Hit By Online Banking Hacker - Change Login ID and Passwords

Non-investing personal finance issues including insurance, credit, real estate, taxes, employment and legal issues such as trusts and wills
Topic Author
edawg
Posts: 95
Joined: Mon Jun 13, 2011 8:08 pm

Hit By Online Banking Hacker - Change Login ID and Passwords

Post by edawg » Sat Jan 28, 2012 11:16 am

I work in Information Technology so knew better, but life and complacency with my login ID and password left the door wide open to a hacker who somehow "sniffed" or "cookied" my online banking login and passwords to get into our accounts. The creep then took the account numbers and did a small "test debit" of less than $1 one day to make sure the account was good, then bought American Express Prepaid debit cards the next to the tune of $7K on 3 different linked online accounts! The Online Fraud dept at my bank suggested it was from a "cookie" type of virus that captures IDs and passwords on accounts and suggested virus protection and Superantispyware scans to get rid of all the crud...

So, for y'all to avoid having to close and reopen all your accounts, change direct deposits/payments, sign affidavits that the felon's charges aren't yours, etc., here's the cheapest and easiest tool to reduce your chances of getting hit...

Change your password one one night, then change the actual user ID the next night on your online login accounts and do it regularly (at least twice per year such as when the time changes). Doing it over 2 different days hopefully reduces the chance the felon would be able to follow the changes on the account (but this is by no means a guarantee someone doesn't capture your login and then hit you same day of course). What is does do for you though is shuts out someone who may be waiting to hit you when money hits your account (after pay day for example which is precisely when we got hit). Geez, I hate to have to be paranoid, but there are some real bastages out there. :evil: And of course, run good virus and antispyware programs. Hope it helps.

stan1
Posts: 7977
Joined: Mon Oct 08, 2007 4:35 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by stan1 » Sat Jan 28, 2012 11:20 am

Wow, did you find anything when you scanned your computer?

User avatar
magellan
Posts: 3471
Joined: Fri Mar 09, 2007 4:12 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by magellan » Sat Jan 28, 2012 11:44 am

edawg,

It sounds like the bank will cover all the monetary losses from the fraud and your loss will be the time and aggravation to get everything fixed.

Can you describe the process from when you initially noticed the fraud to when you got everything back in order with new accounts? How long was it before the money was restored to your account? How many phone calls, letters, and total hours do you think it set you back?

Thanks,

Jim

LynnC
Posts: 797
Joined: Thu Mar 01, 2007 7:01 pm
Location: California

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by LynnC » Sat Jan 28, 2012 11:53 am

Was it hacked by keystrokes?

We keep our passwords on a flash drive, then copy, get on line and paste them in. (We keep them written down here, in code, that only we recognize).

I just got an email that my account was hacked at Zappos, but since I only use a Virtual Account Number when shopping on line,(a number that can only be used one time) I was not hurt. That said, I am noticing an uptick of junky phone calls.

LynnC

User avatar
magellan
Posts: 3471
Joined: Fri Mar 09, 2007 4:12 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by magellan » Sat Jan 28, 2012 12:01 pm

LynnC wrote:Was it hacked by keystrokes?

We keep our passwords on a flash drive, then copy, get on line and paste them in. (We keep them written down here, in code, that only we recognize).
That could possibly help against some older less sophisticated attacks, but nowadays most of the viruses are using something called a 'form grabber'. This is a code shim that they insert into your OS to capture anything that gets submitted by your web browser. The shim lives just above the point where the form submittal data is encrypted, so there's no way to thwart it, short of keeping the virus from infecting your computer.

Jim

yobria
Posts: 5978
Joined: Mon Feb 19, 2007 11:58 pm
Location: SF CA USA

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by yobria » Sat Jan 28, 2012 12:08 pm

That's frustrating. I assume anything I type is being keylogged. That's why I like ETrade, which requires an RSA SecurID token for logon (they send you the hardware without charge). While not foolproof (eg the March 2011 hacker incident), they are another layer of protection.

Nick

User avatar
Kenkat
Posts: 5468
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Kenkat » Sat Jan 28, 2012 12:54 pm

I know everyone worries about trojans, viruses and keyloggers that end up on your computer (rightfully so), but it is also very possible that the vulnerability was on your bank's end. One very popular type of attack is a cross site scripting attack. Complicated to explain, but basically a hacker is able to inject code into (in this example) your bank's web application and then can capture information on other user sessions and transmit them to a third party site.

You can google "cross site scripting attack" or here's a Wikipedia link:

http://en.wikipedia.org/wiki/Cross-site_scripting

I spoke to a company that does security penetration testing for large corporations and they said about 90% of the sites they test have this vulnerability - although the vulnerability may not be as severe as collecting security information, for example.

LynnC
Posts: 797
Joined: Thu Mar 01, 2007 7:01 pm
Location: California

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by LynnC » Sat Jan 28, 2012 2:31 pm

DEPRESSING, to say the least!

LynnC

User avatar
rob
Posts: 3070
Joined: Mon Feb 19, 2007 6:49 pm
Location: Here

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by rob » Sat Jan 28, 2012 2:41 pm

Change your id - really.... Why not just use random userid's if your going to do that...... and buy some guns for your ranch.

Everyone should run virus stuff (except the apple fan boys that know they cannot ever be affected :-/ ), scan with maleware software, use hard and different passwords for each site e.t.c. but the changing of id's is too far. The banks like to give off it's your issue - it may well not be.
| Rob | Its a dangerous business going out your front door. - J.R.R.Tolkien

User avatar
Cloud
Posts: 652
Joined: Wed Sep 12, 2007 12:43 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Cloud » Sat Jan 28, 2012 3:06 pm

LynnC wrote:Was it hacked by keystrokes?

We keep our passwords on a flash drive, then copy, get on line and paste them in. (We keep them written down here, in code, that only we recognize).

I just got an email that my account was hacked at Zappos, but since I only use a Virtual Account Number when shopping on line,(a number that can only be used one time) I was not hurt. That said, I am noticing an uptick of junky phone calls.

LynnC
When you copy to your clipboard any hacker can see it. Typing your password is safer then a cut and past. That's why some banks like ING let you click an onscreen keyboard with your mouse so you don't have to paste or type.

sscritic
Posts: 21858
Joined: Thu Sep 06, 2007 8:36 am

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by sscritic » Sat Jan 28, 2012 3:16 pm

Cloud will happily answer all your questions about the Cloud, including Cloud security, security in the Cloud, and how the Cloud manages Cloud security.

TheEternalVortex
Posts: 2558
Joined: Tue Feb 27, 2007 9:17 pm
Location: San Jose, CA

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by TheEternalVortex » Sat Jan 28, 2012 3:22 pm

Most common ways to have someone steal your login:

1. Using the same username/password at more than one site (not directly, but with one of the others below)
2. Use unencrypted public wifi or login at a public location
3. Virus/trojan/keylogger/etc.
4. Vulnerability in the site itself (not terribly likely if you are using a major bank, but possible)

User avatar
rob
Posts: 3070
Joined: Mon Feb 19, 2007 6:49 pm
Location: Here

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by rob » Sat Jan 28, 2012 3:50 pm

Cloud wrote:When you copy to your clipboard any hacker can see it. Typing your password is safer then a cut and past. That's why some banks like ING let you click an onscreen keyboard with your mouse so you don't have to paste or type.
The MAIN reason for that is to bypass keyboard loggers.
| Rob | Its a dangerous business going out your front door. - J.R.R.Tolkien

HongKonger
Posts: 1079
Joined: Tue Jun 21, 2011 10:35 am
Location: Deep in the Balkans

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by HongKonger » Sat Jan 28, 2012 4:11 pm

Dont your banks issue you with those little clicker devices that give you different secure codes every time you log in over there?

User avatar
Cloud
Posts: 652
Joined: Wed Sep 12, 2007 12:43 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Cloud » Sat Jan 28, 2012 4:19 pm

HongKonger wrote:Dont your banks issue you with those little clicker devices that give you different secure codes every time you log in over there?
E*Trade bank does... I'm not aware of any others.

User avatar
Cloud
Posts: 652
Joined: Wed Sep 12, 2007 12:43 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Cloud » Sat Jan 28, 2012 4:20 pm

rob wrote:
Cloud wrote:When you copy to your clipboard any hacker can see it. Typing your password is safer then a cut and past. That's why some banks like ING let you click an onscreen keyboard with your mouse so you don't have to paste or type.
The MAIN reason for that is to bypass keyboard loggers.
I know, we're on the same page with key loggers. Just saying, it's not any safer to do a cut and paste...

User avatar
DiscoBunny1979
Posts: 2021
Joined: Sun Oct 21, 2007 10:59 am

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by DiscoBunny1979 » Sat Jan 28, 2012 5:10 pm

How does someone log on from a different computer, when they will be asked for "answers to questions"? For instance, if I try and access my BofA account from a different in-home computer, they will ask to verify all kinds of information before they will allow me to log on - including the state I'm from. So, the hacker really has to know more information than just user ID and password. Correct?

pcsrini
Posts: 86
Joined: Mon Jan 24, 2011 10:51 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by pcsrini » Sat Jan 28, 2012 5:38 pm

Schwab also provides the Verisign ID protection hardware/key that generates unique keys which are added to your password when logging in.

