Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Luuuk Stole Half-Million Euros in One Week
Newest First  |  Oldest First  |  Threaded View
Bprince
Bprince,
User Rank: Ninja
6/30/2014 | 12:16:36 AM
Flags
I have a question - how come the sudden transfer of €39,000 didn't trigger something? I mean, that is not a small amount of money. If that doesn't happen with an in person transaction, should the bank maybe send a SMS?

BP
RyanSepe
RyanSepe,
User Rank: Ninja
6/29/2014 | 9:23:58 PM
Triple Authentication
With the financial industry being a large target for malicious attacks, do we think there are any motions to incorporate another complimentary method of authentication?

Maybe biometrics or device temp passwords. With a low FAR and FRR, biometrics in the form of a fingerprint could help enhance yet expediently allow the user access to there accounts. This might help attacks that end with extraction from an ATM. For online transactions or transitions, register your device. Once registered everytime you go to transfer a temporary password is sent to that device in which you have to input before the money could be successfully transferred. I know in incorporating these, finance will be a factor but the ROI might be justified against the amount stolen. It will provide another layer of authentication and, in my opinion, is easy for the end user to incorporate into their process. I would think we will see this on the horizon soon.
LindzKay
LindzKay,
User Rank: Apprentice
6/27/2014 | 3:56:54 PM
Re: Failure to Connect the Dots
I followed the flow of a medical record through our "encrypted" software only to find that some employees were pulling the documents into their downloads folder when they should have been previewing them within their browser.

So much for dots. And a massive fee for ShareFile "encryption."
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/26/2014 | 1:23:43 PM
Re: Failure to Connect the Dots
@Christian Bryant

Thanks so much for the link! 

You are exactly correct on broadening security intelligence to include the human factors.  I too find it hard to believe that actions only one step removed from what is considered a "high-risk" transaction is allowed to take place without batting an eye.  We as security professionals need to be able to see the whole picture and that means being able to judge the risk of a string of transactions rather than on an individual basis.
RetiredUser
RetiredUser,
User Rank: Ninja
6/26/2014 | 12:07:21 PM
Re: Failure to Connect the Dots
@Robert McDougal

Yeah, you're right on the last point, Robert - I took a moment to "soap box" :-)  But to that point, I think incorporating human factors to the security intelligence in the software for both users and staff would aid in keeping the keys to the kingdom inaccessible.

On a side note, there is a great paper (now stale) on HECC in Java over at Google Code: http://code.google.com/p/heccinjava/
Robert McDougal
Robert McDougal,
User Rank: Ninja
6/26/2014 | 8:59:57 AM
Re: Failure to Connect the Dots
I am also a proponent of the hyperelliptic curve cryptography (HECC) system.  I think it is a matter of time before we see HECC making a much larger push into the market.  For example, OpenSSL and OpenSSH have built HECC into their products starting with versions 0.9.8 and 5.7 respectively.  The main advantages of HECC over RSA is threefold, increased security with shorter key length, lower CPU usage, and lower memory utilization. 

However the main benefit of RSA is that it is already entrenched.  RSA was first released in 1978 and HECC was released in 1985.  Additionally, developers feel that RSA is easier to understand than HECC which ultimately is a fallacious argument since all of the finer details of the algorithm are contained in a class that a developer calls, just like RSA.

In my opinion, the best valid argument you can make for RSA and against HECC is that RSA relies on the robustness of factorization which has been tested for over 2500 years whereas HECC is based on only 25 years of research.

I have a feeling that HECC will eventually make inroads but it will take time to unseat the champ.

Also, in this incident with a Man in the browser attack, I don't think it matters what encryption algorithm the bank uses because the attackers had the keys to the kingdom.
RetiredUser
RetiredUser,
User Rank: Ninja
6/26/2014 | 1:46:47 AM
Failure to Connect the Dots
This is an excellent example of why online banking workflows are terribly flawed.  This isn't high-tech hacking here, and the exploit is taking advantage of poor security and disconnected processes between the bank's online interface and the ATM functions. 

On the security end, Ganesan and Vivekanandan in their article "A Secured Hybrid Architecture Model for Internet Banking" note that for securely and privately transmitting the data over the Internet, "most protocols use both public key and secret key cryptography. To implement public key cryptography, the RSA algorithm is used with the key size of 1024-bits. But a hybrid architecture model is implemented with the hyperelliptic curve cryptosystem and it performs the encryption and decryption processes in an efficient way merely with an 80-bit key size. The main objective of this model is to consider and include the hyperelliptic curve cryptosystem and MD5 in the internet banking environment to enrich the privacy and integrity of the sensitive data transmitted between the clients and the application server."  A few years old, this idea is still worth looking at and not currently implemented by any bank in the US that I'm aware.

But more importantly, by not having bank transaction analysis in place that takes into account the human element, online banking fails by not putting 2 and 2 together when specific types of online banking activity is followed by ATM activity in the same accounts.  For crying out loud, my bank freezes my account every time I'm trying to take care of my Christmas shopping, yet will let me execute any number of online purchases or money transfers without blinking an eye.  The processes associated with every type of monetary transaction need to be defined, documented in algorithms, joined intelligently with flexibility for variations during holidays, or family milestones (document the user's childrens' ages, for instance, or marriage date to anticipate anniversary purchases, and so on) – anything to make online banking and associated processes not just secure from a technology standpoint, but from a human standpoint.

Encryption, passwords and network security are only part of the puzzle.  Processes, their interfaces and lifecycles need to be acknowledged as well.
securityaffairs
securityaffairs,
User Rank: Ninja
6/25/2014 | 6:40:55 PM
it's just the beginning
The bad actors behind the campaign have temporary changed tactic and infrastructure, the fact that they attacked a single bank could indicate that they were testing their product to use it in further and more sophisticated campaigns against the banking industry in the next months.

Banks are advised!


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-26135
PUBLISHED: 2022-06-30
A vulnerability in Mobile Plugin for Jira Data Center and Server allows a remote, authenticated user (including a user who joined via the sign-up feature) to perform a full read server-side request forgery via a batch endpoint. This affects Atlassian Jira Server and Data Center from version 8.0.0 be...
CVE-2017-20122
PUBLISHED: 2022-06-30
A vulnerability classified as problematic was found in Bitrix Site Manager 12.06.2015. Affected by this vulnerability is an unknown functionality of the component Contact Form. The manipulation of the argument text with the input <img src="http://1"; on onerror="$(â€&tra...
CVE-2017-20123
PUBLISHED: 2022-06-30
A vulnerability was found in Viscosity 1.6.7. It has been classified as critical. This affects an unknown part of the component DLL Handler. The manipulation leads to untrusted search path. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. ...
CVE-2017-20124
PUBLISHED: 2022-06-30
A vulnerability classified as critical has been found in Online Hotel Booking System Pro Plugin 1.0. Affected is an unknown function of the file /front/roomtype-details.php. The manipulation of the argument tid leads to sql injection. It is possible to launch the attack remotely. The exploit has bee...
CVE-2017-20125
PUBLISHED: 2022-06-30
A vulnerability classified as critical was found in Online Hotel Booking System Pro 1.2. Affected by this vulnerability is an unknown functionality of the file /roomtype-details.php. The manipulation of the argument tid leads to sql injection. The attack can be launched remotely. The exploit has bee...