Wednesday, April 22, 2009

Name Your Poison and Cache In

From now on, every time you see the graphic on the left, expect to read a post or article about why banks need to get rid of the username: password: routine.  It ain't safe!!!  Here's another example why...

Complete item:

One of Brazil's biggest banks has suffered an attack that redirected its customers to fraudulent websites that attempted to steal passwords and install malware, according to an unconfirmed report.

According to this Google translation of an article penned in Portuguese, the redirection of Bradesco was the result of what's known as a cache poisoning attack on Brazilian internet service provider NET Virtua.

DNS cache poisoning attacks exploit weaknesses in the internet's domain name system. ISPs that haven't patched their systems against the vulnerabilities are susceptible to attacks that replace the legitimate IP address of a given website with a fraudulent number. End users who rely on the lookup service are then taken to malicious websites even though they typed the correct domain name into their browser.
"That's pretty serious when you're talking about a banking organization," said Paul Ferguson, a security researcher with anti-virus provider Trend Micro. "If people are trying to log in to their account and they get rejected, they'll try again and again with the same user name and password."
DNS cache poisoning has been around since the mid 1990s, when researchers discovered that DNS resolvers could be flooded with spoofed IP addresses for sensitive websites. The servers store the incorrect information for hours or days at a time, so the attack has the potential to send large numbers of end users to fraudulent websites that install malware or masquerade as a bank or other trusted destination and steal sensitive account information.

In 1998, Eugene E. Kashpureff admitted to federal US authorities that on two occasions the previous year he used cache poisoning to divert traffic intended for InterNIC to AlterNIC, a competing domain name registration site that he owned.

Makers of DNS software were largely able to prevent the attacks by adding pseudo-random transaction ID numbers to lookup requests that must be included in any responses. Then, last year, IOActive researcher Dan Kaminsky revealed a new way to poison DNS caches, touching off a mad scramble by the world's ISPs to fix the vulnerability before it was exploited.

The article from cited a Bradesco representative who said that about 1 percent of the bank's customers were affected by the attack. It went on to suggest that customers who were paying attention would have noticed Bradesco's secure sockets layer certificate generated an error when they were redirected to the fraudulent login page.

Interestingly, it also said that a domain used for Google Adsense was redirected to a site that used malicious Javascript to install malware redirected machines. The attacks have since been resolved, the article stated.

It's still not clear exactly how the caches were tainted. Representatives for the ISP and the bank hadn't responded to requests for comment at time of publication.

For more details :,

I'll Give You $10k for Your Nokia 1100!

Why?  Cause I can selll it for $25k.  No...scroll down further ...I can sell it for $32k.  Of course if you hooked up our device to your phone, and swiped your card and entered your PIN (ONE TIME) that phone would be a secure payment terminal.  I've gotten a few emails regarding hooking up our device to a mobile phone and wanted to clarify.  You would only need to swipe and enter your PIN "one-tiime" to morph your phone into a secure payment device.  Not everytime you wanted to purchase something.  I'll have more on this in future posts, but in the meantime, if you've got a Nokia 1100 let me know!

Complete item:

Scammers are reportedly prepared to pay $25,000 for German Nokia 1100 handsets, on the basis that they can be reprogrammed to intercept SMS messages and thus crack banking security.

The claim comes from Ultrascan, a security association that generally follows up 419 scams and ID theft. Ultrascan tells us it was approached by Dutch police concerned that the price of a second-hand Nokia 1100 was unexpectedly rising. The company subsequently discovered that buyers were interested in a security flaw that makes the German version of the handset worth so much, though the technical background remains obscure.

The supposed exploit is based around codes - mTAN - that are sent to customers over SMS and are unique to each mobile-banking transaction. The premise is that criminals have "thousands" of login details and just lack these single-use codes, so are trying to get hold of Nokia 1100 handsets to intercept them.

The problem with this hypothsis is that the GSM security model is managed by the SIM, which colludes with the network's authentication server to create an encryption key which is made available to the handset. Communications can only be intercepted by getting hold of that key, or breaking the encryption itself, neither of which is easier to do while in position of a Nokia 1100, German or otherwise.

We put these technical issues to Ultrascan who told us that they "did not investigate [the technical] part", but are hoping to get hold of a '1100 for testing in the next few days to see what is possible.