Also, if you use FireFox you can add NoScript (allowing only specific sites to run scripts) and in the Options menu specify that you don't want to be tracked and clear the cookies when you exit the browser.

This adds a little extra work when logging in, but is probably worth it.

User avatar
rob
Posts: 3070
Joined: Mon Feb 19, 2007 6:49 pm
Location: Here

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by rob » Sat Jan 28, 2012 6:33 pm

pcsrini wrote:Schwab also provides the Verisign ID protection hardware/key that generates unique keys which are added to your password when logging in.
It generates a predictable 6 digit value - possibly from the specific fob - that is known on the server side - It's NOT unique.
| Rob | Its a dangerous business going out your front door. - J.R.R.Tolkien

pcsrini
Posts: 86
Joined: Mon Jan 24, 2011 10:51 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by pcsrini » Sat Jan 28, 2012 6:44 pm

Thanks, Rob. I read the "Anatomy of an Attack" paper on the RSA site - is the server side key generation any more secure now from outside attacks than it was prior to last years attack ?

bb
Posts: 314
Joined: Wed Apr 25, 2007 10:04 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by bb » Sat Jan 28, 2012 7:23 pm

Anybody been using a live linux boot for online banking?
To what extent is that approach still vulnerable?

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Mudpuppy » Sat Jan 28, 2012 8:36 pm

I use a Linux virtual machine for online banking. Since I do nothing but go to bank and credit card websites, it would need to be a malicious script on one of their pages (and one that knows how to infect Linux) in order for that virtual machine to get infected. I also restrict all random web browsing to a different (Windows XP) virtual machine. The biggest issue with doing random web browsing on your original machine (particularly on Windows) is getting a low-level (bootloader or BIOS) virus, which renders what you do at the OS level rather moot.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Mudpuppy » Sat Jan 28, 2012 8:41 pm

HongKonger wrote:Dont your banks issue you with those little clicker devices that give you different secure codes every time you log in over there?
This is rarely used by USA banks. It should be used, but either the lawyer (to say the terms and conditions say the client is responsible for keeping their computer clean of infections) or the fraud loss costs must be cheaper than the retrofitting cost of adding a second factor of authentication. TreasuryDirect (US Treasury website) actually moved away from having second factor authentication in their latest redesign. Sad really from a security perspective.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Mudpuppy » Sat Jan 28, 2012 8:50 pm

pcsrini wrote:Thanks, Rob. I read the "Anatomy of an Attack" paper on the RSA site - is the server side key generation any more secure now from outside attacks than it was prior to last years attack ?
There is always a possibility of a repeat of last year's attack. In order to know what key sequence the RSA key fob is going to generate, the server has a database that links the fob's ID number to its random number seed. If that database is compromised, then anyone could predict the sequence the key fob will generate. The database is the weakest link in this particular transaction and that is what was stolen last year that enabled the later attacks against sites using RSA key fobs.

That is because a random number seed causes the pseudorandom generator to generate a specific, predictable sequence that LOOKS random, but is not actually random. Two random number generators using the same algorithm will produce the exact same sequence of numbers (keys) if given the same random number seed. This is just how "random" number generation works on most computers, hence calling it a pseudorandom generator. If you know the seed, you know the sequence. Now you just have to guess how many keys have already been used or just trick the user into sending you a few current keys, then you can figure out what is the next valid key in the sequence. All bets are off at that point.

clevername
Posts: 278
Joined: Sun Jul 10, 2011 7:13 pm
Location: FL

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by clevername » Sat Jan 28, 2012 9:07 pm

More important than changing your logins and passwords frequently and using insanely complicated passwords, IMO, is using DIFFERENT logins and passwords. Relevant xkcd: http://xkcd.com/792/

Also, I tend to use a live linux session whenever I do any real banking/portfolio management. Download live ubuntu here http://www.ubuntu.com/download/ubuntu/download and burn the image, then restart and boot from your cd drive. That way you don't have to worry about cookies, viruses, or whatever the threat of the week is.

A live session isn't a magic bullet, but there's no upper limit to how paranoid one wants to be and how many countermeasures to use. My #1 primary defense against unauthorized meddling is email alerts after any activity. The longest I go between checking my email is about 6-10 hours (sleeping) so if something happens I'll know about it almost immediately.

pcsrini
Posts: 86
Joined: Mon Jan 24, 2011 10:51 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by pcsrini » Sat Jan 28, 2012 10:35 pm

If you have a strong password, and the Verisign key, what is the probability that a hacker can break into your accounts ?

First, they would need to get the key generator from the server, and also have access to your password with a keylogger. Just having access to one piece of this information will not be sufficient.

