online banking & authentication
willwarner
June 25th, 2005, 09:42 AM
I just had an unsettling experience with online banking. I recently opened a new account at Washington Mutual, and have been generally very impressed by their friendliness, security policies, and use of new technology. I've been using the account a few weeks. But today I decided to sign up for the optional online banking and see whether a thief could have done it. The first option is to give my ATM card number and PIN; fair enough. But the second merely requires my account number and name, which are on every check, and my date of birth and SSN, which as we all know, are not secret.
This causes me to wonder: what information is necessary to transfer funds between 2 arbitrary accounts over the net or the phone? How do you prove you own the account you're draining? Surely an account number, name, SSN and DOB isn't enough!
Thanks.
-Will Warner geocities.com/wtw0308
Acadia
June 25th, 2005, 09:56 AM
THAT, at least as I understand it, is how identity thieves drain money out of your account. If they can obtain your social security number they can open another account elsewhere. Then they obtain your username and password, usually by using a keylogger Trojan, then transfer money from your legitimate account into the account that they set up for themselves in your name. If I've got that process slightly wrong others can correct me; that is how I currently understand it.
Acadia
Jame Taylor
June 25th, 2005, 11:23 AM
-{ Quote: "Then they obtain your username and password, usually by using a keylogger Trojan" }-
Hmm, if they can do that, you are screwed no matter what, I think.
Jaws
June 25th, 2005, 12:51 PM
Hi Will,
That's why I would never, ever do online banking. I won't even give recurring bills access to my bank account numbers to pay bills automatically.
I have first hand knowledge of a small company that had automatic withdrawal from their bank account to pay premiums on health insurance, and after they cancelled their policy with them they were still getting funds withdrawn from their account.
Could never understand why people would do online banking. The security factors are outweighed by the convenience factor in my opinion. What's so hard about driving to the bank to deposit checks or calling them up to transfer funds from your savings to your checking account?
Regards,
Jaws
willwarner
June 25th, 2005, 01:09 PM
I agree, Jaws, but that's the thing: this wasn't an option. Anyone with an account at this bank has web access enabled, so if they've never logged in, a thief with name, account #, DOB, and SSN can hijack the account. Fear of that was why I bothered to log in once and set a real username and password.
Of course, you can always get full access with the username and password, which can be obtained with a keylogger. But without those, what would a thief have to know to move money out of my account? Can anybody who's worked with online or phone money transfers tell me what authentication method is used, assuming it's not a modern username/password pair? Do they at least ask for a PIN?
richrf
June 25th, 2005, 01:27 PM
While it is not impossible, it is extremely difficult to get a current account number, the SSN, and the password all together. Clearly, the most likely route to get this information would be either via phishing (probably the most common) or keyloggers (I've seen lots of these on machines lately).
Firewalls, to a degree, help stop keyloggers from sending information "home". But I opted to use ProcessGuard as my primary mechanism for preventing keyloggers from being installed (i.e. stop programs from acquiring global hooks). There are other anti-keyloggers out there that help.
There was an event that may have compromised my security. At that time, I asked my bank to open up new accounts and transfer all money, which they gladly did.
Of course, abstinence is always the most fool-proof measure.
Rich
Jaws
June 25th, 2005, 01:32 PM
Will, anyone with these intimate details of you and the bank you're dealing with, you're screwed anyway. And one of the ways to get those details is creating an online account.
Couldn't you request the bank to lock out any online access to your account? In my opinion this should be an option with any bank.
Good Luck,
Jaws
Acadia
June 25th, 2005, 01:34 PM
The fact is however, and this really is a statistical fact, the majority of identity thefts are still done the old fashioned way: going through mailboxes and trash. If your PC is insecure, I agree, the old fashioned way may be safer, but on a secure PC online banking and not leaving a paper trail, in my opinion, is MUCH safer.
Acadia
Jaws
June 25th, 2005, 01:49 PM
Hi Acadia,
You're assuming that everyone has your knowledge of securing their PC, when in fact, you're in the minority. Not trying to be a smartass, but I think we can safely assume most people know to shred critical documents. I've been doing it for years.
Regards,
Jaws
Jame Taylor
June 25th, 2005, 03:57 PM
-{ Quote: "Firewalls, to a degree, help stop keyloggers from sending information "home". But I opted to use ProcessGuard as my primary mechanism for preventing keyloggers from being installed (i.e. stop programs from acquiring global hooks).
Rich" }-
I think the use of ProcessGuard as an anti-keylogger measure is somewhat misleading.
In this thread http://www.wilderssecurity.com/archive/index.php/t-26109.html , it was pointed out that PG does not cover GetAsyncKeyState and BitBlt which can be used by a program to capture screenshots.
In reply:
-{ Quote: "GetAsyncKeyState and BitBlt are two simple usermode functions that cannot be used to attack processes. They might be useful in some sort of anti-keylogger program or anti-screencapture, but they have nothing to do with Process Guard or process protection, thus are out-of-scope of Process Guard. Note that Process Guard does have some unique and very powerful anti-keylogger capabilities, but it's not a dedicated anti-keylogger program and some of the anti-keylogger capabilities it has are due in part to other protection capabilities, such as hook interception. " }-
So you see, it is not wise to rely on PG as an anti-keylogger, since whatever anti-keylogging abilities it has are incidental.
Using SetWindowsHookEx to detect keyloggers is getting way too popular, and I suspect it won't work for long as keyloggers adapt, which they have.
Acadia
June 25th, 2005, 05:55 PM
-{ Quote: "Hi Acadia,
I think we can safely assume most people know to shred critical documents." }-
Yes, but people can still go through your mailbox. I was a mail carrier for six months about 25 years ago, and one of my fellow carriers got fired for stealing mail.
Acadia
Starrob travels
June 25th, 2005, 08:20 PM
-{ Quote: "Hi Will,
That's why I would never, ever do online banking. I won't even give recurring bills access to my bank account numbers to pay bills automatically.
" }-
Everyone's needs are different. People who travel a lot and might not have people at home that they particularly trust to do their banking for them might use online banking.
I happen to be a Merchant seaman and I travel a lot both for work and vacation. I am currently right now in Singapore on vacation. I have learned over time that it is not so much computer transactions that cause money to be stolen but human nature.
I know some people might say... Well, you don't need to do electronic banking... Why don't you just have your wife do your banking for you? Any good seaman might possibly laugh at that. For every time I go to sea is a time I hear another story of a seaman coming home to an empty bank account and house. Some people think it would never happen to them for they have the "perfect" marriage, just as some people think they have the "perfect" security and often they find out they are wrong. I learned that wives, family, friends also can commit fraud even when people have the "perfect" relationship.
When I was at sea, I used to have checks deposited by the "Mail Teller". My company would mail my checks to the bank with my name and account number on them. I used to think this was an adequate system (although, I admit I used to worry about the Post Office destroying or losing my checks or someone in my bank kicking my check under their desk). Do you think the Mail Teller is an adequate system? Most people I think would think so.
Well, one time I came home and I found one of my checks was not deposited in my account (this was months later mind you). After much back and forth between my job and my bank in which I had to get a cancelled copy of the check from my job, my bank discovered that my check was inadvertently put in another person's account. They never told me whether it was fraud or a simple mistake but I no longer trust the mail teller at the bank and I barely trust the Post Office. I have greater trust that after my first payment from my job goes in with electronic transfer that the transfer of funds will actually make it to my account.
Also, I discovered over time, that one need not have electronic banking set up on one's account to have fraud take place electronically. Anyone that steals a person's identity has a chance through various means to get the funds out of a person's bank account electronically because in the end virtually all money transfers are electronic these days and if the government had its way they probably would get rid of paper money altogether (It makes it easier to track terrorist money and drug money but I also think government bureaucrats just love being voyeurs into the public's lives).
I don't think it is electronic banking that is so much at fault for fraud but I think it is imperative that people find ways to not become victims of identity fraud.
Starrob
bigc73542
June 25th, 2005, 08:35 PM
I use online banking and feel that the security and guarantees that my bank uses are as secure as you are going to find with online banking. They require you to change your password every week, and if my account is accessed by someone else and I am cleaned out, the bank has insurance for this possibility and it is replaced within forty-eight hours. Plus the check card I use off of this account also has a 0% liability policy. It makes it hard for me to lose anything; it even covers online shopping loss, again 0% liability. I did a lot of checking around before I went with this particular bank chain.
Starrob
June 25th, 2005, 09:21 PM
-{ Quote: "I use online banking and feel that the security and guarantees that my bank uses are as secure as you are going to find with online banking. They require you to change your password every week, and if my account is accessed by someone else and I am cleaned out, the bank has insurance for this possibility and it is replaced within forty-eight hours. Plus the check card I use off of this account also has a 0% liability policy. It makes it hard for me to lose anything; it even covers online shopping loss, again 0% liability. I did a lot of checking around before I went with this particular bank chain." }-
Here is the guarantee from one online banking site that I use:
XXXXX is dedicated to providing you a safe and dependable service for accessing your financial information online. We are serious about protecting your privacy and the security of your banking information. In the unlikely event that someone establishes unauthorized access to your deposit accounts through Online Services, you are 100% covered for any funds removed from those personal deposit accounts, including loss of interest, insufficient funds and overdraft charges, when you contact us within sixty days of receiving your statement that contains the unauthorized activity.
Starrob
bigc73542
June 25th, 2005, 09:23 PM
That is pretty close to what mine says ;)
mercurie
June 26th, 2005, 11:18 AM
All,
There is a lot in this thread to think about. And I have before creature Will ever pushed the first key. All of you have made very good points. For now the only thing I would add is this is why I always have suggested to the membership here to make sure they use a good quality Anti-Trojan and not rely only on top flight AV (like Nod32 or KAV for example).
I prefer BoClean, but some of the others mentioned around here would be fine too.
If you do online banking, trading, or internet commerce of any kind, a bidirectional firewall, good AV and an anti-trojan are an absolute must in my mind. Then for extra protection a quality anti-spyware program. Then make sure of who you are dealing with and their policies, like BigC's experience above. It is tougher to influence a bank's policy. And switching constantly to the one with the best at the moment in and of itself can cause security problems.
One final suggestion: never carry your social security card (number) in your wallet or pocketbook. If it is lost, someone will get it and bam! You may have problems.
Acadia
June 26th, 2005, 12:07 PM
The Europeans, at least some of the banks, are ahead of the U.S. with online banking. Over there many banks require you to have three, not two, necessary usernames, passwords, etc. You pick out the usual two, but then the bank mails you the third; a list of a dozen or so passwords that are only good for a month, and you can only use each one once. That way even if a hacker does succeed in hacking his way into your system with a keylogger, he would only have 2 out of 3 of the necessary words needed to get into your account. I predict that the American banks will be very slow to catch onto this: too expensive.
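The mailed list of single-use codes described above, as an added illustration that is not code from the forum or from any bank: a server-side check in which each code on the list works exactly once, the whole list stops working after a month, and login still needs the username and password, so a keylogged username/password pair is not enough on its own. The class and function names, the 12-code list, the 8-digit format and the 30-day validity are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import date, timedelta

def hash_code(salt, code):
    return hashlib.sha256(salt + code.strip().encode()).digest()

class OneTimeCodeList:
    """One mailed list of single-use login codes, as the bank would keep it.
    Only salted hashes are stored, so a copy of the bank's database does not
    reveal the codes printed on the customer's letter."""

    def __init__(self, codes, issued, valid_days=30):   # assumed: list good for a month
        self.salt = secrets.token_bytes(16)
        self.expires = issued + timedelta(days=valid_days)
        self.unused = [hash_code(self.salt, c) for c in codes]

    def redeem(self, code, today):
        """Returns 'accepted', 'expired' or 'rejected' (already used or unknown)."""
        if today > self.expires:
            return "expired"
        d = hash_code(self.salt, code)
        # Check every remaining entry without short-circuiting, so response time
        # does not reveal which positions on the list are still unused.
        hit = -1
        for i, u in enumerate(self.unused):
            if hmac.compare_digest(u, d):
                hit = i
        if hit < 0:
            return "rejected"
        del self.unused[hit]          # a code is good exactly once
        return "accepted"

def generate_code_list(n=12):
    """A dozen 8-digit codes, as the bank would print on the mailed letter."""
    return [f"{secrets.randbelow(10**8):08d}" for _ in range(n)]

def make_account(username, password, codes, issued):
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"username": username, "salt": salt, "pw_hash": pw_hash,
            "codes": OneTimeCodeList(codes, issued)}

def login(account, username, password, code, today):
    """All three factors must pass; a keylogged username/password alone fails."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), account["salt"], 100_000)
    if username != account["username"] or not hmac.compare_digest(pw_hash, account["pw_hash"]):
        return "denied"
    return "granted" if account["codes"].redeem(code, today) == "accepted" else "denied"

def demo():
    """Constructed walk-through: first use, reuse, off-list code, expired list."""
    codes = generate_code_list()
    acct = make_account("will", "correct-horse", codes, date(2005, 6, 26))
    day = date(2005, 6, 27)
    return [login(acct, "will", "correct-horse", codes[0], day),               # granted
            login(acct, "will", "correct-horse", codes[0], day),               # denied: reused
            login(acct, "will", "correct-horse", "not-a-code", day),           # denied: not on list
            login(acct, "will", "correct-horse", codes[1], date(2005, 8, 1))]  # denied: expired
```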
SpiritWind
June 26th, 2005, 03:42 PM
:D Why not try the anti-phishing good & FREE program "Netcraft", available at http://toolbar.netcraft.com !? It has been recommended by the leader of castlecop's anti-phishing group ("Oldfrog").
kareldjag
June 26th, 2005, 05:33 PM
Hi,
If some people trust in their antivirus, antitrojan or pro-active prevention soft like ProcessGuard to protect them during an online banking/shopping, then attackers will surely have fun...
Understanding the limits of any line of defense requires studying all possible attacks.
In this case, many attacks can be used to steal an ID, a password, a cookie (cookie poisoning) or to spoof a bank web site.
The Man-in-the-Middle attack is the most effective one that can be used for ID theft on HTTPS sites; Cross Site Scripting is also very effective (theft on the fly of any data).
For example, here's a pdf which explains how a browser can be vulnerable:
http://www.infosecwriters.com/textauthor.php?author=135
More info and anti-ID theft guides:
http://www.idtheftcenter.org/vguides.shtml
And why banks' HTTPS servers are not 100% secure:
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html
Why "ID theft is Inescapable":
http://www.schneier.com/blog/archives/2005/03/id_theft_is_ine.html
But on the other hand, there is no reason to be paranoid: statistically, online banking is safe; the user just needs to practise safe surfing (no stored cookies/passwords, temp files cleaning after a payment etc).
regards
Rmus
June 26th, 2005, 07:24 PM
Hi kareldjag,
Always nice to read your references. A few thoughts...
-{ Quote: "If some people trust in their antivirus, antitrojan or pro-active prevention soft like ProcessGuard to protect them during an online banking/shoping, then attackers will surely have fun... " }-No argument here, but I think most would agree that those tools are for protection *before* not *during* an online banking session.
From some of the articles:
-{ Quote: "For example, here's a pdf which explains how a browser can be vulnerable:
http://www.infosecwriters.com/textauthor.php?author=135
4. After the user has completed his transactions and finished browsing, he finally clicks on the “Sign Out” button. The logout page, say logout.asp, is invoked which logs off the user. After the logout.asp is displayed on the browser, assume the user leaves the machine without closing the browser window.
5. If a bad guy has access to the same machine as the user, he can see that a logout page is displayed on a browser window." }-It's hard to imagine today 1) anyone conducting business on a computer where a "bad guy" can use her/his computer, or 2) anyone not closing the browser following a session.
-{ Quote: "And -why banks HTTPS servers are not 100% secure:
http://www.schneier.com/blog/archiv...failure_of.html
--The problem with passwords is that they're too easy to lose control of. People give them to other people. People write them down, and other people read them. People send them in e-mail, and that e-mail is intercepted." }-I would hope that no one who frequents Wilders would have such lax security procedures as to do something like that.
-{ Quote: "--They're also easy to guess." }-Two of the secure sites I use lock down the site after three attempts with a wrong password. As more sites employ something similar, or use safeguards as do some European banks (as has been mentioned in other threads) password guessing (both dictionary and brute-force attacks) will become less of a security hazard.
-{ Quote: "--Man-in-the-Middle attack. An attacker puts up a fake bank website and entices user to that website." }-The key word, of course, is *entices.* With the various ways of preventing phishing and pharming, I would hope that those frequenting Wilders would have adequate protection; in addition to common sense, 1) an HTTPS firewall rule with custom addresses, 2) bookmarking the IP address rather than the bank name, etc.
-{ Quote: "--Trojan attack. Attacker gets Trojan installed on user's computer." }-With all of the security paraphernalia discussed and available in these forums, there is not much excuse any more for a trojan attack.
--------------------
Many articles similar to these jump to conclusions, which increases the level of fear in the unwary reader. I hope that Wilders patrons can be more discerning.
Fortunately, you bring us back to reality:
-{ Quote: "But in the other hand, there is no reason to be paranoiac: statistically, online banking is sure: the user just needs to practise safe surfing (no stored cookies/passwords, temp files cleaning after a payment etc)." }-
Regards,
-rich
________________
~~Be ALERT!!! ~~
meneer
June 27th, 2005, 07:11 AM
Our banks provide you with a token (usually a smartcard with a card reader) and a PIN code to create one-time passwords. These passwords are required to log in and to authenticate transactions.
A token is only given if you provide ample proof of your identity, your passport. That's the only tricky part... how secure is a passport?
Anyway, online banking in The Netherlands is quite secure (writing your PIN on the token is not a good idea, but that's not the issue here).
So far only one major phishing attempt has been recorded: a Russian gang tried to persuade some Dutch customers of the Postbank to enter confidential information on a fake Postbank lookalike site. They sent the e-mail in the English language.
So pulease: do your phishing in the local language if you want any positive feedback...
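The card-reader scheme in the post above (smartcard, PIN, one-time codes for login and for each transaction), as an added simulation that is not code from the post or from any Dutch bank: the card's secret never leaves the reader, a response is released only after the correct PIN (three wrong PINs block the card), every challenge is consumed on first use so a captured code cannot be replayed, and a transaction code is bound to the amount and destination the bank received, so it fails if either was altered between the customer and the bank. All names, the 8-digit code format and the HMAC-SHA256 construction are assumptions.

```python
import hashlib
import hmac
import secrets

def tx_bytes(amount_cents, dest_account):
    """Canonical encoding of the transaction details a code is bound to."""
    return f"{amount_cents}|{dest_account}".encode()

def derive_code(card_secret, challenge, tx=b""):
    """8-digit response over the bank's challenge plus the transaction fields."""
    mac = hmac.new(card_secret, challenge + tx, hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"

class CardReader:
    """Simulated smartcard in a reader: the secret never leaves the card and a
    response is computed only after the correct PIN; three wrong PINs block it."""

    def __init__(self, card_secret, pin):
        self._secret, self._pin, self.tries_left = card_secret, pin, 3

    def respond(self, pin, challenge, amount_cents=None, dest_account=None):
        if self.tries_left == 0:
            return None                           # card blocked
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            self.tries_left -= 1
            return None
        self.tries_left = 3                       # correct PIN resets the counter
        tx = b"" if amount_cents is None else tx_bytes(amount_cents, dest_account)
        return derive_code(self._secret, challenge, tx)

class Bank:
    """Verifier side. A login challenge carries no transaction; a transaction
    challenge carries the amount and destination the bank actually received."""

    def __init__(self):
        self.cards = {}     # customer -> card secret shared at enrolment
        self.pending = {}   # challenge -> (customer, transaction bytes)

    def enroll(self, customer):
        self.cards[customer] = secrets.token_bytes(32)
        return self.cards[customer]               # personalised onto the card

    def challenge(self, customer, amount_cents=None, dest_account=None):
        ch = secrets.token_bytes(8)               # fresh nonce per login/transaction
        tx = b"" if amount_cents is None else tx_bytes(amount_cents, dest_account)
        self.pending[ch] = (customer, tx)
        return ch

    def verify(self, customer, ch, code):
        entry = self.pending.pop(ch, None)        # consumed on first use: no replay
        if entry is None or entry[0] != customer or code is None:
            return False
        expected = derive_code(self.cards[customer], ch, entry[1])
        return hmac.compare_digest(expected, code)
```

If the bank's copy of the transaction differs from what the customer typed into the reader (the destination swapped by malware in the browser, say), the two sides compute different codes and the transfer is refused.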