In the early days of GSM some operators introduced a critical flaw (zeros) into early versions of GSM cryptography, to enable the use of cheaper SIMs, but almost all operators have since upgraded to proper security and 3G networks have open algorithms that are well known to be pretty secure. Some countries, such as Pakistan, aren't permitted to use cryptography so still suffer from SIM-cloning and the like, but such places don't generally offer mobile banking for obvious reasons.

Ultrascan say they'll be in touch when they have more technical details, but for the moment it's beyond us how one phone can intercept calls made to a different SIM, and it seems more likely that one scammer is simply ripping off another with promises of magic handsets.

Complete item:

The mystery why cybercriminals want a discontinued Nokia phone isn't getting any clearer. Hackers have been offering up to $32,413 in underground forums for Nokia 1100 phones made in the company's former factory in Bochum, Germany. The phone can allegedly be hacked so as to facilitate illegal online banking transfers, according to the Dutch company Ultrascan Advanced Global Investigations.

Nokia said on Tuesday it is not aware that resale prices for a phone that retailed for less than $17 when it debuted in 2003 have risen so high. Further, Nokia maintains the phone's software isn't flawed.

"We have not identified any phone software problem that would allow alleged use cases," the company said in an e-mailed statement.

The 1100 can apparently be reprogrammed to use someone else's phone number, which would also let the device receive text messages. That capability opens up an opportunity for online banking fraud.

In countries such as Germany, banks send an mTAN (mobile Transaction Authentication Number) to a person's mobile phone that must be entered into a Web-based form in order to, for example, transfer money into another account. A TAN can only be used once, a security feature known as a one-time passcode.

Criminals have proven adept at obtaining people's usernames and log-ins for online bank accounts, either through tricking people into visiting look-alike bank Web sites, through clever e-mail messages or simply hacking PCs.

European banks typically issue customers a list of TANs, but phishers tricked people into revealing those. Deutsche Postbank used to accept any TAN from the list to complete a transaction. Then the bank moved to requesting specific TANs from the list. After continuing fraud, it decided in 2005 to expanded the use of mTANs.

"The mTAN is valid only for the requested transfer and only for a short period," according to the bank's Web site. "It thus has no value for a fraudster."

That is, unless the hacker could also receive the mTAN, which Nokia 1100 hack allegedly allows.

Nokia said it doesn't know of an 1100 software problem that would allow call spoofing. The company said that a phone's SIM (Subscriber Identity Module) card -- which holds the device's phone number -- has security mechanisms that are separate from the phone itself.

Nokia said it is aware of commercial services that claim to provide caller identification or phone-number spoofing services, but in those cases the service provider acts as a proxy between the caller and the recipient, Nokia said.

But it is possible to have multiple phones running on a service provider's network that use the same phone number, said Sean Sullivan, a security adviser at F-Secure Corp., a security vendor in Helsinki, Finland. Usually, the last phone that used the network will be the one that receives inbound messages, he said.

Reblog this post [with Zemanta]

Web Site Redirects for Coke, Microsoft and HSBC

This is just the tip of the iceberg as to what we can expect in the near future.  Again, bank websites are most at risk of these DNS Hijack's and as long as they continue to use what many consider to be obsolete "username, password" they continue to needlessly put their online banking customers at risk.  It isn't hard to imagine a scenario whereby a bank website is cloned and their DNS hijacked.  The bank's customer, completely unaware, enter's their username and password into the box.  The bad guys now go to the "real" site, enter the username and password and "voilla" complete unfettered access to that individuals account.

Of course, if Banks used HomeATM's PCI 2.0 certifed SafeTPIN Pin Entry Device for secure 2FA (2 factor authentication) log-in,  a cloned website would NOT work.  The unsuspecting banking customer would be redirected to the "hijacked" site, but instead of a username/password log-in they would be instructed to swipe their card and enter their PIN.  Since the information is encrypted inside the SAFETPIN (instead of the browser) the bad guys wouldn't have anything with which to get into the genuine site.  Same thing with cloned cards.  They wouldn't work. 

Same thing with phishing....which costs banks $350 a pop.  I'll give you 10 SafeTPIN's for $350 and reduce your phishhing attacks to zero.  Click on the graphic on the right about phish-stick-tistics  as to why that would be the best investment a bank could make.

Here's the article about the DNS hijacking...

