[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CBEGIFDHGBLGDCJDOKAPEELJDKAA.viktor.larionov@salva.ee>
Date: Thu, 11 Dec 2008 15:45:26 +0200
From: "Viktor Larionov" <viktor.larionov@...va.ee>
To: <mars@...f.de>,
<full-disclosure@...ts.grok.org.uk>
Subject: FW: 21 Million German bank accounts stolen - but
accounts are still more secure than many other ones
P.S.
By baking trojans, I meant trojans injecting additional payment information
into your bank transfers - e.g. you make 5 payments, but the trojan makes
also the sixth one, still browser with the help of a trojan displays you
only 5 of them.
You press accept - and you'r done. Correct me if I'm wrong, but I somehow
remember that Torpig was one of the bad things doing such tricks - as I
already said, forget about RSA or one-time passwords in theese cases :)))
Still there are very successfull strategies used by banks to fight this -
mostly based on social analysis of your behavement, but that's another
story.
Regards,
vik
-----Original Message-----
From: Viktor Larionov
Sent: Thursday, December 11, 2008 3:36 PM
To: Martin Salfer; full-disclosure@...ts.grok.org.uk
Subject: RE: [Full-disclosure] 21 Million German bank accounts stolen -
but accounts are still more secure than many other ones
Dear Martin of good old Germany,
You are absolutely correct on the poor security and other things...but you
actually should keep in mind, that US internet banking, as far as I am
concerned by the amount and complexity of operations is way behind Germany
and Europe in general.
In example, US residents, correct me if I'm wrong, it's not every bank in US
where you can make a wire transfer, or apply for a mortrage all online.
That's one side of the coin - another side of it, is banking trojans - as
like Torpig, Apophis - keeping theese trojans techniques in mind, there's
actually no smart card, one-time password, RSA to help you.
And if you have a list of Deutsche bank clients, modifying Torpig a bit for
Deutsche bank and blasting this thing out to the clients is good start
point - at least from my point of view.
And I'm not even talking about personal privacy and etc. aspects.
There's surely more than one way to use this data.
Kindest regards,
vik
from poor young Estonia :)
-----Original Message-----
From: full-disclosure-bounces@...ts.grok.org.uk
[mailto:full-disclosure-bounces@...ts.grok.org.uk]On Behalf Of Martin
Salfer
Sent: Wednesday, December 10, 2008 8:35 PM
To: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] 21 Million German bank accounts stolen -
but accounts are still more secure than many other ones
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Hello,
English readers might wonder why Germans usually don't use cheques:
because they're too expensive and insecure.
Everybody prefers electronic money transfers ("Überweisung") as those
are for free and well protected. And direct debits or PADs
("Lastschrift") even can be rolled back up to 6 weeks after withdrawal.
So usually, people simply exchange account numbers and directly transfer
money.
Even if someone successfully sniffs German account credentials, e.g. ID
+ passwords, someone would still be unable to steal any money as every
single transfer must be confirmed with an one time password!
Those are mostly handed out to the account holder in person. This of
course varies from bank to bank. But I don't know any German bank that
doesn't demand at least one time password confirmation. Major banks
already offer RSA smart cards, which can be used with the nation wide
online banking standard HBCI or FinTS:
http://en.wikipedia.org/wiki/FinTS
I'm still shocked about the poor security of North American banks, where
one successful phishing email is enough to control and empty entire bank
accounts.
Greetings from good old Germany,
Martin Salfer
Jost Krieger wrote:
>> http://it.slashdot.org/it/08/12/09/0125201.shtml
-----BEGIN PGP SIGNATURE-----
iD8DBQFJQAvEy4+E3T5McJsRAwlgAKCZ13lqR2mSW5Mb9naEhlRi4dm6FQCgpp7r
3z+O7fR7Wz4mBpI/AUHHvVI=
=Gpxg
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists