
Bank account fraud .. it happened to me

Discussion in 'Off Topic' started by Punter, 4th Aug, 2008.

  1. Punter

    Punter Punter

    Joined:
    29th Jun, 2006
    Posts:
    23
    Location:
    Perth
    Thought of sharing this fraud.

    I have been (happily) using internet banking for many years with one reputed bank in Australia.

    Two internet fund transfer transactions took place from my account last week. The bank noticed something wrong and stopped the internet banking immediately .. by then around 8,000 dollars had been transferred out of my account in two transactions. The receiving party names are there in the bank record. The bank did contact me but I was out of station. I noticed that I had no internet access to my bank account over the weekend.

    I am completing police report formalities etc. and hoping to get the money back.

    But this is scary. I now will have to thoroughly learn all this virus and trojan, firewall ... stuff, and maybe I will now be scared to use a public computer for bank access!!

    Any tips on securing the internet transfers? I am just not able to digest this as I was very happy to line up all my transactions related to investment properties, company etc. through many accounts and downloading account history quarterly.

    How are you people handling this?

    Rgds

    Punter
     
  2. Simon Hampel

    Simon Hampel Co-founder Staff Member

    Joined:
    9th Jun, 2005
    Posts:
    4,623
    Location:
    Sydney, Australia
    Some basic rules:

    Rule 1: Only ever use a computer you trust - never ever ever use a public access computer to log into your internet banking. Keystroke loggers are easily installed to record your username and password.

    Rule 2: make sure you have good antivirus on your computer ... I use Eset Nod32.

    Rule 3: Always make sure you have the latest virus updates!

    Rule 4: only ever open attachments sent to you by email if you trust the sender and are expecting them to send you something.

    Rule 5: only ever download software off the internet from a site you trust

    Rule 6: use passwords that are difficult to guess - randomly generated passwords are best, but aren't great if you need to write them down to remember them (I use a secure password management program to manage all of mine). Long passwords are better - use a phrase containing numbers and letters that you are likely to remember (helps if you are good at typing quickly!)

    Rule 7: never write your passwords down

    Rule 8: ideally, change your passwords frequently - but this can be counter-productive, since it is difficult to remember frequently changed passwords, hence people are likely to choose simpler passwords (eg password01, password02, etc)

    Rule 9: don't use the same password for multiple accounts

    Rule 10: only ever let people you trust use your computer

    Rule 11: don't let your kids use your computer - especially if they download stuff from the internet or share files with friends.

    Rule 12: keep your computer updated with the latest patches

    ... just some suggestions!
     
  3. voigtstr

    voigtstr Well-Known Member

    Joined:
    24th Jan, 2007
    Posts:
    679
    Location:
    Hobart
    Another tip: I would consider using a router that has a decent firewall implementation in it, rather than being directly exposed to the internet. At worst a denial of service attack on your IP address will crash and reboot your router without giving access to your PC.

    Another tip, so you don't have to worry as much about trojans and viruses, is to use a Mac computer instead of a Windows-based computer. The virus writers really don't bother with Macs at the moment because they are still a very small part of the market.

    If you are using Windows, use a good free antivirus program such as Avast.
    Use a good anti-spyware program regularly, such as Spybot-S&D.
     
  4. jabba_jones

    jabba_jones Well-Known Member

    Joined:
    2nd Dec, 2007
    Posts:
    60
    Location:
    Sydney
    I'd strongly recommend against ever using a public computer for internet banking or anything that uses a password you wouldn't be happy with sharing with a random person.

    Always type the full website address for your internet banking or load it from a favourite. Never follow a link from an email / another website to log in.

    Most banks use SSL encryption which will stop people from 'listening in' to the details you send while internet banking. Always check for the 'Padlock icon' before typing any login information.

    Recently there was a DNS exploit: even if you think you're going to your banking website, your computer can be tricked into going to another site by someone attacking your ISP's servers.

    To check if your ISP is vulnerable to this, go to Dan's Blog

    If you don't already have an antivirus program and an anti-spyware program I'd recommend these two free programs:

    Download AVG Anti-Virus Free Edition for Windows

    Download Ad-Aware for Windows

    Both of the above are free for personal use.

    Lastly, ensure your computer has all Windows Updates installed; it is now possible to have your computer hacked just by viewing a website. Having the latest updates and a virus scanner can greatly reduce the chances of your computer being compromised.

    To check for updates open Internet Explorer and click on Tools-> Windows Update
     
    Last edited by a moderator: 5th Aug, 2008
  5. Billv

    Billv Getting there

    Joined:
    15th Jul, 2007
    Posts:
    1,796
    Location:
    Sydney, NSW
    I agree with the others
    never use a public computer
    use phone banking
    use a mobile or go into a bank

    One more thing
    If you already have a virus on your computer it could be disabling your antivirus program.
    If you do a computer scan and can't find a virus then try an online antivirus scanner such as BitDefender:

    BitDefender Online Scanner - Free Online Virus Scan
     
  6. myarhidia

    myarhidia Member

    Joined:
    12th Oct, 2006
    Posts:
    21
    Location:
    Kingsgrove
    Use Firefox or Safari for web browsing instead of Internet Explorer. As stated above, most trojans & hijacks are written for the Microsoft applications.
     
  7. jabba_jones

    jabba_jones Well-Known Member

    Joined:
    2nd Dec, 2007
    Posts:
    60
    Location:
    Sydney
    Saw an article on SMH today which explains the DNS exploit referred to above in simple terms.


    "...The flaw that Kaminsky discovered is in the domain name system, a kind of automated phone book that converts human-friendly addresses like google.com into machine-friendly numeric counterparts.

    The potential consequences of the flaw are chilling. It could allow a criminal to redirect web traffic secretly, so that a person typing a bank's actual web address would be sent to a fake site set up to steal the user's name and password. The web user would have no clue about the misdirection..."

    Full article can be found here:

    Blowing the cover on flawed domain security
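    The quoted article says the flaw lets an attacker redirect a bank's name to a fake site; the mechanism behind that is a guessing race on the 16-bit DNS transaction ID, and the July 2008 fix was to randomise the resolver's UDP source port so the attacker has to guess that as well. The simulation below is an added example, not code from the thread or the SMH article, and models a deliberately simplified resolver: it accepts a forged reply whenever the guessed transaction ID (and, with port randomisation on, the guessed source port) matches the outstanding query. The port count and packet counts are assumptions chosen for illustration, not measurements of any real resolver.

```python
"""Toy model of the DNS cache-poisoning guessing race (added example)."""
import random

TXID_SPACE = 2 ** 16          # 16-bit DNS transaction ID
PORT_SPACE = 2 ** 16 - 1024   # ephemeral UDP source ports assumed available


def success_probability(forged_per_query: int, randomise_port: bool) -> float:
    """Chance that at least one of `forged_per_query` spoofed replies, each
    carrying an independently guessed TXID (and port, when randomised),
    matches the resolver's outstanding query before the real answer arrives."""
    guess_space = TXID_SPACE * (PORT_SPACE if randomise_port else 1)
    per_packet = 1.0 / guess_space
    return 1.0 - (1.0 - per_packet) ** forged_per_query


def simulate(queries: int, forged_per_query: int, randomise_port: bool,
             seed: int = 1) -> int:
    """Count how many of `queries` lookups get poisoned.

    Each lookup is a fresh race (the Kaminsky trick of asking for random
    sub-names lets the attacker force as many races as they like). The
    resolver picks a random TXID per query and, only when `randomise_port`
    is set, a random source port; the attacker blindly guesses both.
    """
    rng = random.Random(seed)          # seeded so runs are reproducible
    poisoned = 0
    for _ in range(queries):
        txid = rng.randrange(TXID_SPACE)
        port = rng.randrange(PORT_SPACE) if randomise_port else 0
        for _ in range(forged_per_query):
            guessed_txid = rng.randrange(TXID_SPACE)
            if guessed_txid != txid:
                continue
            if randomise_port and rng.randrange(PORT_SPACE) != port:
                continue
            poisoned += 1               # forged reply accepted and cached
            break
    return poisoned


if __name__ == "__main__":
    for randomised in (False, True):
        label = "random port" if randomised else "fixed port"
        print(f"{label}: p(per query, 200 forged) = "
              f"{success_probability(200, randomised):.2e}, "
              f"poisoned in 10000 races = {simulate(10000, 200, randomised)}")
```

With a fixed source port, a few hundred forged packets per race and a few thousand forced races are enough to poison the cache, which is why the attack was practical before the patch; with the port randomised too, the same budget gets the attacker essentially nowhere, which is what the "Dan's Blog" check above tests for.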
     
  8. Punter

    Punter Punter

    Joined:
    29th Jun, 2006
    Posts:
    23
    Location:
    Perth
    thanks all

    That was so nice of you all to give tips on this subject!

    I sincerely believe that there is infinite knowledge within this group's members and they all are so nice that they don't charge for this.

    I feel ashamed as I come here on the forum only when I have something to ask. I have always got the best of the replies and almost always either side of a point.

    I also think that I am not a guru like you people to make comments on other posts .. I do sometimes have some of my own views .. maybe I will start posting them ..

    I also am going to tell my friends to come to this site for help.

    Thanks again and Regards

    Punter
     
  9. crc_error

    crc_error The Rule of 72

    Joined:
    1st May, 2007
    Posts:
    1,367
    Location:
    Melbourne, VIC
    With NetBank, I get sent a new PIN via SMS to my mobile each time I try to transfer money into an account not in my address book.. so even if someone does hack my account, all they can do is move money around between my accounts! Or perhaps pay some of my bills in my address book!

    I think there is also a token with random pin numbers you can get for added security.
     
  10. Billv

    Billv Getting there

    Joined:
    15th Jul, 2007
    Posts:
    1,796
    Location:
    Sydney, NSW
    Unless they add their account number in your address book....
     
  11. crc_error

    crc_error The Rule of 72

    Joined:
    1st May, 2007
    Posts:
    1,367
    Location:
    Melbourne, VIC
    They can't do that without the random PIN which gets sent to my mobile.. so they would need to steal my mobile first.. and they would have to know which mobile I get the SMS sent to as well..
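    The exchange above turns on what the SMS code actually authorises: if the code is a bare one-time number, a trojan on the PC can let the user request "add payee X", then submit the code alongside payee Y. The example below, added here and not taken from any bank's system, shows the stronger design: the code is an HMAC over the exact payee and amount, the SMS text repeats those details so the customer can check them, and each code is single-use and expires. The server key, the 180-second lifetime, the sample BSB/account numbers and the SMS wording are all assumptions for illustration.

```python
"""Transaction-bound SMS authorisation codes (added example, not a bank's code)."""
import hashlib
import hmac
import secrets
import time


class PayeeAuthoriser:
    """Issues and checks one-time codes bound to a specific new-payee payment."""

    def __init__(self, server_key: bytes, ttl_seconds: int = 180):
        self.key = server_key            # assumption: a server-side secret
        self.ttl = ttl_seconds           # assumption: code lifetime
        self.pending = {}                # nonce -> issue time (single use)

    def _code(self, nonce: str, bsb: str, account: str, amount_cents: int) -> str:
        # The MAC covers the nonce AND the transaction details, so a code
        # issued for one payee cannot authorise a different payee or amount.
        msg = f"{nonce}|{bsb}|{account}|{amount_cents}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        offset = mac[-1] & 0x0F          # dynamic truncation as in RFC 4226
        binary = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
        return f"{binary % 1_000_000:06d}"

    def issue(self, bsb: str, account: str, amount_cents: int, now: float = None) -> dict:
        """Create a pending request and the SMS the customer would receive."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(8)
        self.pending[nonce] = now
        code = self._code(nonce, bsb, account, amount_cents)
        sms = (f"Code {code} authorises NEW payee BSB {bsb} acct {account} "
               f"for ${amount_cents / 100:.2f}. Not you? Call the bank now.")
        # The code is returned here only because there is no SMS gateway
        # in this example; a real system would send it to the phone only.
        return {"nonce": nonce, "sms": sms, "code": code}

    def verify(self, nonce: str, bsb: str, account: str, amount_cents: int,
               submitted_code: str, now: float = None) -> bool:
        """Check the code against the transaction the server is about to run."""
        now = time.time() if now is None else now
        issued_at = self.pending.pop(nonce, None)   # consume: no replay
        if issued_at is None or now - issued_at > self.ttl:
            return False
        expected = self._code(nonce, bsb, account, amount_cents)
        return hmac.compare_digest(expected, submitted_code)


if __name__ == "__main__":
    auth = PayeeAuthoriser(secrets.token_bytes(32))
    req = auth.issue("062000", "12345678", 250000)      # constructed sample payee
    print(req["sms"])
    print("genuine:", auth.verify(req["nonce"], "062000", "12345678", 250000, req["code"]))
    print("replay:", auth.verify(req["nonce"], "062000", "12345678", 250000, req["code"]))
    req2 = auth.issue("062000", "12345678", 250000)
    print("payee swapped:", auth.verify(req2["nonce"], "062000", "99999999", 250000, req2["code"]))
```

The important line is the SMS text: a code that says what it authorises is only as good as the customer's habit of reading it before typing it in, which is the same check the Citibank and CBA confirmation emails later in this thread give you after the fact.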
     
  12. Sacko

    Sacko Well-Known Member

    Joined:
    20th Aug, 2007
    Posts:
    69
    Location:
    Central Coast, NSW
    Which one is it then?
     
  13. bcruik

    bcruik Member

    Joined:
    24th Jul, 2008
    Posts:
    6
    Location:
    Brisbane, QLD
    Yes - this is very handy. Sucks when your carrier is having SMS delays, but it times out the request in 3 mins or something.

    I had this forced on me by one of my banks. I'm not sure how safe this really is. It generates the same code around the same time of day; in fact, my browser has saved a previous code and it always works when I don't have the token on me, so I'm not 100% sure if I've found a loophole or the system just generates a random number based on a check number or something.
     
  14. crc_error

    crc_error The Rule of 72

    Joined:
    1st May, 2007
    Posts:
    1,367
    Location:
    Melbourne, VIC
    That's interesting.. so it looks like the SMS to mobile would be the best bet.
     
  15. Simon Hampel

    Simon Hampel Co-founder Staff Member

    Joined:
    9th Jun, 2005
    Posts:
    4,623
    Location:
    Sydney, Australia
    That sounds like a poor implementation.

    BankWest and a few other banks use random number generators by RSA called SecurID - you have a little device (about the size of a small USB key) that just has a small LCD display with 6 digits which change every 60 seconds. You use this plus an additional PIN which you choose, and the combination is pretty secure.

    The problem is that these devices are expensive and you need to remember to carry it with you if you want to be able to access online banking while you are away. Sure they are more secure - but they are a complete pain in the backside in my opinion.

    We used to use these at IBM for logging on to our VPN, but it became so expensive to manage and so many people had problems with losing their devices that they just gave up and moved to a strict password policy with complex password requirements and forced changes every couple of months (which can actually be more counterproductive, since people will then just write the passwords down and paste them to their computer since they have no chance of remembering them - ideal for "social engineering hackers") :rolleyes:
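    Two posts here touch the same mechanism: a token whose six digits roll every 60 seconds and are typed after a PIN, and a bank site that kept accepting a code the browser had saved from an earlier session. The example below is an added illustration, not RSA's proprietary SecurID algorithm and not any bank's code; it uses the open HOTP/TOTP standards (RFC 4226 and RFC 6238, HMAC-SHA-1 with dynamic truncation) with the 60-second step from the post, and shows the two server-side checks that matter: a small clock-skew window, and refusing any code whose time counter is not newer than the last one accepted, so a code that worked once cannot be replayed. The shared secret, the PIN and the time values are constructed for the example.

```python
"""Time-based one-time passcodes with replay rejection (added example)."""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the post's token rolls its digits every 60 seconds
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """HMAC-based one-time password (RFC 4226): SHA-1 MAC over the 8-byte
    big-endian counter, dynamic truncation, then the low DIGITS digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, now: float, step: int = STEP_SECONDS) -> str:
    """What the token's display shows at time `now` (RFC 6238)."""
    return hotp(secret, int(now // step))


class TokenVerifier:
    """Server side: checks PIN + tokencode, tolerating slight clock drift
    but never accepting a code from a time step already used or older."""

    def __init__(self, secret: bytes, pin: str, skew_steps: int = 1):
        self.secret = secret          # assumption: the token's seed
        self.pin = pin                # assumption: user-chosen PIN
        self.skew = skew_steps        # accept +/- this many 60 s steps
        self.last_counter = -1        # highest time step accepted so far

    def verify(self, passcode: str, now: float) -> bool:
        """`passcode` is PIN followed by the six displayed digits."""
        pin, code = passcode[:-DIGITS], passcode[-DIGITS:]
        if not hmac.compare_digest(pin, self.pin):
            return False
        base = int(now // STEP_SECONDS)
        for counter in range(base - self.skew, base + self.skew + 1):
            if counter <= self.last_counter:
                continue   # replay of an accepted code, or an older one
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"    # RFC 4226 test-vector secret
    verifier = TokenVerifier(seed, pin="4321")
    t = 100 * STEP_SECONDS + 5
    shown = totp(seed, t)
    print("display:", shown)
    print("first use:", verifier.verify("4321" + shown, t))
    print("saved and replayed 10 s later:", verifier.verify("4321" + shown, t + 10))
    print("next minute's code:", verifier.verify("4321" + totp(seed, t + 60), t + 60))
```

Without the `last_counter` check a code stays valid for the whole skew window, and a site that skips the check entirely behaves exactly like the one described above where an old code "always works". The PIN is compared with `hmac.compare_digest` too, so a wrong PIN and a wrong code fail in the same way and take the same time.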
     
  16. bcruik

    bcruik Member

    Joined:
    24th Jul, 2008
    Posts:
    6
    Location:
    Brisbane, QLD
    This is Bank of New Zealand so maybe they are just inheriting bad practices from their parent NAB :)

    Bank West's Security Token looks different. Bank of Queensland uses a very similar looking device to BNZ from what I could see on their website.

    I just think these security tokens are silly. It completely locks you out of internet banking if you don't have them, which totally removes any advantages of using internet banking.

    I'm a little paranoid with my CBA NetBank and remove accounts from my address book if they are no longer a supplier or would not be likely to receive payments from us within the next 60 days etc. CBA also emails you a copy of any address book additions etc. as well as sending the SMS code, so CBA's implementation of this security is much better I think. I also have push email to my smartphone, so if my account was hacked I'd know almost instantly as soon as I got the email, and I'd be on the phone right away to them :)

    Citibank are like CBA and have the same procedure for adding a new payee (both SMS and email), and they also send you a letter in the mail saying you've added a new payee, etc., so they are just as on the ball as CBA.

    Westpac, on the other hand, have the most insecure system I've ever seen! You have to put in your password using the on-screen keyboard (don't use it if somebody is looking over your shoulder), and you can add/remove payees and make instant payments. Their security procedure is to hang on to funds for new payees for 2 days before sending them on, just in case you didn't make the payment, so if you make a payment on Friday, the payee can expect it on Wednesday the next week, rather than Saturday morning / Monday morning like with any other bank...
     
  17. Simon Hampel

    Simon Hampel Co-founder Staff Member

    Joined:
    9th Jun, 2005
    Posts:
    4,623
    Location:
    Sydney, Australia
    As with most things, there is a fundamental conflict between security and usability.

    Indeed, the most secure online systems are those which are simply not connected to anything - but that kind of defeats the purpose.

    If you want to start getting serious about security, you begin to look at systems like three-factor authentication ... simply put: you need three things to be allowed access - something you have (eg ID card, security token, phone, etc), something you know (eg password, PIN or pass phrase), and something you are (eg biometrics - fingerprint, retinal pattern, DNA, voiceprint etc). But of course, this starts to become unusable for the general population.

    I like the SMS verification mechanism used by NAB and other banks. I think it strikes a good balance between usability and security - indeed a mobile phone is something you are always likely to have with you, and generally works worldwide ... and is easy to use.

    Of course, if someone can work out a way to impersonate your SIM card and intercept your SMS messages - then that whole system falls down :rolleyes:
     
  18. handyandy

    handyandy Well-Known Member

    Joined:
    6th Jun, 2006
    Posts:
    312
    Location:
    Sydney Nsw
    Absolutely agree.

    I like the SMS solution; the only problem is if somehow the hackers can change the phone number by impersonating you. All it takes is a gullible bank phone operator who lets them change the number because they don't understand the importance.

    St George have the same system, but I have been unable to use it so far as they have my office number as the contact rather than the mobile which they were also provided.

    Cheers
     
  19. bcruik

    bcruik Member

    Joined:
    24th Jul, 2008
    Posts:
    6
    Location:
    Brisbane, QLD
    That can be fixed by requiring customers to be authenticated with 100 points of ID at their local branch to change it, or have an SMS sent to the old mobile number explaining that their mobile number with the bank has been updated and if you didn't authorise this call them asap etc :)
     
  20. crc_error

    crc_error The Rule of 72

    Joined:
    1st May, 2007
    Posts:
    1,367
    Location:
    Melbourne, VIC
    If that were to happen, then I think the customer would have a case to say the number change wasn't authorised by them, hence the bank is liable.