Some weeks ago the central Danish online authentication system, NemID, which protects Danish internet banking, the online tax system, health records, etc., was attacked, and 700,000 kroner were taken from 8 customers at Danske Bank.
Apparently, it was the business customer Simon Jonassen, the man behind Roust IT, who discovered the irregularity and alerted the bank on 6 February 2012. Simon was running as an admin user on Microsoft Windows XP SP2.
The attack was real-time phishing: a trojan, now termed BankTexeasy, produced an extra popup window during the netbanking session that fooled the unsuspecting user into typing in a code from the one-time pad an extra time, and the attacker used that extra code, while it was still valid, to authorise a transfer of his own.
The trojan was newly developed, flew under the radar of antivirus software, and was apparently only distributed in Denmark.
The customers who got the trojan had apparently visited a legitimate website that had been compromised. They did not get it from a suspicious website or from following a link in a spam mail.
In summary: A central Danish IT-system has been attacked by a trojan specifically crafted to attack the system. Your antivirus won’t detect it. You may get it from legitimate websites. It will empty your bank account. It will break your computer. You might not get refunded.
The case shows that Denmark is not too small a country for hackers to care about.
One simple suggestion put forward to counter the attack was to keep your computer system updated. This might have saved the hacked customers in this case, but it will not help against future zero-day attacks, if the criminals bother to “waste” zero-day exploits on the Danes.
Another suggestion was that the banks shouldn’t allow simultaneous sessions from different computers. It is unclear to me whether this is of any use in future attacks. Might the attacker not simply use the trojaned computer as a proxy?
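To make the suggestion concrete, here is an added example (not code from the original post or from any bank) of the bank-side check it implies: flag a login from a new IP address while a session for the same customer from another address is still live. The log lines are constructed for the example, and the field layout (timestamp, customer id, client IP, user agent) and the 30-minute session lifetime are assumptions. The second sample log shows the caveat raised above: when the attacker relays his traffic through the infected PC, both logins carry the victim's address and the check stays silent.

```python
"""Added example, not from the original post: a bank-side check for a second
login from a different IP address while the customer's earlier session is
still live. The log lines are constructed for the example and the field
layout (timestamp, customer id, client IP, user agent) is an assumption."""
from datetime import datetime, timedelta

SESSION_TTL = timedelta(minutes=30)  # assumed lifetime of a netbank session

# Constructed sample of a login log: one login per line.
SAMPLE_LOG = """\
2012-02-06T09:00:00 cust42 10.0.0.5 Firefox/10.0
2012-02-06T09:03:10 cust42 198.51.100.7 Firefox/10.0
2012-02-06T09:10:00 cust77 10.0.1.9 MSIE/8.0
2012-02-06T09:40:00 cust77 10.0.1.9 MSIE/8.0
2012-02-06T11:00:00 cust42 203.0.113.4 Firefox/10.0
"""

# The caveat raised in the post: the attacker relays his traffic through the
# infected PC, so both logins arrive from the victim's own address.
PROXIED_LOG = """\
2012-02-06T09:00:00 cust42 10.0.0.5 Firefox/10.0
2012-02-06T09:03:10 cust42 10.0.0.5 Firefox/10.0
"""


def parse_log(text):
    """Turn the constructed log into sorted (time, customer, ip, agent) tuples."""
    events = []
    for line in text.splitlines():
        stamp, customer, ip, agent = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(stamp), customer, ip, agent))
    return sorted(events)


def find_concurrent_sessions(text, ttl=SESSION_TTL):
    """Return one (customer, earlier_ip, new_ip, login_time) tuple for every
    login from a new IP that lands while a session from another IP is live."""
    alerts = []
    live = {}  # customer -> (ip, time of last login)
    for when, customer, ip, _agent in parse_log(text):
        previous = live.get(customer)
        if previous and previous[0] != ip and when - previous[1] <= ttl:
            alerts.append((customer, previous[0], ip, when))
        live[customer] = (ip, when)
    return alerts


if __name__ == "__main__":
    for alert in find_concurrent_sessions(SAMPLE_LOG):
        print("concurrent sessions:", alert)
    print("proxied case alerts:", find_concurrent_sessions(PROXIED_LOG))
```

Run as written, the first log yields one alert for cust42 (a second login from 198.51.100.7 three minutes after the one from 10.0.0.5), while cust77's two logins from the same address and cust42's login two hours later pass. The proxied log yields nothing, which is exactly the weakness the question above points at: an IP-based rule catches an attacker logging in from his own machine, not one who rides the victim's.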
Another suggestion put forward is never to key in login name, password and one-time code in a popup window (as the trojan presented). This is a good suggestion, but it is unclear whether the rule suffices. My guess is that a trojan may be able to attack as the user starts the NemID session by manipulating the DNS, meaning that the user needs to be alert to HTTPS and the certificate. But I suppose that a sufficiently nasty attack could modify the browser executable, making it impossible for the user to see any difference between a phishing website and the genuine website.
An extra check of transactions by two-way mobile phone text messaging (SMS) may help bank transaction security, as the attacker would then need to control two systems. However, NemID will get smartphone applications, meaning that “only” the smartphone needs to be hacked.
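The SMS check is worth most when the code in the text message is tied to the transfer it confirms, which goes a step beyond the "two systems" point above: a code from the paper one-time pad authorises whatever the bank receives, which is why an extra code phished through a popup was enough, whereas a code derived from beneficiary and amount only unlocks the transfer the customer just read on the phone. The following is an added example, not code from the original post, from NemID or from any bank; the bank, the customer's phone and the man-in-the-browser are all simulated in one process, and the secret key, the SMS wording and the account numbers are assumptions made for the example.

```python
"""Added example, not from the original post: an out-of-band SMS confirmation
whose code is bound to the transfer it confirms. Bank, customer and malware
are all simulated in-process; the secret key, message wording and account
strings are assumptions made for the example."""
import hashlib
import hmac
import secrets

BANK_KEY = b"assumed server-side secret"  # would live in the bank's HSM


def confirmation_code(to_account, amount, nonce):
    """Six digits derived from exactly the details the customer sees in the SMS."""
    message = f"{to_account}|{amount}|{nonce}".encode()
    digest = hmac.new(BANK_KEY, message, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def bank_issue_sms(to_account, amount, nonce=None):
    """Bank side: record the pending transfer and compose the SMS for the phone."""
    nonce = nonce or secrets.token_hex(4)
    pending = {"to": to_account, "amount": amount, "nonce": nonce}
    code = confirmation_code(to_account, amount, nonce)
    sms = f"Confirm transfer of {amount} DKK to {to_account}? Code: {code}"
    return pending, sms


def bank_execute(pending, typed_code):
    """Bank side: the typed code matches only the transfer it was issued for."""
    expected = confirmation_code(pending["to"], pending["amount"], pending["nonce"])
    return hmac.compare_digest(expected, typed_code)


def customer_checks_sms(sms, intended_to, intended_amount):
    """Phone side: hand back the code only if the SMS names the intended transfer."""
    if f"of {intended_amount} DKK to {intended_to}?" not in sms:
        return None
    return sms.rsplit("Code: ", 1)[1]


def transfer(intended_to, amount, malware_rewrites_to=None):
    """One transfer from an (optionally infected) PC.
    Returns 'executed', 'customer_refused' or 'rejected'."""
    # A man-in-the-browser can silently change the beneficiary in the request...
    requested_to = malware_rewrites_to or intended_to
    pending, sms = bank_issue_sms(requested_to, amount)
    # ...but the SMS on the second device states what the bank is about to do.
    code = customer_checks_sms(sms, intended_to, amount)
    if code is None:
        return "customer_refused"
    # Even if the PC's malware also captures the typed code, it unlocks only
    # the transfer named in the SMS, which the customer has just approved.
    return "executed" if bank_execute(pending, code) else "rejected"


if __name__ == "__main__":
    print(transfer("DK12 3456 7890", 5000))
    print(transfer("DK12 3456 7890", 5000, malware_rewrites_to="DK99 MULE 0001"))
```

The honest transfer executes; the one where the malware swaps in a mule account is refused by the customer because the phone shows the mule account, not the intended one. The scheme still rests on two assumptions: the customer actually reads the SMS, and the phone is a separate device from the infected PC, which is the reservation about smartphone NemID apps made above.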
Another attack I could imagine is a trojan that watches via the webcam that many people have on their laptops. The trojan would open the webcam once the person uses NemID and try to capture a glimpse of the NemID one-time pad sheet. It may be a bit optimistic given the poor resolution of laptop webcams. Try to see if you can read the code shown at around 00:23 in this TV news story. Some superresolution research may come in handy there.