13 Comments
- Rogor, on 10/30/2009, -0/+9 No, you are wrong; they blaze straight past all the current electronic tokens, including the PayPal one. It is a total disaster for the security world, and those things cost PayPal almost $100 a pop including licensing. Because it is Man In The Browser, they control everything on your browser, waiting for you to connect to any SSL site, then checking from an internal database of over 4000+ bank login configurations; you go in and they go in, the token does nothing. Then they record your balance and in the background simply create an almost-maximum outgoing transfer to their mule account. Do they need a new token value for that transfer? Easy: oops, your session has expired, give me a new token value, and boom, there goes your money in the background. The thing is you don't even know, because every time you go back to your bank it detects it and changes the balance to the original. They don't even need to sneak a trojan onto your computer now; they simply added a jabber client to the standard phishing scam, and so when the user enters their token value the attacker is waiting and logs in within the 30 second window when your genuine token value pops up in his client.
All the electronic token systems from every single token company use generic number confirmation methods, so the user has no idea what they are actually authenticating. People have been taught that the electronic tokens are the final solution (hey, until recently that was what I have been telling people), but they are all expensive junk now, and with the high profile accounts that have been looted recently, expect to see an explosion in this type of fraud. As I said, we all need to school up on these trojans; here's a good article http://blogs.techrepublic.com.com/security/?p=2464 ...
- filltev, on 10/29/2009, -0/+9 Smart way to do it, just need to be more careful online with important details.
- Rogor, on 10/30/2009, -0/+5 This is because the new breed of Man In The Browser trojans have just torn through all the banks' expensive electronic token authentication methods and there isn't ***** they can do about it; even the vice president of RSA was forced to say "you cannot trust our products". Everyone needs to school up on URLzone and Zeus; the guys behind it are ripping off millions.
- jeremanrox, on 10/30/2009, -2/+6 That's what people get for thinking they can work from home by clicking sites or moving money..... exactly how retarded is our nation?
- JohnnySoftware, on 10/30/2009, -0/+3 Hmmm... what are the names of the malware the hackers are using for this, and what operating system does each malware run on? Key piece of information missing here. Where is the "responsible disclosure"?
Omitting the names of the malware having the biggest impact protects the hackers and the vendors whose products are responsible through "security by obscurity". Obviously, the public could take countermeasures like simply using a different browser, online banking client program, or operating system. But ONLY if they know which one is at fault!
So yeah, good to know that a king's ransom is being stolen across the country, but bad that the details needed to make the info actionable at a "grass roots" level are missing. Given that the problem has arisen from what people do not know, that is not the right thing. How can we have the benefits of a free market, capitalist system if people do not know what products are safe and what products are unsafe? Seems like common sense.
Right now bank customers are suing banks and banks are ignoring the customers' problems. And vendors are leaving them both to stew in the status quo. The status quo has gotten so bad because the status quo has gotten so good at protecting itself.
http://digg.com/security/Woman_Sues_Bank_for_Lax_S ...
Project things forward and you will see it will get better at making things worse faster and faster. Before it collapses and forces things to get fixed, it will take a lot of things with it. Might want to skip that last step. It seems to be the kicker in a lot of status quos that were "ignored till collapse" in past couple years.
Think of hackers as very effective though undoubtedly unscrupulous testers employed by very evil organizations. They are. So, why have software vendors not digested the test information, found the common causes of failures, and aggressively overhauled their affected products? Right now, it is as if they have addressed a problem with a tiny watercolor paint brush that should be handled with sandblasting and a complete new coat of paint, and an even deeper treatment.
It is silly to fear starting a rush of lawsuits, so disclosure is swell in this case. The Windows & IE software license agreement allows for only collecting $5 in damages (look at it) at most, so nobody is going to hire a lawyer to recover that. Nobody wants to receive a $3.62 check in the mail from a class action lawsuit, and besides, it does not fix the problem anyway.
- Rogor, on 10/30/2009, -0/+3 What I would like to know is how many of 'em know full well what's going on but figure they will play dumb if anyone comes knocking.
- Barackalypse, on 10/30/2009, -0/+2 They can force customers to use hardware security keys like PayPal has had available for a while. Basically the security key generates authentication codes either on demand or on fixed time intervals (i.e. a new code every 30 seconds) and you can't log into the account without the code. Since the device isn't plugged into your computer and the code is only good for a limited time, it pretty much stops this stuff cold.
https://www.paypal.com/cgi-bin/webscr?cmd=xpt/Mark ...
- Barackalypse, on 10/30/2009, -1/+2 This is sort of like a 411 scam in reverse; they're actually depositing money. I bet the traditional Nigerian 411 scammers are loving this, it must make it easier for them to find victims.
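Rogor's first comment above says token codes are "generic number confirmation" that tells the user nothing about what they are approving, and Barackalypse's comment describes codes that change every 30 seconds. The example below is added here and is not code from any commenter, from PayPal, or from any token vendor; the seed, amounts and account names are constructed. It contrasts a code bound only to the time window with one bound to the amount and destination of the transfer: the first validates any transfer submitted within the window, the second only the transfer the customer actually saw.

```python
import hashlib
import hmac
import struct

# Constructed demo seed shared by the bank and the customer's token (not a real key).
SECRET = b"demo-token-seed-not-a-real-key"
STEP = 30  # seconds per code window, matching the 30-second tokens in the thread

def _truncate(mac: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation of an HMAC into a short decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def time_code(secret: bytes, now: int) -> str:
    """Code tied only to the time window: it says nothing about which action
    the customer approved, so whoever holds it can spend it on any action."""
    return _truncate(hmac.new(secret, struct.pack(">Q", now // STEP), hashlib.sha1).digest())

def txn_code(secret: bytes, now: int, amount_cents: int, dest_account: str) -> str:
    """Code bound to the transfer being approved; a token that shows the amount
    and destination before producing it lets the user see what they authorize."""
    msg = struct.pack(">QQ", now // STEP, amount_cents) + dest_account.encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())

def verify_time_code(secret: bytes, code: str, now: int) -> bool:
    return hmac.compare_digest(code, time_code(secret, now))

def verify_txn_code(secret: bytes, code: str, now: int, amount_cents: int, dest: str) -> bool:
    return hmac.compare_digest(code, txn_code(secret, now, amount_cents, dest))

def relay_demo(now: int = 1_256_860_800) -> dict:
    """Customer approves a $20.00 transfer; the code they produced is then
    presented, inside the same window, for a constructed $9,500.00 transfer."""
    user_amt, user_dest = 2_000, "DEMO-ACCT-FRIEND"   # constructed values
    mule_amt, mule_dest = 950_000, "DEMO-ACCT-MULE"   # constructed values
    captured_time = time_code(SECRET, now)
    captured_txn = txn_code(SECRET, now, user_amt, user_dest)
    return {
        "time_only_accepts_other_transfer": verify_time_code(SECRET, captured_time, now),
        "txn_bound_accepts_own_transfer": verify_txn_code(SECRET, captured_txn, now, user_amt, user_dest),
        "txn_bound_accepts_other_transfer": verify_txn_code(SECRET, captured_txn, now, mule_amt, mule_dest),
    }
```

The time-only verifier never even receives the transaction, which is exactly why a code captured in the window authorizes anything; the bound code fails unless amount and destination match what the customer saw.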
- PeppermintPig, on 10/30/2009, -0/+1Excellent points. Given the Federal Reserve is inclined to just print more money, they don't seem all that concerned about "small-time" crooks.
- JohnnySoftware, on 11/01/2009, -0/+1Printing money is someone's responsibility. I think it is Treasury (govt.) rather than Federal Reserve (private company).
Federal Reserve basically sets monetary policy, as I understand it. Basically, it is the banker for the government and by extension of that and the fact that they set policy - they are the banker for the banks of the country (USA) as well.
Law enforcement (FBI, etc.) and regulators (FDIC, etc.) are involved and concerned by these recent trends, as their press announcements indicate.
Going and reading what the FBI (malware robberies subject) and FDIC (money mules in USA laundering money for organized crime syndicates behind the malware-based robberies of American bank account holders subject) demonstrates the government getting involved - at least with the consequences - of malware this year.
Really, it is up to consumers to buy better software, and companies Microsoft and Adobe to remove problems, not put more in, and if necessary replace or even retire programs they cannot fix.
Most Americans cannot piece together what software products are the ones that are conspiring with the malware to allow these robberies to occur.
I will rest easier when agencies or victimized corporations begin truly responsibly disclosing which commercial software products are involved, once a clear pattern has emerged.
Responsible disclosure should never be defined as not telling anybody ever when there is a clear pattern happening for a long time with many victims or dollars involved. It is not enough by a long shot merely to tell that people are being robbed and not what products are at the root of it.
I believe once this happens routinely, the free market, capitalist system will clean up the companies who have a monopoly on malware infections.
- pagno, on 10/30/2009, -1/+2 Basic computer and internet literacy can prevent a lot of this ***** from happening. Alas, no, the general populace can't be buggered to even learn and understand how any of it works. Besides, the game is on, and that is SO much more important.
- JKAL, on 10/30/2009, -0/+1 The original 411 scammers always deposited money from stolen/faked cheques (checks).
That is how they hook people in the first place.
- pstroll, on 10/30/2009, -11/+3 ***** L4D2 DEMO IS TOO GOD DAMN SHORT