PDA

View Full Version : Internet banking warning..


1DC
15th Dec 2006, 09:51
Mrs. 1DC got a call from her bank last night, apparantly someone from abroad has been looking at her account since October. Nothing has been taken but she has had to close everything down. She will be able to go back to internet banking when she wants but the warning is this.. The bank say that these people got into the bank via her favourites list and have advised us never to put any details of web sites we may use for money transactions in our favourites. Whenever she accessed the bank via her favourites she still had to put access codes and passwords in but somehow the other people were able to find their way into the account..

GANNET FAN
15th Dec 2006, 11:03
Right, mine comes of the Favourites right now!

haughtney1
15th Dec 2006, 12:00
Also make sure you have up to date anti-virus software, one of the most common virus's is a malware/spyware key stroke log programme.

essentially it logs all the key strokes you make and send them to the virus's controller, and hey presto..they know your passwords!

Grainger
15th Dec 2006, 12:04
Hate to say this, but . . . she was careful to confirm the identity of the caller and make sure they were actually calling from the bank, wasn't she ?

mary_hinge
15th Dec 2006, 12:16
Also make sure you have up to date anti-virus software, one of the most common virus's is a malware/spyware key stroke log programme.
essentially it logs all the key strokes you make and send them to the virus's controller, and hey presto..they know your passwords!

I'm now in the habit of typing in half my user name, then some of the password, then back to the top line etc before logging in, in the hope that it will confuse. The biggest concern though is the Eastern call centres where it is known that details are being sold:eek:

http://www.theregister.co.uk/2006/10/10/data_centre_probe_announced/

Ozzy
15th Dec 2006, 13:43
and just how did they get access to her Favorites list? It's local to the browser on her machine. Sounds bogus to me.

Ozzy

MyData
15th Dec 2006, 13:56
someone from abroad has been looking at her account since October.

Why would they just be 'looking'? To have got access to the account one would expect it to be cleared out asap. Did they actually get access, or were they using a username and trying password combinations?

This has been ongoing since October? Seems like a very long time for something to have been going on, but no actual theft.

Did they give any indication of which country was the source?

got into the bank via her favourites list and have advised us never to put any details of web sites we may use for money transactions in our favourites.

Sounds like bizarre advice. Internet banks are, by definition, publically available. There is no technical difference from using a favourite link and typing in www.mybank.com. So that is duff information. Even if favourite links were siphoned from your machine the criminal might get to know which bank you use. Big deal, it wouldn't take long to guess it in most cases.

Indeed, one might argue that using a favourite link is *safer* because you don't type in the URL of your bank so keyboard loggers wouldn't get to see the details. However if I was a self respecting logger writer I'd also sniff your HTTP packets and get to see your bank URL quite easily.

What you might want to do is carefully check the URL mapped to the favourite. Perhaps an e-mail virus ran a script to subvert the URL and point you to an imposter site which has harvested the log in details.

Always check that the URL is what you expect it to be, and also that when entering password details that it begins with https and that the little padlock is visible.

419
15th Dec 2006, 14:07
I'd also sniff your HTTP packets

I don't have a clue what that means, but it certainly sounds a bit kinky:uhoh:

frostbite
15th Dec 2006, 14:42
Sounds most odd to me.

Is she certain it was actually her bank that called?

Hopefully she didn't divulge any PIN or password info..

1DC
15th Dec 2006, 15:34
Definitely the bank that called, she confirmed her security checks as required.When she went into the bank the next day the teller new about it from notes on her account. The teller also warned her against using favourites.
I don't know how it happened i'm not smart enough to understand the workings of the internet, bit too long in the tooth now.The call from the bank is definitely genuine..

Chimbu chuckles
15th Dec 2006, 15:57
My bank, HSBC, issued me with a small electronic device that gives up 'random' 6 letter code I must use each time I log in..in addition to my own user name and password...without it even I can't access my internet banking. Clearly it is not truly random as the little device is logged to me and must only have x number of combinations and only those combinations will work.

