Internet Banking Warning
Thread Starter
Join Date: Nov 1999
Location: INS 130/55
Posts: 21
Likes: 0
Received 0 Likes
on
0 Posts
Internet Banking Warning
Having just returned home to UK from 3 weeks Dubai - Singapore flying, I was a little agitated to find that US$ 15,034 had been transfered out of my account via the Internet Banking facility. The funds were directed to an account in Dubai in the name of Mohammad Ayaz Khan. The police, the recipient bank and my bank, the HSBC were unable to take any action against the thieves. They had cleaned me out!
I was very lucky to happen to log on in time to have the fund transfer interrupted just before the last step in the process.
I was informed by the HSBC bank, during the attempts to recall the money from cyber-space, that having used a shared or public access computer, I had made myself liable for the loss and would be receiving no insurance or reimbursement from the bank.
I would like to warn other crews that the Atrium Internet cafe in Dubai is where my PIN was somehow obtained by these scum bags. Also, I would like to know if anyone has had a similar experience with Internet Banking. The bank proclaims "Worldwide Banking at your fingertips!" but I think they make a mockery of it by adding...only in a closed room on your own computer...... in the small print.
I was very lucky to happen to log on in time to have the fund transfer interrupted just before the last step in the process.
I was informed by the HSBC bank, during the attempts to recall the money from cyber-space, that having used a shared or public access computer, I had made myself liable for the loss and would be receiving no insurance or reimbursement from the bank.
I would like to warn other crews that the Atrium Internet cafe in Dubai is where my PIN was somehow obtained by these scum bags. Also, I would like to know if anyone has had a similar experience with Internet Banking. The bank proclaims "Worldwide Banking at your fingertips!" but I think they make a mockery of it by adding...only in a closed room on your own computer...... in the small print.
Join Date: Sep 2002
Location: Earth
Posts: 90
Likes: 0
Received 0 Likes
on
0 Posts
You silly boy! They way those bastards did it is so very simple. No hacking or special techinical skills. All they used was a "key logger" program. That is, a program that records all the keystrokes that a user types. This program can be found all over the net... just search "key logger". The program basically records the keystrokes into a text file. When the perpetrator sees you leaving the cafe, he hops onto the computer and has a look at that text file. If they see www.hsbc.com, then they know every keystroke after that is a gold mine... casue most likely the next few keystrokes is a username followed by a password.
Other ways besides key logger
My own bank offers an "enhanced security" mode which handles the session in a new window that is removed from memory after signout -- and they recommend it specifically for cybercafes. Otherwise the next user can retrieve all sorts of interesting banking details via the back button.
I don't know about Dubai, but if a key logger was installed in a cybercafe machine and used to record banking details in North America or Europe, the police and bank fraud investigators would have said cybercafe turned inside out in no time.
Dubai does bill itself an an international banking center; so there might be a possibility the authorities would take action.
Besides a key logger, it is also possible that your userid and password were caught by a video camera or shoulder surfing.
I don't know about Dubai, but if a key logger was installed in a cybercafe machine and used to record banking details in North America or Europe, the police and bank fraud investigators would have said cybercafe turned inside out in no time.
Dubai does bill itself an an international banking center; so there might be a possibility the authorities would take action.
Besides a key logger, it is also possible that your userid and password were caught by a video camera or shoulder surfing.
Join Date: Jan 2002
Location: West Country
Posts: 1,271
Likes: 0
Received 0 Likes
on
0 Posts
I would go back to the bank and have another go at them. My bank, First Direct, is a subsidary of HSBC and they state in their security guarantee on their web site
Just keep pushing them and good luck
We guarantee if any money is taken from your account through a computer crime, we will repay it in full.
Join Date: May 2002
Location: Who can say?
Posts: 1,700
Likes: 0
Received 0 Likes
on
0 Posts
If you have to do confidential business (e.g. online banking) at an internet cafe or similar, a good tip to avoid keystroke logging is to open a text file.
When entering IDs, passwords etc., make a few keystrokes into the textfile, mixed in with a few into the browser where you really want them.
So, say your password is "qwerty1234", whilst typing you would type a few keys (in the middle) which the key logger would pick up, but the browser wouldn't.
Bold letters below into textfile, standard letters into browser password box; you type:-
"nhgqwepoirty09812gf34"
What you see above is what appears in the keylogger. They have no idea (since the logger logs keystrokes, not into which application they are made) what your password is, although they can see it under their noses.
When entering IDs, passwords etc., make a few keystrokes into the textfile, mixed in with a few into the browser where you really want them.
So, say your password is "qwerty1234", whilst typing you would type a few keys (in the middle) which the key logger would pick up, but the browser wouldn't.
Bold letters below into textfile, standard letters into browser password box; you type:-
"nhgqwepoirty09812gf34"
What you see above is what appears in the keylogger. They have no idea (since the logger logs keystrokes, not into which application they are made) what your password is, although they can see it under their noses.
Depends on Key Logger
Captain Stable, your method would work against a dumb key logger, but more sophisticated key loggers may be able to record mouse movements and changes in focus.
