Thread Author: Mapmaker | Replies: 22 |
Internet banking security - Mapmaker |
Sparked by a comment by Zero on the MSE AV thread:

>> As they do if you can not prove the PC you use to access the account is suitably protected, and that includes a windows log on password

Seriously? To access my bank account (HSBC) I require:

1. An internet banking user id stored only in my head.
2. An internet banking answer to a self-chosen secret question, the answer to which is stored only in my head. My self-chosen secret question is "What is your secret question" and the answer is a mixture of letters and numbers (albeit non-random).
3. A passcode that is generated by a magic box device upon entry of a multi-digit number that is stored only in my head.
4. Moreover I always tick the "this is a shared computer" box - which means they accept a computer can be shared.

And you think they think that a windows log-on password (which Rattle could compromise in 30 seconds) adds a level of security?

The terms and conditions from HSBC state: "keep your personal computer secure by using anti-virus and anti-spyware software and a personal firewall." I presume MSE covers these things.

I would never access over a Wifi connection, as I don't understand the security well enough. And I haven't braved mobile banking, again because you can never be sure that you might not be accessing over Wifi.

Maybe I'm missing the point? |
Internet banking security - Fursty Ferret |
>> My self-chosen secret question is "What is your secret question"

Argh, the paradox! (But a brilliant idea - I shall be adopting it in future if only to confuse call centre drones).

I'm with you on this, Mapmaker. Basically, if someone has been close enough to your PC to get unrestricted access to a user account (password or no password) they'd be more than capable of installing a cheap 'n' simple USB keylogger, which makes the whole point moot. Besides, the answer to the bank when asked if you use a password is simply, "yes". :-)

My brother's Czech bank has an excellent approach to security. When logging in or making a transaction a one-time code is sent to his mobile as a text message. No faffing around with card readers.

Nationwide is the worst for this - I have no idea what my "secret data" is because I've forgotten it, but can still log in with the card reader. If I want to change any of it, I've got to deliberately lock myself out of the account and reset the internet banking by post. Inconvenient? Oh yes.

On the bright side, I now have a little flotilla of card readers from various high street banks which follow me everywhere. They're also a useful - and free - source of CR2032 batteries, especially so if you can get one from a bank that's not yours. |
Internet banking security - Crankcase |
>> >> My self-chosen secret question is "What is your secret question"
>>
>> Argh, the paradox! (But a brilliant idea - I shall be adopting it in future if only to confuse call centre drones).

You can also try setting your password to be the word "incorrect". That way, if you forget it, the screen will say "your password is incorrect", and there you go. |
Internet banking security - Cliff Pope |
>> >> My self-chosen secret question is "What is your secret question"
>> and the answer is ..........

"If this is the answer, what is the question?" |
Internet banking security - Zero |
> Maybe I'm missing the point?

You are indeed. Let us start from a different point than that you have chosen.

Firstly you have to understand how banks view IT security. Point 1 is that, at all times, they will insist till the cows come home that their systems are 100% secure. The whole premise of trust in using IT in banking transactions is based on that (flawed) concept. They will never admit, unless proven 100%, that they have been compromised through a failure on their part.

So this leads us into the consumer. Based on the premise above, any moneys taken from your account were taken by you, or due to your negligence. Every time, 100% guaranteed, without fail. Unless you can prove 100% otherwise - the onus being on you to provide the evidence. If you try and prove otherwise they have numerous technical ways to punch holes in your claim. One being the use of Trusteer. Everyone knows it's junk, and clogs things up, but they recommend using it; if you don't, and anything happens, it's your fault.

Now given this "it's your fault" standpoint you can see how they can and will use any failure on your part to deny your claim. They can, will and have included the failure to use AV on your PC. They can, will and have included the fact that the PC was not password protected. To be fair, that point is probably the only one they have a point with - and here is why.

You say:

>> Seriously? To access my bank account (HSBC) I require:
>> 1. An internet banking user id stored only in my head.
>> 2. An internet banking answer to a self-chosen secret question, the answer to which is stored only in my head. My self-chosen secret question is "What is your secret question" and the answer is a mixture of letters and numbers (albeit non-random).
>> 3. A passcode that is generated by a magic box device upon entry of a multi-digit number that is stored only in my head.

I say, all of those things need to be entered into your PC through an input device - your keyboard. Given 60 seconds access to your PC (at a party at your place say) with a USB stick, I can have every keystroke and web page contents recorded and sent to another PC of my choice far away from yours. You would never know it was happening. If I am clever I won't try and compromise your online banking account right away, I will wait and build up a foolproof picture of every response to every question. The rest, as they say, is history.

You say:

>> 4. Moreover I always tick the "this is a shared computer" box - which means they accept a computer can be shared.

Again you miss the point. The banks don't care that your account is compromised, they are quite happy for you to use it in a compromised state, they only care that you can be blamed. The very act of ticking this box means it's your fault, every time, 100%. Bank happy.

>> I would never access over a Wifi connection, as I don't understand the security well enough. And I haven't braved mobile banking, again because you can never be sure that you might not be accessing over Wifi. Maybe I'm missing the point?

Yes, big time, because ironically your wifi connection (if set up properly) is the most secure part of the whole chain. |
Internet banking security - Mapmaker |
Thank you for that.

>> If I am clever I won't try and compromise your online banking account right away, I will wait and build up a foolproof picture of every response to every question.

You can't get the response out of the magic box device though; that's different every time - according to some magic formula.

>> Yes big time, because ironically your wifi connection (if set up properly) is the most secure part of the whole chain.

More the thought that you might be accessing over a non-secure wifi connection. |
Internet banking security - Bromptonaut |
The one time my account was compromised Santander reinstated the loss without quibble. Money was moved from savings to current then transferred out to a Mr XXXX. Very cagey about telling me what happened but the suggestion was it might have been telephone banking. I haven't used that since internet banking became available although it was probably set up. Possibly an inside job and they knew it.

To log in I need an ID then two PIN numbers. While those could be compromised by keyloggers, any new or changed payee needs a One Time Passcode sent by SMS to my mobile. A pain if you're out of mobile coverage but otherwise it works well. Changing the registered mobile requires further security. |
Internet banking security - Dulwich Estate |
A family member had £1700 or so nicked from their HSBC account by internet fraud a couple of years ago. It was just before they introduced the little plastic keypad thingy. She noticed on a Friday and by Tuesday it had been refunded. No nasty / tricky questions, no hassling but nevertheless an anxious weekend. |
Internet banking security - Zero |
>> You can't get the response out of the magic box device though; that's different every time - according to some magic formula.

Ah, the little box that can be used to find the PIN number on someone's card you mean? I won't tell you how to do that, not on here. |
Internet banking security - Focusless |
www.theregister.co.uk/2009/02/26/bank_reader_insecurity/ |
Internet banking security - Mapmaker |
>> Ah the little box that can be used to find the pin number on someones card you mean? I won't tell you how to do that, not on here.

No, this is an HSBC box. Not a card reader. It's married to my account and I have to enter my secret code into it, and it churns out a magic number.

More seriously, I've downloaded Rapport as instructed. It's a blimmin nuisance as it has disabled the Snipping Tool, which is one of the best applications I have. Use it several times a day. |
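The "magic box" described in Mapmaker's two posts above (a PIN unlocks the device, which then shows a number that is different every time) is the shape of a standard one-time-passcode token. The following is an added example, not HSBC's Secure Key firmware or any bank's code: it models the device and the bank's verifier with the HOTP algorithm from RFC 4226 (HMAC-SHA1 over a counter, truncated to six digits), using the RFC's published test key as a constructed demo secret. The on-device PIN handling, the demo PIN and the look-ahead window size are assumptions for the illustration. The point it demonstrates is why a keylogger that captures the typed code gets nothing useful: the PIN never touches the PC keyboard, and a captured code is dead the moment the bank has consumed it.

```python
"""Illustrative OTP token and verifier (added example, modelled on RFC 4226 HOTP).

Not HSBC's or any bank's implementation.  The PIN gate, window size and the
demo secret/PIN are assumptions for the demonstration.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, 8-byte big-endian counter), dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Token:
    """The 'magic box': holds the shared secret and a counter and only emits a
    code after the PIN is keyed in on the device itself, so the PIN is never
    typed on the (possibly keylogged) PC."""

    def __init__(self, secret: bytes, pin: str) -> None:
        self._secret = secret
        self._pin = pin
        self._counter = 0
        self.pin_failures = 0

    def generate(self, pin_entered: str) -> Optional[str]:
        if not hmac.compare_digest(pin_entered, self._pin):
            self.pin_failures += 1
            return None                      # nothing to display, nothing to log
        code = hotp(self._secret, self._counter)
        self._counter += 1                   # every press moves the counter on
        return code


class BankServer:
    """Verifier: same secret, its own counter.  A code is accepted only if it
    matches one of the next `window` counters, and acceptance moves the
    counter past it, so the same code (and any older one) can never be replayed."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret = secret
        self._counter = 0
        self._window = window

    def verify(self, code: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), code):
                self._counter = c + 1        # consume this and all earlier codes
                return True
        return False


def replay_demo() -> Dict[str, bool]:
    """The scenario from the thread: a keylogger records the code the user
    typed.  What can the attacker do with it?"""
    secret = b"12345678901234567890"         # constructed: RFC 4226 test key
    token = Token(secret, pin="4711")        # constructed demo PIN
    bank = BankServer(secret)

    first = token.generate("4711")           # user keys PIN on the device, reads code
    results = {"first_login": bank.verify(first)}          # True
    results["replay_same_code"] = bank.verify(first)       # False: already consumed
    results["wrong_pin_gives_code"] = token.generate("0000") is not None  # False

    # A code generated but never submitted is still accepted inside the
    # look-ahead window, but everything older than it dies with it.
    skipped = token.generate("4711")
    used = token.generate("4711")
    results["drifted_code"] = bank.verify(used)            # True
    results["stale_skipped_code"] = bank.verify(skipped)   # False
    return results


if __name__ == "__main__":
    print(replay_demo())
```

Real deployments also rate-limit the PIN on the device and may use time rather than a counter, but the replay property is the same: what the keylogger sees is a value the bank will never accept twice.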
Internet banking security - Manatee |
Someone I know was recently scammed out of over £30,000 in a banking fraud. The gist was that he got a phone call supposedly about suspicious activity on his account and ultimately he gave them information that they were able to use to make online transfers from his account.

Now this bloke is not, as may be supposed, an idiot. Apart from being plausible, the scammers gained his confidence by actually giving him detailed information about Direct Debits on his account and other details that he would only have expected his bank to have, which persuaded him they were in fact the bank. He still has no idea how they would have such information unless they had seen his bank statements, which he categorically does not put in his dustbin.

Soon after the call, he looked at his account online and could actually see money going out, with transactions appearing one after another - all just below £300 which presumably is some sort of threshold for referral. While this was happening he rang the bank who blocked access to the account immediately. The big loss was because the scammers actually took a £30,000 loan which was available to him, with the money being transferred away immediately.

The bank has refunded all the money with surprisingly little discussion. He thinks they might actually have got quite a lot of it back, but that has not been disclosed, and wonders if they had actually had a security breach themselves. |
Internet banking security - No FM2R |
>> and ultimately he gave them information that they were able to use....

Never tell anybody anything. There is no conceivable benefit to you.

If your Bank / Credit Card / Other Financial Institution wishes to speak with you, then the proof/information should be the other way around. And it should be proof, not simply informed and convincing. |
Internet banking security - Crankcase |
Certainly I have over the last couple of days had fun 'n' games with my bank. My debit card got rejected. I rang the call centre and fell foul of the very first automated security check - entering my date of birth. It fell through to a real person.

After some discussion, it became obvious the only way I could progress was to pass the security check, for which he needed my postcode and date of birth. Delightfully, neither had been recorded correctly by the bank, although of course he couldn't tell me what HAD been recorded. So he couldn't talk to me in order to correct them, as they are the security questions...

His inspired solution was to send me a code to enable phone banking (which I don't want) but he would, of course, only send it to the address they had on file...

Went into the local branch today and they sorted it there and then. I can fully understand the hoops and appreciate their use but it was a bit of a chase me charlie for a few days.

Last edited by: Crankcase on Tue 8 Apr 14 at 15:18 |
Internet banking security - DP |
As well as a customer number and password, Lloyds Internet Banking then asks for three random characters from a longer passcode. This entire passcode is never asked for or entered at any point, and is chosen from drop-down boxes, leaving no keyboard traces.

I suppose it's conceivable that someone could use malware to have web page content forwarded over a period of time which would eventually build up a trace of the individual characters of the password and guess the content (or get lucky and be asked for the same character combination they saw before), but that's going to take quite a bit of time. They would also need to enter the ID and first password before getting to that point, and frequent logins and incorrect entry of the passcode characters do eventually lock the account completely (don't ask me how I know this) :-). My passcode is an entirely random sequence of letters and numbers that I wrote down, memorised and destroyed 30 mins later.

I just accept when dealing with financial transactions over the internet, that security isn't perfect. I've never had an issue with internet transactions (touching wood), but I have had cards cloned and fraudulently used after face to face transactions in a retailer on two separate occasions.

All you can do is use strong passwords (memorising random sequences is not that difficult), and take reasonable precautions with your PC in terms of frequent malware and virus scanning with up to date databases, not installing unknown software etc etc.

Last edited by: DP on Tue 8 Apr 14 at 16:00 |
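DP's post above describes a partial-passcode step ("give us characters 3, 7 and 9") and reasons about what page-scraping malware learns from watching it. The following is an added example, not Lloyds' code: it models the server side (random positions per login, lockout after a few wrong answers) and the attacker side (merging the (position, character) pairs seen across logins), and then measures the two things DP speculates about: how many observed logins it takes before every position is known, and the exact chance that the next fresh challenge happens to land only on positions already seen. The passcode length, challenge size, lockout threshold, alphabet and the sample passcode are all assumptions for the demonstration.

```python
"""Partial-passcode login vs. a page-scraping attacker (added example, not Lloyds' code).

Passcode length, challenge size (k), lockout threshold, alphabet and the
sample passcode below are assumptions for the demonstration.
"""
import math
import random
from typing import Dict, Iterable, List, Sequence, Tuple

Observation = Tuple[Sequence[int], str]   # (positions asked for, characters supplied)
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class PartialPasscodeVerifier:
    """Server side: picks k random positions per login and checks only those;
    locks the account after `max_failures` wrong answers."""

    def __init__(self, passcode: str, k: int = 3, max_failures: int = 3,
                 rng: random.Random = None) -> None:
        self._passcode = passcode
        self._k = k
        self._max_failures = max_failures
        self._rng = rng if rng is not None else random.Random()
        self.failures = 0
        self.locked = False

    def challenge(self) -> List[int]:
        return sorted(self._rng.sample(range(len(self._passcode)), self._k))

    def verify(self, positions: Sequence[int], answer: str) -> bool:
        if self.locked:
            return False
        ok = answer == "".join(self._passcode[p] for p in positions)
        if not ok:
            self.failures += 1
            if self.failures >= self._max_failures:
                self.locked = True
        return ok


def merge_observations(observations: Iterable[Observation]) -> Dict[int, str]:
    """Attacker side: each captured login reveals a few (position, char) pairs."""
    known: Dict[int, str] = {}
    for positions, answer in observations:
        for p, ch in zip(positions, answer):
            known[p] = ch
    return known


def can_answer(known: Dict[int, str], positions: Sequence[int]) -> bool:
    return all(p in known for p in positions)


def chance_next_challenge_answerable(known_count: int, length: int, k: int) -> float:
    """Exact probability that a fresh random k-position challenge uses only
    positions the attacker already knows: C(known, k) / C(length, k)."""
    if known_count < k:
        return 0.0
    return math.comb(known_count, k) / math.comb(length, k)


def logins_until_recovered(length: int, k: int, rng: random.Random) -> int:
    """Number of legitimate logins the attacker must watch before every
    position has been revealed, i.e. any future challenge is answerable."""
    passcode = "".join(rng.choice(ALPHABET) for _ in range(length))
    verifier = PartialPasscodeVerifier(passcode, k, rng=rng)
    observed: List[Observation] = []
    while True:
        positions = verifier.challenge()
        answer = "".join(passcode[p] for p in positions)   # the victim logs in
        observed.append((positions, answer))
        if len(merge_observations(observed)) == length:
            return len(observed)


def mean_logins_until_recovered(length: int, k: int, trials: int, seed: int = 0) -> float:
    rng = random.Random(seed)
    return sum(logins_until_recovered(length, k, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    # Constructed sample: a 10-character passcode and two captured logins.
    seen = [([0, 3, 6], "Q2P"), ([3, 5, 9], "293")]
    known = merge_observations(seen)
    print("known positions:", known)
    print("P(next challenge answerable):", chance_next_challenge_answerable(len(known), 10, 3))
    print("mean logins to full recovery (10 chars, 3 asked):",
          mean_logins_until_recovered(10, 3, trials=500))
```

The drop-down entry defeats a plain keystroke logger, but not malware that reads the page, which is the case DP is reasoning about; the simulation makes his "quite a bit of time" concrete for a given length and challenge size, and the lockout counter shows why blind guessing of unseen positions is a bad strategy for the attacker.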
Internet banking security - NortonES2 |
Password based on a foreign language helps. Ideally Sioux Indian, but I have to make do with a different system. |
Internet banking security - Manatee |
>> >> and ultimately he gave them information that they were able to use....
>>
>> Never tell anybody anything. There is no conceivable benefit to you.
>>
>> If your Bank / Credit Card / Other Financial Institution wishes to speak with you, then the proof/information should be the other way around. And it should be proof, not simply informed and convincing.

I imagine we have all had that conversation in which the bank rings you, then asks "Can you confirm your address?"

Me: "Yes, of course"

(Silence)

Bank: "Er, so what is your address? It's so we know we are speaking to the right person."

Me: "You asked me to confirm my address. You tell me what it is, and I'll confirm it. I know I'm the right person, but I don't know who you are".

and so on.

If at this point they were to tell you the details of the last two cheques paid and list the direct debits on your account, you might just start to trust them. Bad idea of course. |
Internet banking security - No FM2R |
I have no idea of the severity or veracity of this, seems apropos though. www.bbc.com/news/technology-26935905 |
Internet banking security - Bromptonaut |
>> I have no idea of the severity or veracity of this, seems apropos though.
>>
>> www.bbc.com/news/technology-26935905

Reported in this article too: www.bbc.co.uk/news/technology-26954540

Now it seems to me that tricks like that are far more lucrative for the crooks than fishing about for the odd old-timer still using XP. |
Internet banking security - Zero |
>> Now it seems to me that tricks like that are far more lucrative for the crooks than fishing about for odd old timer still using XP.

Alas that reveals your lack of appreciation of the issue. Odd old timer? Do you know how many XP licences are still in use globally? Do you know what percentage of the world's affected "zombie" PCs are running XP? Any idea how naturally insecure XP is compared to 7 or 8?

Any idea if the SSL problem has compromised anyone? Clue: there is the word "potential". |
Internet banking security - Mapmaker |
>> I imagine we have all had that conversation in which the bank rings you, then asks

Yes indeed I have. It's always the fraud department ringing of course. And then when they realise that you aren't going to give them any information they give you a telephone number to call back.

Me: "I don't recognise that number."
Them: "Well if you call it you'll speak to us."
Me: "I will only call the number on the back of my bank card."
Them: "OK. Ask to be put through to X at Y department."

So I do... and eventually a message is left for X as obviously they've taken on another call by this stage.

Me: "Thanks Jane, please send them an email to say to me 'Jane asked me to call you back' and I'll know that it's really from the bank."

So X calls back.

Them: "Can you confirm your address."
Me: "No, we've just had this conversation. Tell me the name of the person who told me to call you."
Them: "I can't do anything until you confirm your address."
Me: "This is really stupid isn't it. I called you and you didn't answer, and the person who did sent an email to you. And now I'm going to have to call back and we'll go round the same circle again."
Them: "I can't do anything until you confirm your address."
Me: "Oh go away and give me the number for your complaints department."

Alternatively.

Me: "I'm sitting in front of my computer now, and I am logged into online banking. A DD went out of my account yesterday for £101. Please tell me the pennies figure and then I'll know it's you."
Them: "I can't do anything until you confirm your address." |
Internet banking security - Slidingpillar |
If you think that's bad, you try being deaf! I had to visit the branch after they put a stop on my bank card after I made two fairly big transactions with it on successive days. I would have only made one transaction, but bumped into the anti-money laundering limit they impose. |