Main » 2011 » Март » 16 » "Attack on the bankclient » view from a bank employee
11:25
"Attack on the bankclient » view from a bank employee
I am very interested in becoming a attack on the bank-client or hunting in a million due to the fact that I appear directly involved in the process of e-banking service (hereinafter - DBS) of the bank. A little later, an article appeared Who do I need?, So thoughts on this subject has accumulated a great deal and want to share with everyone (and yet I've been wanting to register, but for the right moment was not). If possible I will be brief and will not be rolling in scientific terms.


Types of client banks

Let us first separate the flies from cutlets.

There are two main areas of remote (and not only), banking (hereinafter - DBS) - A service for individuals (Internet banking (hereinafter - IB)) and entities (systems like the Internet Client-Bank (hereinafter - SDS )). In the article Attack on bank-client or hunting in a million understands the issue of service of legal persons and Article Who do I need?, Written under the influence of the first and its comments, concerns RBS systems for individuals.

What's the difference? In the volumes of production and products! Average daily turnover of the company, send payments to the bank, is about the amount of surgery is usually an individual for six months or a year. Hence we have the need to completely different systems for operations here and there.

I guess I'm not mistaken if I say that 99% of information security systems based on Java. They are required to commit a small number of operations per second ..., sorry day. The second requirement - do not blow up the brain to the client and the prospective buyer what else the bank's products in the future (well, who will give him a loan with a hole in the head!? Hence - ready-made forms of payment for various services, plain and simple interface, without the use of transaction systems encryption. All that is necessary for the client - a browser that supports SSL, Java Script and installed on a PC Java RE. As a means of protection can be used by additional factors of authentication, such as mobile phone, enter PIN-code, one-time analogues of a handwritten signature (MSA codes ).

programs such as "Client-Bank", and in our case, Internet Client-Bank (hereinafter - the CBI) in the market there a couple of dozen, I think. Some of them represents a software is installed on a PC client, part - web-clients, and for the second future, and his first dying away, as the use and support them - it terribly inconvenient, and not a quick (that I'm talking about installing the software on the site, setting, etc. etc.). If you want a month to connect the order of 100-200 clients and employees you have as much as a man (as in my case), without the web-client you can not do.

The main difference between systems of SDS from the IB - the use of encryption (required for certified FSB!). This, for example, paid CryptoPro or free and open IPRIV. On the other does not come across, I will not lie.
The second nuance - several types of payment transactions in different currencies, exchange with the bank files , communication, interaction with the accounting software, the ability to multi-level signature of documents and the interface - not for blondes.

techie banking and hacking skills, more theft

As you can see, the differences in DBS systems - the indigenous, and therefore ways of unauthorized access to customer accounts are different for each system. Briefly and clearly described in the above mentioned articles, for which the author very much.

You can access the account - it's sex business. Get money - is the goal of attackers. Let's not call to hackers and other "beautiful" words. In the Russian language for these people is simple designation - a thief and a crook. unsightly, but it's true.

So, the thief gained access to customer account. The theft of data of natural persons, he can go two ways - take advantage of these credit card for purchases at online retailers (fees) or to transfer money to another card (or account). If you buy at the store funds from the account did not immediately written off. They reserved for onward transmission to the recipient. In this state, they can hang up to 30 days if payment has not occurred and the funds are requested, they come back from a reserve in the available balance in the account (they were all this time on the account!). Therefore, here can save SMS informing, neglecting some short-sighted companions. The first thing you should call your bank and block the card. In parallel with the first step is to write a statement to the bank's disagreement with the transaction, in most systems, the IB it can be done directly at the site. If your bank understand the working, law-abiding and responsible officers (from the manual!), the transaction will cancel and money you will return.

When transferring funds to another account (card) is not all bad. The funds also go not instantly . First payment must monitor operating employee (plus or minus 15-30 minutes). More money is spent in the cash department of the Central Bank of Russia. Then from there they will come in the recipient's bank, and there probably are already waiting and standing near the ATM to immediately remove it. Master Card then stated that the card is lost, and who took advantage of her - he does not know. In this case also can save the SMS notification. Take the 50 rubles a month and let you come to these SMS-ki, that once you throw in a cold sweat, then you can relax in the evening with a cold beer.

Another way to recover the funds - to insure your card. The cost of insurance, for example, in my bank from 300 to 500 rubles a year (tax refunds - up to 30,000 rubles). All transactions via the Internet and in retail stores - it is a very simple way to get rid of headaches. In addition to returning funds to the insurance company will pay up to 2000 rubles for the restoration of documents in case they are lost. So learn in their banks about this service. Better safe than you know who cares.

This concludes the story about the system for individuals. I do not specifically consider ways to combat the theft of your information, because this detail is written on the website of each bank, the employees of the Savings Bank here this too detailed written.

After reading some comments about the banking system in our country would like to clarify some issues. Our banks are, thankfully - is not the Swiss banks (which have also not what they used to).'s banking system in Russia transparent. everyone knows everything, and all everyone can see where and how funds are going. At the request of the Interior transmitted them to all information on operations of any person or organization. platezhek destruction of the RCC too, no one does. destroy all traces of your nasty work attackers do not need, but they do not do and not do it. The system works simply theft. Funds are transferred to the card accounts of individuals, after removing their card, or "lost" or they are removed and not returned. get someone to return the money can be if it is proven guilty. If a person is innocent, it is believed that he was just "lucky" when the account has fallen manna from heaven. to prove the guilt is very difficult. Draw your own conclusions. Why do so - see below for discussion on legal persons. In any case, if a bank customer enters into a strange situation - it comes other people's money, the bank will work with the customer no longer wants. attackers for the second time on the same account the money does not translate - the face of the Interior Ministry, they will look not just as lucky. "Therefore, theft of funds in the systems of information security for individuals is not very common - a lot of hassle, but money is not enough. In my memory there was only one case where a client system suddenly for no apparent reason has requested a four-PIN-1 (for authentication IS systems are 16-digit PIN-2).

