visit every jerk site on the web or click on every damned email in their inbox, together with a good free AV just in case, is all you need to be safe.

  4. Roger Varley

    Hardly the most successful scam of all time ...

    all that time and effort to net, on average, a tad under GBP 27 per sucker.

    1. smudge
      Facepalm

      Re: Hardly the most successful scam of all time ...

      Let me correct that for you.

      Relatively little time and effort, with little chance of being caught, in your own controlled environment and not out on the streets, to net 800 grand.

      Seems quite a successful scam to me.

      As for taking less than 27 quid per punter - please go and look up "salami slicing".

  5. Reboot_IT
    Thumb Up

    On-line banking = Secure

    End-user computer = Not Secure (full of Malware, Trojans, Keyloggers, [insert more crap here])

  6. Anonymous Coward
    Anonymous Coward

    indeed, send it right back at them......

    Try asking them to write and apply for a 36-character authentication code that must have a mixture of upper and lower case characters, at least one number, at least one special character; it should not have any characters or numbers that are repeated in a consecutive sequence; also warn them that they can not use the same password as used in the last 24 previous passwords. Obviously, like phone companies and banks that are happy to make you deal with them via email or automated systems but insist you write any complaints in writing (pen and ink) in order to discourage you - if it's good for them, it's good for you. For good measure insist that you can not send the code to an address outside the UK, or to a PO Box Number.

    Once they have received and activated the code, which they must do within 7 days of receipt and preferably on one of the 3 days a year DFS do not have a furniture sale, whilst supplying a memorable phrase in order to further validate their authentication.

    These credentials can only be allocated to an individual and should never be shared or written down in case of fraudulent use.

    Only then, when they ring, will you be able to ask them for the 3rd, 7th and 22nd digit of their authentication code; if successful they will have to validate this with the 8th, 19th and 24th character of their memorable phrase. They will also have to give the phone number from which they are calling (which you will of course know as it's on your screen..., but every little helps), then you can ask them to confirm their first line of address or post code.

    If they get any of this wrong, they will have to start the process again with you supplying new character positions for them to validate.

    If it takes longer than 3 minutes for them to complete the process, they will also have to restart the process.

    If they get it wrong three times in a row their account is locked and they will have to write requesting a new code be sent.

    If they ask to talk to a supervisor then you should tell them one is not available and can they ring back, or submit a request in writing.

    If they are successful, then you can inform them that no one is available as the service window closed on the previous hour, and could they ring back again when someone is available to take their call.

    That should do it!

    c athat they will be able As then for the 2 character of thier password.

    1. damian fell

      Re: indeed, send it right back at them......

      Nice one - but obviously if they get it wrong they should be asked for the same character positions that they've got wrong again, to avoid the interception of the pass phrase by a third party by listening in on the multiple iterations.
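The "characters 3, 7 and 22 of your password" check that handle mentions and the previous two posts play with, as an added example that is not part of the thread: the server picks random positions, and, following the rule suggested just above, keeps asking for the same positions until they are answered correctly, so an eavesdropper on repeated failed attempts learns no new positions. The class name, the three-strikes lockout and the sample secret are assumptions made for the example.

```python
"""Added example: a partial-secret challenge that re-asks the same positions
after a failure. Not the thread's code nor any bank's real implementation;
the names, limits and sample secret are constructed."""
import hmac
import random
from typing import List, Optional

MAX_FAILURES = 3  # assumption: lock after three wrong answers in a row


class PartialSecretChallenge:
    """Holds one customer's memorable phrase and the challenge state for it.

    Caveat inherent to the scheme: to check arbitrary character positions the
    server must keep the phrase in recoverable form, unlike a salted password
    hash, so its storage needs stronger protection than a normal password store.
    """

    def __init__(self, secret: str, positions_per_challenge: int = 3):
        self._secret = secret
        self._k = positions_per_challenge
        self._pending: Optional[List[int]] = None  # positions currently being asked (1-based)
        self._rng = random.SystemRandom()          # OS entropy, not the default PRNG
        self.failures = 0
        self.locked = False

    def challenge(self) -> List[int]:
        """Return the positions to ask for.

        A fresh random set is drawn only when nothing is pending, i.e. after a
        correct answer. After a wrong answer the same positions come back, so
        many failed attempts still expose only that one subset of the phrase.
        """
        if self.locked:
            raise PermissionError("account locked; new code must be requested in writing")
        if self._pending is None:
            self._pending = sorted(self._rng.sample(range(1, len(self._secret) + 1), self._k))
        return list(self._pending)

    def answer(self, chars: str) -> bool:
        """Check the caller's characters against the pending positions."""
        if self.locked or self._pending is None:
            return False
        expected = "".join(self._secret[p - 1] for p in self._pending)
        ok = hmac.compare_digest(expected.encode(), chars.encode())
        if ok:
            self._pending = None  # next challenge draws new positions
            self.failures = 0
        else:
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
        return ok


if __name__ == "__main__":
    # Constructed walk-through with a made-up memorable phrase.
    phrase = "correct-horse-battery"
    c = PartialSecretChallenge(phrase)
    positions = c.challenge()
    print("asked for positions", positions)
    print("wrong answer accepted?", c.answer("???"))
    print("re-asked positions   ", c.challenge(), "(same as before)")
    right = "".join(phrase[p - 1] for p in positions)
    print("right answer accepted?", c.answer(right))
    print("next challenge       ", c.challenge(), "(fresh draw)")
```

Two details matter for the defence the post describes: the positions are only redrawn on success, and the comparison is constant-time so a wrong guess cannot be refined character by character from response timing.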

  7. b166er

    I've used online banking for years on Windows PCs. The only time I had a problem was after using my card at a shady filling station, and the bank credited me as soon as I raised the issue.

    I would therefore say that internet banking is very safe if you understand what to do to make it that way and therein lies the rub. Most people are just too damn lazy and blockheaded to understand how computer operating systems and the internet works (and to check their statements).

    The banks have done lots wrong, god knows, however on this occasion it's the fault of dumbass users.