Like FDRs, some key loggers are more sophisticated than others.
And it's not only in Dubai
Like FDRs, some key loggers are more sophisticated than others.
And it's not only in Dubai
Join Date: Sep 2002
Location: Catalonia
Posts: 11
Likes: 0
Received 0 Likes
on
0 Posts
Even some of the very basic and simple keyloggers have that facility, so Capt. Stable's tip won't work.
The one I've used not only logs the key strokes but logs the document or window they were used in if using multiple windows.
Its a very small download and totally free on the net.
Just beware when youre using a non secure computer.
The one I've used not only logs the key strokes but logs the document or window they were used in if using multiple windows.
Its a very small download and totally free on the net.
Just beware when youre using a non secure computer.
Join Date: Mar 2000
Location: Location Location
Posts: 448
Likes: 0
Received 0 Likes
on
0 Posts
Valuable and interesting posts and info.
What if after the cafe computer was used, I went to:
Tools/Internet Options/Clear History/Delete Files/Delete Cookies.
Would this make things more secure and would it "clear out" the keylogger?
What if after the cafe computer was used, I went to:
Tools/Internet Options/Clear History/Delete Files/Delete Cookies.
Would this make things more secure and would it "clear out" the keylogger?
Join Date: Sep 2002
Location: Earth
Posts: 90
Likes: 0
Received 0 Likes
on
0 Posts
Hobo:
No, it won't work cause the key logger saves the key strokes into a text file that is TOTALLY independent of the web browser. This file is stored at some location on the hard disk that no other program can find (except, of course, the key logger). Clearing the cache does not clear that text file since the browser does not even know of its existence. Also, formatting c: maybe work on some less sophisticated key loggers, but other actually have the ability to stream the text to another IP address or email. This means that whatever you type on the computer gets saved into a file and every five minutes or so, the program sends the text file to the thieve's computer or the thieve's email and this is repeated every five minutes.
No, it won't work cause the key logger saves the key strokes into a text file that is TOTALLY independent of the web browser. This file is stored at some location on the hard disk that no other program can find (except, of course, the key logger). Clearing the cache does not clear that text file since the browser does not even know of its existence. Also, formatting c: maybe work on some less sophisticated key loggers, but other actually have the ability to stream the text to another IP address or email. This means that whatever you type on the computer gets saved into a file and every five minutes or so, the program sends the text file to the thieve's computer or the thieve's email and this is repeated every five minutes.
Paxing All Over The World
A similar problem, when using an Internet cafe or indeed, anybody else's computer.
If you use, say WORD, to write a letter and then print it and copy the file off to diskette, you will leave a partial copy of the file on the machine.
This is because WORD opens temporaty files during the editing process and these are not always deleted automatically. Also, some folks do not check to see if the Auto-Save function is on, this can also leave part files behind. Mind that I say may as different versions do different things and the set up of the machine may also affect it.
A couple of years ago I was staying in the Hyatt in Jo'burg and used their biz facility to do e-mail and write some items. After I had deleted the Internet Cache and checked for stray copies of my documents (Simply using Windows Explorer) I found in the 'My Documents' a whole series of letters that had been written on that PC by a number of different people. One of them was by a company seeking govertment contracts and was addressed to the president of the country!!
Not for a moment do I say that the Hyatt were keeping copies of guest correspondence - Microsoft WORD was doing that automatically
So, please check that you delete and files for WORD or EXCEL etc. One of the best ways is to ONLY use your own floppy disk. When you create the document, start the very first save on the floppy. Although temp files will still be created, WORD responds differently in my experience to documents on floppy disks.
If you use, say WORD, to write a letter and then print it and copy the file off to diskette, you will leave a partial copy of the file on the machine.
This is because WORD opens temporaty files during the editing process and these are not always deleted automatically. Also, some folks do not check to see if the Auto-Save function is on, this can also leave part files behind. Mind that I say may as different versions do different things and the set up of the machine may also affect it.
A couple of years ago I was staying in the Hyatt in Jo'burg and used their biz facility to do e-mail and write some items. After I had deleted the Internet Cache and checked for stray copies of my documents (Simply using Windows Explorer) I found in the 'My Documents' a whole series of letters that had been written on that PC by a number of different people. One of them was by a company seeking govertment contracts and was addressed to the president of the country!!
Not for a moment do I say that the Hyatt were keeping copies of guest correspondence - Microsoft WORD was doing that automatically
So, please check that you delete and files for WORD or EXCEL etc. One of the best ways is to ONLY use your own floppy disk. When you create the document, start the very first save on the floppy. Although temp files will still be created, WORD responds differently in my experience to documents on floppy disks.
Thread Starter
Join Date: Nov 1999
Location: INS 130/55
Posts: 21
Likes: 0
Received 0 Likes
on
0 Posts
Thanks for the informative feedback ppruners - I have written twice to the ME Bank, a subsid of Emirates Bank, detailing the recipient account and the crime.
The reply has twice been that they will not even investigate, to preserve their client's confidentiality, unless they are approached by the relevent authorities. My local police and the Jersey police refuse to record the crime as they don't want to get involved.
