Posted on 07/04/2006 10:03:34 PM PDT by Stoat
Edited on 07/05/2006 1:46:15 AM PDT by Jim Robinson.
Hackers have penetrated internet banking facilities and gained access to the accounts of clients of three major banks, the Cape Times reported on Tuesday.
Its website said hackers had in the past three months gained access to the online accounts of clients from First National Bank, Standard and Absa banks.
(Excerpt) Read more at mg.co.za ...
Here is the damage as expressed in US dollars as of this moment:
10,500.00 ZAR (South Africa Rand) = 1,494.53 USD (United States Dollars)
1 ZAR = 0.142336 USD
1 USD = 7.02561 ZAR
It's not exactly a "King's Ransom", but it's more a matter of principle....if they have broken the encryption at this South Africa bank, it begs the question of what sort of encryption are they using and is it similar to what's being used at US or UK banks.
We are frequently told that the encryption used at US banks would require a massive amount of time and computing power to crack, and hopefully that's true.
Possible "inside" job.
That's my guess also, but the article uses the term "hackers" which implies a breaking of the encryption....if it were a matter of simply stealing users' passwords I wouldn't call that "hacking".
Too bad the article doesn't give more detail.
>>if it were a matter of simply stealing users' passwords I wouldn't call that "hacking".
FYI: Tricking a person out of their password is known as "Human Engineering"
LMAO !
Of course, if somebody steals a laptop without protection or has access to client keys with authority, the encryption strength doesn't matter.
Very true. Hopefully this is all a matter of the reporter using the term "hacker" incorrectly, which is quite possible; in fact likely.
We all know of the incredible number of errors that reporters make in matters pertaining to technology as well as firearms and other subjects.
(How often have we heard of semiautomatic rifles being equated with machine guns?)
Hopefully this is all a matter of another inarticulate reporter and another inarticulate editor....there are so very many of them "sigh"
Good point, Stoat. My confidence in accurate reporting from the media has dropped in recent years!
Perhaps the web banking application has flaws, or the box it's running on is insecure. It's more likely to be stupidity on someone's part than cleverness on the part of the criminal.
Nigerian business schemes weren't bad enough, and now this.
More typical behavior from the Chocolate Continent. Mayor Nagin, Mugabe and Jesse should feel proud.
Mine as well. For some time now, when there's been a heartstopping story in the MSM, my reaction has been "well gee, that's interesting, I wonder if it's true? I'll have to check with the bloggers and see if they verify it".
I have no doubt that if there has been an actual breaking of the encryption at a bank it will be all over the blogs within a few hours.
ROTFLMAO!!
If we're going to get racial about this, honesty demands that we recognize the HUGE white population in South Africa, and so the criminal(s) could really be of any shade. :-)
But I agree, I wouldn't trust a Nigerian financial institution any further than I could throw it :-)
Even a fairly strict definition of hacker (what I might call a cracker) includes the possibility of exploiting other software bugs. Your bank data is usually only encrypted while going over the internet. On both ends, your PC, and the bank's computer, it is often wide open.
If I were trying to crack the bank to steal money, I'd probably go after other possible software or human weaknesses, rather than trying to crack the encrypted data going over the net. It's not even clear what good cracking the data in transit would do me.
It is as if you hired an armored car to transport your pile of cash from the mattress in your apartment, to your uncle's shoebox in his garage. If I wanted to steal that money, I'd let the armored car pass, and either sneak in before to your apartment, or after to your uncle's garage, to steal it.
In this case, getting into your PC only nets me your money, while getting into the bank's computer could net me the money of many customers, if I can just figure out how to get it transferred out to someplace I can use it, without leaving a trail that leads the investigators straight to me.
One of the uses for rootkits is to hide programs on your PC that will wait until you connect to your bank, and then add a few instructions to those you send along, asking for some money to be transferred out to the bad guy's account as well.
Most likely, the banks' computers get hit now and then as well. That's harder (one would hope) but more lucrative. We don't hear much about such attacks, as the banks tend not to publicize them, or as in this case, publicize them with insufficient or inaccurate details.
