The following scenario is unlikely with my regular banking account:
A ransomware victim accidentally transfers 10 million dollars in Bitcoin to my account and the next day the ransomware actors show up armed and dangerous to my house demanding that I transfer it to their bank account
So my understanding is that ultimately the bank is responsible for any loss on my end as a result of someone breaking into my bank account, therefore I don't really care if my banks don't follow best security practices.
I guess it's probably more complicated than that, so perhaps someone more knowledgeable can expand on what I can expect to happen if someone steals money from my bank accounts because of one of the vulnerabilities in the article?
Quick question: What would an attacker gain from getting into your bank account?
From mine (french big bank), they could be annoying (asking the bank to close accounts, ordering new checkbooks, getting all kind of information on past transactions, wire money between my accounts), but I can't see how one would effectively leverage that.
I mean, an attacker goal would be to draw money in some way; all money wirings to external bank accounts are protected by a code (SMS or in-app verification), with a 24h delay between the time one enters a destination account and the actual wiring.
Is that any different with other banks? Is an attacker able to effectively draw money as soon as they get access to the account?
What about your passwords to your real-life bank accounts?
Your bank has ways to make that more secure. If someone logs into your account from a strange IP (e.g. different country from the bank and customer), if someone tries to transfer money online, you might need to enter another password (which they might not have), or it might be based on a fob that generates a code. If you do manage to transfer money to your account, they can now follow the money to find out where you are and arrest you.
BitCoin stealing doesn't have any of these drawbacks, so is probably a much more tempting target.
> usually takes a few seconds to arrive in the destination account
This also means that whoever takes over your account, can send the money out and cash it in very fast.
This of course would never happen to me or you, but happened to a relative of mine who got a call from "their bank security" and then were directed to install a "security check app" (remote control tool), and change their password in the banking app. The thieves then got off with money that they transferred out in a matter of seconds, with no recourse.
One bank that I'm not going to identify is particularly scary. Predictable account number (sequential, I think) + 4 digit PIN. Even if they lock individual accounts after X retries, nothing prevents a well-distributed botnet from gaining access to an account (on average) every 10,000 attempts.
Do banks get hacked very often? They seem to have their security in order. Probably because they would have to reimburse their customers if something went wrong.
All of those analytics would already have the ability to run in the bank's origin and steal my money. What threat model are you operating under where malicious code running on your bank's website is trying to do something other than steal all of your money (which they're already able to do if they're executing on the bank's origin)?
Imagine if they wanted to use this for a terrorist attack, or sold the data to someone who did.
If they set up a bot net to log into as many bank accounts as possible and transfer money around (even if it were just between a users own accounts or accounts already setup for transfer), banks would basically be forced to shutdown internet banking until they could come up with a solution. The economic losses would be tremendous--it would take forever to sort out the mess.
And if they get hacked and my password is abused to steal money from my account, will my bank cover the liability? I doubt it - I gave my password away. I assume it's like a stolen ATM PIN, I eat the loss. No thanks.
Many US bank websites have so few features I'm not even sure what hacking mine could get someone. They can transfer from my checking to my savings account?
I remember a presentation by the head of security of an Internet-only bank years ago, about banking malware.
The latest malware was a man-in-the-browser style one: it intercepted your input and changed what you saw on-screen. This was used to defeat extra authentication: the malware inserted a (fake) deposit (something like "yearly subscription mr. X" for $2134.56) into your on-screen total and phoned home. The victim was then called by a mr. X who claimed to have accidentally swapped two digits in a transfer, and that the bank had said they can't fix it because the target account was a valid account. All they could do was exceptionally give out the phone number of the receiving side. Would you be so kind to rectify the situation?
Since mr. X had all the details correct (amount, statement on transaction), the victim would initiate and authenticate a transfer. No way for the bank to detect, as this wouls be a genuine transfer order by the account owner.
To be clear: the attack requires a victim whose browser is hacked and an associated phone number. That seemed like a tall order to me, but apparently not tall enough to stop this attack from being integrated into multi-banking malware.
In short: read-only access is good, but not sufficient to prevent all attacks.
My bank phoned me last summer. I'd authenticated with my usual two factors but a new browser fingerprint, then transferred a large sum to a new recipient. The bank blocked the transfers I did thay day, then phoned me to check whether I'd been phished, suffered a keylogger attack or something.
A ransomware victim accidentally transfers 10 million dollars in Bitcoin to my account and the next day the ransomware actors show up armed and dangerous to my house demanding that I transfer it to their bank account
reply