Hackers hijacked a bank's DNS and spent 5 hours raiding its customers' accounts


#1

Originally published at: http://boingboing.net/2017/04/08/all-your-base.html


#2

Well, time to move all of my money into bitcoins.


#3

Fortunately, the security of bitcoin has nothing to do with… oh wait, never mind.


#4

Truly, we will never have security on the internet until we make the banks and service providers 100% liable for security breaches. Not just “you have to pay if your customers get robbed” but also “you have to pay if your customers get their account details or passwords hacked.” Say $1 for each password breached and $10 for each account with compromised details ought to help focus their corporate minds a little better.


#5

I’m sure the bank will be fine - they’ll call it “identity theft” and put the losses on the customers - it’s their fault for banking online in an insecure environment, after all.


#6

Just DNS? Was their website never set up for TLS? Did they never use Strict Transport Security?


#7

Once they hijack the DNS and point it to their server, they could get a Let’s Encrypt certificate pretty fast. On the surface, the connection would look safe.

It’d be a useful browser feature to warn if the certificate changes for certain sites.
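The warning post #7 asks for is essentially key pinning. The following is an added example, not code from the thread or from any browser: a trust-on-first-use pin store that hashes the certificate's SubjectPublicKeyInfo (the pin format RFC 7469 HPKP used, since withdrawn from browsers) via a minimal DER walker, so a certificate re-issued for the same key passes while a certificate carrying a new key, such as one obtained after a DNS hijack, is flagged. The certificates it checks are constructed in `make_cert` and unsigned, and the hostname is a placeholder.

```python
import base64, hashlib

def der_encode(tag, body):  # one DER element, short or long-form length
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _tlv(data, pos):
    """Decode the element starting at pos; return (tag, value, end offset)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq):  # top-level elements of a SEQUENCE value as (tag, raw TLV)
    out, pos = [], 0
    while pos < len(seq):
        tag, _, end = _tlv(seq, pos)
        out.append((tag, seq[pos:end]))
        pos = end
    return out

def spki_pin(cert_der):
    """base64(SHA-256(SubjectPublicKeyInfo)): unchanged by re-issuance, changed by a new key."""
    _, cert, _ = _tlv(cert_der, 0)          # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = _tlv(cert, 0)               # tbsCertificate is its first field
    fields = _children(tbs)
    idx = 6 if fields[0][0] == 0xA0 else 5  # skip the optional [0] EXPLICIT version
    return base64.b64encode(hashlib.sha256(fields[idx][1]).digest()).decode()

def check_pin(pins, host, cert_der):
    """Trust-on-first-use: learn the pin on first sight, afterwards demand a match."""
    pin, known = spki_pin(cert_der), pins.get(host)
    if known is None:
        pins[host] = pin
        return "learned"
    return "ok" if known == pin else "CHANGED"

def _alg(oid_hex):  # AlgorithmIdentifier ::= SEQUENCE { OID, NULL }
    return der_encode(0x30, der_encode(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
def make_cert(pubkey, serial):
    """Constructed, unsigned X.509 skeleton around the given key bytes (test data only)."""
    spki = der_encode(0x30, _alg("2a864886f70d010101") + der_encode(0x03, b"\x00" + pubkey))
    name = der_encode(0x30, b"")            # empty Name is enough for the walker
    validity = der_encode(0x30, der_encode(0x17, b"170408000000Z") * 2)
    tbs = der_encode(0x30, der_encode(0xA0, b"\x02\x01\x02") + der_encode(0x02, serial)
                     + _alg("2a864886f70d01010b") + name + validity + name + spki)
    return der_encode(0x30, tbs + _alg("2a864886f70d01010b") + der_encode(0x03, b"\x00" * 9))
```

Pinning the hash of the whole certificate instead would fire on every routine renewal (Let's Encrypt certificates are short-lived), and even the SPKI pin only helps if the site keeps its key across renewals. A changed pin still cannot tell a legitimate key rotation from a hijack without an out-of-band check.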


#8

My decision to avoid on-line banking is looking smarter all the time. One day it will look positively brilliant.


#9

You would think somebody could make a living maybe teaching companies how to not get robbed?


#10

More likely these days to get a law that bans publicizing such breaches and permitting banks to pretend they never occur and allowing lawsuits for libel against people who try to point out the problems since it might “erode public confidence in the banking system.” Remember, banks in many countries are tightly tied to the central government…

Very large accounts will be quietly reimbursed and Joe and Jane Average can go bank someplace else if they don’t like it.

Like maybe their mattress or a piggy bank.


#11

This plan of shifting costs to customers has worked for them for decades, no problem when you charge 25 percent interest. The little things that could have been done to prevent normal b&m credit card fraud have been ignored. 27 years ago Citibank put my picture on my credit card. Genius move right? Should have been made the law for every credit card right? Couple years back they took them off.

My current pet peeve is the notion that a signature is some kind of security. Seems a couple of centuries out of date. My wife has signed my checks with her name and there’s never been a problem! It’s not security, just forensic evidence for after the crime.


#12

Some kind of twelve step program for companies with bad security?

Step one, they have to admit that they have a problem with security, and that it has made their businesses unmanageable.

Step two, they accept that only by following best practices can they restore their security…

You’re going to have a lot of dropouts from the program around steps 8-10 (make a list of persons harmed, make amends to each one, and continue to promptly admit errors and wrongs in the future).


#13

May be overkill for some, but there’s an addon for that:


#14

I keep thinking of the Mitchell & Webb sketch:


#15

If my experience is any guide, you’re going to have customers dropping out a lot sooner than step 8.

High security is inconvenient and intrusive, and most customers hate it with a passion. Most customers assume that everything is already secure and consider any inconveniences to implement security to be incompetence on your part that your competitors don’t have.

The goal of almost any business is to have security that’s just slightly better than the worst, so that you’re not the main target for the bad guys and you don’t get the reputation of being the company that makes its customers jump through hoops for even the simplest of things.

(And, to be honest, complicated security systems simply have more down-time because they have more moving parts.)

Companies can certainly do more to protect their customers and themselves. But let’s not pretend that it’s usually simple or cheap (except in the most egregious of cases). Otherwise security is something that you end up doing in spite of it making customers less happy with you rather than to increase customer satisfaction.

It’s always tough serving a low-information market. Often the market rewards those who do the minimum and are lucky enough to avoid high-profile victimization rather than the ones who protected themselves in the first place.


#16

Pretty common attack in Brazil: hack old ladies’ (i.e., anyone’s) wifis with factory default credentials, route DNS to a controlled DNS server, serve fake bank websites.


#17

That is still my least favourite example of NewSpeak, being nonsensical as well as self-serving. No, I still have my identity, I’m fairly confident that it wasn’t stolen.


#18

Then they’re doing it wrong. Since 99% of data breaches are caused not by bad customer-facing security but by inexcusable lapses in backend security, I fail to see the relevance of your point.


#19

Do you perhaps not work in IT? How exactly does your idea work at the infrastructure and software level considering that you are asking for banks to assume liability for things they neither made nor can fully understand.

Again you seem to think that banks should be liable for the actions of third parties. Please explain how this works in real life.


#20

Good luck. This thread is full of a lack of understanding of how most of this works.