Being a computer goat, I will try JET II's suggestion of using a bank who will perhaps not turn their back in times of crisis.
HSBC's claim to provide "Worldwide banking at your fingertips" is a an empty one!
Now in Mojave and often on the road, going home to do banking is unacceptable. There must be a safe way by internet.
The reply has twice been that they will not even investigate, to preserve their client's confidentiality, unless they are approached by the relevent authorities. My local police and the Jersey police refuse to record the crime as they don't want to get involved.
Being a computer goat, I will try JET II's suggestion of using a bank who will perhaps not turn their back in times of crisis.
HSBC's claim to provide "Worldwide banking at your fingertips" is a an empty one!
Now in Mojave and often on the road, going home to do banking is unacceptable. There must be a safe way by internet.
Guest
Posts: n/a
awakevortice, I also bank with the HSBC, this thread got me a tad worried, so I went and read the terms and policy of the HSBC'S internet banking facility.
"Security Assurance
Both you and HSBC play an important role in protecting against online fraud. You should be careful that your bank account details including your User ID and/or Password are not compromised by ensuring that you do not knowingly or accidentally share, provide or facilitate unauthorised use of it. Do not share your User ID and/or password or allow access or use of it by others. We endeavor to put in place high standards of security to protect your interests. If, in the unlikely event, unauthorised transactions have been conducted through your account through no fraud, fault or negligence on your part, we will see that you are covered for your direct loss up to the full amount of the unauthorised transaction. "
I guess that you need to get a definition of what constitutes negligence in this case.
"Security Assurance
Both you and HSBC play an important role in protecting against online fraud. You should be careful that your bank account details including your User ID and/or Password are not compromised by ensuring that you do not knowingly or accidentally share, provide or facilitate unauthorised use of it. Do not share your User ID and/or password or allow access or use of it by others. We endeavor to put in place high standards of security to protect your interests. If, in the unlikely event, unauthorised transactions have been conducted through your account through no fraud, fault or negligence on your part, we will see that you are covered for your direct loss up to the full amount of the unauthorised transaction. "
I guess that you need to get a definition of what constitutes negligence in this case.
Paxing All Over The World
When I am away from base I normally have my own PC with me but, for the occasions that I do not - I use Phone Banking.
It might be more expensive as you have to make the call but most bank's phone access are open 24 hours a day. I try and call when it is night time in the UK, so that I get through quickly! Then I speak directly with the agent, get asked security questions at random and so forth.
I have used First Direct for 12 years, as they had the only international solution (i.e. with Voice) before the Web came along. I also use LLoyds TSB.
With international callingn cards, the cost is not too bad and is secure, not least as your call is tape recorded by the bank!
It might be more expensive as you have to make the call but most bank's phone access are open 24 hours a day. I try and call when it is night time in the UK, so that I get through quickly! Then I speak directly with the agent, get asked security questions at random and so forth.
I have used First Direct for 12 years, as they had the only international solution (i.e. with Voice) before the Web came along. I also use LLoyds TSB.
With international callingn cards, the cost is not too bad and is secure, not least as your call is tape recorded by the bank!
I am surprised that HSBC has failed to involve the police where the transaction originated. If your branch manager and possibly their ombudsman/ customer advocate if any are failing to respond constructively, I would start looking for a friendly local reporter -- phone ther news desk of your local papers/TV outlets. You may be pleasantly surprised once said reporter starts phoning head office.
Or find a junkyard dog tort lawyer with a flair for publicity, but he will likely take 30%.
Or find a junkyard dog tort lawyer with a flair for publicity, but he will likely take 30%.
Guest
Posts: n/a
Just out of curiosity I would be interested to know what one or two of you think of the way my bank works when using online banking. Its probably similar to ASW24's way of doing it.
You don't actually key in your whole password and pin number it simply asks you for example to input the third,first and fourth number of your pin and then the eighth, sixth and second number of your password. I'm assuming this is safer as you also have to log in using a code number before you get to this stage and you never actually input the whole of your password or pin number. You need a memory like an elephant to remember the numbers.
This appears to me to be a very good way of dodging this issue of key loggers.
What does everyone thing and can you see a chink in this armour
You don't actually key in your whole password and pin number it simply asks you for example to input the third,first and fourth number of your pin and then the eighth, sixth and second number of your password. I'm assuming this is safer as you also have to log in using a code number before you get to this stage and you never actually input the whole of your password or pin number. You need a memory like an elephant to remember the numbers.
This appears to me to be a very good way of dodging this issue of key loggers.
What does everyone thing and can you see a chink in this armour
Ditto mainfrog and ASW. The only cock-ups I have had with internet banking were the bank's own mistakes - setting up standing orders with organisations I had never heard of! No money actually left my account, though.
Although these security measures appear to work well, my only misgiving is that the log-in process now involves so many letters and/or numbers that you are forced to write them down somewhere!!
Ho hum....
Although these security measures appear to work well, my only misgiving is that the log-in process now involves so many letters and/or numbers that you are forced to write them down somewhere!!
Ho hum....