Source: Zone-h
Complete item:

Some Turkish defacers broke into the New Zealand based registrar (which belongs to MelbourneIT) and redirected some of their customers' high profile web sites to a third party server with a defaced page. Companies which had their New Zealand web sites defaced include Microsoft, HSBC, Coca-Cola, F-secure, Bitdefender, Sony and Xerox.

The hacked websites carried the messages: "Hacked by Peace Crew" ,"STOP THE WAR ISRAEL". In addition the crackers inserted a picture of Bill Gates creampie'd on the Microsoft defacements.

It is interesting to note that the attacker going by the handle of "agd_scorp", a member of Peace Crew, hacked a big amount of MSN and microsoft.* web sites in the past (Microsoft Canada, Morocco, Tunisia, Austria, Ireland... MSN Israel, Korea, Spain, Denmark, China, Norway...).

This time they exploited a simple SQL Injection vulnerability to hack the administration panel of the registrar, where they modified the DNS records of the domains. Again, it is quite scary to see how a so big company can get hacked because of a famous programming vulnerability.

Registrars have been one of the main aims during the past months as they are often the weakest link and an easy target for attackers who want to hijack high profile web sites.


Reblog this post [with Zemanta]

Blogging Has Come a Long Way

Blogging Has Come a Long Way, Baby

APRIL 22, 2009
Blogging ain’t what it used to be.

If yesterday’s blogs were about personal expression, today’s are about two-way conversations that take place on many fronts: independent, standalone blogs; social networks; e-commerce and mainstream media sites; and microblogging platforms such as Twitter.

“This blogging activity presents new opportunities for marketers to influence—and monitor—conversations that may be relevant to their businesses,” says Paul Verna, eMarketer senior analyst and author of the new report, The Blogosphere: A-Twitter with Activity. “These conversations will continue to happen with or without participation from marketers, but those who join in—whether through their own sites or through a brand presence on independent ones—will have a place at the table.”

And the opportunities are large—larger than many people and pundits expected only a few years ago.

“Blogs are now mainstream media,” said Richard Jalichandra, CEO of Technorati. “You’re also seeing mainstream media coming in the other direction by adding blog content.”

This point of view is echoed by David Tokheim, of Six Apart Media. “The lines are becoming blurred between a standalone blog that might be created on TypePad or Blogger or WordPress and blog content that’s created by The New York Times.”

Currently, 27.9 million US Internet users have a blog they update at least once per month, and they represent 14% of the Internet population. By 2013, 37.6 million users will update their blogs at least monthly.

Several sources put the number of US bloggers even higher (Note: Though often reported in 2009, the estimates are for 2008.)  Even more important than the number of bloggers, though, is the number of blog readers.

eMarketer estimates that in 2009 96.6 million US Internet users will read a blog at least once per month. By 2013, 128.2 million people, or 58% of all US users, will do the same.

“Blog sites now touch tens of millions of people in the US, and the numbers of blog readers and creators are projected to continue growing,” says Mr. Verna.  The numbers tell the tale—or long tail, if you prefer.

“Blogging activity presents new opportunities for marketers to monitor and influence conversations relevant to their businesses,” says Mr. Verna. “Opportunities no marketer should ignore.”

Before you read your next blog, or tweet, download the new eMarketer report, The Blogosphere: A-Twitter with Activity.

Reblog this post [with Zemanta]

On Online Banking

Source: Finextra
Complete item:

The number of US online banking customers continued to grow at a steady rate throughout 2008 as customers looked to keep a close eye on their finances during the recession, according to research from Web metrics firm comScore.

The study found the growth in the number of customers at the 10 most-visited online banks hardened in 2008 as financial institutions became more aggressive in their customer acquisition efforts, after weak gains the previous year.

Over 51 million Americans visited one of the top ten online banking sites in the fourth quarter of 2008, around four million more than in the same period the previous year.

ComScore says nearly 60% of the total US Internet population now visits any one of the top 20 financial institutions' sites in any give quarter.

The study also examined customer satisfaction with online services and a survey of over 4800 US adults shows 71% are "highly satisfied" with their primary online bank - just one per cent down on the previous year.

Satisfaction with credit card issuers also held steady at 62%, compared to 65% the previous year.

However, brokerage firms saw their highly satisfied customers decline from 70% of respondents in 2008 to 58% in 2009.

