How do online banking trojans work?
June 3, 2012 5:04 AM

I recently heard a few reports of people losing a lot of money because a trojan had taken over their computer and sent money through online banking to a criminal's account. I don't understand how that can happen. The online banking accounts in question don't just have password protection, they also have key-encryption with an identifier. This is a small calculator-like device. You have to type in a user-id and pincode first, and then after every transaction the online banking program gives you a number, you type that into the device, and then you get back a new number that you type into the program. With my bank you also type in the amount of money you send specifically.

So, I assumed that even if someone's computer is completely compromised, as long as the server software is secure and has no security holes, there is no way a criminal can get money from someone's account without them typing in some specific codes in that identifier device (which is of course one way those scams can work: call the people and ask them to type in some codes, but that's not what happened in these cases). So it seems to me that the bank has to be at fault with their security, even if the client also had a security problem of their own. Is my understanding incorrect? If so, can you explain to me why?
posted by davar to Computers & Internet (5 answers total)
When I make a transfer, I need to verify it by entering an SMS TAN.

If someone has control over my computer, it could *look* like I was transferring 500 pounds to my friend, but in reality I might be transferring 2500 pounds to a thief. Think of video card driver trickery.

When I get a TAN from my bank, I see the recipient's account number and the amount I am trying to transfer, as well as the TAN. I have to check that the amount and account number match what is on screen. Some people don't get this information with their TANs, and most people don't check the information. That is where the opportunity is.
posted by devnull at 5:11 AM on June 3, 2012

One method is to forward the victim's browser to a faked website. The scammer configures the website so that it will use the data the victim types in for authentication to log in to their account, then when the bank site gets to the challenge-response portion, the malicious site is able to read the challenge code from the bank's real website, provide it directly to the user and send through the response to the bank.
posted by fearnothing at 5:18 AM on June 3, 2012

There's "Cross-site Scripting".
posted by Chocolate Pickle at 7:29 AM on June 3, 2012

Thanks for your replies. I am still a bit confused, though I do understand somewhat better how this can happen if people don't pay enough attention, or perhaps with identifiers that do not require you to type in the amount of money (which I then think are a terrible idea).

Two more questions:
- Assuming I DO pay attention to the amount of money I type in the identifier, is it still possible for an attacker to withdraw more money from my account than I type in? If so, how would this work?
- I know at least one of the victims said that they didn't use online banking at all on the day that the hacker withdrew lots of money. Is that at all possible, or would that indeed imply a security breach at the bank's server? The way I understand the scenarios above, they would always imply tricking someone who thinks they're sending money to someone else.
posted by davar at 11:23 AM on June 3, 2012

Banking trojans work under the premise of a "man in the browser" hijack. What this means is that the data that you view and the keystrokes that you enter are compromised and able to be manipulated prior to encryption. Some banking trojans are sophisticated enough to provide you with a view of your account that hides the fraudulent transactions that occur (granted, only if you're checking your account from the compromised PC and not on other devices).

In your case mentioned above, think of the hijack as living in the browser, anticipating the security of the bank for which it was designed. Anything that you type can be manipulated in the background, and any session you create can be kept open by the trojan after you close the browser or assume that you've "signed out." In other words, when there's human interaction, there are opportunities for scripted hijacks.
posted by samsara at 7:23 AM on June 4, 2012