Further to that if I wish to use my credit card online I am directed to a HSBC confirmation site which asks me very specific security questions before authorising the payment.

All of course set up in person at the bank.

I guess that is how the bank can be absolutely certain of the security of their service. I feel pretty comfortable about it.

Grainger
15th Dec 2006, 15:57
What you might want to do is carefully check the URL mapped to the favourite. Perhaps an e-mail virus ran a script to subvert the URL and point you to an imposter site which has harvested the log in details.Definitely sounds plausible. Always, always check the actual URL.

Since you mention "Favourites", does this mean you are using Internet Explorer :yuk: ? Might be a good time to consider changing to Firefox.

MyData
15th Dec 2006, 16:56
Chimbu

The token based approach you refer to will probably become more prevalent in the foreseeable, at the moment the issue is one of cost and banks are loath to spend money on this for the masses. Or they could charge customers, but then a customer might ask: "You want me to pay for a more secure service?" "Yes" "Does that mean that the current service is vulnerable?"

Answer: "Yes" - customer leaves and goes elsewhere
Answer: "No" - customer doesn't pay for the token


It will be interesting to see what happens in a few months time (November 2007) when faster payments is launched

http://www.oft.gov.uk/News/Press+releases/2005/94-05.htm

Recall how people complain when cheque clearing and inter-bank transfers take too long? And the greedy banks skim the interest when the funds are 'in limbo'. No longer. When you push the button the transaction will happen asap. Your bank account could be cleared out in seconds!

Join all this up with the Single Euro Payments Area which is due to go live in 2010...

http://www.ecb.int/paym/pol/sepa/html/index.en.html

...and your cash will be whisked off to deepest Eastern Europe (or any other EU state for that matter) just like that! Actually I think this is only for the Euro zone to start with, but the UK financial services will want to get involved so that they can expand out into Europe.

One expects that the organised criminals are already looking at ways to exploit these systems. They do it today with 'instant' global credit card transactions, no reason to think that mundane account transactions will be spared their interest...

arcniz
16th Dec 2006, 20:05
Electronic fraud has become quite industrialised in recent years, so the strategies employed are often more sophisticated than the simple grab & run approach of small-time individuals.

Message and transaction tracing methods permit location of online crooks, followed by freezes on their accounts - if someone with the skills and resources to do tracing can find time to do the work. Tracing takes some of the fun out of slow-bleed style embezzlement, because the various trails eventually will point to an identifiable individual or group.

Being caught is far less likely with a single quick hit. The scaled-up version of SQH requires preparing an advance list of prospective targets that have been penetrated, security-wise, but not otherwise tampered with. Then, one sunny day in Zuzustan, a flurry of fund transfer messages goes out from a single point through relay stations to tap many unrelated accounts for sums that will be cumulatively significant but individually unremarkable. Within a few days the stolen funds are received and retransferred multiple times to leave a difficult trail, and the whole 'project' winds up for good, leaving a dead-end and cold ashes for tracers to eventually uncover.

HOGE
16th Dec 2006, 20:51
<<<< Definitely the bank that called, she confirmed her security checks as required >>>>

<<<<Who confirmed what? She answered basic security questions or verified that it was the bank calling? If it was the first, I would be very worried!>>>>

I was called by a credit card company the other day, who asked me to answer a few security questions. When I pointed out to them that they were the ones who called me, and therefore should prove who they were, they were flummoxed to say the least, and the call ended soon afterwards. One way of fobbing off cold calling anyway!

Rollingthunder
16th Dec 2006, 20:57
Bin divers have been observed here going though every scrap of paper in the bins.....to the point that the city has issued a bylaw requiring all bins to be locked.

stagger
16th Dec 2006, 23:43
Definitely the bank that called, she confirmed her security checks as required.

How did the bank prove they were the bank when they called? Her confirming the security checks proves who she is but not the other way around.

I have to say I'd be a lot more worried about this phone call than any possible exploit involving your "favourites" list.

The warning sounds bogus - as has been pointed out - anyone who has been "looking" at your account would have been able to move money and presumably would have done so already.