Man in the Browser Malware defeats 2-step bank authent

Topic Author
Pacific
Posts: 1329
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Man in the Browser Malware defeats 2-step bank authent

Post by Pacific » Wed Feb 08, 2012 2:00 am

Very very scary.

http://www.techspot.com/news/47351-man- ... ation.html
A new breed of malware called a Man in the Browser (MitB) attack can successfully bypass a bank’s two-step online authentication process. In most cases, the victim isn't even aware their account has been compromised until it's too late.

khh
Posts: 299
Joined: Sat Dec 27, 2008 10:31 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by khh » Wed Feb 08, 2012 3:09 am

Are devices such as iPads and Android tablets at risk from this malware?

at
Posts: 542
Joined: Thu May 24, 2007 12:10 am
Location: Singapore

Re: Man in the Browser Malware defeats 2-step bank authent

Post by at » Wed Feb 08, 2012 3:24 am

old news.

Occupier
Posts: 284
Joined: Wed Feb 01, 2012 10:21 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Occupier » Wed Feb 08, 2012 6:50 am

This is why I have several computers. One is never used for anything other than going to the bank. It has never opened an e-mail. Dave

norookie
Posts: 3016
Joined: Tue Jul 07, 2009 1:55 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by norookie » Wed Feb 08, 2012 7:21 am

at wrote:old news.
:shock: Not to all here, I'd gather. Occupier has a valid suggestion. As I posted once before, there's been more money stolen by cyber heists than anything!
" Wealth usually leads to excess " Cicero 55 b.c

tonythered
Posts: 834
Joined: Thu Apr 24, 2008 4:08 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by tonythered » Wed Feb 08, 2012 7:22 am

Supposedly, Trusteer Rapport software protects you from this type of attack...

http://www.trusteer.com/support/en/about-rapport

I recently saw INGDirect offering it for download so it is being adopted by banks.

campy2010
Posts: 935
Joined: Sun Nov 28, 2010 5:01 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by campy2010 » Wed Feb 08, 2012 11:05 am

"During the typical log in process, the malware is activated and acts as a middleman between the user and the bank’s website. Most variants will ask the victim to reenter their credentials as part of an “enhanced security measure.” If the victim falls for this prompt, the attacker then has full access to the bank account."

So my take-home is that if your bank's security protocol changes or has more fields than normal, then be wary of malware on your computer.

tdogz
Posts: 179
Joined: Fri Nov 11, 2011 12:28 pm
Location: United States

Re: Man in the Browser Malware defeats 2-step bank authent

Post by tdogz » Wed Feb 08, 2012 12:03 pm

I work at a community bank and deal with our corporate customers and their online banking. Trusteer Rapport isn't the best option (when I used it, it was buggy), but it is better than nothing (though very few institutions use it right now). The best option I know of is to find a version of Linux that runs completely on a CD-ROM or USB drive. You boot into Linux, do your online banking, then boot into Windows/OSX/Linux from your regular HDD. Of course, you have to be disciplined enough to only go to your banking website (no email, no Bogleheads, etc.) or the benefits start diminishing quickly. For the most part, consumer accounts have protections against losses from online attacks (if you follow the TOS), but businesses have almost none - the company is stuck with the loss. Here is a PDF from IC3.gov which covers security-related issues regarding corporate account takeovers: http://www.ic3.gov/media/2010/corporate ... keover.pdf

Sidney
Posts: 6736
Joined: Thu Mar 08, 2007 6:06 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Sidney » Wed Feb 08, 2012 12:41 pm

Occupier wrote:This is why I have several computers. One is never used for anything other than going to the bank. It has never opened an e-mail. Dave
Question for techies. Does vm, dual boot or booting from Linux DVD accomplish the same thing?
I always wanted to be a procrastinator.

brianH
Posts: 327
Joined: Wed Aug 12, 2009 12:21 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by brianH » Wed Feb 08, 2012 1:05 pm

Same as it ever was.

I'm currently writing a web portal login and decided to use a one-time password method that is compatible with the 'Google Authenticator' program for cell phones. With proper implementation, this prevents a 'replay attack', i.e. a malicious browser plugin/JavaScript/keylogger obtains your credentials and uses them to log in. With how easy it was to implement and use, I'm starting to consider it negligence for websites to use the outdated name+password model as the only step.

slayed
Posts: 270
Joined: Wed Feb 01, 2012 3:07 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by slayed » Wed Feb 08, 2012 1:10 pm

Sidney wrote:
Occupier wrote:This is why I have several computers. One is never used for anything other than going to the bank. It has never opened an e-mail. Dave
Question for techies. Does vm, dual boot or booting from Linux DVD accomplish the same thing?
A VM snapshot is a good option, yes. It can be a very bare-bones virtual machine that just has a browser installed. Once you have the VM set up, create a snapshot of it and then just load that snapshot to do your financial transactions.

ourbrooks
Posts: 1575
Joined: Fri Nov 13, 2009 4:56 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by ourbrooks » Wed Feb 08, 2012 1:36 pm

A possible route for infection is a "drive-by" infection in which you visit an infected web page which then installs a bunch of software, including an add-in in your browser. The web site's owners may not even know that it's infected since this can be done by someone else through a security hole in the site.

