
My [AIB Online Banking] compromised


Comments

  • Registered Users Posts: 3,636 ✭✭✭dotsman


    Zab wrote: »
    eh ... what were you asking for then? :confused:

    What I was wondering is whether frank9901 was asked for the 2 codes at the same time as his log-on information or was it (possibly immediately) afterwards?

    For example:
    1. frank9901 enters logon information
      • attacker logs on using these details
      • attacker attempts to set up payee
      • AIB Online prompts for 2 codes
    2. frank9901 prompted for both codes by attacker
      • Attacker uses both codes to confirm set-up of payee

    (all this happening in the space of a few seconds, even less...)

    OR

    was frank9901 asked for codes on the same page (ie at the same time) as he was asked for his logon details (in which case, I don't understand how the attacker knew what codes to prompt for as it could not have begun to set up the payee yet and therefore would not know which codes to prompt for)


  • Registered Users Posts: 111 ✭✭frank9901


    very first page i was asked for the usual 8 digit registration number (normal)

    next page was a security warning and asking me for two codes and pac (not normal)

    then i was asked for my home phone number (normal)

    then i was in my account, i was just topping up a phone so probably less than 3 minutes and logged out


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 22,709 Mod ✭✭✭✭bk


    frank9901 wrote: »
    next page was a security warning and asking me for two codes and pac (not normal)

    Interesting, then I assume what is happening is:

    1) The trojan is sitting on your PC for a few weeks, monitoring each time you log in and storing your login details (PIN, phone numbers, etc.)

    2) Once it has gathered enough info (all 5 digits of your pin, all your phone numbers, etc.) it carries out the attack:

    - You go to the AIB website and enter your 8 digit customer ID
    - While you do this, the trojan is in the background, using your login details it has previously gathered to secretly log in and ask AIB to set up the international transfers.
    - AIB responds, asking the trojan for the two code card entries.
    - The Trojan now asks you for your PINs and the two code card entries during the second step of your login.
    - You enter the code card entries and the trojan sends them to AIB to authorize the international transaction.
    - The trojan now lets you see that you have logged in and you are none the wiser.

    As for the two different dates of the transfers, remember that you can set a particular date for a transfer to happen. Both transfers could have been entered during the same session, but set for different days. The trojan might spread the transfers over two different dates in order to reduce suspicion or avoid daily transfer limits.

    As I said a very sophisticated and clever attack.


  • Registered Users Posts: 111 ✭✭frank9901


    yes that would work, it would mean they were one step ahead of me at the login stage,
    although they would have to be working very fast, it means
    when i entered my 8 digit registration in the seconds it took to get to the bogus page, then a few more seconds for the phone number challenge
    they would have had to log in with the previously gathered details, open the prepared transfer application and wait to be prompted for code numbers
    it would work, it would all have to be done in 30 seconds or so

    edit
    no it would have to be done in 10 seconds, when i entered the 8 dig reg number i was immediately taken to the page requesting the codes so they would not have the time to log in and get code prompts in the 2 or 3 seconds it took to get from reg page to code prompt page
    each time i think i have the answer it doesn't fit


  • Registered Users Posts: 10,632 ✭✭✭✭28064212


    frank9901 wrote: »
    yes that would work, it would mean they were one step ahead of me at the login stage,
    although they would have to be working very fast, it means
    when i entered my 8 digit registration in the seconds it took to get to the bogus page, then a few more seconds for the phone number challenge
    they would have had to log in with the previously gathered details, open the prepared transfer application and wait to be prompted for code numbers
    it would work, it would all have to be done in 30 seconds or so

    There wasn't someone sitting at the other end of a computer waiting for you to log in so they could set a transfer up. This was all totally automated




  • Registered Users Posts: 111 ✭✭frank9901


    28064212 wrote: »
    There wasn't someone sitting at the other end of a computer waiting for you to log in so they could set a transfer up. This was all totally automated

    thanks i can accept that,
    it is the only way it could happen


  • Registered Users Posts: 111 ✭✭frank9901


    i knew if i started thinking about it i would not be 100% sure that's the way it happened
    if the trojan was in residence on my computer and watching, had equipped itself with the info needed to access my account, they could at an earlier stage have logged in and set up the transfer details needing only to click ok or send to be prompted for the codes, then when i put my reg in and a couple of seconds later was prompted for codes, how could they, even with software, enter the account and speed up the aib prompt, that would only work if they were lurking inside the account, the two separate aib prompts which they would have no control over would cause a delay, there was no delay between opening my bookmark and entering the reg then receiving the prompt.
    automating everything from outside the aib site could be done but i can't see how they could speed up the two aib prompts, i am probably miles off track and i don't know why i keep looking for the answer, i recognise it was totally my fault


  • Registered Users Posts: 6,166 ✭✭✭Stereomaniac


    Well, you weren't to know man. But it does seem like the answers you're looking for probably aren't coming to you. Kinda turns you off banks moreso. Well, certainly for me anyway. Your head must be wrecked.


  • Registered Users Posts: 1,931 ✭✭✭Zab


    frank9901 wrote: »
    i knew if i started thinking about it i would not be 100% sure that's the way it happened
    if the trojan was in residence on my computer and watching, had equipped itself with the info needed to access my account, they could at an earlier stage have logged in and set up the transfer details needing only to click ok or send to be prompted for the codes, then when i put my reg in and a couple of seconds later was prompted for codes, how could they, even with software, enter the account and speed up the aib prompt, that would only work if they were lurking inside the account, the two separate aib prompts which they would have no control over would cause a delay, there was no delay between opening my bookmark and entering the reg then receiving the prompt.
    automating everything from outside the aib site could be done but i can't see how they could speed up the two aib prompts, i am probably miles off track and i don't know why i keep looking for the answer, i recognise it was totally my fault

    You're underestimating how quickly a computer can do these things. Don't forget that from the time you hit the bookmark and are served the page asking for your account number, the attacker can log in to the real aib site and set things up. This includes the time taken for you to type in your account number. The computer can do all the things that a human would have to do here (enter numbers, click buttons) in less than a millisecond. The only thing holding it back would be the network delay and responsiveness of the real AIB site.

    However, from looking at your story some questions are raised. Are you POSITIVE that there were only three separate pages and that they were: Account Number->PAC & 2 Code card codes->Digits in phone number? Note that usually it's Account Number->PAC (part) & Digits in phone number (the phone number doesn't get its own page).

    I believe that AIB has always asked for the two codes in separate stages/pages. Therefore it shouldn't actually be possible for an attacker to know the numbers of both codes they're going to require before they enter the first code. Unless, of course, AIB dropped the ball and their website doesn't function as it should (allowing a user to resubmit a new first code after seeing the second one for instance).
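
The staged behaviour Zab describes in the post above (the second code position is disclosed only after the first is answered, and a first code cannot be resubmitted), sketched server-side as an added example; it is not AIB's code and not part of any post. The class name, the 100-entry card layout and the return strings are assumptions made for illustration.

```python
import hmac
import secrets


class StagedCodeCardChallenge:
    """One payee set-up guarded by two code card codes, asked for in stages."""

    def __init__(self, card):
        self.card = card  # {position: code} for this customer's card
        # Both positions are fixed when the challenge is created, but the
        # second is never disclosed until the first has been answered.
        self._positions = secrets.SystemRandom().sample(sorted(card), 2)
        self._stage = 0
        self._void = False

    def prompt(self):
        """Return the card position to ask for now, or None if finished/void."""
        if self._void or self._stage >= 2:
            return None
        return self._positions[self._stage]

    def answer(self, position, code):
        """Check an answer for the current stage; any mistake voids the challenge."""
        expected = self.prompt()
        if expected is None:
            return "rejected"
        good = position == expected and hmac.compare_digest(
            self.card[position].encode(), code.encode())
        if not good:
            # Wrong code, or an answer for a stage already passed (a resubmitted
            # first code): the caller must start a new challenge.
            self._void = True
            return "rejected"
        self._stage += 1
        return "authorised" if self._stage == 2 else "next"


def sample_card():
    """Constructed 100-entry card; values are illustrative, not a real layout."""
    return {n: f"{(n * 7919) % 10000:04d}" for n in range(1, 101)}


if __name__ == "__main__":
    card = sample_card()
    ch = StagedCodeCardChallenge(card)
    first = ch.prompt()
    print(ch.answer(first, card[first]))      # first code accepted
    print(ch.answer(first, card[first]))      # resubmitting it voids the challenge
    print(ch.prompt())                        # nothing further is disclosed
```

Staging the prompts like this only stops both positions being learned up front; it does nothing about codes that the card holder types in, position by position, while the prompts are live, because the codes are not tied to the payee being set up.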


  • Registered Users Posts: 111 ✭✭frank9901


    my explanation of the sequence was slightly wrong

    it was reg code
    next page
    code card code
    next page 3 numbers of pac +last 4 digits of phone number
    enter site
    so they were ready for card codes just about 3 seconds after i entered reg and it only took less than 10 seconds to enter the reg
    no matter the speed of their software doesn't seem possible that they got to the aib prompt so quick
    but fact is they did


  • Registered Users Posts: 1,931 ✭✭✭Zab


    In my opinion you are extremely wrong about the speed.

    So, BOTH of the code card numbers were requested at the SAME time on a single page?


  • Registered Users Posts: 111 ✭✭frank9901


    Zab wrote: »
    In my opinion you are extremely wrong about the speed.

    So, BOTH of the code card numbers were requested at the SAME time on a single page?

    no, one code, new page second code, but the speed is correct i opened the login page i know my reg off by heart a few seconds entering it then code card request, that's how quick they were able to do it,
    the time it takes to enter a well known 8 digit number and click next, that's exactly the time they had before asking for the first code
    (the 8 digit reg was actually my birth date with 2 digits on the end ), so no need to look at anything, and another 5 seconds for the page to turn
    they must have the means to do it in that time


  • Registered Users Posts: 1,931 ✭✭✭Zab


    Ah, okay. That changes everything. There's ample time for them to set up a transaction between you clicking okay and the next page coming up. If I was to guess I'd say that you're misremembering and you were asked for the PAC+phone before the code card codes, but at this stage I don't think that point is too important. The time it took you to type in that number is an eternity to a computer. In fact it probably didn't even log in until you hit next.


  • Registered Users Posts: 111 ✭✭frank9901


    Zab wrote: »
    Ah, okay. That changes everything. There's ample time for them to set up a transaction between you clicking okay and the next page coming up. If I was to guess I'd say that you're misremembering and you were asked for the PAC+phone before the code card codes, but at this stage I don't think that point is too important. The time it took you to type in that number is an eternity to a computer. In fact it probably didn't even log in until you hit next.

    i really think that is the answer but it was after the reg number, because i am inside the account after the phone number, it just puzzles me no matter how fast they are they still must get inside open the transfer document and WAIT for the aib prompt
    they are good and must have very good software, i have up to date mcafee total protection and still did not catch it


  • Registered Users Posts: 532 ✭✭✭dfdream


    Just got stung by this one...At least it was rejected by AIB....
    What an eye opener.
    I had noticed subtle changes when logging into aib.ie last week.
    I rang AIB helpdesk and was told there were no changes and nothing unusual about what I saw.
    I then tried to log in again but got incorrect info when I was 100% it was correct and then was asked to enter again. Looking back it was probably digging for more info.
    Then it logged in and said something like "This is the first time you have used this computer to access aib and we need to confirm the following info"
    It asked me for 2 codes from the card and looking back how stupid was I to comply with the request. It did look so convincing though...

    Then I tried to log in yesterday and it was all locked out..

    Bit disappointed for a few things.
    1 - Why no one from AIB contacted me.
    2 - Why the AIB secure site didn't complain about code being buried into it in the web browser.
    3 - Why AIB don't have a notification system (email or txt) to notify user that transaction has been requested and give them a few hours to contact AIB to correct (doesn't need to have a lot of info, just "transfer has been requested on one of your accounts check in www.aib.ie or 18xx xxxxxxx").
    4 - They have ordered a card reader for me... But why don't they just send them to everyone...

    This must be getting popular since OP as they now flag these types of transfer...


  • Registered Users Posts: 26,388 ✭✭✭✭noodler


    All I ever have on my computer is AVG Free and superantispyware.

    But this has never happened to me.

    How exactly do you get targeted?


  • Registered Users Posts: 532 ✭✭✭dfdream


    TBH I don't have a clue.
    These things never bothered me before as I stayed away from those dodgy emails and sites (BTW how do you know a site is dodgy in advance).
    I always type in aib.ie and don't use links on emails etc.
    This one was good though. Very slick looking. It seems to embed itself into the aib page itself. Talked to a tech person in AIB the other night and was told that they no longer have to direct you to a fake website, they can side load what they need into your browser while you are on the aib.ie site. It does what it needs in the background while you interact with the foreground.

    I have AVG Free too and it's running all the time. Thing is though it never reported a thing but when I did a manual scan it found 26 items...
    Malwarebytes found a lot too...

    I work in IT with 20 years experience and I'm stumped by this one. The future is not bright for most internet bank users who might not have a clue what to look out for, me included.

    I asked the helpdesk how I could be better prepared and the answer I got was: keep AV up to date (I had), don't click on emails or texts claiming to be from AIB, don't give all your 5 digit pin no. (I didn't) but still "nearly" got caught.

    He finished up by saying I'm solely responsible for any issue as per T&C, interesting times ahead methinks...

    They did advise the AIB app is safer, wait for a hacked version of that too.
    All it takes is another app to be installed that uninstalls the real app and installs a fake one....



    noodler wrote: »
    All I ever have on my computer is AVG Free and superantispyware.

    But this has never happened to me.

    How exactly do you get targeted?


  • Registered Users Posts: 26,388 ✭✭✭✭noodler


    I better apply for that code reader.

    Jesus, to think I could type in www.aib.ie and go from there and still be scammed is a serious worry.


  • Registered Users Posts: 2,809 ✭✭✭edanto


    Very interesting thread guys.

    I just went to do a transfer to a new payee recently and was told that the 'code card' is no longer an available option, and only the card reader was acceptable, and did I want to order one?

    It just arrived today, so hopefully I'm not as vulnerable as I might have been. I wonder if AIB could slow down these attacks by including some captchas - at the very least, the ba$tards would have to employ someone 24/7 to wait for the captchas and that might make the method less viable?


  • Registered Users Posts: 1,931 ✭✭✭Zab


    Nah, the victim would just do the captcha for them


  • Registered Users Posts: 26,388 ✭✭✭✭noodler


    Just reading through the FAQs for the Code Reader... they seem to be very careful about making sure they are not actually recommending it over the code card.

    I mean something straight forward from them saying "get a code reader it is better".

    Made a transfer to a new account about a month ago and code card let me do it.

