
Banks and Security - Locking accounts for prevention?


26 replies to this topic

#1 Aura
  • Bleepin' Special Ops
  • Malware Response Team
  • 19,662 posts
  • Gender:Male

Posted 22 January 2015 - 09:51 AM

Alright so,

I just had a call where someone couldn't access his bank account because it said that the account was locked for prevention, since the computer from which the person was connecting was infected with malware. Naturally, that person called us (technical support) and asked us if we could help him. So I took the call and asked that person to explain the situation to me. He said that he called the bank, and they said that nothing could be done about it and he had to scan his computer to remove the malware present on it, before going into a store and getting his card changed (and just for the record, he called the right number for the bank, it wasn't a fake one). Honestly, I thought this was phishy. Why would the bank lock the account? How did they know that the computer from which the connection was made was indeed infected? So I called the bank support myself to clarify this situation. The lady I spoke to told me that there was no proof that the system was indeed infected, despite keeping on saying that their Security Department tagged the computer as infected and locked the account by prevention. And to get the account "unlocked", the customer had to call them back and tell them that a tech verified the system, scanned for malware, etc. and found nothing; then they would trust the customer and unlock the account. This is the 3rd call in 2 days that we have received for this. Every person that called uses the same bank and is on the same network. Therefore, pretty much anyone who connects to that bank website will get their account locked and we'll have to scan every single computer, one by one, to make sure that they are all clean.

I understand that they are doing this by "prevention", but they have no actual proof that the system from which the connection is made IS infected, yet they try to make the person using that computer believe that and they scare him. What's the point?

Edit: Just learned that this bank was "compromised" a few days ago, and this is why they are tightening their security.

Edited by Aura., 22 January 2015 - 09:57 AM.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.



#2 Al1000
  • Global Moderator
  • 7,716 posts
  • Gender:Male
  • Location:Scotland

Posted 22 January 2015 - 01:27 PM

How did they know that the computer from which the connection was from was indeed infected?

I got a call not so long ago from my bank, telling me that they had detected "unusual activity" on my computer, and that they had locked internet access to the account until I reset my password. They also said that I should do a "full virus and malware scan" on "all devices" I use for internet banking before resetting my password.

I think that was my fault for running netstat (on Linux) while I was logged onto my bank account, which I suspect might have been recognised as "unusual" software asking the bank's server for its IP address. I tried explaining this to the manager that contacted me, who is one of only three staff in my local branch, but he was just passing on the message and didn't have a clue what I was talking about.

Edited by Al1000, 22 January 2015 - 01:28 PM.


#3 Aura
  • Bleepin' Special Ops
  • Topic Starter
  • Malware Response Team
  • 19,662 posts
  • Gender:Male

Posted 23 January 2015 - 08:10 AM

That looks like the most logical explanation to be honest, that they go by IP addresses. The thing is that I'm on a corporate network, and so are the two employees whose accounts got locked. We have over 500 computers here for employees, not even counting thin clients, servers, etc. We don't have a public IP address for every computer and laptop that we have. So I guess that they noticed that one IP address was accessing many bank accounts and they decided to lock them by prevention. Another explanation is that the people who use a laptop (like one of the employees that had his account locked) have access to a VPN client to connect to our network. So if he connected to the website without the VPN, then reconnected quickly after hopping on the VPN, I guess this could have triggered the lock too. The bank cannot tell if the computer from which the connection is made is indeed infected. If 50 computers use the same IP address, we won't do a malware check-up on 50 computers because one "might" (and even then) be infected; it doesn't make sense. If we receive another call for that, I guess we'll just tell the employees to stop using their work computer to connect to their account on that bank website, since they'll get themselves locked out and there's nothing we can do about it.

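The shared-IP theory in the post above (many accounts seen behind one corporate NAT address) is exactly the kind of heuristic that misfires on a large office. The following added example is not from the original thread or from any bank; it shows, over a few constructed log lines, how a "distinct accounts per source IP in a time window" rule fires on a NAT egress address and how an allowlist of known corporate egress addresses (an assumption here, labelled `known_nat`) keeps that one address from tripping the rule. The addresses, account ids and timestamps are all made up.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log lines: "<ISO timestamp> <source IP> <account id>".
# 203.0.113.10 stands in for a corporate NAT egress address (many users behind it);
# 198.51.100.7 stands in for a single home connection. All values are invented.
SAMPLE_LOG = """\
2015-01-22T08:01:10 203.0.113.10 acct-1001
2015-01-22T08:03:42 203.0.113.10 acct-1002
2015-01-22T08:05:07 198.51.100.7 acct-2001
2015-01-22T08:09:55 203.0.113.10 acct-1003
2015-01-22T08:14:30 203.0.113.10 acct-1004
2015-01-22T08:20:01 198.51.100.7 acct-2001
2015-01-22T08:31:12 203.0.113.10 acct-1005
2015-01-22T09:47:00 203.0.113.10 acct-1006
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, acct = line.split()
        events.append((datetime.fromisoformat(ts), ip, acct))
    return events


def accounts_per_ip(events, window, threshold, known_nat=frozenset()):
    """Return {ip: set_of_accounts} for every source IP that was seen logging in to
    more than `threshold` distinct accounts inside any sliding `window`.

    `known_nat` is a hypothetical allowlist of addresses known to be shared
    corporate egress points; those are skipped instead of being flagged.
    """
    by_ip = defaultdict(list)
    for ts, ip, acct in sorted(events):
        by_ip[ip].append((ts, acct))

    flagged = {}
    for ip, rows in by_ip.items():
        if ip in known_nat:
            continue
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the span fits inside `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            distinct = {acct for _, acct in rows[start:end + 1]}
            if len(distinct) > threshold:
                # Record the first window that exceeded the threshold and move on.
                flagged[ip] = distinct
                break
    return flagged


def run_demo():
    events = parse_log(SAMPLE_LOG)
    naive = accounts_per_ip(events, timedelta(minutes=30), threshold=3)
    with_allowlist = accounts_per_ip(
        events, timedelta(minutes=30), threshold=3, known_nat={"203.0.113.10"}
    )
    return naive, with_allowlist


if __name__ == "__main__":
    naive, with_allowlist = run_demo()
    print("without allowlist:", {ip: sorted(a) for ip, a in naive.items()})
    print("with allowlist:   ", with_allowlist)
```

With a 30-minute window and a threshold of three accounts, the NAT address is flagged after its fourth distinct account while the home address, which only ever touches one account, is not; the same rule with the NAT address allowlisted flags nothing. The point for a defender is that a per-IP rule alone cannot distinguish "one infected machine cycling through victims" from "five hundred employees behind one address", so it needs a second signal (device or session fingerprint, the customer's usual address history) or an allowlist before it is used to lock anything.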


#4 Aura
  • Bleepin' Special Ops
  • Topic Starter
  • Malware Response Team
  • 19,662 posts
  • Gender:Male

Posted 23 January 2015 - 09:19 AM

The first employee got called back by the bank, who said that they detected ZeuS on his system, hence why the account got locked for prevention. After a bit of research, I saw that a variant of ZeuS was detected this summer, targeting Canadian banks. I'm from Québec, Canada, so it's really possible that he's infected with this new ZeuS variant dubbed ZeuS.Maple.

http://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/

I took the call and will proceed to check his system for any traces of a ZeuS malware, or any other malware.



#5 1PW
  • Members
  • 316 posts
  • Gender:Male
  • Location:North of the 38th parallel.

Posted 23 January 2015 - 05:03 PM

Hello Aura:
 
Since you are likely more than well qualified to select/use the appropriate Anti-Malware to mitigate and prevent the Zeus/Zbot Trojan you may have found, I'll instead point you to a possible future solution for your client's personal banking needs.
 
Most folks know about LiveCDs / bootable USB thumb drives that can easily be made holding a minimal Linux OS bootable with most Intel-based PCs and Macs.
 
I am beginning to recommend Lightweight Portable Security (LPS) to family and friends. Among the few dozen available, their particular emphasis is on security and staying current.

 

HTH :)


Edited by 1PW, 23 January 2015 - 05:13 PM.

All viruses are malware but not all malware are viruses and if the malware doesn't self replicate it just isn't a virus.


#6 Aura
  • Bleepin' Special Ops
  • Topic Starter
  • Malware Response Team
  • 19,662 posts
  • Gender:Male

Posted 23 January 2015 - 05:10 PM

Well, I would recommend that they do that for their personal computers, but they have no permission to do that on our corporate computers; they are at work after all :P Also, looks like my instincts were right. ZeuS.Maple was indeed present on the system, using the same naming and dropping pattern described in the article below. I fully removed it, and now I'm waiting for the employee to contact his bank to get his account unlocked so he can try to log in, and see if the website will still detect an infection on the system.



#7 Didier Stevens
  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 23 January 2015 - 07:15 PM

Instruct the employee to change his passwords from a machine that is not infected. Because Zeus could have stolen his credentials.

Edited by Didier Stevens, 23 January 2015 - 07:16 PM.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#8 technonymous
  • Members
  • 2,490 posts
  • Gender:Male

Posted 23 January 2015 - 08:31 PM

If this is happening all the time, then you can see why the bank believes your system is compromised. It's possible the computer system IS compromised and needs to be checked by a certified tech that can verify it's clean. However, the system may not be infected. There may also be someone out there who just knows the login account name and not the password. This is why both the account NAME and PASSWORD need to be changed after the system has been checked. The login account name is half the authentication process. If this still happens then I would be contacting the bank and asking them when was the last time they had a security audit. It's possible they have a security breach via website/cert or server/employee.


Edited by technonymous, 23 January 2015 - 08:31 PM.


#9 Aura
  • Bleepin' Special Ops
  • Topic Starter
  • Malware Response Team
  • 19,662 posts
  • Gender:Male

Posted 23 January 2015 - 09:46 PM

Instruct the employee to change his passwords from a machine that is not infected. Because Zeus could have stolen his credentials.

 

We forced him to change every password he has, both personal and corporate (we forced the change on AD).

 

If this is happening all the time, then you can see why the bank believes your system is compromised. It's possible the computer system IS compromised and needs to be checked by a certified tech that can verify it's clean. However, the system may not be infected. There may also be someone out there who just knows the login account name and not the password. This is why both the account NAME and PASSWORD need to be changed after the system has been checked. The login account name is half the authentication process. If this still happens then I would be contacting the bank and asking them when was the last time they had a security audit. It's possible they have a security breach via website/cert or server/employee.

 

They lock it by prevention; not every system is compromised. The employee will have to contact the bank, it's his business (his bank account), not ours. If it was a bank account an employee was working on and that account belonged to the company, then it would be something else.




#10 Didier Stevens
  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 24 January 2015 - 04:36 AM

I do not recommend changing the username. This can cause many unwanted side-effects.




#11 technonymous
  • Members
  • 2,490 posts
  • Gender:Male

Posted 22 February 2015 - 01:39 PM

I do not recommend changing the username. This can cause many unwanted side-effects.

Yes, that is true. However, let's say your username=Stevens Password=@*(@EF#(HFD*&#  The hacker doesn't know your password but does know your login username. So he attempts to log in 3 times. Oops, too many login attempts, the server locked your account. So you call the bank and reset your password. 1 hour later the hacker attempts to log in again. Oops, you're locked out of your account again. This happens over and over. The hacker isn't just randomly generating passwords; he may know other info, DOB, SSI, ADDRESSES, E-mail, and attempt to use that info. Many people do use DOB, SSI etc. as a password. So with that said, if your Username=Stevens and Password=DOB#, eventually the hacker will get a hit. Like I said, usernames are half the authentication process. If you changed your username=#@*(&9;dk&$(&*#@^ and Password=FI(J#*(#RJFH{}{F9fjd the possibility of getting hacked is ZERO. So when the hacker knows your Username, the server is verifying the password is correct/wrong. Take e-mails as an example. Many e-mails are the Username! They are relying on the server's 3 hit/miss policy to protect your account. That is not 100% protection.



#12 Didier Stevens
  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 22 February 2015 - 02:51 PM

 

I do not recommend changing the username. This can cause many unwanted side-effects.

Yes, that is true. However, let's say your username=Stevens Password=@*(@EF#(HFD*&#  The hacker doesn't know your password but does know your login username. So he attempts to log in 3 times. Oops, too many login attempts, the server locked your account. So you call the bank and reset your password. 1 hour later the hacker attempts to log in again. Oops, you're locked out of your account again. This happens over and over. The hacker isn't just randomly generating passwords; he may know other info, DOB, SSI, ADDRESSES, E-mail, and attempt to use that info. Many people do use DOB, SSI etc. as a password. So with that said, if your Username=Stevens and Password=DOB#, eventually the hacker will get a hit. Like I said, usernames are half the authentication process. If you changed your username=#@*(&9;dk&$(&*#@^ and Password=FI(J#*(#RJFH{}{F9fjd the possibility of getting hacked is ZERO. So when the hacker knows your Username, the server is verifying the password is correct/wrong. Take e-mails as an example. Many e-mails are the Username! They are relying on the server's 3 hit/miss policy to protect your account. That is not 100% protection.

 

 

1) My comment was for the Active Directory account of the employee. But your advice seems to be for the bank account?

 

2) Are you serious? Is this how banks in the US operate?

Their home banking server is vulnerable to a Denial Of Service (DOS), and then you need a password reset to unlock the account?

 

I know that banks in the US don't use 2-factor authentication.

 

Your example is for a weak password: username=STEVENS password=DOB#

A hybrid dictionary attack will eventually find this in a reasonable time.

But a hybrid dictionary attack will never find a strong password: username=STEVENS password=fNS0fuh8DXEfCCSCDCsF

 

Many e-mails are the Username! They are relying on the server's 3 hit/miss policy to protect your account. That is not 100% protection.

 

You mean the e-mail address is the username, I suppose?

Your e-mail account is protected by your password (and maybe with a second factor if you enabled this in Gmail, for example).

You can not have 100% protection. Never.


Edited by Didier Stevens, 22 February 2015 - 02:52 PM.



#13 Aura
  • Bleepin' Special Ops
  • Topic Starter
  • Malware Response Team
  • 19,662 posts
  • Gender:Male

Posted 22 February 2015 - 04:17 PM

I do not recommend changing the username. This can cause many unwanted side-effects.


I don't have the power to change the username of a user on Active Directory; I'm not a sysadmin, but I wouldn't anyway haha :P



#14 technonymous
  • Members
  • 2,490 posts
  • Gender:Male

Posted 23 February 2015 - 05:35 AM

Well, if a user is continuously calling their online banking to reset the password because the account is locked out, then it might be a good idea to change the username as well. However, if their computer is compromised in some way and they use the same info on the computer, then that would also need to be addressed. I was making a point that the login username is important as well. Many online login web portals will actually confirm if the username you have entered is an account or not. lol Think about that for a moment. That's powerful information to a hacker.
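Three design points run through the last few posts: a hard lockout that anyone who knows the username can trigger (posts #11 and #12), a lockout that forces a password reset instead of simply expiring (post #15's objection), and a login page that confirms whether a username exists (post #14). The following added example is not code from the thread or from any bank; it is a minimal login service written from the defender's side that addresses all three at once. It uses standard-library PBKDF2 and a constant-time digest comparison; the user record, the `(username, source_ip)` throttle key, the delay schedule and the injectable `clock` are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time


def _hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; the work factor is chosen for the example, not tuned."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed demo user store (a real service keeps this in a database).
_SALT = os.urandom(16)
USERS = {
    "stevens": {"salt": _SALT, "hash": _hash_password("correct horse battery staple", _SALT)},
}

# A dummy credential is hashed for unknown usernames so that the response
# takes the same work and yields the same message whether or not the user exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-password-never-matches", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password"  # one message for every failure
MAX_FAILURES = 3      # failures before throttling starts
BASE_DELAY = 60.0     # seconds; doubles with each further failure


class LoginService:
    """Throttles per (username, source address) with an expiring delay.

    Nothing here is a permanent lock and no password reset is ever required:
    after the delay passes, the correct password simply works again.
    """

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable for testing
        self.failures = {}          # (user, ip) -> (failure count, not_before time)

    @staticmethod
    def _key(username, source_ip):
        return (username.lower(), source_ip)

    def _throttled(self, key):
        _, not_before = self.failures.get(key, (0, 0.0))
        return self.clock() < not_before

    def _record_failure(self, key):
        count, _ = self.failures.get(key, (0, 0.0))
        count += 1
        # Exponential back-off once the threshold is reached: 60s, 120s, 240s, ...
        delay = BASE_DELAY * (2 ** (count - MAX_FAILURES)) if count >= MAX_FAILURES else 0.0
        self.failures[key] = (count, self.clock() + delay)

    def login(self, username, password, source_ip):
        key = self._key(username, source_ip)
        if self._throttled(key):
            # Same generic message: no "account locked" hint that confirms the username.
            return (False, GENERIC_ERROR)

        record = USERS.get(username.lower())
        if record is None:
            salt, expected = _DUMMY_SALT, _DUMMY_HASH
        else:
            salt, expected = record["salt"], record["hash"]

        # Always compute the hash and compare in constant time, then AND with
        # existence so an unknown user can never log in even on a dummy match.
        matched = hmac.compare_digest(_hash_password(password, salt), expected)
        if matched and record is not None:
            self.failures.pop(key, None)
            return (True, "ok")

        self._record_failure(key)
        return (False, GENERIC_ERROR)


if __name__ == "__main__":
    svc = LoginService()
    print(svc.login("stevens", "wrong", "198.51.100.7"))
    print(svc.login("nobody", "wrong", "198.51.100.7"))
    print(svc.login("stevens", "correct horse battery staple", "198.51.100.7"))
```

Keying the throttle on the source address as well as the username means a third party who knows only the username slows down his own attempts without locking the legitimate customer out from her own connection, and the delay expires on its own, so the "call the bank and reset your password" loop described above never starts. Known and unknown usernames get identical responses and identical hashing work, which is the enumeration point from post #14. The trade-off is that a per-(user, address) throttle alone does not stop a distributed guessing campaign, so in practice it is paired with a per-address limit and a second factor.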



#15 Didier Stevens
  • BC Advisor
  • 2,698 posts
  • Gender:Male

Posted 23 February 2015 - 01:52 PM

I don't understand what you are trying to say. You don't need to reset a password when an account is locked. You just unlock it.