See http://www.youtube.com/watch?v=2GdqoQJa6r4 for more information.

Using a VMware or VirtualBox image running Linux can help, because most viruses are targeted at more popular platforms. Starting with a clean image each time means that any malware installed last time won't be there when you start again.

mptfan
Posts: 5712
Joined: Mon Mar 05, 2007 9:58 am

Re: Man in the Browser Malware defeats 2-step bank authent

Post by mptfan » Wed Feb 08, 2012 2:16 pm

I have a question for you techies who know way more than me about this stuff.... Are the new Chromebooks safe from viruses?

hicabob
Posts: 2907
Joined: Fri May 27, 2011 5:35 pm
Location: cruz

Re: Man in the Browser Malware defeats 2-step bank authent

Post by hicabob » Wed Feb 08, 2012 2:20 pm

A Linux boot CD (Ubuntu is nice and free) is super-safe - easy enough and the price is bogleheadish too.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Epsilon Delta » Wed Feb 08, 2012 2:29 pm

slayed wrote:
Sidney wrote:
Occupier wrote:This is why I have several computers. One is never used for anything other than going to the bank. It has never opened an e-mail. Dave
Question for techies. Does vm, dual boot or booting from Linux DVD accomplish the same thing?
A VM snapshot is a good option, yes. It can be a very bare-bones virtual machine that just has a browser installed. Once you have the VM set up, create a snapshot of it and then just load that snapshot to do your financial transactions.
Using a VM only for financial transactions will help but is not perfect. A VM prevents a compromise of the VM from affecting the host. It does not prevent all compromises of the host from affecting the VM. To the VM the host operating system replaces the "hardware layer". IO, such as keyboard, screen and Internet connections, goes through the host OS. In theory a sufficiently ingenious compromise of the host can compromise the VM or fool the user.

Ideally you use VMs to do anything that might result in an infection. Since you don't know what might result in an infection you should run everything inside a VM, particularly any dodgy web browsing. You can then start a fresh VM for any financial transactions.

Booting from a DVD is more secure since it does not rely on the host OS. It still relies on the hardware, and modern hardware often contains firmware that can be compromised. Still, it does make the bad guys' job harder.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Epsilon Delta » Wed Feb 08, 2012 2:39 pm

khh wrote:Are devices such as iPads and Android tablets at risk from this malware?
mptfan wrote:I have a question for you techies who know way more than me about this stuff.... Are the new Chromebooks safe from viruses?
If something does the things a computer does then it's a computer. In theory all computers are subject to malware. That does not mean that some computers are not safer than others, either because they are actually better designed or because the bad guys have not attacked that device [yet]. Just don't get complacent.

ourbrooks
Posts: 1575
Joined: Fri Nov 13, 2009 4:56 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by ourbrooks » Wed Feb 08, 2012 2:50 pm

Chrome OS, which is the operating system for Chrome notebooks, is a Linux distribution and so is Android, and they're as malware proof as Linux is.

How malware proof is Linux? An OS is really only as safe as the applications that run on it; I absolutely guarantee that I can write a Linux word processor or spreadsheet or browser or cute desktop accessory which will allow any and all malware to run. For Linux to be safe, every single application which runs on it has to be safe, and there are lots and lots of applications besides the browser. How malware proof is Open Office or Amahi or Flock or Jcow? Any one of them could be the entry point for malware.

Right now, Linux only accounts for around 7% of the desktop market. If you were interested in writing malware for financial gain, the Linux version might be in your 2015 plans but it's not something you'd be working on today. Once Linux reaches a larger market percentage, the attacks will increase. In the meantime, though, using Linux probably does reduce your chances of being attacked.

Additionally, I'd argue that it's better to run Linux from a virtual machine than having it be the primary OS. That makes it really easy to revert to a clean install and, if nothing else, not running the VM image all of the time means that remote control malware schemes are likely to think your machine has gone away.

Ice-9
Posts: 1454
Joined: Wed Oct 15, 2008 12:40 pm
Location: Rockville, MD

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Ice-9 » Wed Feb 08, 2012 2:57 pm

mptfan wrote:I have a question for you techies who know way more than me about this stuff.... Are the new Chromebooks safe from viruses?
This should answer your question. :D

http://www.youtube.com/watch?v=ZY6FuADDHKc

Boglenaut
Posts: 3090
Joined: Mon Mar 23, 2009 7:41 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Boglenaut » Wed Feb 08, 2012 2:58 pm

Occupier wrote:This is why I have several computers. One is never used for anything other than going to the bank. It has never opened an e-mail. Dave

+1

Same here. It cannot get a virus when it's off.

