Banks have to deal with significant ambiguity relative to security

The criminals are always one step ahead.  Banks continually come out with safety suggestions, and one is never to follow a link to a banking site but always to type in the URL.  In this example the criminals were able to defeat that advice by hacking the ISP that hosted the banks' sites and redirecting legitimate customers to a fake site, where they (the criminals) gathered the customers' usernames and passwords.

Banks Hit With New Spoofing Attacks – Yahoo! News

Thu Mar 30, 11:00 AM ET

Three Florida banks have had their Web sites compromised by hackers in an attack that security experts are calling the first of its type.

… attackers were able to hack servers run by the Internet service provider that hosted the three banks' Web sites. They then redirected traffic from the legitimate Web sites to a bogus server, designed to resemble the banking sites,

… Users were then asked to enter credit card numbers, PINs, and other types of sensitive information

This blog isn't intended to be a detailed security resource, but what I want to deal with here is the ambiguity that bankers must face in this environment.  It's become de rigueur to state that criminals "are always one step ahead" or that they are "very smart".  In truth they are quite rational, and they deliberately stay only one step ahead.  This is an important point, because it means they are managing their resources: they do only what they need to do, exploit the current opportunity, and then move on to the next one.

If we track their progress, this becomes evident.  Online banking began in 1996.  The key offer then was based on 128 bit encryption.

Phase 1 – 1996 – 128 bit encryption

  • debate about whether it could be hacked
  • brute force attacks – attempts to enter online banking using thousands, or millions, of attempts, hoping to land on a correct username/password combination
  • much debate in the security community on topics such as "man in the middle", "website spoofing" and other obscure but real security concerns
  • It's not clear (to me) who was perpetrating these attacks, but probably a mix of hackers and crime syndicates

Phase 2 – 2003 – phishing attacks

  • criminal gangs realised the potential of email.  Send emails randomly to thousands of addresses, purporting to come from big banks such as Citibank, in the hope that a legitimate Citibank customer would receive one and provide their username and password
  • the early iterations had terrible spelling and were hopelessly random in their success

Phase 3 – 2004 – targeted phishing

  • criminals became organised
  • some groups developed lists of prospects to attack
  • some groups developed the software to perform the attack
  • others developed groups of accessories: stooges who would receive the stolen money and pass it on to the criminals in cash, through outlets such as Western Union
  • trojans and keyboard loggers, attached to music and other downloads and implanted on customers' PCs.  These collect usernames and passwords and automatically send them to the bad guys

Phase 4 – 2005 – banks started to take it seriously

  • banks had considered digital certificates through the previous 9 years, but they are just not viable or practical to implement
  • however, phishing had provided enough practical examples that software companies began to develop solutions that would recognise the banks' customers, helping the bank to legitimise the users of online banking as well as to reduce fraud
  • serious education of customers: always type in the URL of the bank, never click on email links, take care when banking from the same PC that your teenage children use for downloading

Phase 5 – just beginning

  • let's call this smart crime
  • criminals have catalogued all the protections that we have provided to customers, and they will bypass them.  This goes back to the lesson of Phase 1: it's impossible to beat 128 bit encryption, so… go around it.
  • The item at the top of this story is designed precisely to defeat the safety associated with the instruction to always type in the bank's URL.  Of course this will only work with small banks, such as the small community banks in the US, because by nature of their size they must outsource their technology to an ASP (Application Service Provider).
  • It's no secret that banks are implementing two factor authentication.  That will be next on the criminals' list to beat.

So it's time to get ahead of the bad guys, centralise and coordinate amongst banks, and take these criminals on in the space they own right now, the internet.  Banks have some very smart folks, and if we get together to work with the police authorities, we can make a dent in this crime.

Relevance to Bankwatch: 

Not rocket science, but the things to watch for are the things that banks are doing.  This list is not exhaustive – just a simple list from a banker, intended to show that banks must think like the criminals to beat them.

Incidentally, we will never beat them.  Despite drawer limits, cash holding rules, and dye packs, people still rob banks for cash.  This is merely the digital equivalent, so we have to work to minimise it, and never give up.

  1. Two factor – look for criminals finding a way to gather the questions and answers used in two factor authentication.  Keyboard loggers would be one example
  2. Computer recognition software (banks recognise the customer's PC).  Expect criminals to fake that – to find a way to replicate the customer's PC identity
  3. IP recognition: Microsoft and other companies are compiling blacklists of sites and countries that have previously been the source of crime; expect the criminals to find ways to mask their IP address
  4. Tied to 3: expect criminals to use multiple computers, including yours at home, as zombie armies able to fake their identity and evade software protection solutions