Limbo Dancing in the House of Lords

The UK's House of Lords is calling on the government to make banks legally responsible for losses incurred by customers through electronic fraud (https://www.finextra.com/fullstory.asp?id=18699). That's because today's banking code leaves responsibility on consumers.

In practice the banks do not typically use the code to that effect, and refund fraudulent transactions that manage to get past their ever-improving defence network. The day a major bank tells its online customers it won't offer them a guarantee against fraud is the day people will start abandoning the online banking channel, preferring the good old phone and branch venues. Online banking will go down the drain.

But even though the practice is different, the current banking code still puts the responsibility on the user's shoulders. To my mind, it's tasking the consumer with an impossible mission.

I'll give you an analogy. Suppose the National Health Service Code said that people should take steps to protect themselves against contagious diseases, and if they happen to catch a virus, then it's their responsibility. They weren't careful enough, so they have to pay the bill.

It sounds mad, right? But that's exactly like expecting the average consumer to protect himself from malicious Trojan viruses and other malware.   

That's because today, almost everyone can be infected, and worse – they won't even realise that until their bank account is emptied.

I promised to dedicate a future blog post to infection points. Take my word for it: even if you have the latest anti-virus and firewall, you may still get infected, and not just in Internet cafés but in the safety of your home. Trojans are built these days to escape AV detection, very much like stealth planes.

So let's just assume you got infected despite having the latest firewall and AV protection. Would you be able to spot the malicious Trojan?

I'm willing to bet that 95% of people won’t. And to strengthen this claim, I'd like you to meet Limbo.  

Limbo sells for $350 in select fraud forums. It's been around for a couple of years, and by now has been outperformed by even nastier, more popular malware. But even Limbo will fool everyone infected with it into thinking it does not exist.

As soon as your computer is infected by Limbo, it starts tracing your web activities and when you enter an online banking site, it silently rubs its tiny hands and gets to work.  

Limbo lives in your browser. To be more exact, it's in the twilight zone between the display layer that is presented to you, and the communication layer that gets the information from your bank.

This allows Limbo to ride the browser's SSL session, so when you look at the URL, you'll see your regular bank website address. No funny URL, misspelling or anything else that could raise suspicion.

Press the yellow lock on your browser, and you'll see the bank's certificate. Use the latest anti-fraud features of your browser, and it will show calming green.

That's because it's really the session you have with the bank.  

But whatever the bank sends to your browser is now intercepted by Limbo, and when the page is presented to you, it looks different. This HTML injection technique allows Limbo to present whatever devious social engineering its controller wants you to see.

So if you log in with a user name and password, Limbo can just leave that on screen, grab the information and send it to the Trojan operator. It can also add some other innocent-looking fields, like your ATM card number and PIN code, that will now look like part of the official login process.

These may raise some suspicion, but here's the thing with social engineering: once you're convinced you are communicating with the bank, you'll do anything the bank asks of you in order to authenticate. And Limbo never for a moment gives you any hint that you're talking to a Man in the Middle rather than directly with your bank.

If you have a more sophisticated login process, such as a one-time access code, Limbo can accommodate that as well by making the appropriate changes on screen. Theoretically it can defeat even transaction signing (but this requires generating a transaction to a mule account in real time, which is difficult from an operational perspective).
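One defensive check that follows from the HTML-injection behaviour described above, as an added example (not code from the original post or from any product): the bank compares the login form fields the browser actually rendered with the fields it served. The page-side reporting script, the field names and the sample forms are assumptions.

```javascript
// Added example, not code from the original post or from any vendor: a
// server-side "page integrity" check against man-in-the-browser HTML injection.
// Assumption: a small script on the bank's login page serialises the <form> as the
// browser actually rendered it and posts that HTML back; the bank then compares the
// input fields it sees with the fields it originally served.

const EXPECTED_LOGIN_FIELDS = new Set(["csrf_token", "username", "password"]);

// Pull the name attribute of every <input> in an HTML fragment (regex is enough
// for a form the bank itself authored; it is not a general HTML parser).
function extractInputNames(html) {
  const names = [];
  const inputRe = /<input\b[^>]*>/gi;
  const nameRe = /(?:^|\s)name\s*=\s*["']?([^"'\s>]+)/i;
  let tag;
  while ((tag = inputRe.exec(html)) !== null) {
    const m = nameRe.exec(tag[0]);
    if (m) names.push(m[1].toLowerCase());
  }
  return names;
}

// Compare rendered fields with served fields. Anything extra is injected content
// (the "ATM card number and PIN" trick); anything missing means the form was rewritten.
function checkFormIntegrity(renderedHtml, expected = EXPECTED_LOGIN_FIELDS) {
  const observed = extractInputNames(renderedHtml);
  const injected = observed.filter((n) => !expected.has(n));
  const missing = [...expected].filter((n) => !observed.includes(n));
  return { injected, missing, tampered: injected.length + missing.length > 0 };
}

// Constructed sample: the login form exactly as the bank served it ...
const SERVED_FORM = `<form id="login" method="post" action="/login">
  <input type="hidden" name="csrf_token" value="constructed-token">
  <label>User name <input type="text" name="username"></label>
  <label>Password <input type="password" name="password"></label>
  <button type="submit">Log in</button>
</form>`;

// ... and as a Limbo-style Trojan rendered it, with two extra "official-looking" fields.
const INJECTED_FORM = SERVED_FORM.replace(
  "<button",
  `<label>ATM card number <input type="text" name="atm_card"></label>
  <label>PIN <input type="password" name="pin"></label>
  <button`
);

console.log(checkFormIntegrity(SERVED_FORM));   // { injected: [], missing: [], tampered: false }
console.log(checkFormIntegrity(INJECTED_FORM)); // injected: [ 'atm_card', 'pin' ], tampered: true
```

A Trojan sitting between the network and display layers can strip or rewrite the reporting script as well, so a clean result is one signal among others, while a tampered result is a strong alarm worth acting on.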

Trojans such as Limbo also have other fascinating features. My favourite is deleting all your cookies. That's to make sure that whenever you enter a site, say your free email account or your Facebook, you'll need to re-enter the password, which Limbo will dutifully send to its remote master. Other features include shutting down your firewall (oops!), leaving your computer open to other useful thingies.

The bottom line is this. The average user cannot be educated to keep up with the moving target called online fraud. Even if they could, today's malware makes sure they won't suspect a thing, and they may be infected even with the latest endpoint protection.

Which means the House of Lords is absolutely right in saying that users cannot be responsible for protecting themselves. Not anymore.  

Comments: (1)

A Finextra member, 15 July 2008, 05:32

There have been and still are some glaring flaws in the system, which really mean that the only reason someone hasn't yet stolen your money is that they just haven't bothered to get around to you yet.

It seems to me that it is impossible for even the most expert customer to guarantee they will be safe, certainly not when they're transacting on the internet.

So what can we do about it?

Of course everyone knows my plans, I'll happily underwrite all losses and protect all your transactions on the net and in-store for half of the present losses. No biometrics, no infrastructure, and you can still use your cards if you want, it'll just cost you a little more, or ditch them altogether and pay lower fees.

Uri Rivner, Chief Cyber Officer, BioCatch. Member since 14 Apr 2008. Location: Tel Aviv.

This post is from a series of posts in the group: Transaction Fraud Systems and Analysis