E-Banking on a Locked Down PC, Part II
A pair of Security Fix blog posts last week urging businesses to consider using something other than Microsoft Windows when banking online elicited strong reactions from readers. Most said they thought it was a fresh perspective and sound advice, while others criticized me for going too far or for failing to recommend less drastic alternatives.
Let me be clear: The advice was aimed not at consumers, but at small to mid-sized companies that may not have a full-time IT/security staff, and who rely on one or two people to handle their bank accounts and payroll online.
That said, I wanted to respond to a couple of specific alternatives suggested by readers, because I felt they fell short of the level of security that these companies need to avoid becoming the next victim.
For example, some readers emphasized the importance of ensuring that employees' Windows computers are running under a limited user account that does not have the ability to install software or alter critical system settings. This so-called least-privilege principle is foundational in the field of computer security, as it can defeat many malicious software attacks. Indeed, I recommend the approach so frequently that if you Google for the term "limited user" you will see my column as the first entry.
Still, a number of today's more advanced threats -- including the Zeus Trojan, a sophisticated family of malware most commonly associated with these attacks against small businesses -- will just as happily run under a limited user account as under an administrator account in Windows.
Likewise, purchasing a cheap Windows netbook that is used only to access the company's bank Web site is a nice start, but one of the most common malware families associated with these attacks I've written about -- the Clampi Trojan -- spreads quite easily among Windows systems over a company's internal network. My advice was aimed at providing a no-cost solution for small to mid-sized businesses, but if these firms are going to purchase anything with a mind toward offering their controller or payroll administrator a safer computing option, they should probably splurge and get a Mac.
Since this series began, I have been flooded with pitches from companies providing all manner of security products and services aimed at securing the online banking site from the user's end. But in my opinion, most of these approaches come up short, erecting yet another hoop for the user (and the bad guys) to jump through.
From where I sit, any solution that fails to assume that a customer's system is already completely owned by the bad guys doesn't have a prayer of outsmarting today's threats. I find it strange that so few security companies are talking about what appears to be a clear demand for better back-end fraud detection technologies by many of the nation's banks (more on this topic in a future column).
It's also interesting to see that there are still people in the financial or security industry touting security tokens as the answer to this type of fraud. In break-in after break-in, the perpetrators have shown their ability to slip past virtually all of the customer-dependent security barriers erected by online banks (e.g., passwords, secret questions, and token-generated one-time codes).
I discovered the latest example of this failure just last week, when I spoke with Genlabs Corp., a chemical manufacturing firm based in Chino, Calif. Even though Genlabs' business banking account was protected by a security token code and a password, the thieves still were able to break into the firm's account online and transfer $437,000 to 50 different co-conspirators around the country.
Joyce Nicola, Genlabs' controller, said the thieves infected a PC belonging to a subordinate who was helping to set up new payroll accounts for the company. Normally, Nicola said, when they log in to their account at the bank, the site asks for a user name on one page, then the next page requests a password, and a third and final page requires the user to type in the output from a key fob that generates a new six-digit number every 60 seconds. When the employee logged in to the bank's site on the morning of the 16th, all three of those fields were instead present on the bank's home page.
A local computer forensics expert later determined that an infection from the "Zbot Trojan" (a.k.a. "Zeus") had allowed the attackers to rewrite the bank's login screen as displayed on the employee's computer, so that the credentials were intercepted before they could be sent on to the bank's actual Web site. The technician's report on the Zeus infection -- available here (PDF) -- is worth reading, particularly points 5 and 6, which noted that the infection could not be diagnosed from within Windows.
To date, Genlabs has succeeded in reversing just $48,000 worth of fraudulent transfers, Nicola said.
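The back-end fraud detection the post argues for, as an added illustration (my own sketch, not Genlabs' or any bank's system): a rule-based check over a constructed payroll history that holds a batch shaped like the one described above, 50 never-paid recipients totalling $437,000, while passing a normal payroll run or one with a single new hire. Payee identifiers, amounts and thresholds are all constructed.

```python
"""Back-end ACH batch anomaly check, constructed for illustration."""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Transfer:
    payee: str      # hypothetical payee identifier (constructed, not real account data)
    amount: float


# Constructed history: four prior payroll runs, each paying the same nine employees.
HISTORY = [[Transfer(f"emp{i:02d}", 2500.0 + 50 * i) for i in range(9)] for _ in range(4)]

# Constructed batch with the shape described in the post: 50 never-seen payees, $437,000 total.
SUSPECT_BATCH = [Transfer(f"mule{i:02d}", 437_000 / 50) for i in range(50)]


def known_payees(history):
    """Every payee the account has paid in prior batches."""
    return {t.payee for batch in history for t in batch}


def batch_total(batch):
    return sum(t.amount for t in batch)


def score_batch(history, batch, new_payee_ratio=0.5, total_multiplier=3.0, size_multiplier=2.0):
    """Return the rules a batch trips (an empty list means release without review).

    Thresholds are illustrative tuning knobs, not values from the post. Every rule is
    relative to the account's own history, so a genuine new hire or a modest raise
    does not trip it, but a batch that looks nothing like past payroll does.
    """
    reasons = []
    if not batch:
        return reasons
    new = [t for t in batch if t.payee not in known_payees(history)]
    if len(new) / len(batch) >= new_payee_ratio:
        reasons.append(f"{len(new)} of {len(batch)} payees never paid before")
    if history:
        baseline_total = mean(batch_total(b) for b in history)
        baseline_size = mean(len(b) for b in history)
        total = batch_total(batch)
        if total >= total_multiplier * baseline_total:
            reasons.append(f"total {total:,.0f} is {total / baseline_total:.1f}x the usual payroll")
        if len(batch) >= size_multiplier * baseline_size:
            reasons.append(f"{len(batch)} transfers vs. usual {baseline_size:.0f}")
    return reasons


if __name__ == "__main__":
    for reason in score_batch(HISTORY, SUSPECT_BATCH):
        print("HOLD:", reason)
```

Because the rules run on the bank's side against the account's own history, they still work when the customer's PC, password and token code are all in the attacker's hands, which is the point of L9's "assume the system is already owned" argument.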
October 20, 2009; 2:00 PM ET
Categories: From the Bunker , Safety Tips , Small Business Victims | Tags: ach fraud, clampi, genlabs, zbot, zeus