Bogus training offer opens hacker doors to bank accounts

February 5, 2012 by Nancy Owano weblog

( -- Mischief-making hackers, always willing to try clever ways to bypass advanced security safeguards, have figured out a way to make off like bandits, literally. According to a BBC report, the exploit first tricks account-owning victims by presenting offers of training for an upgraded security system. The hacker criminals, with their victims unaware, proceed to move money out of these users’ accounts.

What braces bank security in particular is not only the crime but the fact that continue to easily skirt the latest-generation security techniques.

Bank security measures in the past like PINSentry from Barclays and SecureKey from HSBC have come up with devices that use an account holder’s card or code to create a unique key at each login. The entry is valid for around thirty seconds. “While these chip and pin devices make the hackers' job more difficult, the hackers themselves have raised their game,” says the BBC report.

The hacker technique at play is "man in the browser" malware, meaning that the malware is in the browser. With this kind of attack, the exploit can change what is seen and can play with details of what is being entered. Some of the attacks, for example, change payment details and amounts on screen balances. The user and the host application are unaware that a break-in is under way. “MitB” code is likely to remain a headache for banks as attackers continue to evolve their capabilities. Daniel Brett, of malware testing lab S21sec.was quoted in the report as describing the browser attack as an advanced, banking-focused threat.

Online banking fraud losses totaled £16.9 million in the first six months of 2011, according to Financial Fraud Action UK. In the UK, banks usually refund victims of online fraud.

Actually, as worrying as new types of exploits may be, the problem is not new. The banking industry has been coping with hackers targeting them for some time. Back in December 2010, Security Week was reporting that attackers were starting to improve the “autonomous capabilities of MitB code.” The article noted how the SilentBanker Trojan targeted more than 400 banks and had the ability to intercept banking transactions, even those guarded by two-factor authentication. Two-factor authentication refers to a measure whereby the user is required to provide two means of identification, one of which is something the person has (a card, e.g.) and the other something memorized, something the person knows.

Banks and experts nonetheless say that online banking users can do well to simply be alert and take care. Experts suggest typing bank URLs in the browser rather than using links included in unsolicited emails.

When up on the site, they recommend users be alert to suspicious signs such as a process not looking the same as usual or a transaction taking longer than usual. If worried about a break-in, they advise users to contact the bank by phone, not e-mail, and report the time and date of the suspected incident.

Explore further: Human error puts online banking security at risk

Related Stories

Human error puts online banking security at risk

November 7, 2007

Using an SMS password as an added security measure for internet banking is no guarantee your money is safe, according to a new Queensland University of Technology study which reveals online customers are not protecting their ...

Ramnit's heist bags 45,000 Facebook passwords

January 6, 2012

( -- Ramnit, the bank-thieving worm, is at it again, this time scoffing up Facebook accounts. The latest oh-look-another-threat is one that security watchers say could get ugly. Ramnit has grown up since it was ...

Feds bolstering online banking security

October 19, 2005

Federal banking regulators are ordering financial institutions to bolster their Internet security by the end of next year, hoping to halt identity theft. But experts tell UPI's The Web that the measures still may not be strong ...

New Internet ID Card Prevents Online Fraud

March 31, 2008

Times are getting hard for anyone trying to get away with online fraud. That’s because Siemens, in cooperation with a partner company, has developed an Internet ID card the size of an ATM card that enables users to provide ...

Recommended for you

Startup Pi out to slice the charging cord

September 19, 2017

Silicon Valley youngster Pi on Monday claimed it had developed the world's first wireless charger that does away with cords or mats to charge devices.

A solar cell you can put in the wash

September 18, 2017

Scientists from RIKEN and the University of Tokyo have developed a new type of ultra-thin photovoltaic device, coated on both sides with stretchable and waterproof films, which can continue to provide electricity from sunlight ...


Adjust slider to filter visible comments by rank

Display comments: newest first

2.4 / 5 (5) Feb 05, 2012
The irony is that these idiots are only serving to lock this world down even more, along with creating even MORE corrupt politicians as they come up with underhanded ways to try to deal (or not deal) with this problem.
5 / 5 (1) Feb 05, 2012
There's no irony in that; criminals are finding new ways to steal money, as they always have. This is the reason why I don't buy things over the net, unless they let me pay on the act of delivery (with actual money, or credit card on a wireless terminal).
4 / 5 (3) Feb 06, 2012
Cash is extremely easy to steal, and card readers are extremely easy to acquire. Still feel safe?

Please sign in to add a comment. Registration is free, and takes less than a minute. Read more

Click here to reset your password.
Sign in to get notified via email when new comments are made.