Ask HN: How do you protect yourself from bank fraud?
A friend of mine recently had €1600 stolen from his account in Germany, despite two-factor authentication (SMS Tan is the norm over here), which I always assumed was pretty secure.
Turns out the thieves first hack your web browser (through the usual means) and then alter the web page of your bank to display instructions to install a "security" app on your smartphone (MITB attack). So then they have access to both factors and you're boned. Google "Eurograbber" to find out more.
What I find kind of scary is the usual caution is likely to fail. After all, this is the correct URL and the correct SSL cert, so if the fake visuals are well produced it will appear completely legit.
I suppose one approach is to make sure you always log on with a clean browser, so I was thinking of a portable VirtualBox with a copy of Linux used solely for the purpose of online banking. I could even hand out keys to my friends.
Do you think this would be effective? And what precautions do you take with online banking?

While a virtual machine used only to access online banking would probably work, would your friend actually stick with it? And be honest - if he wouldn't, there's not much point. The best option is education. Help him understand how the malware was installed and how he can try to prevent it from happening in the future (don't allow applications to be installed if he wasn't specifically expecting it, keep his AV running - no matter what an installer says, always install Java and Adobe updates, and avoid dodgy streaming video and proxy sites).

I recently had to help a friend clean ransomware off his system, and found a bunch of other crap while I was at it. I think I got it all, but I still warned him that it was possible we missed something and a full format and reinstall would be safer. In his case I'm pretty sure it came from one of the many dodgy sites used to stream TV shows and such, although he had also downloaded and installed VLC from one of those sites that rebundle it with additional crap, so that could have compromised the system as well.

You make a good point. Though this particular friend might well stick to it - €1600 tends to focus the mind. But to be honest, I'm asking primarily for myself and my family. I'm not sure anyone can really be sure there is no malware on their browser (via Flash zero-days or what have you), especially if several members of the family use the computer. This gets much worse with teenage kids. So gambling the entire contents of my bank account on the assumption I'm malware-free isn't quite doing it for me. That's why I'm thinking that a straightforward setup is appealing: "When I bank, I use the OS on this USB key and don't use it for anything else". But I also wanted to know what people around here do. Simply assume their machine is clean or take further steps?
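The "dedicated OS on a USB key" idea above has two parts that are easy to get wrong: making sure the image you boot is the one the distribution actually published, and making sure the VM has no channels back to the possibly-infected host (shared clipboard, drag-and-drop, shared folders) and keeps no state between sessions. The script below is an added example written for this thread, not code from any poster; it verifies an installer ISO against a published SHA-256 (the checksum value itself is assumed to come from the distro's download page) and generates the VBoxManage commands for an isolated, live-ISO-only VM. The VM name, OS type, memory size and the VBoxManage flags used (createvm, modifyvm --clipboard/--draganddrop/--nic1, storagectl, storageattach, snapshot) are assumptions about the VirtualBox CLI, and the "ISO" used in the demo is a constructed stand-in, not a real image.

```python
"""Verify a Linux ISO and build a banking-only VirtualBox VM with host/guest channels closed.

Added example for the HN thread; assumes the VirtualBox CLI (VBoxManage) and a
checksum published by the distribution. Run with dry_run=True to only print commands.
"""
from __future__ import annotations

import hashlib
import shlex
import subprocess
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so multi-GB ISOs do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_iso(path: Path, expected_sha256: str) -> bool:
    """True only if the downloaded image matches the published checksum (case-insensitive hex)."""
    return sha256_of(path) == expected_sha256.strip().lower()


def banking_vm_commands(name: str, iso: str, ostype: str = "Ubuntu_64",
                        memory_mb: int = 2048) -> list[list[str]]:
    """VBoxManage invocations for a VM that boots the live ISO and nothing else.

    No virtual disk is attached, so every boot starts from the pristine image;
    clipboard and drag-and-drop are disabled so a compromised host cannot read
    or inject into the banking session through those channels. Flag names are
    assumptions about the VirtualBox CLI.
    """
    return [
        ["VBoxManage", "createvm", "--name", name, "--ostype", ostype, "--register"],
        ["VBoxManage", "modifyvm", name,
         "--memory", str(memory_mb),
         "--clipboard", "disabled",      # no host<->guest clipboard sharing
         "--draganddrop", "disabled",    # no host<->guest file drops
         "--nic1", "nat"],               # network only; no shared folders are ever added
        ["VBoxManage", "storagectl", name, "--name", "IDE", "--add", "ide"],
        ["VBoxManage", "storageattach", name, "--storagectl", "IDE",
         "--port", "0", "--device", "0", "--type", "dvddrive", "--medium", iso],
        # Snapshot the freshly built machine; reset_commands() returns to it after a session.
        ["VBoxManage", "snapshot", name, "take", "clean"],
    ]


def reset_commands(name: str) -> list[list[str]]:
    """Commands to discard whatever happened during a banking session and return to 'clean'."""
    return [
        ["VBoxManage", "controlvm", name, "poweroff"],
        ["VBoxManage", "snapshot", name, "restore", "clean"],
    ]


def run_commands(cmds: list[list[str]], dry_run: bool = True) -> list[str]:
    """Execute (or, in dry-run mode, only render) each command; returns the rendered lines."""
    rendered = [shlex.join(cmd) for cmd in cmds]
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return rendered


def demo() -> dict:
    """Offline walk-through on a constructed stand-in for the ISO (not a real image)."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = Path(tmp) / "constructed.iso"
        iso.write_bytes(b"constructed stand-in for a live ISO, not bootable\n")
        published = sha256_of(iso)  # stands in for the checksum from the distro's download page
        return {
            "good_match": verify_iso(iso, published.upper()),
            "tampered_match": verify_iso(iso, "0" * 64),
            "build": run_commands(banking_vm_commands("bank-only", str(iso)), dry_run=True),
            "reset": run_commands(reset_commands("bank-only"), dry_run=True),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of checking the checksum before the first boot is that the whole scheme rests on the guest being cleaner than the host; an image fetched through a browser that may already be compromised is the one file you cannot take on trust. Keeping the VM ISO-only (no virtual disk, no shared folders) is what makes "don't use it for anything else" hold even if someone in the family does.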
Eurograbber is a variation of the Zeus/Sopilka family of malware. I'm surprised his AV didn't pick it up, because it's the most popular financial malware after SpyEye and Citadel. What bank was this with? Did they cover the losses? I'm assuming something like the following happened:

I'm not sure if it was Eurograbber itself, but a similar attack in any case. The bank is "trying to help recover the funds" but won't cover it if that fails. Part of the problem is that it took him a while to realise this had happened. I think it was the Sparkasse, but not 100% sure. No idea what state his AV was in. He's a smart enough fellow, but definitely non-technical. EDIT: Missed your line about the live CD. I considered that, but I find rebooting a major PITA, hence the VM-on-stick idea. How is it working out for your parents?

It seems to me that using the same device to access the banking website and receive the SMS TAN is asking for trouble. If your smartphone is compromised you are toast. If you use 2 different devices, then the hacker has to compromise both of them to get you. My bank offers hardware tokens for authentication and I am glad to pay 1-2 additional euros a month for enhanced security.

This is a good blog to follow: http://www.lightbluetouchpaper.org/category/banking-security...

Instead of a security app, I paid about $20 for a physical device from my bank. It seems more secure.
I tell my parents to use a Linux Mint or Ubuntu live disk whenever they're banking online. It seems to have worked so far.

Your friend → (direct) Mule in your country → (Western Union) to the criminal