A Theft – but Stupid?

cranky 1 August 2008 47

Discovered today that someone has overnight managed to empty one of my bank accounts to the tune of $1500+. Bank (ANZ) and Police advised.

In the absence of any other explanation, it would appear that access details were probably garnered by tapping into our home wireless network.

The transaction popped up as an Internet bank transfer, so both access code and password were required to do the deed.

If anyone knows of a Benjamin John McKay, the name of the apparent recipient of this transaction, who is walking around with a $1500 smile on his gob, the Police would be very interested.

I’m a bit less than impressed with the ANZ’s method of dealing with this occurrence. No feedback, and more interested that the fraud is in Police hands and stat decs (very carefully worded) are received than apparently tracking down the above perp.

Bank holiday Monday cannot help.

Police were excellent.


47 Responses to A Theft – but Stupid?
caf caf 10:51 am 05 Aug 08

You are talking a load of rubbish, peterh. In the threat model under discussion (using a PC at an untrusted web cafe), you can trust NOTHING that the PC says to you. It’s trivial for the administrator of the PC to generate their own CA certificate and install that as a trusted certificate on the PC; hell, they could even have installed their own hacked-up web browser that lies to you.

So all you know is, you are entering your username, pincode and tokencode into a web page that looks like your bank’s. If you are in fact talking to a proxy controlled by a malicious party, there is nothing stopping them from forwarding those authentication details on to the real bank’s server, and entering any transactions they wish from that point.

As I pointed out, the attack is time-limited – they can only authenticate to the bank as you during the time that the tokencode remains valid. “They would have to be pretty damn quick!” you say – well, I hear that computers are pretty good at doing things quickly.

Comments about “the complexity of the encryption” are just handwaving – you might well be using encryption, but that doesn’t help you if you can’t verify who is on the other end of that encrypted connection. The only way you can have any certainty of this is if your endpoint (that is, the PC you’re using) is secure.

Note that almost everything in the “PC owned by webcafe” threat model also applies in the “home PC 0wned by trojan” threat model.

It so happens that the system I manage uses RSA tokens (SID700s) to authenticate users, so I too know something of what I speak. Two-factor authentication can help, and it does increase the complexity of an attack, and it does ensure that attacks are time limited. But it’s also important to understand that it is not a magic bullet.

To cranky: I would not be 100% confident in the anti-spyware tool finding everything – some malware is pretty clever at hiding itself. Another possibility is that your ISP’s nameservers are/were vulnerable to the recent “Kaminsky attack”.
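The relay caf describes, worked through as an added example that is not from any commenter on this thread. It uses a simplified TOTP-style code (constructed seed, HMAC-SHA1 over a 30-second step counter; not RSA’s actual SecurID algorithm) and shows why a plain login code forwarded within its window is accepted by the bank, while a code bound to the transaction details (transaction signing, as in OCRA-style schemes) is useless for a substituted transfer even inside the window.

```python
import hashlib
import hmac
import struct

# Constructed demo seed shared by token and bank; not a real SecurID seed.
SECRET = b"constructed-demo-seed"
STEP = 30  # validity window in seconds, as tylersmayhem counted on his token


def token_code(secret: bytes, at: float, txn: bytes = b"") -> str:
    """Six-digit time-based code (simplified TOTP-style, HMAC-SHA1 over the
    30 s step counter). If txn is given, the code is also bound to those
    transaction details, in the style of transaction signing / OCRA."""
    counter = struct.pack(">Q", int(at // STEP))
    digest = hmac.new(secret, counter + txn, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    num = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{num % 1_000_000:06d}"


def bank_accepts(code: str, now: float, txn: bytes = b"") -> bool:
    """Bank-side check: the code must match the current step (no drift
    tolerance in this demo) and, when transaction binding is in use, the
    transaction the bank is actually being asked to perform."""
    return hmac.compare_digest(code, token_code(SECRET, now, txn))


def relayed_login(delay: float, t0: float = 1_000_000.0) -> bool:
    """The victim types a plain login code into the proxy at t0; the proxy
    forwards it to the real bank `delay` seconds later. Inside the window
    the bank cannot tell the relay from the victim."""
    code_seen_by_proxy = token_code(SECRET, t0)
    return bank_accepts(code_seen_by_proxy, t0 + delay)


def relayed_transfer(delay: float, t0: float = 1_000_000.0) -> bool:
    """Mitigation: the victim's code is computed over the transfer they
    intended, so the same code is worthless for a different transfer even
    within the window."""
    intended = b"pay 50.00 to electricity company"   # constructed
    substituted = b"pay 1500.00 to somebody else"     # constructed
    code_seen_by_proxy = token_code(SECRET, t0, intended)
    return bank_accepts(code_seen_by_proxy, t0 + delay, substituted)


if __name__ == "__main__":
    print("relay within window accepted:", relayed_login(5))        # True
    print("relay after window accepted:", relayed_login(60))        # False
    print("bound code reused for other transfer:", relayed_transfer(5))  # False
```

A real deployment would also tolerate a step of clock drift, which widens the relay window slightly; the binding to transaction details is what actually closes it.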

peterh peterh 9:40 am 05 Aug 08

Woody Mann-Caruso said :

What sort of spy software is involved, & how close to the computer do you have to be?

You pretty much sit anywhere within wireless range of your computer (which can be a long way away if you’ve got a decent antenna) and run something like Kismet. Bit by bit, your network gives up its secrets – it’s like listening to a conversation in another room, and slowly piecing together the number of people, their genders, who they’re talking to, what they’re talking about and so on. It can be pretty fast if you launch an active attack – something that makes your network generate more traffic than it usually would, thus giving up more information about itself more quickly. With dictionary attacks and hash tables, simple passes fall almost instantly, while even decent passes can fall in time. If it was somebody in your neighbourhood, they’ve had all the time in the world.

More likely that you’ve been owned by malware or phishing, though – or even through physical access to the machine. Who else has access to your computer?

Good luck!

The best defence, I have found, is to run several AS / AM packages simultaneously. Ad-Aware is a good one, if you want a basic protection package. avast! is another one, as are the commercial Symantec and CA products. I am extremely paranoid, and have dual AV scanners, AS & AM scanners running on my system at any given time. The info on my home PC is both sensitive, and, as my wife runs a business from home, the client details she has are irreplaceable.

peterh peterh 9:35 am 05 Aug 08

Madman said :

Jonathon Reynolds said :

With my ebay/paypal account I have a $5.00 device that ebay/paypal have supplied that generates a unique token (a 6 digit number). This number must be entered in conjunction with my correct username and password – the token is uniquely generated by the device each time I log in and only valid for 30 seconds before expiring.

Jonathon, where do I get myself one of these?

Speak to your bank. I know, they may not be up on technology, but, considering that the Bendigo Bank, CBA, NAB and a few others have gone down this path, they may already be investing in the technology. The issue of Kismet is defeated by the 2 factor authentication token. It is smart, but when confronted by a 3DES encryption algorithm, it is pretty much dead in the water.

I use Symantec Endpoint Protection at home, as it provides me with the tools to back-trace an attack, and identify with WHOIS, once the IP address has been confirmed. It also prevents spoofing attacks, as well as some other insidious methods out there now.

Madman Madman 9:13 am 05 Aug 08

I had my bank cancel my credit card a few months ago because I made a transaction in Fyshwick at a gas station, then 2.5 hours later I made a transaction at another gas station in Nowra.

They thought it was a fraudulent transaction as I had only just filled up with fuel in a different State – didn’t think of calling me to check and didn’t think that maybe I had driven there and the fuel was empty again…. GRRR!

At least I had enough fuel to get through the weekend and back home and enough money for food in my wallet to do with. They also re-ordered me a new card straight after cancelling the current one – so I only had to wait 4 days till payday!

Madman Madman 9:06 am 05 Aug 08

Jonathon Reynolds said :

With my ebay/paypal account I have a $5.00 device that ebay/paypal have supplied that generates a unique token (a 6 digit number). This number must be entered in conjunction with my correct username and password – the token is uniquely generated by the device each time I log in and only valid for 30 seconds before expiring.

Jonathon, where do I get myself one of these?

tylersmayhem tylersmayhem 8:59 am 05 Aug 08

I would be extremely pleased if anyone could find a “Branch Manager”, as opposed to the shift supervisor/leading hand/person who has been there the longest and can work the coffee machine.

I have to say that I was very surprised to have so much to do with my new branch manager. Granted, we have recently taken out a mortgage with them – but he is available on the end of the line, or face to face with no trouble at all.

I really feel for you Cranky. I’d be so…well, cranky! And pissed off to the max. Keep on at the bank, go in to your local branch and sit there until you can talk to the manager. Ask them to refund the money to you on a good will basis so you can pay your bills, and if there is any reason that you are liable in the future, that they have the right to take the money back. While this sounds quite bull*hit, my bank in the UK did this when an international ATM debited my account, but dispensed no cash.

That was good advice by DJ to contact the ombudsman. Do that too!

Something came to mind yesterday, mind you I think you’ve already ruled this out. I received an e-mail from ANZ prompting me to update my details. The email looked very legit, and was sent from anz.com.au. Have you provided ANY updates to your details to an email from “ANZ”?

MelonHead MelonHead 8:51 pm 04 Aug 08

All this is good and sage advice and was going well till someone mentioned “Branch Manager”

I have had occasion over the years to ask for one of these, only to be told that they don’t exist anymore.

I would be extremely pleased if anyone could find a “Branch Manager”, as opposed to the shift supervisor/leading hand/person who has been there the longest and can work the coffee machine.

Seriously, though, good luck with the problem. As much as I wish I had some great advice, I can just hope it resolves in your favour.

cranky cranky 8:30 pm 04 Aug 08

Woody,

Thanks for that.

On the results of the anti (thanks JB) spyware software, I am happy that the PC itself has not been infected. I am also totally certain that I have not been ‘phished’. No one (other than the thief) has the account details/password. They have never been committed to paper, and I’m the only person (other than the thief) with the password. Family members have access to the computer, but all have their own, and I cannot conceive of a strike from them.

Having read the Wiki entry on Kismet, I am amazed that anyone (particularly the Banks) can feel confident that this sort of attack is not only inevitable, but a potentially massive problem. Right up the alley of bored computer nerd teenagers, some of whom are probably clever enough to get away with this type of crime. I hope the turd who got away with my dollars hasn’t been clever enough to cover his tracks.

Woody Mann-Caruso Woody Mann-Caruso 7:51 pm 04 Aug 08

What sort of spy software is involved, & how close to the computer do you have to be?

You pretty much sit anywhere within wireless range of your computer (which can be a long way away if you’ve got a decent antenna) and run something like Kismet. Bit by bit, your network gives up its secrets – it’s like listening to a conversation in another room, and slowly piecing together the number of people, their genders, who they’re talking to, what they’re talking about and so on. It can be pretty fast if you launch an active attack – something that makes your network generate more traffic than it usually would, thus giving up more information about itself more quickly. With dictionary attacks and hash tables, simple passes fall almost instantly, while even decent passes can fall in time. If it was somebody in your neighbourhood, they’ve had all the time in the world.

More likely that you’ve been owned by malware or phishing, though – or even through physical access to the machine. Who else has access to your computer?

Good luck!

DJ DJ 7:14 pm 04 Aug 08

Chin up Cranky – contact the Banking Ombudsman. The Police are probably waiting for the ANZ to give them details.

http://www.abio.org.au/ABIOWeb/abiowebsite.nsf

‘The fraud branch would be asking why I was trying to access the account’ – from the front counter officer. Isn’t the account yours? Do they think you don’t need to pay rent or buy food anymore? Ask to speak to the Branch Manager in person…

cranky cranky 6:17 pm 04 Aug 08

An update, and request for ideas.

4 days of stewing on this matter are reducing me to tears. There is no feedback from Police/Bank, and I am not enjoying having to explain to creditors. The account has been locked down by the Bank, and I have no way of establishing the value of further expected deposits. The branch couldn’t distance themselves quickly enough from my enquiries – ‘The fraud branch would be asking why I was trying to access the account’ – from the front counter officer.

Can anyone explain the nuts and bolts of tapping into a (apparently protected, non contaminated) network and stealing the details required to access the account? I am not computer literate enough to fully understand the full gamut of the foregoing replies. What sort of spy software is involved, & how close to the computer do you have to be?

Is there any other way this theft could have been carried out?

peterh peterh 4:52 pm 04 Aug 08

I might like to mention, I don’t sell to the public; I work for an IT distributor. Resellers sell to the public.

peterh peterh 4:50 pm 04 Aug 08

caf said :

tylersmayhem: no, they don’t. Web cafe presents you with web page. You submit your username, passcode and tokencode. Web cafe sends you a “login failed” page. Web cafe passes on the credentials to the bank… and empties your account.

All that two-factor authentication achieves against this risk profile is to increase the complexity of the attack (it is now time-limited).

I have to disagree. The other factors in play are that the webcafe would need to provide the bank with the authentication at the same time, ghosting your connection. The encryption keys are significantly complex, and the code is encrypted (it appears as symbols, not numbers). If the bank’s authentication server doesn’t like the response, or the webcafe is too slow, it asks for a new code. The webcafe will fail, and the IP address is logged.

The authenticators on eBay, on the other hand, are just random number generators; they aren’t synced to the authentication server, as there isn’t one.

This technology is designed to prevent unauthorised access, at any time. The use of tokens is as complex as the backend. If the administrator is compromised, then the tokens will do little to prevent an attack.

In regards to the scenario:

Web cafe presents you with web page. The web page is your bank’s; it cannot be a dummy site, as the authenticator must communicate with the server at the bank, or it will fail.

You submit your username, password, passcode and tokencode. You use your standard login u/n & password, then the PIN code and the authenticator code.

Web cafe sends you a “login failed” page. It cannot, as you have authenticated with the bank to gain the connection.

Web cafe passes on the credentials to the bank… and empties your account. Unable to do so. They would need your username, password, PIN code, and the current authentication code.

Keyloggers cannot be deployed through your system if you have AV / AS installed.

johnboy johnboy 4:45 pm 04 Aug 08

If they’re doing it at all they’re probably well practiced.

tylersmayhem tylersmayhem 4:38 pm 04 Aug 08

Sorry, make that 30 seconds. I just counted mine. Still, they’d have to be VERY quick!

tylersmayhem tylersmayhem 4:36 pm 04 Aug 08

RSA token codes change every 10 seconds. They would have to be pretty damn quick!

caf caf 4:09 pm 04 Aug 08

tylersmayhem: no, they don’t. Web cafe presents you with web page. You submit your username, passcode and tokencode. Web cafe sends you a “login failed” page. Web cafe passes on the credentials to the bank… and empties your account.

All that two-factor authentication achieves against this risk profile is to increase the complexity of the attack (it is now time-limited).

tylersmayhem tylersmayhem 4:04 pm 04 Aug 08

Caf – RSA tokens would take away that risk completely.

caf caf 3:41 pm 04 Aug 08

Two factor authentication doesn’t help a bit against a man-in-the-middle attack. If the web cafe owner is truly dodgy you can’t even trust SSL on those machines unless you know and manually verify the bank certificate’s fingerprint, because they could have fake root CA certificates loaded.

peterh peterh 3:17 pm 04 Aug 08

ant said :

It’s a puzzling case though. The wireless thing… they’d have to be located pretty nearby to catch your signal (although people often don’t realise how far their signal is broadcast… useful though when one’s internet goes down!).

Does the OP access their online banking through a saved “favourites” link? Re advice about phishing from other posters. My institution allows access via a/c number and p/w, but you can’t move money out of the account without clicking on some pre-chosen pictures in a certain sequence, and the pictures are always in a different spot. I don’t know how strong that is, but apparently it’ll foil keyloggers?

The device Jonathan Reynolds mentioned also gets very good raps, I think my institution is moving to something like that, using one’s mobile phone and a text message. I’ll sign up for that.

The product is manufactured by RSA – I sell it. The tokens work on a random number generated code, so if you are at a web cafe, they can keylog you (if the cafe owner is a bit dodgy, not all are) and will get nowhere after you have logged out.

The token is classified as two factor authentication, that is, you have a 4-digit PIN code (something you know) plus the token’s generated number (something you have). Tokens have on average a 3-year life; after this point, they expire. Then, you need to buy a new one.

There are also software based tokens, that SMS you a code for entry to the system. These have a window of 60 secs for connection.

My wireless connection is secure; I have a firewall running behind the connection.

Norton 360 isn’t the best, but it does pre-fetch websites and check them for fraud.
