Bogus training offer opens hacker doors to bank accounts

Feb 05, 2012 by Nancy Owano weblog

(PhysOrg.com) -- Mischief-making hackers, always willing to try clever ways to bypass advanced security safeguards, have figured out a way to make off like bandits, literally. According to a BBC report, the exploit first tricks account-owning victims by presenting offers of training for an upgraded security system. The hacker criminals, with their victims unaware, proceed to move money out of these users’ accounts.

What braces bank security in particular is not only the crime but the fact that continue to easily skirt the latest-generation security techniques.

Bank security measures in the past like PINSentry from Barclays and SecureKey from HSBC have come up with devices that use an account holder’s card or code to create a unique key at each login. The entry is valid for around thirty seconds. “While these chip and pin devices make the hackers' job more difficult, the hackers themselves have raised their game,” says the BBC report.

The hacker technique at play is "man in the browser" malware, meaning that the malware is in the browser. With this kind of attack, the exploit can change what is seen and can play with details of what is being entered. Some of the attacks, for example, change payment details and amounts on screen balances. The user and the host application are unaware that a break-in is under way. “MitB” code is likely to remain a headache for banks as attackers continue to evolve their capabilities. Daniel Brett, of malware testing lab S21sec.was quoted in the report as describing the browser attack as an advanced, banking-focused threat.

Online banking fraud losses totaled £16.9 million in the first six months of 2011, according to Financial Fraud Action UK. In the UK, banks usually refund victims of online fraud.

Actually, as worrying as new types of exploits may be, the problem is not new. The banking industry has been coping with hackers targeting them for some time. Back in December 2010, Security Week was reporting that attackers were starting to improve the “autonomous capabilities of MitB code.” The article noted how the SilentBanker Trojan targeted more than 400 banks and had the ability to intercept banking transactions, even those guarded by two-factor authentication. Two-factor authentication refers to a measure whereby the user is required to provide two means of identification, one of which is something the person has (a card, e.g.) and the other something memorized, something the person knows.

Banks and experts nonetheless say that online banking users can do well to simply be alert and take care. Experts suggest typing bank URLs in the browser rather than using links included in unsolicited emails.

When up on the site, they recommend users be alert to suspicious signs such as a process not looking the same as usual or a transaction taking longer than usual. If worried about a break-in, they advise users to contact the bank by phone, not e-mail, and report the time and date of the suspected incident.

Explore further: Startups offer banking for smartphone users

Related Stories

Human error puts online banking security at risk

Nov 07, 2007

Using an SMS password as an added security measure for internet banking is no guarantee your money is safe, according to a new Queensland University of Technology study which reveals online customers are not protecting their ...

Ramnit's heist bags 45,000 Facebook passwords

Jan 06, 2012

(PhysOrg.com) -- Ramnit, the bank-thieving worm, is at it again, this time scoffing up Facebook accounts. The latest oh-look-another-threat is one that security watchers say could get ugly. Ramnit has grown ...

Feds bolstering online banking security

Oct 19, 2005

Federal banking regulators are ordering financial institutions to bolster their Internet security by the end of next year, hoping to halt identity theft. But experts tell UPI's The Web that the measures still may not be strong ...

New Internet ID Card Prevents Online Fraud

Mar 31, 2008

Times are getting hard for anyone trying to get away with online fraud. That’s because Siemens, in cooperation with a partner company, has developed an Internet ID card the size of an ATM card that enables ...

Recommended for you

Startups offer banking for smartphone users

7 hours ago

The latest banks are small enough to fit in the palm of your hand. Startups, such as Moven and Simple, offer banking that's designed specifically for smartphones, enabling users to track their spending on the go. Some things ...

'SwaziLeaks' looks to shake up jet-setting monarchy

Aug 29, 2014

As WikiLeaks founder Julian Assange prepares to end a two-year forced stay at Ecuador's London embassy, he may take comfort in knowing he inspired resistance to secrecy in places as far away as Swaziland.

Ecuador heralds digital currency plans (Update)

Aug 29, 2014

Ecuador is planning to create what it calls the world's first digital currency issued by a central bank, which some analysts believe could be a first step toward abandoning the country's existing currency, ...

WEF unveils 'crowdsourcing' push on how to run the Web

Aug 28, 2014

The World Economic Forum unveiled a project on Thursday aimed at connecting governments, businesses, academia, technicians and civil society worldwide to brainstorm the best ways to govern the Internet.

User comments : 3

Adjust slider to filter visible comments by rank

Display comments: newest first

LuckyBrandon
2.4 / 5 (5) Feb 05, 2012
The irony is that these idiots are only serving to lock this world down even more, along with creating even MORE corrupt politicians as they come up with underhanded ways to try to deal (or not deal) with this problem.
Jotaf
5 / 5 (1) Feb 05, 2012
There's no irony in that; criminals are finding new ways to steal money, as they always have. This is the reason why I don't buy things over the net, unless they let me pay on the act of delivery (with actual money, or credit card on a wireless terminal).
TheSpiceIsLife
4 / 5 (3) Feb 06, 2012
Cash is extremely easy to steal, and card readers are extremely easy to acquire. Still feel safe?