Having just returned home to UK from 3 weeks Dubai - Singapore flying, I was a little agitated to find that US$ 15,034 had been transfered out of my account via the Internet Banking facility. The funds were directed to an account in Dubai in the name of Mohammad Ayaz Khan. The police, the recipient bank and my bank, the HSBC were unable to take any action against the thieves. They had cleaned me out!

I was very lucky to happen to log on in time to have the fund transfer interrupted just before the last step in the process.
I was informed by the HSBC bank, during the attempts to recall the money from cyber-space, that having used a shared or public access computer, I had made myself liable for the loss and would be receiving no insurance or reimbursement from the bank.

I would like to warn other crews that the Atrium Internet cafe in Dubai is where my PIN was somehow obtained by these scum bags. Also, I would like to know if anyone has had a similar experience with Internet Banking. The bank proclaims "Worldwide Banking at your fingertips!" but I think they make a mockery of it by adding...only in a closed room on your own computer...... in the small print.

You silly boy! They way those bastards did it is so very simple. No hacking or special techinical skills. All they used was a "key logger" program. That is, a program that records all the keystrokes that a user types. This program can be found all over the net... just search "key logger". The program basically records the keystrokes into a text file. When the perpetrator sees you leaving the cafe, he hops onto the computer and has a look at that text file. If they see www.hsbc.com, then they know every keystroke after that is a gold mine... casue most likely the next few keystrokes is a username followed by a password.

My own bank offers an "enhanced security" mode which handles the session in a new window that is removed from memory after signout -- and they recommend it specifically for cybercafes. Otherwise the next user can retrieve all sorts of interesting banking details via the back button.

I don't know about Dubai, but if a key logger was installed in a cybercafe machine and used to record banking details in North America or Europe, the police and bank fraud investigators would have said cybercafe turned inside out in no time.

Dubai does bill itself an an international banking center; so there might be a possibility the authorities would take action.

Besides a key logger, it is also possible that your userid and password were caught by a video camera or shoulder surfing.

I would go back to the bank and have another go at them. My bank, First Direct, is a subsidary of HSBC and they state in their security guarantee on their web site
We guarantee if any money is taken from your account through a computer crime, we will repay it in full.



Just keep pushing them and good luck

Simple lesson here for all...
Do your banking business at the BANK.
Inconvenient, yes sometimes but then so is having your account cleaned out.

If you have to do confidential business (e.g. online banking) at an internet cafe or similar, a good tip to avoid keystroke logging is to open a text file.

When entering IDs, passwords etc., make a few keystrokes into the textfile, mixed in with a few into the browser where you really want them.

So, say your password is "qwerty1234", whilst typing you would type a few keys (in the middle) which the key logger would pick up, but the browser wouldn't.

Bold letters below into textfile, standard letters into browser password box; you type:-

"nhgqwepoirty09812gf34"

What you see above is what appears in the keylogger. They have no idea (since the logger logs keystrokes, not into which application they are made) what your password is, although they can see it under their noses.

Captain Stable, your method would work against a dumb key logger, but more sophisticated key loggers may be able to record mouse movements and changes in focus.

Like FDRs, some key loggers are more sophisticated than others.

And it's not only in Dubai (http://www.cio.uiuc.edu/security/keylogging.html)

Even some of the very basic and simple keyloggers have that facility, so Capt. Stable's tip won't work.
The one I've used not only logs the key strokes but logs the document or window they were used in if using multiple windows.
Its a very small download and totally free on the net.
Just beware when youre using a non secure computer.

Valuable and interesting posts and info.

What if after the cafe computer was used, I went to:

Tools/Internet Options/Clear History/Delete Files/Delete Cookies.

Would this make things more secure and would it "clear out" the keylogger?

Nope.

'Format C:' might work.... :D

Hobo:

No, it won't work cause the key logger saves the key strokes into a text file that is TOTALLY independent of the web browser. This file is stored at some location on the hard disk that no other program can find (except, of course, the key logger). Clearing the cache does not clear that text file since the browser does not even know of its existence. Also, formatting c: maybe work on some less sophisticated key loggers, but other actually have the ability to stream the text to another IP address or email. This means that whatever you type on the computer gets saved into a file and every five minutes or so, the program sends the text file to the thieve's computer or the thieve's email and this is repeated every five minutes.

A similar problem, when using an Internet cafe or indeed, anybody else's computer.

If you use, say WORD, to write a letter and then print it and copy the file off to diskette, you will leave a partial copy of the file on the machine.

This is because WORD opens temporaty files during the editing process and these are not always deleted automatically. Also, some folks do not check to see if the Auto-Save function is on, this can also leave part files behind. Mind that I say may as different versions do different things and the set up of the machine may also affect it.

A couple of years ago I was staying in the Hyatt in Jo'burg and used their biz facility to do e-mail and write some items. After I had deleted the Internet Cache and checked for stray copies of my documents (Simply using Windows Explorer) I found in the 'My Documents' a whole series of letters that had been written on that PC by a number of different people. One of them was by a company seeking govertment contracts and was addressed to the president of the country!! :)

Not for a moment do I say that the Hyatt were keeping copies of guest correspondence - Microsoft WORD was doing that automatically :rolleyes:

So, please check that you delete and files for WORD or EXCEL etc. One of the best ways is to ONLY use your own floppy disk. When you create the document, start the very first save on the floppy. Although temp files will still be created, WORD responds differently in my experience to documents on floppy disks.

