
Comment There's not many solutions to this problem... (Score 1) 113

Yes, this does happen. They don't even need to install a trojan on your computer; they do it with phishing pages which have a Jabber instant messenger client which instantly relays the OTP (one-time password) to a server, which does an immediate backconnect to the bank etc. and logs in. The other way they are bypassing these devices is through a trojan on the computer which hijacks the browser: MITB, man-in-the-browser. The OTP security token method is pretty much useless actually, not really protecting against much at all which isn't already covered by SSL. The problem with the OTP devices is they are only one-way authentication. The MITB attacks defeat just about everything else available, even recently the active mutual authentication electronic tokens. About the only online authentication method which isn't vulnerable is the PassWindow cards, as they are the only online authentication I know of capable of passive mutual authentication. (Active means a human has to do something and then gets tricked by the trojan in the browser; passive is where you just view and don't do anything except enter the password.) http://en.wikipedia.org/wiki/Mutual_authentication

Comment Side-channel attack proof? (Score 1) 200

I'd be interested to know what crypto, if any, they are using in the cards. I'd also like to see them run through these side-channel "analysis" kits I saw a very good demonstration of recently, http://www.riscure.com/inspector/product-description/inspector-sca.html, which include modules for 3-DES, AES, RSA and ECC and are able to determine the secret keys or ID right off smartcards without damaging them. To my mind the writing is on the wall for smart card technology, and in 5-10 years these "analysis" kits will be as small, fast, convenient and cheap as the magnetic stripe reader/writers are today.

Comment Odesk isn't bad either (Score 1) 735

I can't believe these sites didn't get immediately mentioned; everyone I know goes to them to get programs written and has done for years now. There's loads of great programmers sitting around with nothing to do in xyz country who will do code at a fraction of the price it would cost me to do it.
Security Expert Warns of Android Browser Flaw 98

justice4all writes "Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. 'While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,' Cannon wrote. 'It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.'" Sophos's Chester Wisniewski adds commentary on how this situation is one of the downsides to Android's increasing fragmentation in the mobile marketplace.

Comment Albert Gonzalez (Score 1) 484

While he didn't come to them squeaky clean, he did become from their point of view "one of the good guys", working alongside NSA agents, giving talks at their conferences etc., all the while in his spare time ripping off millions of credit card numbers, even using some of the government servers in the attacks. The Gonzalez trial is such a public spectacle I can't help but think that might have influenced their attitude.

Comment Good study, would have preferred a more diverse (Score 1) 105

Interesting study; however, it needed a more diverse range of sample testers, all of whom were early-twenties volunteer university graduates. I only bring this up because I see very different responses to CAPTCHAs. The response and attitude towards CAPTCHAs from young university people hanging around the IT labs where this was most likely advertised will be far, far different to the average online citizen. I'm not sure how accurate this is, but out in the non-IT section of society CAPTCHAs are loathed and hated beyond belief, and the failure rates sound spectacular too. Full credit for the new variations on the old warped-text CAPTCHAs, but I hazard a guess that those bizarre mental challenges are not going to fly with your average Joe. In fact it's amazing that CAPTCHAs have entered the mainstream at all. I'm sure the study was limited by money and time, but I look forward to a more mainstream, diverse study.

Comment Re:Primer on how to get caught. (Score 2, Interesting) 66

Many ZeuS packages have an option to remove the outgoing transactions from the user's browser as part of the MITB package; this includes changing the balance total to what it was before the outgoing transactions were made, so the user won't know until a paper statement turns up, if one ever does, as many banks are ditching paper statements in favor of browser-based ones. And since they are now using the same trojan tactics on users' mobiles to defeat mobile SMS authentication, I am sure you will see a ZeuS mobile trojan upgrade to divert any calls made to the bank's hotline number to an even more "helpful" team who will probably need even more user information: "to get to the bottom of this please give us your..." /s

Comment Possible online fraud attack with virtual numbers? (Score 1) 242

I am curious: some people above have mentioned that their online bank account allows them to instantly generate virtual credit card numbers. I am wondering whether, with trojans like ZeuS etc. which actively go after online accounts, instead of the trojan trying to authenticate an outgoing transfer to a local mule account they could be (or are) switching tactics and going after these virtual-number-generating bank accounts, and then sucking the money out of the accounts from anywhere through the virtual card number charges. I know with the existing schemes they have to bounce the outgoing cash off a local mule and pay him 10% before sending it out overseas, but a credit card transaction would rarely be flagged as fraudulent, and if the trojan owns the browser like ZeuS does, the account holder wouldn't even know their account was being drained. Can anyone explain why this isn't feasible? I'd like some of the above-mentioned account holders to explain what authentication is required by the bank websites to generate the card numbers.

Comment Re:Nice responses to the original article (Score 1) 144

Interesting; no doubt there will be more of that type of fraud in the future. So what exactly was in the boxes? Fake credit cards? Sorry, I'm a little confused about the CD-RW drives. I work in fraud prevention, and after my last post here, sure enough, I had a report of exactly what I described. Some African guy in Italy sending out paper letters around the world simply asking for cash. "To the responsible, Honest, humble, handicapped italian man. Financially needy. Open to any proposal, Western union or credit card. Blah Blah.. Thanks.." So yeah, they went ahead and did it, cut out all the complexity and just went straight for the money; I guess they did drop in the handicapped angle for sympathy. If I thought I would get a straight answer I'd almost pay just to know what his ROI is.

Comment Re:Nice responses to the original article (Score 1) 144

You're right, someone could ask for the person to mail their card, and they would also need to include their online username and password, but for my liking this is getting too close to a rubber-hose attack. It would only take one of the billion people who get such a letter to report the physical address to police and the whole scam goes down, and also the attacker must start physically injecting himself into the scam, which generally isn't the reason they got into online fraud in the first place.

Still, it's an interesting point. I have often wondered, if you sent out a billion letters just saying "Hello, please send me your money. Signed, Matt", what sort of return on investment you would get.

Comment Re:Nice responses to the original article (Score 1) 144

Don't forget me with my PassWindow :)
*Works on any device irrespective of OS or software.
*Doesn't matter if a trojan or malware is present on the device; it assumes malware is present.
*Costs practically nothing to implement.
*Not vulnerable to phone-based extensions of the above attack where users are called and socially engineered out of their authentication keys.

Comment Re:PassWindow could have prevented this (Score 1) 144

Yes, when the whitepaper was done and PassWindow was initially featured on Slashdot it was a static challenge with several digits in the static challenge; these were interceptable in, say, 30 interceptions, so a month or two's worth of normal use. However, since then we've had some major breakthroughs beyond just switching to the purely animated cyclical method; we've been able to easily achieve interception rates of 10K plus with very little usability obfuscation. A side benefit of this new method is that the analysis doesn't actually give the attacker a clear probabilistic determination at, say, 80% of the necessary number of interceptions; actually it's only in the last few interceptions that it all falls into place for the attacker, so a guess at 80% isn't knowing 80% of the key pattern. Of course, since the whole key process has been pre-analyzed, it's managed, and a new card can be issued before it gets anywhere near the number of authentications which might compromise the key pattern. Once you start talking thousands of interceptions required from a normal user, even if they authenticate every single day of the year and the attacker is prepared to analyze over a number of years, he still won't get anywhere near the numbers required, and the average membership card usually only has a few years of life in it anyway.

But beyond that, the EMV chip doesn't help online-based authentication, as was shown in the article; it's not even helping much of the ATM fraud it was designed for, where most ATMs in the world don't even check the EMV chip. The associated CAP readers, which use the digital key off an EMV chip for their online authentication, use the exact same method of authentication as provided in the article, and we can see that has failed.

Re: the telephoto lens attack etc., you are incorrect; it is not trivial to copy, as we simply tint the key pattern. In normal lighting conditions it appears black, but screens are quite bright and still allow the user to see quite clearly. This is without even going into transflective laminates etc.; really the only way would be with a rubber hose or physical interception, and there EMV will fail too. A piece of transparent plastic card costs less than a few cents, so if a bank was really paranoid about their users waving their credit cards around in public they could easily issue a separate card. A digital version could also be constructed; however, the costs outweigh the benefits.

Comment Re:PassWindow could have prevented this (Score 2, Informative) 144

There is no simulation; it is a real airgap. The PassWindow is just printed onto an ordinary piece of plastic card, just like any barcode. There are no electronics, software or hardware. The challenge is just an animated GIF, so it works on any device regardless of the situation. The transaction information is encoded into the GIF, so the trojan only has one avenue of attack, which is a long-term statistical analysis, but we assume every terminal is already compromised like this, so we do our own analysis at key generation and determine exactly how many interceptions would be required by the theoretical trojan. With some simple tweaks we can get 10K+ interception rates, so it would take decades of normal user interceptions to get enough data to analyse. Of course the server issues a new card to a user if their use rate goes anywhere near the interception rate. In short, you end up with semi-passive transaction verification, so the user can't be tricked into entering the mule account details because it's all done server-side. It's also much easier to use; the devices from the article are a major pain and take forever to use.
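An added example, not code from the original comments and not PassWindow's own method, illustrating the distinction drawn in the OTP-relay comment at the top of this page and in the transaction-verification comment above: a plain one-way OTP, relayed in real time by a phishing page or a man-in-the-browser trojan, authorises whatever transaction the attacker substitutes, whereas a code that is a MAC over the transaction details the user actually sees does not. The HOTP routine follows RFC 4226 (its test-vector key is used as the shared secret); the transaction-bound variant, the Bank class and the account strings are constructed for this illustration.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test-vector key "12345678901234567890", used here as a
# constructed shared secret between bank and token. A real deployment holds a
# per-user random key on the token and in the bank's HSM.
SHARED_SECRET = b"12345678901234567890"


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation: take 31 bits at the offset given by the low nibble of the last byte."""
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-way event-based OTP (RFC 4226). Depends only on key and counter,
    so it says nothing about *which* transaction is being approved."""
    msg = struct.pack(">Q", counter)
    return _truncate(hmac.new(secret, msg, hashlib.sha1).digest(), digits)


def transaction_code(secret: bytes, counter: int, amount_cents: int,
                     dest_account: str, digits: int = 6) -> str:
    """Constructed transaction-bound code: the MAC covers the counter plus the
    amount and destination shown to the user, so a substituted transaction
    verifies against a different message and fails."""
    msg = (struct.pack(">Q", counter)
           + struct.pack(">Q", amount_cents)
           + dest_account.encode("utf-8"))
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest(), digits)


class Bank:
    """Minimal constructed bank back end: verifies a code against the
    transaction it actually received, not the one the user thought they sent."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.counter = 0
        self.ledger: list[tuple[int, str]] = []

    def submit_plain(self, amount_cents: int, dest_account: str, otp: str) -> bool:
        if not hmac.compare_digest(otp, hotp(self.secret, self.counter)):
            return False
        self.counter += 1
        self.ledger.append((amount_cents, dest_account))
        return True

    def submit_bound(self, amount_cents: int, dest_account: str, code: str) -> bool:
        expected = transaction_code(self.secret, self.counter, amount_cents, dest_account)
        if not hmac.compare_digest(code, expected):
            return False
        self.counter += 1
        self.ledger.append((amount_cents, dest_account))
        return True


def run_scenario(bound: bool, tamper: bool) -> bool:
    """Victim authorises `intended`; with tamper=True the phishing page or MITB
    trojan relays the victim's code but submits `substituted` instead.
    Returns whether the bank accepted the submitted transaction."""
    bank = Bank(SHARED_SECRET)
    intended = (5000, "GB00-VICTIM-LANDLORD")          # 50.00 to the real payee
    substituted = (5000000, "GB00-ATTACKER-MULE")      # 50,000.00 to a mule
    submitted = substituted if tamper else intended

    if bound:
        # The token MACs what the victim sees; the bank checks what it received.
        code = transaction_code(SHARED_SECRET, bank.counter, *intended)
        return bank.submit_bound(*submitted, code)

    # Plain OTP: the same six digits are valid for any transaction this counter.
    code = hotp(SHARED_SECRET, bank.counter)
    return bank.submit_plain(*submitted, code)


if __name__ == "__main__":
    print("plain OTP, relayed and substituted :", run_scenario(bound=False, tamper=True))
    print("bound code, relayed and substituted:", run_scenario(bound=True, tamper=True))
    print("bound code, honest transaction     :", run_scenario(bound=True, tamper=False))
```

The binding only helps if the user can see the amount and destination that went into the MAC on a channel the trojan does not control; that is the role the commenter assigns to encoding the transaction details into the challenge image, and it is also why a relay that simply captures whatever the user types is sufficient against an unbound OTP.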
