You see, Oliver...
[sung] In this life, one thing counts
In the bank, large amounts
I'm afraid these don't grow on trees,
You've got to pick-a-pocket or two.

You've Got To Pick-a-Pocket or Two lyrics, from Oliver!

Does this ABC News story on criminals looting 401K and online trading accounts of tens of millions of dollars surprise anyone in the security field? Well, of course it shouldn’t. We have known about the potential for this type of criminal activity for over 8 years.

We are performing computing that requires high assurance, such as managing an online trading account, on a low assurance terminal, the home computer. The network layer of these transactions is using high security crypto in the form of SSL. The financial institution very likely has excellent security on the servers that run their account management software. But what about the customer? Who is making sure his or her machine is up to the task of being part of a high assurance transaction? The answer is nobody. Attackers will always go for the weak link and that weak link is, by far, the end user’s computer.

I gave a presentation at the Digital Commerce Society of Boston on April 6th, 1999. It was titled, “Client Security: You've got armored trucks, but what about the pick pockets?” Here is the presentation abstract from the announcement:

Everyone in ecommerce these days is peddling better vaults for stores and stronger armored cars to deliver payments and merchandise. Does this really matter in an Internet world where you can pick the pocket of a consumer? Or more likely, to automate the pocket picking of a large number of consumers.

Current authentication and purchasing systems rely on consumers using off the shelf operating systems such as Windows 95/98. This is the operating system which Microsoft has admitted to having no security model. Current ecommerce client security is layering strong encryption on this bed of jello.

What are some of the attacks that are being used? What technology can be used to overcome this problem?

In June 1999 I was interviewed on Dateline NBC by Lea Thompson. The story was about how banks were moving into the world of online banking without considering the risks of the customer’s home computer. It’s as if the banks were only setting up their branches in high crime neighborhoods, knowing there were dozens of skilled pick pockets waiting outside the door, and doing nothing to protect customers.

Catherine Allen, the CEO of BITS, a consortium of 100 of the largest financial institutions, was on the program defending financial organizations and stating that online banking was secure.

The final participants in the show were two young men in a dark room in San Francisco who agreed to demonstrate how a Trojan keystroke logger worked. The correspondent, Lea Thompson, sat at her home computer. The only information the young men knew was her email address. They sent her an email with a Trojan animated greeting card attached. It contained a keystroke logger. She opened the attachment. She then proceeded to log into her online checking account. Then she logged out. The young men in San Francisco retrieved her password from the keystroke log and proceeded to log in and check her balance. They decided not to transfer any money because it might be considered wire fraud.

It was clear to any viewer of this Dateline NBC show 8 years ago that this was a problem. So where have we gotten in the intervening 8 years? Online crime has grown dramatically and most of the attacks are taking place on the customer’s home computer, a threat that was clearly demonstrated to banks and customers on national television.

Symantec’s latest Internet Security Threat Report has the sobering statistics showing that the “pick pocket” risk to online banking is getting worse.

    • Home users were the most highly targeted sector, accounting for 93 percent of all targeted attacks.
    • Eighty-six percent of the credit and debit cards advertised for sale on underground economy servers known to Symantec were issued by banks in the United States.
    • The volume of Trojans in the top 50 malicious code samples reported to Symantec increased from 23 percent to 45 percent.
    • Trojans accounted for 60 percent of the top 50 malicious code samples when measured by potential infections.
    • Keystroke logging threats made up 79 percent of confidential information threats by volume of reports, up from 57 percent in the first half of the year and 66 percent in the second half of 2005.
    • Seventy-eight percent of malicious code that propagated did so over SMTP, making it the most commonly used propagation mechanism.

So it is clear that the combination of user behavior, home computer security, email, and online banking leads to massive amounts of online theft.

Back in 1999, at my talk at the Digital Commerce Society of Boston, I recommended that banks require authentication tokens for accounts with more than $2000. A token doesn’t completely solve all of these problems, but it can at least cut down on one of the biggest, which is keystroke logging of passwords. This recommendation was dismissed as too expensive at the time. I also recommended building software more securely, which is starting to become an accepted practice, but it needs to become a requirement.
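Why a token blunts a keystroke log, as an added example that is not part of the original post: the server below checks a counter-based one-time code in addition to the password, so a session captured by a keystroke logger cannot be replayed. The post does not name a token algorithm; HOTP (RFC 4226) is assumed here, and the `Account` class, password and secret are constructed for illustration.

```python
import hashlib
import hmac
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Account:
    """Hypothetical server-side record holding both login factors."""

    def __init__(self, password: str, token_secret: bytes, window: int = 3):
        self.password = password      # plain text only to keep the example short
        self.token_secret = token_secret
        self.counter = 0              # next token counter value the server accepts
        self.window = window          # look-ahead for codes generated but never sent

    def login_password_only(self, password: str) -> bool:
        return hmac.compare_digest(password.encode(), self.password.encode())

    def login_with_token(self, password: str, code: str) -> bool:
        if not self.login_password_only(password):
            return False
        for c in range(self.counter, self.counter + self.window + 1):
            if hmac.compare_digest(hotp(self.token_secret, c).encode(), code.encode()):
                self.counter = c + 1  # burn this code and every earlier one
                return True
        return False

def replay_demo() -> dict:
    secret = b"12345678901234567890"  # RFC 4226 test secret, not a real key
    acct = Account("hunter2", secret)
    # Constructed keystroke log: everything the customer typed in one session.
    logged_password, logged_code = "hunter2", hotp(secret, 0)
    return {
        "customer_login": acct.login_with_token(logged_password, logged_code),
        "replayed_password_only": acct.login_password_only(logged_password),
        "replayed_password_and_code": acct.login_with_token(logged_password, logged_code),
        "customer_next_login": acct.login_with_token("hunter2", hotp(secret, 1)),
    }

if __name__ == "__main__":
    for step, ok in replay_demo().items():
        print(f"{step}: {'accepted' if ok else 'rejected'}")
```

The logged password still passes a password-only check, so the protection exists only where the server requires the code on every login.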

What did we mainly do over the last 8 years? We upgraded operating systems and browsers. We added anti-virus, personal firewalls, and anti-phishing protection. We learned not to open certain attachments. Yet the problem got worse.

It is going to take a dramatic change in what we think of as secure authentication and a dramatic change in how we build software to turn this around. If we don’t do these things, I fear that in 2015 either we will be looking at cybercrime rates that have gone through the roof or people will have stopped trusting the Internet to manage financial accounts.

About Chris Wysopal

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Comments (2)

Pete | March 21, 2007 6:29 pm

What is interesting to me is why these folks (in the ABC News email transcript) would sell accounts but not exploit them themselves... like it's okay to make some money, but not a lot of money. Any thoughts?


cwysopal | March 22, 2007 10:13 am

I think this is just standard behavior in a criminal enterprise - specialization and separation of duties. In the illegal drug business you have manufacturers, mules, wholesalers, street level dealers. Some operations are completely vertically integrated but most aren't.

There are people who are very good at stealing information but don't know how to launder money. There are people who are very good at laundering money but can't steal the information. Perhaps over time, some of these operations will become more vertically integrated but specialized operators will likely persist.

