Limbo Dancing in the House of Lords

The UK's House of Lords is calling on the government to make banks legally responsible for losses incurred by customers through electronic fraud (https://www.finextra.com/fullstory.asp?id=18699). That's because today's banking code leaves responsibility on consumers.

In practice the banks do not typically use the code to that effect, and refund fraudulent transactions that manage to pass through their ever-improving defence network. The day a major bank tells its online customers it won't offer them a guarantee against fraud is the day people will start abandoning the online banking channel, preferring the good old phone and branch venues. Online banking will go down the drain.

But even though the practice is different, the current banking code is still putting the responsibility on the user's shoulders. In my mind, it's tasking the consumer with an impossible mission.  

I'll give you an analogy. Suppose the National Health Service Code said that people should take steps to protect themselves against contagious diseases, and if they happen to catch a virus, then it's their responsibility. They weren't careful enough, so they have to pay the bill.

It sounds mad, right? But that's exactly like expecting the average consumer to protect himself from malicious Trojan viruses and other malware.   

That's because today, almost everyone can be infected, and worse – they won't even realise that until their bank account is emptied.

I promised to dedicate a future blog to infection points. Take my word for it – even if you have the latest antivirus and firewall, you may still get infected, and not just in Internet cafés but also in the safety of your home. Trojans are built these days to escape AV detection, very much like stealth planes.

So let's just assume you got infected despite having the latest firewall and AV protection. Would you be able to spot the malicious Trojan?

I'm willing to bet that 95% of people won’t. And to strengthen this claim, I'd like you to meet Limbo.  

Limbo sells for $350 in select fraud forums. It's been around for a couple of years, and by now has been outperformed by even nastier, more popular malware. But even Limbo will fool everyone infected with it into thinking it does not exist.

As soon as your computer is infected by Limbo, it starts tracing your web activities and when you enter an online banking site, it silently rubs its tiny hands and gets to work.  

Limbo lives in your browser. To be more exact, it's in the twilight zone between the display layer that is presented to you, and the communication layer that gets the information from your bank.

This allows Limbo to ride the SSL session of the browser, so when you look at the URL, you'll see your regular bank website address. No funny URL, mis-spelling or anything else that can raise suspicion.   

Press the yellow lock on your browser, and you'll see the bank's certificate. Use the latest anti-fraud features of your browser, and it will show calming green.

That's because it's really the session you have with the bank.  

But whatever the bank sends to your browser is now intercepted by Limbo, and when the page is presented to you, it looks different. This HTML injection technique allows Limbo to present whatever devious social engineering its controller wants you to see.

So if you log in via user name and password, Limbo can just leave that on screen, grab that information and send it to the Trojan operator. It can also add some other innocent fields – like your ATM card number and PIN code – that will now look like part of the official login process.
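A defender's view of the injection described above, as an added example that is not part of the original post: it compares the input fields in the login page as the bank served it with the fields in the page as rendered, and reports any that were added or removed. The field names and both HTML samples are constructed for illustration.

```javascript
// Added example: spot form fields that exist in the rendered login page
// but were never sent by the bank's server.

// Return the name attribute of every <input> element in an HTML string.
// Attributes are tokenised one by one so quoted values are skipped whole.
function inputNames(html) {
  const names = [];
  const attrRe = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const tag of html.matchAll(/<input\b([^>]*)>/gi)) {
    let name = "(unnamed)";
    for (const a of tag[1].matchAll(attrRe)) {
      if (a[1].toLowerCase() === "name") name = a[2] ?? a[3] ?? a[4] ?? "";
    }
    names.push(name);
  }
  return names;
}

// Fields only in the rendered page are "injected"; fields the server
// sent that no longer appear are "removed".
function diffLoginForm(servedHtml, renderedHtml) {
  const served = new Set(inputNames(servedHtml));
  const rendered = new Set(inputNames(renderedHtml));
  return {
    injected: [...rendered].filter((n) => !served.has(n)).sort(),
    removed: [...served].filter((n) => !rendered.has(n)).sort(),
  };
}

// Constructed sample: the login form as the bank's server sends it.
const servedLogin = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
</form>`;

// Constructed sample: the same form after two extra fields were added
// inside the browser, as the post describes.
const renderedLogin = `
<form action="/login" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="text" name="atm_card_number" placeholder="card name = ?">
  <input type="password" name="atm_pin" />
</form>`;

console.log(diffLoginForm(servedLogin, renderedLogin));
```

Where the rendered HTML is collected from is left open here; a check that runs inside the infected browser can itself be tampered with.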

These may raise some suspicion, but here's the thing with social engineering: once you're convinced you are communicating with the bank, you'll do anything the bank asks you in order to authenticate. And Limbo does not for a moment give you any hints you're talking to a Man in the Middle, and not directly with your bank.  

If you have a more sophisticated login process, such as a one-time access code, Limbo can accommodate that as well by making the appropriate changes on the screen. Theoretically it can defeat even transaction signing (but this requires an immediate generation of a transaction to a mule account, and that's difficult to do from an operational perspective).

Trojans such as Limbo also have other fascinating features. My favourite is deleting all your cookies. That's to make sure that whenever you enter a site – say, your free email account or your Facebook – you'll need to re-enter the password, which Limbo will dutifully send to its remote master. Other features include shutting down your firewall (oops!) leaving your computer open to other useful thingies.  

The bottom line is this. The average user cannot be educated to follow this moving target called online fraud. Even if he or she could, today's malware makes sure he or she won't suspect a thing, and may be infected even with the latest endpoint protection.

Which means the House of Lords is absolutely right in saying that users cannot be responsible for protecting themselves. Not anymore.  

External

This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
