P.S. By banking trojans, I meant trojans injecting additional payment information into your bank transfers - e.g. you make 5 payments, but the trojan also makes a sixth one, and the browser, with the help of the trojan, still displays only 5 of them. You press accept - and you're done. Correct me if I'm wrong, but I somehow remember that Torpig was one of the bad things doing such tricks - as I already said, forget about RSA or one-time passwords in these cases :)))

Still, there are very successful strategies used by banks to fight this - mostly based on social analysis of your behaviour, but that's another story.

Regards,
vik

-----Original Message-----
From: Viktor Larionov
Sent: Thursday, December 11, 2008 3:36 PM
To: Martin Salfer; full-disclosure@lists.grok.org.uk
Subject: RE: [Full-disclosure] 21 Million German bank accounts stolen - but accounts are still more secure than many other ones

Dear Martin of good old Germany,

You are absolutely correct on the poor security and other things... but you actually should keep in mind that US internet banking, as far as I am concerned, by the amount and complexity of operations is way behind Germany and Europe in general. For example, US residents, correct me if I'm wrong, it's not every bank in the US where you can make a wire transfer or apply for a mortgage all online.

That's one side of the coin - the other side of it is banking trojans like Torpig and Apophis - keeping these trojans' techniques in mind, there's actually no smart card, one-time password or RSA to help you. And if you have a list of Deutsche Bank clients, modifying Torpig a bit for Deutsche Bank and blasting this thing out to the clients is a good starting point - at least from my point of view. And I'm not even talking about personal privacy etc. aspects. There's surely more than one way to use this data.

Kindest regards,
vik from poor young Estonia :)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martin Salfer
Sent: Wednesday, December 10, 2008 8:35 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] 21 Million German bank accounts stolen - but accounts are still more secure than many other ones

Hello,

English readers might wonder why Germans usually don't use cheques: because they're too expensive and insecure. Everybody prefers electronic money transfers ("Überweisung") as those are free and well protected. And direct debits or PADs ("Lastschrift") can even be rolled back up to 6 weeks after withdrawal. So usually, people simply exchange account numbers and directly transfer money.

Even if someone successfully sniffs German account credentials, e.g. ID + passwords, they would still be unable to steal any money, as every single transfer must be confirmed with a one-time password! Those are mostly handed out to the account holder in person. This of course varies from bank to bank. But I don't know any German bank that doesn't demand at least one-time password confirmation.

Major banks already offer RSA smart cards, which can be used with the nationwide online banking standard HBCI or FinTS: http://en.wikipedia.org/wiki/FinTS

I'm still shocked about the poor security of North American banks, where one successful phishing email is enough to control and empty entire bank accounts.

Greetings from good old Germany,
Martin Salfer

Jost Krieger wrote:
>> http://it.slashdot.org/it/08/12/09/0125201.shtml

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
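The sixth-transfer injection described in the P.S. at the top of the thread, as an added illustration that is not part of any message above: a one-time code that only proves the customer typed it accepts the injected batch, while a confirmation bound to the transfer list the customer actually saw rejects it. This goes beyond the thread by showing the bound variant; the HMAC tag is an assumed stand-in for a transaction-signing scheme, not any real bank's protocol, and the transfers, key and code are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed sample data: the five transfers the customer filled in and saw on
# screen, plus a sixth one a man-in-the-browser trojan appends to the batch sent
# to the bank while hiding it from the displayed list.
CUSTOMER_TRANSFERS = [
    {"to": "DE00 SAMPLE 0000 0001", "amount": "120.00", "ref": "rent"},
    {"to": "DE00 SAMPLE 0000 0002", "amount": "45.50", "ref": "electricity"},
    {"to": "DE00 SAMPLE 0000 0003", "amount": "19.99", "ref": "phone"},
    {"to": "DE00 SAMPLE 0000 0004", "amount": "300.00", "ref": "insurance"},
    {"to": "DE00 SAMPLE 0000 0005", "amount": "60.00", "ref": "gym"},
]
INJECTED = {"to": "DE00 SAMPLE 0000 9999", "amount": "2500.00", "ref": "invoice"}
SUBMITTED_BATCH = CUSTOMER_TRANSFERS + [INJECTED]

# Constructed shared secret between the customer's signing device and the bank.
DEVICE_KEY = b"constructed-sample-device-key"


def session_otp_check(otp_entered, otp_expected):
    # A code that only confirms the session: the bank learns the right code was
    # typed, but nothing ties it to the batch content, so the injected transfer
    # is accepted together with the five genuine ones.
    return hmac.compare_digest(otp_entered, otp_expected)

def canonical(transfers):
    # Canonical encoding so device and bank hash exactly the same bytes.
    return json.dumps(transfers, sort_keys=True, separators=(",", ":")).encode()

def transaction_tag(transfers, key):
    # Tag over the transfer list the customer actually saw. Stand-in (assumption)
    # for a transaction-signing token; any confirmation that covers payee and
    # amount behaves the same way here.
    return hmac.new(key, canonical(transfers), hashlib.sha256).hexdigest()

def bound_check(submitted, tag, key):
    # Bank side: recompute the tag over what was actually submitted.
    return hmac.compare_digest(tag, transaction_tag(submitted, key))

def demo():
    # Returns (session OTP accepts the injected batch, bound tag accepts it).
    otp = "482913"  # constructed sample code displayed by a token
    session_result = session_otp_check(otp, otp)
    # The device signs the five displayed transfers; the bank receives six, so
    # the recomputed tag differs and the batch is rejected.
    tag = transaction_tag(CUSTOMER_TRANSFERS, DEVICE_KEY)
    bound_result = bound_check(SUBMITTED_BATCH, tag, DEVICE_KEY)
    return session_result, bound_result
```

The bound check only helps if the device that computes the tag shows the customer the payee and amount it is signing; a tag computed inside the same compromised browser would cover the trojan's list.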