Thanks for the informative feedback ppruners - I have written twice to the ME Bank, a subsid of Emirates Bank, detailing the recipient account and the crime.
The reply has twice been that they will not even investigate, to preserve their client's confidentiality, unless they are approached by the relevent authorities. My local police and the Jersey police refuse to record the crime as they don't want to get involved.

Being a computer goat, I will try JET II's suggestion of using a bank who will perhaps not turn their back in times of crisis.

HSBC's claim to provide "Worldwide banking at your fingertips" is a an empty one!

Now in Mojave and often on the road, going home to do banking is unacceptable. There must be a safe way by internet.

awakevortice, I also bank with the HSBC, this thread got me a tad worried, so I went and read the terms and policy of the HSBC'S internet banking facility.


"Security Assurance


Both you and HSBC play an important role in protecting against online fraud. You should be careful that your bank account details including your User ID and/or Password are not compromised by ensuring that you do not knowingly or accidentally share, provide or facilitate unauthorised use of it. Do not share your User ID and/or password or allow access or use of it by others. We endeavor to put in place high standards of security to protect your interests. If, in the unlikely event, unauthorised transactions have been conducted through your account through no fraud, fault or negligence on your part, we will see that you are covered for your direct loss up to the full amount of the unauthorised transaction. "
I guess that you need to get a definition of what constitutes negligence in this case.:(

When I am away from base I normally have my own PC with me but, for the occasions that I do not - I use Phone Banking.

It might be more expensive as you have to make the call but most bank's phone access are open 24 hours a day. I try and call when it is night time in the UK, so that I get through quickly! Then I speak directly with the agent, get asked security questions at random and so forth.

I have used First Direct for 12 years, as they had the only international solution (i.e. with Voice) before the Web came along. I also use LLoyds TSB.

With international callingn cards, the cost is not too bad and is secure, not least as your call is tape recorded by the bank!

I am surprised that HSBC has failed to involve the police where the transaction originated. If your branch manager and possibly their ombudsman/ customer advocate if any are failing to respond constructively, I would start looking for a friendly local reporter -- phone ther news desk of your local papers/TV outlets. You may be pleasantly surprised once said reporter starts phoning head office.

Or find a junkyard dog tort lawyer with a flair for publicity, but he will likely take 30%.

This key logger doesn't help if your internet banking-system uses special key number list. So everytime you log again the password or pin code has changed and only you have the list of these. At least here in the north-east corner of Europe.

Just out of curiosity I would be interested to know what one or two of you think of the way my bank works when using online banking. Its probably similar to ASW24's way of doing it.


You don't actually key in your whole password and pin number it simply asks you for example to input the third,first and fourth number of your pin and then the eighth, sixth and second number of your password. I'm assuming this is safer as you also have to log in using a code number before you get to this stage and you never actually input the whole of your password or pin number. You need a memory like an elephant to remember the numbers.

This appears to me to be a very good way of dodging this issue of key loggers.

What does everyone thing and can you see a chink in this armour

Ditto mainfrog and ASW. The only cock-ups I have had with internet banking were the bank's own mistakes - setting up standing orders with organisations I had never heard of! No money actually left my account, though.

Although these security measures appear to work well, my only misgiving is that the log-in process now involves so many letters and/or numbers that you are forced to write them down somewhere!!

Ho hum....

Get your very own Laptop/Notebook computer and make banking transactions in your hotel room. All the big hotels have dataports beside the phone. That way nobody gets to "check your keystrokes."
You can afford one, can't you? :confused:

The 'dash-list' is similar to the first on-line banking that I used, which was in Germany. At the time, I thought the they were being OTT but when I got back to the UK and started on-line banking here - I realised that the Germans had it right!

I have my business account with Lloyds TSB and, for convenience a personal one as well. When I log in, the one log in will give access to both accounts. :eek:

Whilst this may be convenient it is poor security. As far as I can tell, I cannot have two separate IDs. Further, they use the full password everytime so a key-logger would work. Consequently, I cannot use these accounts from anything other than my own computer.

I think that Bugbear should be classed as High Risk, given the way that it has spread and what it can do. I have had two attempts from it this week but Norton has trapped them both within one second of their arriving on my machine. :cool:

ps Make that three attempts :rolleyes:
But the interesting thing was seeing the name of the person who got infected and seeing that, a couple of years on, I was still in her address book!!!! :p

Mainfrog2. Yes - The correct way for the bank to do this is have you select a password. To log-on the bank's internet site asks for a random set of letters from your password e.g.

1. Type the sixth letter of your password here ->
2. Type the second letter of your password here->
etc.

Next time someone logs on a different set/order of letters is asked for. This renders key loggers useless for the kind of attack described above.

What mainfrog describes is what natwest.co.uk do. So move there if your bank doesn't do this or something similar.

Bugbear just sounds like a more virulent strain of viruses that have been around for years. Shows that on your own computer a firewall is more important for many people than a virus killer: a classic virus may wipe your hard drive, if you buy online a trojan like this may wipe out your credit cards and bank account!

For banking away from home, if you used the MS character map to "type" in your details would this foil the keystroke logger?

My bank asks only for two letters from the password, selection altered each time you log in. It also uses a pull down list to enter date of birth etc which they say is to foil such key press logging systems.

It seems to me that the key logger only logs the keyboard activity. So the solution is to type in the incorrect order. So what if you type any number then use the mouse to reposition the cursor either before or after that number, type another number and again use the mouse to reposition where the next number is entered.

The key logger will record 12345678 but by moving where you actually enter the number you can enter 42718356.

Follow me? Will that work?