A few weeks ago, I was helping a friend shop for a used car. When my friend started asking questions about how to pay, they said they preferred a cashier's check, but if it was on the weekend and you couldn't get one, they would take a personal check if they could verify that your account had the funds to cover the check. The remainder of the conversation went something like this:
Me: So how do you verify?

At this point, I'm already shocked, but then it gets worse:

Salesman: Oh - we can just verify it online?
Me: Wow! What service do you use to verify it? [I was shocked such a service might exist.]
Salesman: Oh - there's no service - you verify it for us.
Me: So how do you handle that?
Salesman: We just ask you to sign into your bank account and show us the balance.
Me: So how many people refuse to do that for you? I mean, people turn you down on that offer, right?
Salesman: As long as I've worked here, I don't remember it happening once.

So, to buy a car on the weekend or after 3pm, I'm supposed to log in to my bank account from a public computer with at least one complete stranger watching over my shoulder, and probably with cameras all over the place?
There were a couple of attack vectors from this:
- If the computer they want you to do this from is a "shared" computer - i.e., one somewhere central - not the salesperson's computer, walk in pretending to want to buy a car. At home, you set up your fictitious bank account and mention to the salesperson that they require uber-security - so you have to plug in your thumbdrive as another verification factor (or you're uber-paranoid and don't know your own password and put it on a password safe - they evidently don't know that the uber-paranoid wouldn't put their password safe on an untrusted computer anyhow, so it'd fly). Thumbdrive has the keylogger, and you just have it phone home. Since this machine is the only one used for verifying account balances, you'd get a pretty good frequency - particularly on weekends.
- If you're asked to sign in from the salesperson's computer, you just find out the email address policy - how do they construct their addresses. Get as many business cards as you can while you're there, call numerous times getting a different employee name each time you call, divide it up - do you need service? Or to buy a car? Or just general information? You'll probably get a different name each time, assuming the place is big enough. Then email every address you got, include your trojan there. Any place that asks customers to sign onto their bank account on a public computer probably would never know you installed a trojan.