Sounds like an inside job to me.
ping
Thanks very much for your detailed reply. I hope that you're right, it's just that I had sort of understood that in the matter of financial operations on computers, all links in the chain were typically encrypted, or supposed to be at any rate. I don't pretend to be an expert on the systems used by banks, but it's easy to see that if there are unsecure elements in the chain, any of those elements, if compromised, could lead to a criminal having easier access to the system.
Hopefully this is what has happened and hopefully the systems used by banks in the US and UK are far more secure than those used by the banks in South Africa.
If for example, I gain access to your computer, then my software would wait in hiding, until you connect to your bank's web site and login, then have my software issue a couple of additional transactions, transferring money to my account. I have no need to decrypt anything to accomplish this, as your PC is momentarily trusted (when you are logged on to the bank's web site) to issue instructions against your bank accounts.
Or, the other possibility if I can gain access to your PC is that I can steal enough information from your Quicken file, say, to enable me to make my own purchases with your credit card.
In neither case, did I have to decrypt anything.
Similarly, if I could get some software hidden away in one of the bank's computers that is allowed to issue account transactions, then I could have that software issue transactions against any of the accounts of that bank's customers.
Or, the other possibility if I've cracked the bank's computer is to copy out sufficient account information on many customers to enable me to issue fraudulent funds transfers against their accounts.
What's valuable in any case is not learning the details of any particular legitimate transaction, which is what was usually protected by the encrypted data transmission. What's valuable is being able to issue additional transactions, that direct the theft of money, whether by directly issuing them from a trusted computer such as your PC when you are logged onto a bank site or an actual trusted computer within the bank itself, or by issuing normal credit card charges or funds transfer requests, using previously gleaned account information.
In summary, I (as hypothetical thief) don't care one twit about your transactions (which is what the encryption hides while being transmitted). I want to have either enough access to the right computers or enough information about your bank or credit account to be able to generate my own transactions against your accounts.
Just keep watching the bank's transactions against your various accounts, and object if you see one that you didn't authorize. They will refund your money for fraudulent credit card charges (above a $50 minimum, if I recall) and other fraudulent checking or saving account charges (if the bank is honorable.)
I take significantly more care than most people do to avoid being the victim of fraudulent changes, and I still catch one every few months. In some cases, I never did figure out how the crooks managed it, but I've always gotten my money back. Usually it's others in my family who created the exposure, as they are less paranoid and computer savvy than I am, which is to say they are normal people who have to put up with my weird self.
See the latest posts on the thread Watch out for this online credit card fraud via Fandango.com!! for the latest way that the bastards tried to get some of my money.
The cure is always the same - quickly identify and protest any unauthorized transactions on any of your credit, checking, savings or investment accounts. And watch your credit reports for signs of identity theft, which can unleash a flood of grief, if not caught quickly.
The New York Times will probably have a full detail article soon, to show Al Qaeda how to do it.
Warning: This post contains geek speak.
>> One of the uses for rootkits is to hide programs on your PC that will wait until you connect to your bank, and then add a few instructions to those you send along, asking for some money to be transferred out to the bad guy's account as well.
For those of you wondering if you have a rootkit on your computer, here is a link that may help you out (http://www.sysinternals.com/Utilities/RootkitRevealer.html )
Spoofing: a process where you fool the network into thinking you are someone else (like sending an email in Bill Gates' name to Slashdot and surrendering). Spoofing can also be used to breach IP address specific protection schemes.
Spyware: (http://dictionary.reference.com/browse/spyware )
Spyware can range from a cookie placed on your system so the owner can tell what other sites you visit that use their service, to software that records key presses (key logger) and sends them to the criminal looking for your information. They can compare things in your favorites, web site addresses etc., and when you go to a site that looks promising, they can capture your keystrokes before they reach the browser. In this way they capture your login and account information to your bank, and once transmitted to the crook planting this thing, they can log in just as easily as you can.
Do not trust the default setup on any machine. Get a third-party firewall (so the default methods of getting through won't work on your machine; if you are running a Windows box, I like ZoneAlarm http://www.zonelabs.com/store/content/home.jsp ). Run a spyware checker regularly (I like Spybot Search and Destroy http://www.spybot.com/ and Ad-Aware http://www.lavasoft.com/ ). Also run a virus scanner that will watch your email program for incoming viruses (try http://www.grisoft.com/doc/1 ).
Just thought you might want to know, besides, these all have free versions!
NJoy