I thought that I'd put together a post on my recent experiences with online banking fraud. I was a victim of it myself and I write this from a perspective of someone who should know better.

What happened?

I went to use the hole in the wall one dinner time and it declined, saying there were insufficient funds. This was odd as it was just after pay day and I hadn't had much chance to waste money yet.

Upon going back into work almost £2,500 had been creamed out of my account to a Josef Leki (someone I'd never heard of before).

How did it happen?

Someone had got into my online banking and created a FPO (fast payment online) to take money out.

Why did it happen?

I scratched my head for a bit and remembered that one time the bank system had asked for my Lloyds TSB memorable information without the drop-down lists but as text instead. I thought this was odd, but because I'd been drinking I entered it anyway and didn't stop to check the page that was on my screen.

From what I remember the web page failed then diverted me back to the real LloydsTSB site.

How is this possible?

Firstly, to get to a web site your computer needs to know the IP address that the web site is hosted on. This is a unique identifier assigned to each server (and to any other device on the internet).

In the case of Lloyds TSB the IP address is 141.92.130.226. To find this address your computer uses a system called DNS, which looks the name up and translates it into the IP address. So:

www.lloydstsb.com = 141.92.130.226

You can see this with the DOS command nslookup:

Got answer:
HEADER:
opcode = QUERY, id = 8, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 1, authority records = 0, additional = 0

QUESTIONS:
www.lloydstsb.com, type = A, class = IN
ANSWERS:
-> www.lloydstsb.com
internet address = 141.92.130.226
ttl = 176 (2 mins 56 secs)

------------
Non-authoritative answer:
------------
Got answer:
HEADER:
opcode = QUERY, id = 9, rcode = NOERROR
header flags: response, want recursion, recursion avail.
questions = 1, answers = 0, authority records = 1, additional = 0

QUESTIONS:
www.lloydstsb.com, type = AAAA, class = IN
AUTHORITY RECORDS:
-> lloydstsb.com
ttl = 843 (14 mins 3 secs)
primary name server = ns2.lloydstsb.co.uk
responsible mail addr = dnsreg.lloydstsb.co.uk
serial = 2010033066
refresh = 10800 (3 hours)
retry = 3600 (1 hour)
expire = 2592000 (30 days)
default TTL = 900 (15 mins)

------------
Name: www.lloydstsb.com
Address: 141.92.130.226


How are websites commonly accessed?

This depends on the individual but commonly:

* An internet favorite (shortcut)
* A link on a page (typically a search engine like Bing)
* A direct link in a browser

It just takes one of these links to become compromised, perhaps through a virus.

Can bank systems be hacked?

Yes, but not easily, and this would probably be beyond the scope of any scammer. A bank will have intrusion detection systems to warn against attack. It's more likely that the request will be intercepted before it gets to the bank and redirected to another website that stores the logon details you enter into the dodgy page.

How is this possible?

The simplest way is to send an email containing a link that looks like it belongs to the bank. Other ways involve compromising your computer's ability to resolve DNS names to IP addresses.

Instead of these requests going to your ISP's name server, which your computer normally queries when you browse the net, they are sent somewhere else that supplies your computer with false information. This directs you to web servers elsewhere in the world hosting pages that look like the bank's, which collect your account details and store them for a later attack.

As an example, it's really simple: all you need to do is change your PC's hosts file (found in a Windows sub directory) to divert the request elsewhere. The hosts file is consulted before DNS is ever asked, so whatever it says wins. Changing mine to include a line that says:

66.102.9.104 www.lloydstsb.com

would send my computer to Google every time I typed www.lloydstsb.com into my browser.
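As an added example (not part of the original post), here is a small check that parses a hosts file and flags any entry that overrides a bank's name with an address other than the one its DNS really serves. The hosts content below is constructed for the example, and the list of watched names and the expected address (taken from the nslookup answer above) are assumptions.

```python
import ipaddress

# Constructed sample hosts file (not the author's); the lloydstsb line is the
# override the post describes, pointing the bank's name at a Google address.
SAMPLE_HOSTS = """\
# Windows hosts file (normally %SystemRoot%\\System32\\drivers\\etc\\hosts)
127.0.0.1       localhost
66.102.9.104    www.lloydstsb.com     # <- this line is the hijack
192.168.1.20    nas.home              # harmless local entry
"""

# Addresses the user expects for sensitive names (from the post's nslookup
# output); which names to watch is an assumption made for this example.
EXPECTED = {"www.lloydstsb.com": {"141.92.130.226"}}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                           # malformed line, ignore it
        for name in fields[1:]:
            yield str(ip), name.lower()


def find_hijacks(text, expected=EXPECTED):
    """Return (name, ip) for hosts entries that override a watched name.

    The hosts file takes precedence over DNS, so any entry for a bank name is
    suspicious unless it matches the address the bank's DNS actually serves.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name in expected and ip not in expected[name]:
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print("WARNING: %s is locally redirected to %s" % (name, ip))
```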

Checking the address

Always check the address at the top of the browser. If it says anything other than your bank's real address, e.g. something like www.lloydstsb.com.bank.tw, something's wrong. If the banking site asks for information out of the blue, or changes the way you enter your personal details, something is wrong, so double check.

Check the SSL certificate (by clicking on the browser's padlock) too if you're unsure.

It's quite easy to spoof an address, particularly with something called an IDN attack. See this extract from Wikipedia:

The internationalized domain name (IDN) homograph attack is a means by which a malicious party may seek to deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters may have nearly (or wholly) indistinguishable glyphs.

In a typical example of a hypothetical attack, someone could register a domain name that appears almost identical to an existing domain but goes somewhere else. For example, the domain "rnicrosoft.com" contains "r" and "n", not "m". Other examples are G00GLE.COM which looks much like GOOGLE.COM in some fonts.
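To make the warning signs above concrete, here is an added example (not from the original post or from Wikipedia) that scores a domain against a list of trusted bank names: it reports non-ASCII (punycode) labels, mixed scripts inside one label, look-alike spellings such as rnicrosoft/microsoft and G00GLE/GOOGLE, and the trusted name buried under someone else's domain as in www.lloydstsb.com.bank.tw. The small confusables table is an assumption; Unicode's real confusables list is far larger.

```python
import unicodedata

# Small illustrative confusables table (an assumption for this example;
# Unicode's confusables.txt is far larger). Longer entries are applied first.
CONFUSABLES = {
    "rn": "m", "vv": "w",                          # letter pairs that look like one letter
    "0": "o", "1": "l", "3": "e", "5": "s",        # digits standing in for letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0443": "y",   # Cyrillic p, c, y
}


def skeleton(name):
    """Collapse a domain name to a form in which confusable glyphs are unified."""
    s = unicodedata.normalize("NFKC", name).lower()
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def homograph_risk(candidate, trusted):
    """Return the reasons `candidate` may be impersonating a trusted domain ([] = none found)."""
    cand = candidate.lower().rstrip(".")
    reasons = []
    if cand in trusted:
        return reasons
    # 1. Non-ASCII labels: on the wire these become punycode (xn--...) labels.
    try:
        ascii_form = cand.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = cand
    if any(lbl.startswith("xn--") for lbl in ascii_form.split(".")):
        reasons.append("non-ASCII label, punycode form: " + ascii_form)
    # 2. Mixed scripts (e.g. Latin plus Cyrillic) inside a single label.
    for lbl in cand.split("."):
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in lbl if ch.isalpha()}
        if len(scripts) > 1:
            reasons.append("mixed scripts in label %r: %s" % (lbl, sorted(scripts)))
    for t in trusted:
        # 3. Same skeleton as a trusted name (rnicrosoft/microsoft, g00gle/google).
        if skeleton(cand) == skeleton(t):
            reasons.append("looks like " + t)
        # 4. Trusted name embedded under another domain (the .bank.tw trick).
        elif t in cand and not cand.endswith("." + t):
            reasons.append("embeds " + t + " inside another domain")
    return reasons
```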


Two factor authentication

Keyboard loggers can easily steal passwords, but asking for characters or phrases at random helps circumvent key loggers somewhat. Security tokens and smart cards are further ways to secure pages, but these are more expensive to produce and administer, which is why you'll only see them on business accounts.

Did you get the money back?

Fortunately yes, but I did have to jump through a fair few hoops to get it back. There was something else I'd noticed: the fraudster had been in the account a few weeks before and changed the contact number, in case the bank tried to call to query large payments going out of my account. You can usually set up text alerts to warn you of this.

Naturally if the bank called, he would have pretended to be me.

Some simple tips:

1) Always check the web address of your bank to ensure it's what you'd expect (www.lloydstsb.com, www.halifax.co.uk, etc.)
2) Check the validity of the SSL certificate
3) Keep your computer up-to-date with anti-virus
4) If in doubt, don't enter your details
5) Don't action any emails whatsoever asking for personal banking details
6) Set up automated text alerts should any of your bank details change
7) Ensure your PC and browser patches/critical updates are regularly applied.