"Attack"

And now we go to our sheep, more legal entities. How can a computer become infected? Much to the dismay of fans of detective stories, no insiders are not needed. Why do with someone to share, when 90% of users, sitting at the computer, do not differ from his boots, except that the boots alone can not push the buttons? Links to other sites, letters, lack of normal anti-virus and firewall, careless administrators, are too lazy to configure at least the proxy, and in some cases, the absence of such employees in the state do their dirty work. Yes, and it is difficult to imagine how a man sitting in Ryazan, Saratov and Moscow, has insiders in dozens of organizations throughout Russia.

"All attacks on our system and customers and the system began in late 2009. During this time, in the region were recorded over 10 cases of infection, unfortunately 3 of them have been fatal - the means irretrievably lost, 2 cases - with a happy ending - funds are not written off due to an error in the payment order or have not reached the receiving bank and returned from the Roman Catholic Church of the CBR. Other cases of infection were identified in the early stages and was presented to the customers "happy" news that the computer cocoa admin - Loh.

"Where are looking at the bank?! Do they not see that my money pi ...!?» © my

The total cost of damage has not exceeded 900 000 rubles (100 300 2 X500 (one payment had to return)).
As you can see, the amounts are not astronomical. What is a hundred thousand rubles for the organization for which such payments - 90%, and the bank fees and pass 10 and 100 times greater? Such amounts banks even do not have control! Control begins with amounts exceeding 600 thousand rubles.

Therefore, the success rate of passage of such payments is much higher than that mentioned in Article 1 and 6 million. Generally, I do not understand the process of monitoring and enforcement of payment by the bank on such amount. In this case, the controller must contact the organization and not just ask on the phone, they sent them there, and to require documents confirming legal to send money. This requirement of the law against money laundering and the laundering of funds.

In our case, the Trojans sent only "master" secret key and password to login. intruder has already registered itself in the system, checking your account balance, and if he missed, filled payment order and send funds to account (not on your own!), and figureheads, who, naturally it in his eyes "not seen", but obtaining such a nice gift, the funds from the account removed. Many people here can tell me: "Well, well!" All clear! Here they are - rogues and thieves! "Catch them!" What I tell you, comrades, easy answer: "Termorektalny cryptanalysis in the internal affairs of the Russian Federation is not a legitimate means of production of evidence can not be applied because, as in the actions of citizens when dealing with them bank account of a crime is not revealed. "

That is, in principle, all clear who, where and to whom transferred the money, no it does not hide, everyone knows everything, but doing nothing can not, because when you receive money on account and withdrawing their bank the payee is not responsible. Making the citizen can only recover the amount of conscience, otherwise there is no reason for it, guilt is not proven. To prove his involvement in interrogations and entreaties - not impossible, he's no fool:) Track attacker on IP-addresses, too, is not possible - they do not work from his home and use for their dirty deeds compromised computers of unsuspecting users who have deployed virtual machine is already in it to log into the system, etc. For two years, no one anywhere in the court is not dragged, and dragged. Therefore, we proceed to the third part of our story ...

Life Saving ...

In 99.99% of RBS bank customers are given valuable guidance on how and what to do to avoid such situations ... As you know, 99.99% of clients wanted to spit on the valuable guidance of banks
A way to counteract really simple and very cheap:
  1. Work with a single location. It is advisable not to use the workplace for trips to the internet, shopping and girlfriends in sotsitsalnyh networks. Ideal - a shortcut on the desktop - it's your client bank. :) Expensive? 100,000 more expensive.
  2. Work with the same IP-address. If you configure the client-bank allow tightly bind the IP to the system to go with the other addresses were not available. Love to travel? Then go to the next item.
  3. Be sure to get an electronic ID Rutoken or eToken. Better to buy EDS Rutoken or eToken GOST. This is a private means of formation of EDS with nonremovable private key, ie for each subsequent operation formed the new EDS. With this key information to retrieve it would be impossible. The cost of a single key is the order of 1 thousand rubles.
  4. Antivirus, firewalls, security ... In general, Classics of the genre. But for non-compliance with items 1-3, it will not help you

Conclusions

I would like to most customers no longer rely on "maybe" and assume that if the money in the bank, then nothing will happen to them, and if that happens, the bank will return all. On the part of DBS Bank fully carry out their part of the contract - provide the means and methods of the customer to quickly resolve their problems and take care of his safety, advised how to behave in an Internet society. Unfortunately, many customers do not know that the responsibility for keeping keys and cleanliness drive is primarily for them, rather than the bank. The presence on the hard drive signs of infection are automatically makes client guilty (though so it really is) and the subsequent struggle for their money in court (if it comes up) will not succeed. And whether or not to condemn someone when you left the door wide open and left for work?
Views: 503 | Added by: w1zard | Rating: 0.0/0
Total comments: 0
Имя *:
Email *:
Код *: