Comments
Luuuk Stole Half-Million Euros in One Week
Bprince
Bprince,
User Rank: Ninja
6/30/2014 | 12:16:36 AM
Flags
I have a question - how come the sudden transfer of €39,000 didn't trigger something? I mean, that is not a small amount of money. If that doesn't happen with an in-person transaction, should the bank maybe send an SMS?

BP
RyanSepe
RyanSepe,
User Rank: Ninja
6/29/2014 | 9:23:58 PM
Triple Authentication
With the financial industry being a large target for malicious attacks, do we think there are any motions to incorporate another complementary method of authentication?

Maybe biometrics or device temp passwords. With a low FAR and FRR, biometrics in the form of a fingerprint could help enhance yet expediently allow the user access to their accounts. This might help attacks that end with extraction from an ATM. For online transactions or transitions, register your device. Once registered, every time you go to transfer, a temporary password is sent to that device which you have to input before the money can be successfully transferred. I know in incorporating these, finance will be a factor, but the ROI might be justified against the amount stolen. It will provide another layer of authentication and, in my opinion, is easy for the end user to incorporate into their process. I would think we will see this on the horizon soon.
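The registered-device temporary password described above is only as good as what the code is tied to. As an added example (not code from this thread or from any bank), the sketch below derives a short one-time code from a per-device secret, the current time window, and the transfer details the user confirmed. The secret, the 6-digit length, the 5-minute window, and the sample IBANs are all assumptions. Because the payee and amount are inside the HMAC input, a code the user typed for the transfer they saw will not verify for a transfer that malware in the browser silently rewrote.

```python
"""Transaction-bound one-time code for a registered device.

Added example, not code from the Dark Reading thread or from any bank.
Assumptions: the bank shares a per-device secret at registration, codes are
6 digits, and a code is accepted during its 5-minute window or the one before.
The code is derived from the transfer the user confirmed (payee, amount,
currency), so it cannot be replayed against a transfer that a man-in-the-
browser silently rewrote."""
import hashlib
import hmac
import struct

CODE_DIGITS = 6
WINDOW_SECONDS = 300  # assumption: one 5-minute validity window


def _canonical(payee: str, amount_cents: int, currency: str) -> bytes:
    """Length-prefixed fields so no two distinct transfers encode to the same bytes."""
    out = b""
    for field in (payee, str(amount_cents), currency):
        data = field.encode("utf-8")
        out += struct.pack(">H", len(data)) + data
    return out


def make_code(device_secret: bytes, payee: str, amount_cents: int,
              currency: str, now: float, window_offset: int = 0) -> str:
    """HMAC-SHA256 over (time window || transfer details), truncated like HOTP."""
    window = int(now // WINDOW_SECONDS) + window_offset
    msg = struct.pack(">Q", window) + _canonical(payee, amount_cents, currency)
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_code(device_secret: bytes, payee: str, amount_cents: int,
                currency: str, code: str, now: float) -> bool:
    """Accept the current or previous window; compare in constant time."""
    for offset in (0, -1):
        expected = make_code(device_secret, payee, amount_cents, currency, now, offset)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    secret = b"constructed-device-secret"            # constructed sample secret
    t = 1_700_000_000.0                              # constructed timestamp
    confirmed_payee = "DE89370400440532013000"       # constructed sample IBAN
    rewritten_payee = "GB29NWBK60161331926819"       # constructed sample IBAN
    code = make_code(secret, confirmed_payee, 3_900_000, "EUR", t)
    print("code for confirmed transfer:", code)
    print("verifies as confirmed:",
          verify_code(secret, confirmed_payee, 3_900_000, "EUR", code, t))
    print("verifies for rewritten payee:",
          verify_code(secret, rewritten_payee, 3_900_000, "EUR", code, t))
```

The important design choice is that the bank computes the code over the transfer as it sees it server-side; if the displayed confirmation on the device shows payee and amount alongside the code, the user also gets an independent channel to spot a rewritten transfer before approving it.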
LindzKay
LindzKay,
User Rank: Apprentice
6/27/2014 | 3:56:54 PM
Re: Failure to Connect the Dots
I followed the flow of a medical record through our "encrypted" software only to find that some employees were pulling the documents into their downloads folder when they should have been previewing them within their browser.

So much for dots. And a massive fee for ShareFile "encryption."
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/26/2014 | 1:23:43 PM
Re: Failure to Connect the Dots
@Christian Bryant

Thanks so much for the link! 

You are exactly correct on broadening security intelligence to include the human factors. I too find it hard to believe that actions only one step removed from what is considered a "high-risk" transaction are allowed to take place without batting an eye. We as security professionals need to be able to see the whole picture, and that means being able to judge the risk of a string of transactions rather than on an individual basis.
RetiredUser
RetiredUser,
User Rank: Ninja
6/26/2014 | 12:07:21 PM
Re: Failure to Connect the Dots
@Robert McDougal

Yeah, you're right on the last point, Robert - I took a moment to "soap box" :-) But to that point, I think incorporating human factors to the security intelligence in the software for both users and staff would aid in keeping the keys to the kingdom inaccessible.

On a side note, there is a great paper (now stale) on HECC in Java over at Google Code: http://code.google.com/p/heccinjava/
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/26/2014 | 8:59:57 AM
Re: Failure to Connect the Dots
I am also a proponent of the hyperelliptic curve cryptography (HECC) system. I think it is a matter of time before we see HECC making a much larger push into the market. For example, OpenSSL and OpenSSH have built HECC into their products starting with versions 0.9.8 and 5.7 respectively. The main advantages of HECC over RSA are threefold: increased security with shorter key length, lower CPU usage, and lower memory utilization.

However, the main benefit of RSA is that it is already entrenched. RSA was first released in 1978 and HECC was released in 1985. Additionally, developers feel that RSA is easier to understand than HECC, which ultimately is a fallacious argument since all of the finer details of the algorithm are contained in a class that a developer calls, just like RSA.

In my opinion, the best valid argument you can make for RSA and against HECC is that RSA relies on the robustness of factorization which has been tested for over 2500 years whereas HECC is based on only 25 years of research.

I have a feeling that HECC will eventually make inroads but it will take time to unseat the champ.

Also, in this incident with a man-in-the-browser attack, I don't think it matters what encryption algorithm the bank uses because the attackers had the keys to the kingdom.
RetiredUser
RetiredUser,
User Rank: Ninja
6/26/2014 | 1:46:47 AM
Failure to Connect the Dots
This is an excellent example of why online banking workflows are terribly flawed. This isn't high-tech hacking here, and the exploit is taking advantage of poor security and disconnected processes between the bank's online interface and the ATM functions.

On the security end, Ganesan and Vivekanandan in their article "A Secured Hybrid Architecture Model for Internet Banking" note that for securely and privately transmitting the data over the Internet, "most protocols use both public key and secret key cryptography. To implement public key cryptography, the RSA algorithm is used with the key size of 1024-bits. But a hybrid architecture model is implemented with the hyperelliptic curve cryptosystem and it performs the encryption and decryption processes in an efficient way merely with an 80-bit key size. The main objective of this model is to consider and include the hyperelliptic curve cryptosystem and MD5 in the internet banking environment to enrich the privacy and integrity of the sensitive data transmitted between the clients and the application server." A few years old, this idea is still worth looking at and not currently implemented by any bank in the US that I'm aware of.

But more importantly, by not having bank transaction analysis in place that takes into account the human element, online banking fails by not putting 2 and 2 together when specific types of online banking activity are followed by ATM activity in the same accounts. For crying out loud, my bank freezes my account every time I'm trying to take care of my Christmas shopping, yet will let me execute any number of online purchases or money transfers without blinking an eye. The processes associated with every type of monetary transaction need to be defined, documented in algorithms, joined intelligently with flexibility for variations during holidays, or family milestones (document the user's children's ages, for instance, or marriage date to anticipate anniversary purchases, and so on) – anything to make online banking and associated processes not just secure from a technology standpoint, but from a human standpoint.

Encryption, passwords and network security are only part of the puzzle. Processes, their interfaces and lifecycles need to be acknowledged as well.
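Two of the comments in this thread ask for the same control from different angles: Bprince asks why a single €39,000 transfer did not trigger anything, and RetiredUser asks why online transfer activity followed by ATM activity on the same account is not "put together". The following is an added example, not code from this thread or from any bank, of what that correlation looks like as detection logic run over a constructed account event log. The log format, the 10,000 EUR review threshold, the 6-hour transfer-to-ATM window and the account numbers are all assumptions.

```python
"""Transaction-chain risk scoring over an account event log.

Added example, not code from the Dark Reading thread or from any bank.
The log format, the 10,000 EUR review threshold and the 6-hour
transfer-to-ATM window are assumptions. Two rules: a large single transfer
is flagged on its own, and online transfer activity followed by ATM
withdrawals on the same account within the window is flagged as a chain."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

LARGE_TRANSFER_EUR = 10_000.0        # assumption: single-transfer review threshold
CHAIN_WINDOW = timedelta(hours=6)    # assumption: transfer -> ATM correlation window
ONLINE_MOVEMENTS = {"online_transfer_out", "transfer_in"}

# Constructed sample log: A-1001 sends 39,000 EUR to M-7788, which is then
# cashed out at an ATM; B-2002 is ordinary activity outside the window.
SAMPLE_LOG = """\
2014-06-20T09:58:11Z acct=A-1001 type=online_login amount=0 currency=EUR
2014-06-20T10:02:45Z acct=A-1001 type=online_transfer_out amount=39000 currency=EUR
2014-06-20T10:03:10Z acct=M-7788 type=transfer_in amount=39000 currency=EUR
2014-06-20T11:15:00Z acct=M-7788 type=atm_withdrawal amount=1000 currency=EUR
2014-06-20T11:20:30Z acct=M-7788 type=atm_withdrawal amount=1000 currency=EUR
2014-06-21T08:00:00Z acct=B-2002 type=online_transfer_out amount=120 currency=EUR
2014-06-21T18:30:00Z acct=B-2002 type=atm_withdrawal amount=50 currency=EUR
"""


@dataclass
class Event:
    ts: datetime
    acct: str
    kind: str
    amount: float
    currency: str


def parse_event(line: str) -> Event:
    """Parse one 'TS key=value ...' line (constructed format)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Event(datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
                 kv["acct"], kv["type"], float(kv["amount"]), kv["currency"])


def score_events(lines: List[str]) -> List[Dict]:
    """Walk each account's events in time order and emit rule hits."""
    events = sorted((parse_event(ln) for ln in lines if ln.strip()),
                    key=lambda e: (e.acct, e.ts))
    alerts: List[Dict] = []
    last_movement: Dict[str, Event] = {}   # most recent online movement per account
    for e in events:
        if e.kind in ONLINE_MOVEMENTS:
            # Rule 1: a single large outbound transfer is worth a review on its own
            if (e.kind == "online_transfer_out" and e.currency == "EUR"
                    and e.amount >= LARGE_TRANSFER_EUR):
                alerts.append({"rule": "large_transfer", "acct": e.acct,
                               "amount": e.amount, "ts": e.ts.isoformat()})
            last_movement[e.acct] = e
        elif e.kind == "atm_withdrawal":
            # Rule 2: ATM cash-out shortly after an online movement on the same account
            prev = last_movement.get(e.acct)
            if prev is not None and e.ts - prev.ts <= CHAIN_WINDOW:
                elapsed = int((e.ts - prev.ts).total_seconds() // 60)
                alerts.append({"rule": "transfer_then_atm", "acct": e.acct,
                               "after": prev.kind, "minutes": elapsed,
                               "amount": e.amount, "ts": e.ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in score_events(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample log this yields one large-transfer hit for the sender and two chain hits for the receiving account, while the small transfer followed by a withdrawal ten hours later stays quiet. The point of keeping per-account state across event types is exactly the one made above: the risk of the ATM withdrawal is only visible when it is judged against the online activity that preceded it, not as an isolated transaction.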
securityaffairs
securityaffairs,
User Rank: Ninja
6/25/2014 | 6:40:55 PM
it's just the beginning
The bad actors behind the campaign have temporarily changed tactics and infrastructure; the fact that they attacked a single bank could indicate that they were testing their product to use it in further and more sophisticated campaigns against the banking industry in the next months.

Banks are advised!