
My [AIB Online Banking] compromised

  • 15-02-2012 01:44AM
    #1
    Closed Accounts Posts: 6


    Was anyone robbed through AIB On-line banking after last Sunday (12/02/2012) ? I received a phone call this morning from AIB Bank support Agent. She asked me if I did any money transfers last sunday (both over 2000 euros). Probably some kind of virus attacked AIB customers.



Comments

  • Closed Accounts Posts: 2,497 ✭✭✭omahaid


    Nope, I'm just as broke as I was last week. Was it definitely AIB that rang? Wasn't someone chancing their arm? I see a good few warnings about browser hijacking on their website.


  • Registered Users, Registered Users 2 Posts: 526 ✭✭✭To Alcohol


    Hope you haven't given your log on details to anyone! AIB have a warning up at the moment advising of fraudulent attempts to get log on details.


  • Closed Accounts Posts: 6 MajkelBlack


    I didn't give any details, just confirmed my address. My online banking is suspended now. 5000e is gone from my account. On Sunday I wanted to log into my account. Usually you have to enter 3 random digits from your (5 digits personal code) but I've been asked for full 5 digits personal code. Everything was exactly the same as always instead of that detail. Spoke again with AIB advisor, I'm not the only one who has been robbed. An information on AIB page popped up on Monday, probably they realised that something is not right when all pending money transfers went through that day. All came back to normal on my laptop yesterday when I checked Login page was exactly same as on Sunday, was asking for 5 digits code, I did a disc format, reinstalled my system and antivirus and now looks fine (asking for random 3 digits). I have a brand new laptop with fresh system, fully secured. I did a system scan and antivirus didn't find any virus.


  • Registered Users, Registered Users 2 Posts: 526 ✭✭✭To Alcohol


    Wow. So the issue is with them. Have they confirmed you'll get a refund? I'd fight tooth and nail as the issue appears to be their website.

    Hope it works out ok for you.


  • Closed Accounts Posts: 6 MajkelBlack


    I will not ask them IF I receive a refund, I will ask them WHEN they give me my money back. Savings of my life gone just like that. Will give more details later..


  • Registered Users, Registered Users 2 Posts: 9,060 ✭✭✭Kenny Logins


    That's very unusual, to make a transfer they'd need more than log in details, they'd need code card/reader too...


  • Registered Users, Registered Users 2 Posts: 9,060 ✭✭✭Kenny Logins


    This warning is now shown when logging in

    [Image: 1pKHP.png]


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    this has just happened to me today, money was withdrawn over the last 3 days from my account
    it is now with aib fraud examination, i use a bookmark to access aib internet banking, i recall some weeks ago i was asked for code card numbers to log in now it seems that may have been a bogus page, i called garda and they said i should wait to see what aib do,i spoke to someone later today from aib
    and she is sending out a form to me which i must get stamped at the police station, anyone any idea what will happen from here ? i paid all my bills from the account and am now stony broke


  • Closed Accounts Posts: 6 MajkelBlack


    Exactly the same story. Today AIB sent me a form I have to stamp on Garda Station. We are supposed to get our money back but don't know how long it will take.


  • Registered Users, Registered Users 2 Posts: 3,636 ✭✭✭dotsman


    To Alcohol wrote: »
    Wow. So the issue is with them.
    No, as per his post, the issue was with his computer. He was going to the fraudulent page. By wiping his machine and reinstalling, he was then able to get to the actual page.
    I did a system scan and antivirus didn't find any virus.
    Was that before or after you formatted the machine? If before, it's interesting that the antivirus didn't pick anything up - was it completely up to date? what antivirus do you use?
    That's very unusual, to make a transfer they'd need more than log in details, they'd need code card/reader too...
    This, I find stranger. How did the criminals get various codes required?


  • Closed Accounts Posts: 6 MajkelBlack


    2 weeks ago I bought a new laptop with 30 days McAfee anti-virus. I did a system scan before I did a disc format.

    I checked my account in a bank today. Yesterday all money from my credit card was transferred to my current account to be ready to withdraw.
    Happily I closed my Internet banking on Tuesday so I have some money till the end of the month.
    There were 3 transactions on my account, you need 2 security codes for each to be done. Just wondering how did it happen, all money from my saving acc has been moved on current and then there were 2 money transfers from current account. I'm not counting the last one that someone prepared money from my Credit Card.


  • Closed Accounts Posts: 18,056 ✭✭✭✭BostonB


    dotsman wrote: »
    ...This, I find stranger. How did the criminals get various codes required?

    Perhaps they crack the codes, found a pattern to them.

    AIB should be able to see a pattern in the attacks.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    in my case it seems i gave them 2 codes on a bogus log in page, what puzzles me is how were them 2 codes enough when the required codes while making a transfer are random, any 2 of about 100 codes


  • Closed Accounts Posts: 1 dudu


    Hi, exactly the same happened to us. 5000 eur gone in 2 transactions. We were doing O2 top up on Friday and Monday morning found out that the money from our account are gone. We are still waiting for fraud forms (already 4 days !!!) from AIB to get them stamped by Garda. I have been on the phone today with a lady from fraud department and she mentioned that there is no guarantee that we will get the money back????? because in T&C is stated not to give full 5 digits PAC code to anywhere. We are now in big shock and we can't believe to what she said as whole transaction was done on their web site and all was looking the same apart from the request to enter full PAC number. After all she said she will come back to us on Monday as to whether we will get the money refunded or not.... ridiculous...


  • Closed Accounts Posts: 6 MajkelBlack


    Info alert appeared on AIB page on Monday, i logged into my account on Sunday and there was no warning message. I think bank is fully insured in this case and it shouldn't be any problem to give us a refund, if they don't want to lose thousands of cust.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    as the pin number and 2 code numbers are not enough alone i am wondering how they bypassed the other security questions. i did notice one weakness in their system, one time my daughter was logging in and it asked for the last 4 digits of her mobile phone, she had changed her number a few weeks previously and confused the number, when the system said not the correct detail, she closed the login page then opened a new page and got a different security question. after that until she changed her number with the bank whenever she got the mobile question she just opened a new login page, i think the security question should stay the same until answered


  • Registered Users, Registered Users 2 Posts: 50 ✭✭jmcgold


    Had the same issue and malwarebytes seems to have fixed it.

    Looks like a trojan that was injecting some javascript at the bottom of aibinternetbanking.aib.ie that was pulling code from dbase-security.com. This code basically replaced the PAC prompt on the login page with one of their own looking for all the digits of the PAC.

    Look for the following on your machine and remove it (replace XXXX with your account name)

    remove the file: C:\Users\XXXX\AppData\Roaming\Vaome\aftibah.exe

    Then use regedit.exe to search for and remove any keys referring to the above file.

    If you are not confident doing this yourself, download malwarebytes and it will do it for you after a quick scan.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    jmcgold wrote: »
    Had the same issue and malwarebytes seems to have fixed it.

    Looks like a trojan that was injecting some javascript at the bottom of aibinternetbanking.aib.ie that was pulling code from dbase-security.com. This code basically replaced the PAC prompt on the login page with one of their own looking for all the digits of the PAC.

    Look for the following on your machine and remove it (replace XXXX with your account name)

    remove the file: C:\Users\XXXX\AppData\Roaming\Vaome\aftibah.exe

    Then use regedit.exe to search for and remove any keys referring to the above file.

    If you are not confident doing this yourself, download malwarebytes and it will do it for you after a quick scan.

    what do you think the banks stance will be on this ?


  • Registered Users, Registered Users 2 Posts: 3,636 ✭✭✭dotsman


    frank9901 wrote: »
    what do you think the banks stance will be on this ?

    What do you mean? There's only so many times a bank can scream that people should use up-to-date anti-virus scanners and be vigilant to anything out of the ordinary etc. The bank's websites are not the ones being attacked, it's people's computers. What do you think the banks can/should do?


  • Registered Users, Registered Users 2 Posts: 27,238 ✭✭✭✭noodler


    Jesus. This really is scary stuff.

    Is there any way to completely lock out transfers from your account?

    Thanks a lot for the heads up.

    I don't recall ever being asked for 5 digits and there's no unusual activity on my account so I hope I am okay.


  • Registered Users, Registered Users 2 Posts: 27,238 ✭✭✭✭noodler


    dotsman wrote: »
    What do you mean? There's only so many times a bank can scream that people should use up-to-date anti-virus scanners and not be vigilant to anything out of the ordinary etc. The bank's websites are not the ones being attacked, it's people's computers. What do you think the banks can/should do?

    All I use is AVG Free and SuperAntiSpyWare.

    Would that worry you?


  • Registered Users, Registered Users 2 Posts: 3,636 ✭✭✭dotsman


    noodler wrote: »
    All I use is AVG Free and SuperAntiSpyWare.

    Would that worry you?
    As long as they are up to date and you use common sense you should be ok. There's nothing to be overly paranoid about. As long as you are careful, the chances of being successfully attacked are very remote - and the bank will refund you in these circumstances anyway (just a bit of hassle regarding paperwork etc).


  • Registered Users, Registered Users 2 Posts: 27,238 ✭✭✭✭noodler


    dotsman wrote: »
    As long as they are up to date and you use common sense you should be ok. There's nothing to be overly paranoid about. As long as you are careful, the chances of being successfully attacked are very remote - and the bank will refund you in these circumstances anyway (just a bit of hassle regarding paperwork etc).


    Yeah, I might make another account with money transfers disabled to limit this type of possibility in the future.

    I have to say I would have been surprised if I'd been asked for my 5 digits. Even more so if it had been from a pop-up window.

    This link

    http://www.aib.ie/InternetBankingSecurityDemo/index.html?c_id=securitydemo&ad_id=1

    seems to indicate that part of last week's scam asked for all 100 of your code card numbers (obviously not in the OP's case) and that would have been quite obviously a scam.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    no it did not ask for all 100 digits it asked for 2 code card numbers, that's why i am wondering how they bypassed the aib security, to transfer money internationally you will be asked for two random code card numbers, so they must have cracked the card from those 2 numbers, there is also any of three other measures last 4 digits of work number, last 4 digits of home number or last 4 from credit card, so how did they get past that security


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    dotsman wrote: »
    What do you mean? There's only so many times a bank can scream that people should use up-to-date anti-virus scanners and not be vigilant to anything out of the ordinary etc. The bank's websites are not the ones being attacked, it's people's computers. What do you think the banks can/should do?

    i gave one example of this in an earlier post, right now if you are asked for a four digit number for example last 4 digits of credit card, if you don't have that information but have the target's phone number you can close and reopen the page until you are asked for the last 4 digits of the phone number. that's something they must share some of the blame for plus their code card is useless if somebody gets 2 digits from it also i have mcafee 2012 total protection and it picked up nothing


  • Registered Users, Registered Users 2 Posts: 27,238 ✭✭✭✭noodler


    frank9901 wrote: »
    no it did not ask for all 100 digits it asked for 2 code card numbers, that's why i am wondering how they bypassed the aib security, to transfer money internationally you will be asked for two random code card numbers, so they must have cracked the card from those 2 numbers, there is also any of three other measures last 4 digits of work number, last 4 digits of home number or last 4 from credit card, so how did they get past that security

    Again I specifically said it wasn't the case for those in this thread.

    Amazing someone would actually type all 100 codes though.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    i was talking to a girl from the fraud dept at aib, she said even the most sophisticated anti virus software may not pick up this virus


  • Closed Accounts Posts: 18,056 ✭✭✭✭BostonB


    frank9901 wrote: »
    i was talking to a girl from the fraud dept at aib, she said even the most sophisticated anti virus software may not pick up this virus

    ?
    jmcgold wrote: »
    Had the same issue and malwarebytes seems to have fixed it...


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    frank9901 wrote: »
    no it did not ask for all 100 digits it asked for 2 code card numbers, that's why i am wondering how they bypassed the aib security, to transfer money internationally you will be asked for two random code card numbers, so they must have cracked the card from those 2 numbers, there is also any of three other measures last 4 digits of work number, last 4 digits of home number or last 4 from credit card, so how did they get past that security

    While it's "possible" that the codes were predictable, AIB would have to be extraordinarily inept for that to be the case. Another possibility is that while you were logging into the fake page a computer was logging into your account from somewhere else and it simply asked you for the two codes that it was being asked for. Either that or there's a way to transfer money without a code card (to my mind this is more likely than the predictable codes anyway).


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,477 Mod ✭✭✭✭bk


    This sounds like a man in the middle attack to me.

    Basically a trojan installed on your PC, which is injecting Javascript code into your web browser that makes it look like the real AIB website, but when you actually log in and interact with the AIB website it is taking your responses to the security questions and actually doing different things in the background (such as sending money to their account), than what it shows you it is doing.

    It doesn't actually need all your codes and passwords, it probably only carries out the attack each time you login to AIB and it asks you then for the specific codes it needs for that session.

    While it might ask for the codes at times when it wouldn't normally ask, most people probably wouldn't realise this and just accept that what they are seeing is legit.

    The responsibility of this lies partly with the customer. After all it is their PC that got infected, probably due to lack of up to date anti virus software.

    However if the banks didn't actually cover the cost of these frauds and it happened to a lot of people, then the bad PR from it would have a much worse and costly effect for the banks as people lose trust in their online banking services.

    The banks can however fix this issue, by improving the security of their online banking service, by implementing two factor authentication and alternative authentication channels.

    AIB are already doing this with their new Card Reader device (which looks like a calculator and reads your ATM card), this device uses two form authentication and alternative authentication channels, which makes online banking much safer and protects against these sort of attacks.

    I highly recommend everyone requests a Card Reader device:
    http://www.aib.ie/servlet/Satellite?c=SC_Content&cid=1296736790579&pagename=SecurityCentre%2Fsc_main&section=S003


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    bk wrote: »
    The banks can however fix this issue, by improving the security of their online banking service, by implementing two factor authentication and alternative authentication channels.

    With the code card AIB already had two factor authentication. I'm unsure about these Card Readers as opposed to the PIN accessed type of Secure Token that can be used to sign transactions. The chips used on Chip and PIN cards are apparently quite flawed ( http://www.youtube.com/watch?v=6lI56XXeV8g ).


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,477 Mod ✭✭✭✭bk


    Zab wrote: »
    With the code card AIB already had two factor authentication.

    Yes, but it doesn't have the alternative authentication and verification channel, which is what the card reader adds.

    The problem with the old code cards is that it still had to be entered in the browser and was therefore vulnerable to the classic man in the middle attack.

    The card reader eliminates this attack channel. It isn't possible for the man in the middle to add a new account and make transfers without AIB and the customer knowing.
    Zab wrote: »
    I'm unsure about these Card Readers as opposed to the PIN accessed type of Secure Token that can be used to sign transactions. The chips used on Chip and PIN cards are apparently quite flawed ( http://www.youtube.com/watch?v=6lI56XXeV8g ).

    The card readers use a PIN too and are actually more secure than the one time password generator Secure Tokens.

    Such Secure Tokens are actually still completely vulnerable to Man In The Middle (MITM) attacks.

    The card readers defeat the MITM attacks because when you add a new account or make a payment, you enter the account's details or payment in the card reader which generates a hash code that you enter in the website. If the MITM tries to change this code, the bank will know that it is a fraudulent transaction.

    The only way (assuming it is all correctly implemented) the MITM can work is if he gets both your ATM pin and can physically access your ATM card and infect your PC with a trojan!!

    Yes, it certainly is possible, but it becomes much, much more difficult. Basically it eliminates the faceless criminal attacking you from across the world on the web. Now the only practical attack is to physically attack you, which is possible, but much less likely.

    In computer security there is no such thing as perfect security, there is only adding layers of protection that make it more difficult. Security is always a balance between security versus cost and convenience.

    BTW yes chip and pin has been cracked, but that is a different issue, as the attacker would still need physical access to your ATM card.


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    Well, I agree with you except about chip and pin being cracked being a separate issue. Also, I wasn't referring to a one time password type of secure token. In fact there's nothing that a secure token can't do that this card reader can except require a (flawed) card and be shared between users. Which isn't to say it's worse than not having it.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    just got a call from the bank money is being refunded as a gesture of goodwill


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    i asked the lady from the fraud dept about the reader card, she said it would not stop this type of attack


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    frank9901 wrote: »
    i asked the lady from the fraud dept about the reader card, she said it would not stop this type of attack

    I don't have one but assuming that you're entering the details of what you're trying to do into the reader and it's generating a code from that, then she's wrong. The attacker would have your ID and pin but would have no way of transferring money to their account without you entering their account number into the device and typing in the code it gives you, something you hopefully would not do.


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,477 Mod ✭✭✭✭bk


    Excellent article on the possible weaknesses * in the new Card Readers being issued by AIB and how they may be attacked, for anyone interested:

    http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

    * I say possible, because this article is about the system being deployed by the UK banks, which I assume is the same as being deployed by AIB.


  • Registered Users, Registered Users 2 Posts: 7,401 ✭✭✭Nonoperational


    Sometimes a bank won't pay out in this situation, and it would be hard to fight them on it. At the end of the day there HAS to be some malicious code on your machine for this to happen. Granted I'd have more sympathy for people the victim of these attacks than a poor looking phishing page, but still... Never ever ever ever ever give codecard details when logging in. If there's anything other than the usual 3 digits of the PAC then run.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    i realize i was a complete idiot to be caught out, but i still feel the fraudsters should not be able to make international money transfers with just 2 codes of the card, as they are asked to enter two random codes from 100 so i feel their code card must have been cracked from just two numbers, i was to blame and i feel extremely lucky to be refunded,it just bugs me that the code card became useless when just 2 numbers were revealed


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    Are you saying it requires more than two codes to make an international transfer?


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    bk wrote: »
    Excellent article on the possible weaknesses * in the new Card Readers being issued by AIB and how they may be attacked, for anyone interested:

    http://www.cl.cam.ac.uk/~sjm217/papers/fc09optimised.pdf

    * I say possible, because this article is about the system being deployed by the UK banks, which I assume is the same as being deployed by AIB.

    That was quite interesting. The AIB one looks the same as the NatWest one in the report. I'm always amazed by how often banks screw this stuff up. Saying "REF" when it's asking for an account number is particularly brilliant.


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    Zab wrote: »
    Are you saying it requires more than two codes to make an international transfer?

    it takes two codes, for example if the fraudster has codes 4 and 7 it may ask them for code 89 and 67 or any two from 100, so your 4 and 7 would be no good unless you cracked the card and could figure any code number they may ask for


  • Registered Users, Registered Users 2 Posts: 3,636 ✭✭✭dotsman


    frank9901 wrote: »
    it takes two codes, for example if the fraudster has codes 4 and 7 it may ask them for code 89 and 67 or any two from 100, so your 4 and 7 would be no good unless you cracked the card and could figure any code number they may ask for

    As a matter of interest, can you remember if you were asked for the codes on the first page when you logged in, or was it afterwards (ie a second page)?


  • Moderators, Motoring & Transport Moderators, Technology & Internet Moderators Posts: 23,477 Mod ✭✭✭✭bk


    frank9901 wrote: »
    i realize i was a complete idiot to be caught out, but i still feel the fraudsters should not be able to make international money transfers with just 2 codes of the card, as they are asked to enter two random codes from 100 so i feel their code card must have been cracked from just two numbers, i was to blame and i feel extremely lucky to be refunded,it just bugs me that the code card became useless when just 2 numbers were revealed

    Do you mean two codes from your 4 digit PIN or two separate 4 digit codes from your code card?

    If it is the latter, then that is all that is needed to do an international transfer without the code card having been cracked in any way.

    Remember the trojan is doing "stuff" and communicating with the AIB website in the background while you are logged in.

    When you log in, it is also logged in. It then tries to setup an international transfer in the background when you are logged in, AIB ask it for code 55 from the code card and the trojan thus asks you for code 55 and enters code 55 thus authorising the transaction, meanwhile it tells you that the AIB site is doing what you suspect it to be doing.

    At least that is what I assume is happening, a very sophisticated attack.


  • Registered Users, Registered Users 2 Posts: 3,636 ✭✭✭dotsman


    bk wrote: »
    Do you mean two codes from your 4 digit PIN or two separate 4 digit codes from your code card?

    If it is the latter, then that is all that is needed to do an international transfer without the code card having been cracked in any way.

    Remember the trojan is doing "stuff" and communicating with the AIB website in the background while you are logged in.

    When you log in, it is also logged in. It then tries to setup an international transfer in the background when you are logged in, AIB ask it for code 55 from the code card and the trojan thus asks you for code 55 and enters code 55 thus authorising the transaction, meanwhile it tells you that the AIB site is doing what you suspect it to be doing.

    At least that is what I assume is happening, a very sophisticated attack.

    Yes, that is what I suspect is happening. The only thing I'm not clear on is how it is doing this if the logon and giving the codes was all done at the same moment.

    Surely it would need to take the victims log on details, then submit the transfer request and then ask the victim for the relevant 2 codes that AIB has challenged.


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    dotsman wrote: »
    Yes, that is what I suspect is happening. The only thing I'm not clear on is how it is doing this if the logon and giving the codes was all done at the same moment.

    Surely it would need to take the victims log on details, then submit the transfer request and then ask the victim for the relevant 2 codes that AIB has challenged.

    I haven't seen the trojan so I don't know if it's asking for the codes immediately but if it is it just means that the transaction has already been set up in the background between you submitting the PAC and it asking you for the codes. I think what you're overlooking is how quickly this can be done by a computer rather than a human.


  • Registered Users, Registered Users 2 Posts: 3,636 ✭✭✭dotsman


    Zab wrote: »
    between you submitting the PAC and it asking you for the codes

    Yes, that is how I imagine it must be done.
    Zab wrote: »
    I think what you're overlooking is how quickly this can be done by a computer rather than a human.
    Oh, I fully appreciate that.


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    eh ... what were you asking for then? :confused:


  • Registered Users, Registered Users 2 Posts: 111 ✭✭frank9901


    bk wrote: »
    Do you mean two codes from your 4 digit PIN or two separate 4 digit codes from your code card?

    If it is the latter, then that is all that is needed to do an international transfer without the code card having been cracked in any way.

    Remember the trojan is doing "stuff" and communicating with the AIB website in the background while you are logged in.

    When you log in, it is also logged in. It then tries to setup an international transfer in the background when you are logged in, AIB ask it for code 55 from the code card and the trojan thus asks you for code 55 and enters code 55 thus authorising the transaction, meanwhile it tells you that the AIB site is doing what you suspect it to be doing.

    At least that is what I assume is happening, a very sophisticated attack.

    no, i am just logging in to top up a mobile phone, the fraudsters get the two 4 digit code card numbers from me (stupid) but aib are not asking me for card numbers when i am in the site, i would only be asked for numbers if doing an international money transfer so all they have is the two numbers i gave them, there is nothing else for them to watch or to copy regarding code card numbers, so when they did the transfer they would be asked for
    two random 4 digit code card numbers which i have never used
    they transfer the money over the next two days, not when i am logged in

    just to add i foolishly gave the two 4 digit code card numbers on the 12/2/12 the money was transferred on the 13th and again on the 14th


  • Registered Users, Registered Users 2 Posts: 1,931 ✭✭✭Zab


    You're misunderstanding what bk is saying Frank. An example timeline of how this works would be:

    You go to the "AIB" website and enter your account number and PAC
    The attacker (very quickly, a computer not a person) logs into the real AIB site with your details and starts to do an international transfer. AIB asks the attacker for codes 7 and 42.
    The "AIB" site then asks you for the same two codes (7 and 42). This could happen right after you log in.

    The idea is that you aren't asked for the two codes until the attacker is already in the middle of creating the transfer, and thus knows which codes to ask for.

    With respect to your edit at the end, I believe you can set up a payee with two codes (in real-time as above) and then you won't be asked for the codes again.
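
An added example, not part of any post in this thread and not AIB's code: bk's description of the card reader and Zab's timeline both turn on what the authorisation code is computed over. The sketch models the bank's check for a printed code card and for a reader that derives its code from payee and amount; the HMAC-based `reader_code`, the class names and the payee strings are constructed assumptions, not the real reader algorithm.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    payee_account: str
    amount_cents: int


class CodeCardBank:
    """Printed code card: 100 static 4-digit codes, two positions challenged."""

    def __init__(self):
        self.card = {pos: f"{secrets.randbelow(10_000):04d}" for pos in range(1, 101)}

    def challenge(self):
        # Two distinct positions out of 100, chosen per transaction.
        return tuple(secrets.SystemRandom().sample(range(1, 101), 2))

    def authorise(self, pending: Transfer, positions, answers) -> bool:
        # `pending` never enters the comparison: a correct answer approves
        # whatever transfer the logged-in session currently holds.
        if len(answers) != len(positions):
            return False
        expected = [self.card[p] for p in positions]
        return all(hmac.compare_digest(e, a) for e, a in zip(expected, answers))


def reader_code(card_key: bytes, transfer: Transfer) -> str:
    """Hypothetical reader: 8-digit code computed over payee and amount.

    Assumption: truncated HMAC-SHA256 stands in for the card's cryptogram.
    """
    msg = f"{transfer.payee_account}|{transfer.amount_cents}".encode()
    digest = hmac.new(card_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class ReaderBank:
    """Bank side of the reader scheme; the key is shared with the customer's card."""

    def __init__(self):
        self.card_key = secrets.token_bytes(32)

    def authorise(self, pending: Transfer, code: str) -> bool:
        # The bank recomputes the code over the transfer it is about to
        # execute, so a code made for one payee does not fit another.
        return hmac.compare_digest(reader_code(self.card_key, pending), code)


def run_scenario():
    # Constructed sample data: what the customer means to do, and a different
    # transfer that the session is actually holding.
    intended = Transfer("CONSTRUCTED-OWN-PAYEE", 2_000)
    substituted = Transfer("CONSTRUCTED-OTHER-PAYEE", 250_000)

    code_card_bank = CodeCardBank()
    positions = code_card_bank.challenge()
    # The customer reads the challenged positions off the card. Nothing in
    # the answer says which transfer it is meant to approve.
    answers = [code_card_bank.card[p] for p in positions]

    reader_bank = ReaderBank()
    # The customer keys the payee and amount they intend into the reader.
    code = reader_code(reader_bank.card_key, intended)

    return {
        "code_card_approves_substituted":
            code_card_bank.authorise(substituted, positions, answers),
        "reader_approves_substituted":
            reader_bank.authorise(substituted, code),
        "reader_approves_intended":
            reader_bank.authorise(intended, code),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The reader scheme only helps if the customer checks the payee and amount they key into the device, which is the point of the "REF" labelling criticism Zab raises about the paper bk linked.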