And You Say You Want Software Internet PIN Debit?

Back in 2002, a company called ATMDirect was hyping their software based Internet PIN Debit platform...but nobody listened.  Eventually they went bankrupt and Pay By Touch bought their assets out of bankruptcy.

Pay By Touch pushed ATMDirect but nobody listened. (okay Accel Exchange did do a pilot with JPaul)  Then Pay By Touch went bankrupt...and ATMDirect's assets went up for sale AGAIN!

Not a single payments entity placed a bid.  Not Paypal (who paid almost a billion for eBillMe) not a single EFT Network, no alternative payment company whatsoever even showed a hint of interest.

Finally, it was purchased for a measly $600k, including Dell according to one report./IBM according to another, Blade Servers valued at $1.5 million plus.  Fast forward to 2009.  ATMDirect's software-based platform, under a new name, "Acculynk" is gaining some traction.  With the exponential growth of malicious threats hitting the web, time may have passed this "application" bye.

Ironically, in the short history of the Internet, the year 2002 was probably the optimal time to introduce a software-based PIN Debit application. But 2009? Look at the chart above. A 12 Fold increase in malicious code threats since the beginning of 2007?  That means that there are web-based attacks that exist this morning that didn't exist last week, let alone in 2000.  So what does tomorrow hold? Not a lot of promise for alternative PIN debit.  Especially when you consider that (not surprisingly) the "VAST MAJORITY" of attacks focus on Financial Services.

Take a gander at the article below from The Sydney Morning Herald based on last week's release of  the results of a new study on Intenet security by seems obvious the time for an internet PIN Debit application was years ago, not now.

False sense of security - Banking - Money - Business - Home - John Kavanagh - April 22, 2009

No website is safe from the increasing number of internet criminals who want your money. Internet security threats are increasingly likely to come from popular, trusted sites with a large number of visitors. The growing sophistication of internet fraudsters and the techniques they use are resulting in an increasing number of cases where malicious code is finding its way into the web browsers of visitors to websites of reputable organizations.

This is the main finding of the Internet Security Threat Report, published last week by Symantec. The report is based on feedback from 240,000 sensors monitoring attack activity in 200 countries. The report says the online underground economy is maturing, with a range of "service providers" selling phishing tool kits and blank credit cards, as well as stolen data.

The area where the threat level is highest is financial services. Frauds and malicious attacks involving bank and other finance sector websites make up more than 75 per cent of the total.

The senior director of Symantec Australia and New Zealand, David Dzienciol, says bank account and credit card details are the most popular items being traded by internet criminals.

The report says 76 per cent of phishing attacks target financial-services sites. Keystroke logging, a technique used to steal online banking log-on details, is another common form of attack. Twelve per cent of all data breaches in 2008 involved credit card information.

Credit card details are the most popular items for sale in the "underground economy". The reason for this, the report says, is that "there are numerous ways for that stolen information to be cashed out. The underground economy has a well-established infrastructure for monetising such information."

The report states: "The lengthy and complicated steps being pursued to launch successful web-based attacks demonstrate the increasing sophistication of the methods used by attackers."

Local banks are reporting that fraud levels in some areas, such as check fraud, have gone down but..."The area where there has been a big increase is in card-not-present transactions involving credit and debit cards (card-not-present transactions take place online)

The Australian Payments Clearing Association (APCA) reports that in the 2007-08 financial year, check fraud declined from 1.4 cents to 0.8 of a cent in every $1000 of payments. Debit card fraud (involving Eftpos and ATM transactions) went up from 7.1 cents to 7.4 cents for every $1000 of payments. Credit and charge card fraud jumped from 38.6 cents to 50.2 cents for every $1000.

APCA says card-not-present fraud accounts for 48 per cent of card fraud. (Editor's Note: A software PIN Debit application is a "card-not-present" approach) True PIN Debit is a debit card that is 1. Swiped, in order to capture the PIN Offset, the PIN Verification Value and the Track 2 Data and has True 2FA (two-factor authentication) by entering the PIN after the magnetic stripe data is captured. HomeATM has the ONLY TRUE PIN Debit solution designed for eCommerce.)

symantec, malicious code, Internet PIN Debit, Acculynk, HomeATM

Reblog this post [with Zemanta]

Disqus for ePayment News