Daily Archives: 04/07/2012

Hackers outwit online banking identity security systems

Criminal hackers have found a way round the latest generation of online banking security devices given out by banks, the BBC has learned.

After logging in to the bank’s real site, account holders are being tricked by the offer of training in a new "upgraded security system".

Money is then moved out of the account but this is hidden from the user.

Experts say customers should follow banks’ official advice, use up-to-date anti-virus software and be vigilant.

Devices like PINSentry from Barclays and SecureKey from HSBC – which look a lot like calculators – ask users to insert a card or a code to create a unique key at each login, valid for around 30 seconds, that cannot be used again.

This brought a new level of online banking security against password theft.

The additional line of defence provided security even if a user’s computer, along with any password information, was hacked, and these devices still offer the best level of protection available against online banking fraud.

While these chip and pin devices make the hackers’ job more difficult, the hackers themselves have raised their game.

A test witnessed as part of a BBC Click investigation suggests even those with up-to-date anti-virus software could be at risk.

There is no specific risk to any one individual bank.

‘Man in the Browser’ attack

In the test the majority of web security software on standard settings did not spot that a previously unseen piece of malware created in the software testing lab was behaving suspiciously.

The threat does not strike until the user visits particular websites.

Called a Man in the Browser (MitB) attack, the malware lives in the web browser and can get between the user and the website, altering what is seen and changing details of what is being entered.

[Graphic: how a Man in the Browser attack works]

Some versions of the MitB will change payment details and amounts and also change on-screen balances to hide its activities.

With the additional security devices, the risk of fraud is only present for one transaction, and only if the customer falls for the "training exercise".

"The man in the browser attack is a very focused, very specific, advanced threat, specifically focused against banking," said Daniel Brett, of malware testing lab S21sec.

"[Although] many products won’t pick this up, they’ve got a much bigger scope, they’re having to defend against all the viruses since the beginning of time."

Every time a new update to the malware is released, it takes the security companies a number of weeks to learn how to spot it – to learn its common features.

But one security company did privately concede that if this threat had come from a source not known to be bad, and had started communicating with a web address not yet on its blacklist of "bad" sites, it probably would have beaten their protection until they had discovered and analysed it.

Fraud detection software

Makers of many of the security products featured in tests argued that it was not valid as it only tested one part of their protection.

They point out that they continually search for and blacklist websites, emails, and other sources of malware.

Mark Bowerman, of Financial Fraud Action UK, said: "Banks also employ what’s called back-end security and that’s what’s happening behind the scenes to protect you from online banking fraud.

"We’ve got intelligent fraud detection software, and it’s used to seeing how you operate your online bank account.

"Any deviations from the norm and the software is going to pick it up – that may be the type of transaction you’ve made or the amount."
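The back-end check Mr Bowerman describes is a behavioural baseline per account: learn what the customer normally does, then flag transactions that deviate in payee, transaction type or amount. The following is an added illustration, not code from the BBC article or from any bank; the profile fields, the z-score rule on amount and the 3.0 threshold are assumptions chosen for the example, and the transaction history is constructed. A MitB payment that silently rewrites the payee and amount (as described above) is exactly the kind of transaction this style of check is meant to catch, since it is the only line of defence once the one-time code has been handed over.

```python
"""Toy back-end fraud detection: flag transactions that deviate from an
account's established pattern (payee, transaction type, amount).
Added example; the scoring rules are assumptions, not a bank's real logic."""
from dataclasses import dataclass
from statistics import mean, pstdev

# Assumed threshold: an amount more than 3 standard deviations above the
# account's mean is treated as a deviation worth holding for review.
Z_THRESHOLD = 3.0


@dataclass(frozen=True)
class Transaction:
    account: str
    kind: str      # e.g. "bill", "transfer"
    payee: str
    amount: float  # GBP


# Constructed sample history for one account (not real data).
HISTORY = [
    Transaction("acct-1", "bill", "Utility Co", 85.00),
    Transaction("acct-1", "bill", "Utility Co", 90.50),
    Transaction("acct-1", "transfer", "J Smith", 40.00),
    Transaction("acct-1", "bill", "Council Tax", 120.00),
    Transaction("acct-1", "transfer", "J Smith", 35.00),
    Transaction("acct-1", "bill", "Utility Co", 88.00),
]


def build_profiles(history):
    """Summarise what 'normal' looks like for each account seen in history."""
    profiles = {}
    for tx in history:
        p = profiles.setdefault(
            tx.account, {"payees": set(), "kinds": set(), "amounts": []}
        )
        p["payees"].add(tx.payee)
        p["kinds"].add(tx.kind)
        p["amounts"].append(tx.amount)
    return profiles


def deviations(tx, profiles, z_threshold=Z_THRESHOLD):
    """Return the list of ways tx deviates from its account's profile.

    An empty list means the transaction looks like the customer's usual
    behaviour. Each reason is a short human-readable string so an analyst
    (or a step-up verification prompt) can show why the payment was held.
    """
    p = profiles.get(tx.account)
    if p is None:
        return ["no history for account"]
    reasons = []
    if tx.payee not in p["payees"]:
        reasons.append("new payee")
    if tx.kind not in p["kinds"]:
        reasons.append("unusual transaction type")
    amounts = p["amounts"]
    mu, sigma = mean(amounts), pstdev(amounts)
    if sigma == 0:
        # Flat history: fall back to a simple multiple of the usual amount.
        if tx.amount > 2 * max(amounts):
            reasons.append("amount far above any previous")
    else:
        z = (tx.amount - mu) / sigma
        if z > z_threshold:
            reasons.append(f"amount z-score {z:.1f} above threshold")
    return reasons


def decide(tx, profiles):
    """Map deviations to an action: 'allow' or 'hold' (for manual review or
    an out-of-band confirmation with the customer)."""
    return "hold" if deviations(tx, profiles) else "allow"


if __name__ == "__main__":
    profiles = build_profiles(HISTORY)
    # Constructed examples: a routine bill, then a payment whose payee and
    # amount have been rewritten in the way a MitB attack would.
    routine = Transaction("acct-1", "bill", "Utility Co", 87.00)
    rewritten = Transaction("acct-1", "transfer", "Mule Account Ltd", 2500.00)
    for tx in (routine, rewritten):
        print(tx.payee, tx.amount, decide(tx, profiles), deviations(tx, profiles))
```

The rule set is deliberately transparent: a real deployment would weigh many more signals (device, time of day, login geography, velocity), but the shape is the same, and a transaction that trips several independent deviations at once is the strongest candidate for a hold and an out-of-band call to the customer.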

Most computer security products will block this kind of threat if their security settings are turned up to maximum but will also block many legitimate programs too.

Online banking fraud losses totalled £16.9 million in the first six months of 2011, according to Financial Fraud Action UK.

In the UK, banks usually refund victims of online fraud as a matter of course.

Banks and experts say customers must continue using online security anti-virus products.

source: http://www.bbc.com/news/technology-16812064


Man who hacked into abortion provider website jailed

A computer hacker who targeted the website of Britain’s biggest abortion provider has been jailed for two years and eight months.

James Jeffery, from Wednesbury, West Midlands, pleaded guilty to breaking into the BPAS website.

The 27-year-old said he acted after two women he knew had abortions which he "disagreed" with.

Jeffery, who stole the records of 10,000 women registered on the site, was jailed by Southwark Crown Court.

Jeffery, who admitted two offences under the Computer Misuse Act, boasted on Twitter about what he had done.

Planned to publish data

The court was told he intended to publish the data, including names, email addresses and telephone numbers, on an online sharing site but got cold feet.

The court heard that 60,000 women contact BPAS every year and 53,000 have abortions under their supervision.

Judge Michael Gledhill QC told Jeffery: "You only have to think for a few seconds of the terrible consequences had that threat been carried out."

The judge said: "Just as many people disagree with the view you held, many do agree. However, those who find abortion repugnant do not use this as an excuse to justify deliberately committing offences."

The court heard he hacked into the site using a "learning penetration testing software" which identified weaknesses.

The court heard he did not access medical information about any of the women.

When Jeffery was arrested, police found his computer was "in the process of being wiped clean".

Daniel Higgins, prosecuting, said: "In order to demonstrate that he had hacked the website, he posted the log-on details of Clare Murphy, who is the head of communications at the charity."

Mr Higgins said: "Clare Murphy states women who contact the charity are often in a vulnerable situation.

"They speak to teenagers who have not disclosed their pregnancy to their parents, women who have been victims of domestic violence and victims of sexual violence – many women for whom an unplanned pregnancy is a very private affair and would not wish to share this with others.

"The publication of the information would cause great anguish for women who contact the charity in confidence and would put some of these women at serious risk mentally and physically," he added.

‘Computer whizkid’

Shaun Wallace, defending, said Jeffery initially hacked the site to test its vulnerability but added: "The more curious he became, the less responsible he became."

He said of his client: "He is not a staunch anti-abortionist. He is a bit of a computer whizkid."

Mr Wallace said Jeffery was a "part-time" member of the hacking group Anonymous.

But the judge said: "In my view, it is significant that the online name you used on Twitter was that of notorious criminal Pablo Escobar."

The court heard Jeffery wrote BPAS a letter of apology expressing remorse and suggesting ways they could improve their security.

Jeffery told police he had also identified "vulnerabilities" on websites belonging to the FBI, CIA, Houses of Parliament, West Midlands Police, US Navy, Arizona police and Spanish police.

source: http://www.bbc.co.uk/news/uk-17706621