It has no e-mail. It had a clean install. The browser has bookmarked known legitimate sites. No googling or browsing. It's PW protected so the kids don't browse. CAT5 only - no wi-fi. Virus protector, browser, and system get regular updates (essentially every time I turn it on). Firewall turned on.

I used to think this was overkill...now I suspect it'll be the new norm.

dmcmahon
Posts: 2079
Joined: Fri Mar 21, 2008 10:29 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by dmcmahon » Wed Feb 08, 2012 6:26 pm

slayed wrote:A VM snapshot is a good option, yes. It can be a very bare-bones virtual machine that just has a browser installed. Once you have the VM set up, create a snapshot of it and then just load that snapshot to do your financial transactions.
But what if the host OS is infected with a keylogger? Isn't that still a danger, especially if you use Windows as the host for Linux (instead of the other way 'round)? If not, what if (while running a less secure OS) your BIOS has been compromised? Couldn't a BIOS hack (presumably targeting keystrokes) expose you even if you're using a dual-boot, or even when using a DVD?

at
Posts: 542
Joined: Thu May 24, 2007 12:10 am
Location: Singapore

Re: Man in the Browser Malware defeats 2-step bank authent

Post by at » Wed Feb 08, 2012 6:52 pm

Linux should be just as bad as Windows in terms of security, considering how much 3rd party software is involved and the fact that there are millions upon millions of lines of code. It's impossible to secure.

raf1919
Posts: 68
Joined: Wed Jan 11, 2012 9:21 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by raf1919 » Wed Feb 08, 2012 10:36 pm

I think you also have to look at what you use your computer for. Computer viruses don't spread by being near a sick person on a bus. You have to download them into your computer. If you are not surfing and downloading porn or from malicious pirate sites, I wouldn't worry about it. Usually by the time we find out about an advanced virus and it goes public, a new one is already in the works by hackers. I think keeping a clean computer for business use only and securing your network will keep you safe.

Like someone else stated, I have one laptop for basic use, no downloading, no games. Just news, banking, etc. Then I have a separate porn computer that has no limitations.

Steelersfan
Posts: 3764
Joined: Thu Jun 19, 2008 8:47 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Steelersfan » Wed Feb 08, 2012 10:41 pm

And for those folks who worry about strength and length of passwords, these are the types of attacks you should really be worrying about.

JMHO.
Last edited by Steelersfan on Thu Feb 09, 2012 5:44 am, edited 1 time in total.

Eagle784
Posts: 73
Joined: Sat Mar 01, 2008 4:12 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Eagle784 » Wed Feb 08, 2012 11:40 pm

I don't get why I should care - I'm not liable for fraud in my personal checking/saving accounts. Worst case scenario, there's a small risk I pay my credit card bills a little late one month - the card company will most likely waive the late fee when I explain. Just doesn't seem worth the time and hassle of engaging in far from foolproof techniques like only accessing accounts from dedicated computers.

In fact, I remember closing an account at one online bank because they mailed out secureids and insisted I use it to log in.

Topic Author
Pacific
Posts: 1329
Joined: Tue Mar 06, 2007 8:19 pm
Location: Lost in the middle of the Pacific

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Pacific » Thu Feb 09, 2012 12:44 am

Like someone else stated, I have one laptop for basic use, no downloading, no games. Just news, banking, etc. Then I have a separate porn computer that has no limitations.
:lol

linuxuser
Posts: 1107
Joined: Mon Jan 24, 2011 9:15 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by linuxuser » Thu Feb 09, 2012 9:41 am

raf1919 wrote:If you are not surfing and downloading porn or from malicious pirate sites, I wouldn't worry about it.
Actually that is not true.

A legitimate site can get hacked with malicious code, usually through JavaScript.
I experienced this myself.

I once visited a website that was hacked in such a manner. All I did was visit the site. Did not download anything.
It was a pure HTML website.

The malware stole all the passwords for my FTP client.
My FTP client had usernames and passwords for several websites I was responsible for.
The malware went into every one of the websites and modified all of the files in them to include the malicious JavaScript code.
I had to spend hours and go into all the websites and clean out each of the files.

Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by Epsilon Delta » Thu Feb 09, 2012 10:14 am

Steelersfan wrote:And for those folks who worry about strength and length of passwords, these are the types of attacks you should really be worrying about.

JMHO.
Unfortunately you have to worry about both. That's the problem with defense, the attacker gets to choose and you have to be ready.

AQ
Posts: 467
Joined: Mon Feb 25, 2008 11:38 pm

Re: Man in the Browser Malware defeats 2-step bank authent

Post by AQ » Thu Feb 09, 2012 10:32 am

In general, is it safer to use an office PC in a big company than a home PC (ignoring the issue of whether it's OK to do it in work time)? I would assume so since big companies have professionals to do all that anti-virus stuff?
