Author Topic: Online broking fraud


Offline Totro

  • LandzDown Team
  • Hero Member
  • Posts: 517
  • Cogito ergo sum ...
Online broking fraud
« on: October 25, 2006, 05:31:17 AM »
If you trade stocks & shares (equities) with an online broker then read this news about how hackers could be selling your shares to buy shares in a company they hold - in order to bump the price (of their shares) up.

Here:-

http://www.smh.com.au/news/Technology/Fraud-scheme-costs-Ameritrade-ETrade-22-million/2006/10/25/1161699375500.html

or here:-
Edited by Totro 9 November 2006 :- Link removed ... Reason >>> 2nd Link is now Dead

PS.  I just noticed - when checking the links - that the first one may deliver you a "pop-under" - it's nothing to worry about - just an ad, but I thought I should explain that that may happen.  :thumbsup:

Panic slowly...

Brought to you from the land down-under...

ASAP (Member) Alliance of Security Analysis Professionals

Offline Profixer

  • Visiting Experts
  • Full Member
  • Posts: 249
Re: Online broking fraud
« Reply #1 on: November 21, 2006, 09:04:40 PM »
Basically, this is yet another example of the appalling level of security thinking by banks when it comes to authentication... the very thought that an ID and password were all that was needed to gain access to these accounts is just scary, and sadly, very very common...

"And we're working with software vendors to develop new techniques for preventing this from even happening at their keyboard level."

how far behind are they?

When I log into my internet bank, I have a little keycode device, separate from the computer, that contains an algorithm also stored on the bank's servers. The bank sends two numbers to me on the login page, and I type those two into my device, which generates another number (a number which, if intercepted by spyware or wireless sniffing, would mean nothing to anyone)... when I send these two numbers (plus my generated number) back to the bank, the bank performs the same calculation on their server as my keypad did... then compares the numbers to see if they match... and these types of devices have been around for over 5 years in Swedish banks... I am shocked that they say they are looking into "new ways"... they shouldn't be letting users enter usable data with their keyboards at ALL....
My sarcasm knows no bounds

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • Posts: 19507
  • "Stronger than the past, united in our goal."
Re: Online broking fraud
« Reply #2 on: November 21, 2006, 10:58:02 PM »
Your bank is way ahead of those in the U.S.  At my bank, I was provided an initial pin which I changed.  It appears to be un-expiring.  I use a different password for every place and a completely different "code" for my bank account and I never access it on a public computer. 

Supposedly, two-factor authentication is to be in place in the U.S. by year end (BankTechNews).  Sadly, I don't see it happening.

Here's an interesting take on The Failure of Two-Factor Authentication


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline Profixer

  • Visiting Experts
  • Full Member
  • Posts: 249
Re: Online broking fraud
« Reply #3 on: November 22, 2006, 09:20:12 AM »
Actually Corrine... the cool thing about my bank is that any transaction you make has to be accompanied by entering new codes.... so disconnection or session piggybacking would not work, cos he still needs my keypad to generate the random numbers... and also he is unlikely to get his own transactions authorized, cos I would have all these strange transactions in my transaction queue... granted... someone who has A LOT of transactions might not notice a few extra ones... and that is where the problem could lie.....

Basically, my advice to ANYONE using online banking is to keep a PC in the house somewhere that runs Linux... do not take the chance with Windows... it's not worth the chance that you are infected...

This ain't a problem for me, because I run Linux exclusively... Windows only runs in a VM for me...

//Pro scientia et humanitate
My sarcasm knows no bounds

Offline Profixer

  • Visiting Experts
  • Full Member
  • Posts: 249
Re: Online broking fraud
« Reply #4 on: November 22, 2006, 10:43:19 AM »
I guess the solution to the problem of the additional transactions would be that every transaction which is made must be verified by attaching a unique code to each transaction, which is generated by the hand-held device and the bank's servers... as each transaction is made, the unique code is checked against what the bank's servers know it should be... this would however severely limit the user's ability to commit bulk transactions on one verification and could become very very annoying... but the bonus is, this is pretty much a rock-solid way of stopping someone from inserting their own transactions and committing this type of fraud... the only other attack vector could be that the attacker figures out what the algorithm is or physically steals the hand-held device (plus the PIN code) from the person....
My sarcasm knows no bounds
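The two mechanisms Profixer describes above - the challenge-response keycode device used at login (Reply #1) and a per-transaction code that binds each transfer to what the device signs (Reply #4) - can be modelled in a few dozen lines. The following is an added illustration, not code from the thread or from any bank's actual token; the algorithm (HMAC-SHA256 truncated to eight digits), the class and function names, and the shared secret are all constructed assumptions. It shows why an intercepted login code is useless for a replay, and why a transaction whose destination or amount was altered in transit (or inserted by someone else) fails the check even though the attacker saw the legitimate code:

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed test secret shared by the token and the bank. In a real deployment
# it is provisioned into the device at enrolment and never travels over the network.
DEVICE_SECRET = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def token_code(secret: bytes, *fields: str) -> str:
    """Hypothetical token algorithm: HMAC-SHA256 over the typed-in fields,
    truncated to an 8-digit code the user can read off and type back.

    Both the hand-held device and the bank's server compute this over the same
    inputs. The output reveals nothing about `secret`, so a code captured by
    spyware or a wireless sniffer cannot be turned into future codes.
    """
    message = "|".join(fields).encode()
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


@dataclass(frozen=True)
class Transaction:
    nonce: str      # issued by the bank, one per queued transaction
    dest: str       # destination account as the bank recorded it
    amount: int     # in minor units (e.g. cents)


class BankServer:
    """Server side: issues single-use challenges and checks the returned codes."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._open_logins: set[tuple[str, str]] = set()
        self._open_tx: dict[str, Transaction] = {}

    def issue_login_challenge(self) -> tuple[str, str]:
        """The two numbers shown on the login page for the user to type into the token."""
        challenge = (f"{secrets.randbelow(10**6):06d}",
                     f"{secrets.randbelow(10**6):06d}")
        self._open_logins.add(challenge)
        return challenge

    def verify_login(self, challenge: tuple[str, str], code: str) -> bool:
        if challenge not in self._open_logins:
            return False                    # never issued, or already consumed (replay)
        self._open_logins.discard(challenge)  # single use, whatever the outcome
        expected = token_code(self._secret, "login", *challenge)
        return hmac.compare_digest(code, expected)

    def submit_transaction(self, dest: str, amount: int) -> Transaction:
        """Queue a transaction as received (possibly already tampered with in transit)
        and assign the nonce the token must sign together with dest and amount."""
        tx = Transaction(secrets.token_hex(4), dest, amount)
        self._open_tx[tx.nonce] = tx
        return tx

    def authorize(self, nonce: str, code: str) -> bool:
        """Accept the queued transaction only if the code covers exactly its fields."""
        tx = self._open_tx.pop(nonce, None)   # one attempt per queued transaction
        if tx is None:
            return False
        expected = token_code(self._secret, "tx", tx.nonce, tx.dest, str(tx.amount))
        return hmac.compare_digest(code, expected)


def user_signs(nonce: str, intended_dest: str, intended_amount: int) -> str:
    """What the user types into the device: the nonce plus the transfer they intend.
    The device never sees the (possibly altered) copy sitting in the bank's queue."""
    return token_code(DEVICE_SECRET, "tx", nonce, intended_dest, str(intended_amount))


def demo() -> dict:
    """Walk through login, replay, a tampered transfer and a legitimate one."""
    bank = BankServer(DEVICE_SECRET)
    results = {}

    challenge = bank.issue_login_challenge()
    login_code = token_code(DEVICE_SECRET, "login", *challenge)
    results["login_ok"] = bank.verify_login(challenge, login_code)
    results["login_replay_rejected"] = not bank.verify_login(challenge, login_code)

    # Constructed scenario: the user intends 500.00 to SE-0001 but spyware on the PC
    # rewrites the destination before the bank records it.
    tampered = bank.submit_transaction("SE-9999", 50000)
    results["tampered_rejected"] = not bank.authorize(
        tampered.nonce, user_signs(tampered.nonce, "SE-0001", 50000))

    honest = bank.submit_transaction("SE-0001", 50000)
    results["honest_ok"] = bank.authorize(
        honest.nonce, user_signs(honest.nonce, "SE-0001", 50000))
    return results


if __name__ == "__main__":
    print(demo())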