Re: [Full-disclosure] 21 Million German bank accounts stolen - but accounts are still more secure than many other ones
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] 21 Million German bank accounts stolen - but accounts are still more secure than many other ones
- From: Martin Salfer <mars@xxxxxxx>
- Date: Fri, 12 Dec 2008 11:12:19 +0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Dear vik,
Nice to see that people from all over the world read and answer
full-disclosure. :-)
Yes, you're right. Those trojans that log and intercept data on the fly
are really a pain for most online banking customers. Fortunately some
banks are already technically prepared to resist those trojans.
Some banks already demand a class 3 smart card reader, which means the
reader itself must be equipped with a separate display and keyboard
(costing roughly 100 € in total). Such devices look like the credit
card machines at a checkout.
The amount of every single transaction must be displayed and
acknowledged on the separate card reader, which has its own OS/firmware.
This means any PC trojan would completely fail at intercepting, as any
alteration would be visible on the display or would invalidate the RSA
signature. A successful trojan would need to breach two security zones:
the PC OS plus the super hardened card reader OS.
The crucial point is to use separate smart card readers that have their
own OS/firmware (not Windows, for sure). Fancy card readers, aren't they? ;-)
Best regards,
Martin Salfer
Viktor Larionov wrote:
> Dear Martin of good old Germany,
>
> You are absolutely correct on the poor security and other things... but you
> actually should keep in mind that US internet banking, as far as I am
> concerned, by the amount and complexity of operations is way behind Germany
> and Europe in general.
> For example, US residents, correct me if I'm wrong, it's not every bank in the US
> where you can make a wire transfer or apply for a mortgage all online.
>
> That's one side of the coin - another side of it is banking trojans,
> like Torpig, Apophis - keeping these trojans' techniques in mind, there's
> actually no smart card, one-time password, RSA to help you.
>
> And if you have a list of Deutsche Bank clients, modifying Torpig a bit for
> Deutsche Bank and blasting this thing out to the clients is a good starting
> point - at least from my point of view.
>
> And I'm not even talking about personal privacy and etc. aspects.
> There's surely more than one way to use this data.
>
> Kindest regards,
> vik
> from poor young Estonia :)
>
> P.S.
>
> By banking trojans, I meant trojans injecting additional payment information
> into your bank transfers - e.g. you make 5 payments, but the trojan makes
> also a sixth one; still the browser, with the help of the trojan, displays you
> only 5 of them.
> You press accept - and you're done. Correct me if I'm wrong, but I somehow
> remember that Torpig was one of the bad things doing such tricks - as I
> already said, forget about RSA or one-time passwords in these cases :)))
>
> Still there are very successful strategies used by banks to fight this -
> mostly based on social analysis of your behaviour, but that's another
> story.
-----BEGIN PGP SIGNATURE-----
iD8DBQFJQjkCy4+E3T5McJsRA31AAJ9qb9SxszRcNK1igUP++D9eJub9+wCfR4WS
AUgbWdcxZncL+RtEnT3H36Y=
=4s/o
-----END PGP SIGNATURE-----
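Editor's note: the following is an added illustration of the two points argued above, Martin's class 3 reader (transaction shown and confirmed on the reader's own display, signed with the reader's RSA key) and Viktor's "sixth payment" injection. It is not code from either poster or from any bank. Everything in it is assumed for the illustration: the textbook RSA keygen stands in for the reader's real signing key (no PKCS#1 padding, small key), the transaction fields and canonical format are invented, and the IBANs and payments are constructed sample data. The scenario runs the trojan's two moves against the reader: pushing an extra payment to it (the user sees it on the reader display and declines) and rewriting a signed payment on the wire (the bank's signature check fails).

```python
import hashlib
import random

_rng = random.SystemRandom()


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; enough for the illustration, not a production keygen."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Textbook RSA without padding: an assumed stand-in for the reader's key.
    Real readers use padded PKCS#1 signatures and far larger moduli."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this means gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private); Python 3.8+


def canonical(tx):
    """Bytes the reader signs and the bank verifies; covers every field the
    user sees on the reader's display (format assumed for the example)."""
    return f"{tx['iban']}|{tx['cents']}|{tx['ref']}".encode()


def _hash_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def reader_display(tx):
    return f"Pay {tx['cents'] / 100:.2f} EUR to {tx['iban']}?"


def reader_sign(priv, tx, user_confirms):
    """Runs on the reader's own firmware, not on the PC: show the transaction on
    the reader's display, wait for the keypad confirmation, only then sign."""
    if not user_confirms(reader_display(tx)):
        return None
    n, d = priv
    return pow(_hash_int(canonical(tx), n), d, n)


def bank_verify(pub, tx, sig):
    """The bank hashes what it actually received; a payment altered after
    signing, or never confirmed on the reader, fails here."""
    if sig is None:
        return False
    n, e = pub
    return pow(sig, e, n) == _hash_int(canonical(tx), n)


def run_scenario():
    """Five intended payments, a trojan on the PC, a class 3 reader in between.
    All transactions below are constructed sample data."""
    pub, priv = rsa_keygen()
    intended = [{"iban": f"DE00TEST{i:014d}", "cents": 1000 * (i + 1), "ref": f"bill-{i}"}
                for i in range(5)]
    # The user knows what they meant to pay and reads the reader's display.
    expected = {reader_display(tx) for tx in intended}
    user_confirms = lambda shown: shown in expected

    # Attack 1: the trojan feeds the reader a sixth payment the browser never shows.
    injected = {"iban": "DE00TEST99999999999999", "cents": 250000, "ref": "mule"}
    signed = [(tx, reader_sign(priv, tx, user_confirms)) for tx in intended + [injected]]
    declined_on_reader = sum(sig is None for _, sig in signed)

    # Attack 2: after signing, the trojan rewrites the amount of the first
    # payment on the wire but reuses the genuine signature.
    tx0, sig0 = signed[0]
    signed[0] = (dict(tx0, cents=tx0["cents"] * 100), sig0)

    results = [bank_verify(pub, tx, sig) for tx, sig in signed]
    return {"submitted": len(results),
            "declined_on_reader": declined_on_reader,
            "accepted": sum(results),
            "rejected": len(results) - sum(results)}


if __name__ == "__main__":
    print(run_scenario())   # expect 6 submitted, 1 declined on reader, 4 accepted, 2 rejected
```

The two security zones Martin describes are the two functions that never run on the PC: `reader_sign`, which holds the private key and only signs what its own display showed and its own keypad confirmed, and `bank_verify`, which binds the signature to the exact recipient and amount. A trojan that controls the browser can reorder, hide or rewrite what the PC shows, but it cannot make the reader sign a sixth payment the user does not confirm, and it cannot change a confirmed payment without the bank's check failing.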
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/