The reason I ask is that with both these measures, is there any another loophole that can be exploited that will give the hacker the combined password with one virus/trojan ?

User avatar
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Sat Jan 28, 2012 10:55 pm

Unfortunately, a lot of advice here is snake oil (not helpful), like changing user ids. The rules are rather simple:

1) If your computer is compromised, all bets are off.
2) If your password is compromised, all bets are off.
3) If your institution is compromised, all bets are off.

That's it. Trying to break it down into keyloggers/sniffers/whatnot is meaningless. If the computer is not compromised and is up to date, all financial operations will go over HTTPS which is immune to sniffers and unencrypted WiFi.

What are some good solutions?
- Booting from CD is an interesting (if overkill) way to make sure there is no spyware watching you. However, it also means the software does not get the latest security updates.
- Make sure all security updates get installed ASAP; this is controlled from OS settings
- Chrome is the safest browser; Internet Explorer is the worst. Consider a Chromebook, too - there's no way to install (evil) software in the first place.
- Each site gets a different long random password; a password manager handles them for you (LastPass is good)
- Your e-mail account is the key to your life, therefore it also gets a long random password, and you don't log in from random machines. Get a laptop or a smartphone if you need to check e-mail on the go.
- When your browser asks you "do you want to run this thing", you answer "no", unless you know what you're doing really well. Pay attention!

User avatar
tc101
Posts: 3249
Joined: Tue Feb 20, 2007 3:18 pm
Location: Atlanta - Retired in 2004 at age 54

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by tc101 » Sat Jan 28, 2012 10:59 pm

I only check financial accounts from a linux computer.
. | The most important thing you should know about me is that I am not an expert.

stan1
Posts: 7977
Joined: Mon Oct 08, 2007 4:35 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by stan1 » Sat Jan 28, 2012 11:12 pm

How does one protect against a "shim" while running latest updates of Mac OS X with the Chrome browser?

User avatar
magellan
Posts: 3471
Joined: Fri Mar 09, 2007 4:12 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by magellan » Sat Jan 28, 2012 11:17 pm

pcsrini wrote: The reason I ask is that with both these measures, is there any another loophole that can be exploited that will give the hacker the combined password with one virus/trojan ?
The most likely way an attacker would thwart this security approach is to first infect your computer with their virus. The virus would lay in wait until the next time you authenticate to your banking website. Once you're authenticated, the virus will create a hidden browser window that inherits the session information from your authenticated connection to the banking website. Then, the hidden browser window would either be remotely controlled in real time by an actual human, or smart enough to schedule fraudulent transfer(s) unattended, probably after you think you've logged off.

The key is that if they have full control of your computer with a virus, and you can get into your banking website, then they can get into your banking website too.

Jim

User avatar
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Sat Jan 28, 2012 11:22 pm

stan1 wrote:How does one protect against a "shim" while running latest updates of Mac OS X with the Chrome browser?
What is that "shim" and where does it come from? Just don't run random downloaded software.

Topic Author
edawg
Posts: 95
Joined: Mon Jun 13, 2011 8:08 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by edawg » Sat Jan 28, 2012 11:27 pm

Just scanned the thread and will try to answer the questions raised to hopefully help others avoid coming to similar grief.

The bank identified the threat from seeing 3 different debit transactions on different accounts to pay for 3 American Express prepaid cards. My guess is I wasn't the only one as there was almost a tone of certainty from the fraud department representative I talked to. The ironic thing was that initially I was told "they logged in once and didn't do anything"on the accounts. That's the evil part because the perp hadn't done much other than a small transaction of a few cents that was credited immediately to partially cover their tracks so the initial rep I talked to said nothing was wrong (since the balances had zero net change) and that a "Identify Theft" consultant would call me to unlock the account after we ran virus scans. What happened though was the perp waited a few days and when the account wasn't closed, they hit us hard since they already had the bank routing code and account numbers and didn't need the login anymore after that when they bought prepaid cards from wherever it was they did! And they made sure NOT to hit accounts that had low balances so we wouldn't notice from failed debit transactions or bounced checks too soon! Most banks (and cellular carriers) look for duplicate transactions/like transactions from multiple locations/similar transactions that are unlikely in certain timeframes and I was lucky the bank spotted it despite the grief we're dealing with. It could have been worse. The bank proactively shut down my electronic login, but it only prevents the perp from gathering intel on the accounts in question after the crime has occurred. The login happened from a different state than I live in which tells me it was a screen-scraper type of attack. Or a cross-site scripting attack on the bank's site (though it's a https "secure" type of site theoretically tested against such scripting attacks on the actual web-site itself. Of course, an insider who allowed a back door on the bank's site or who otherwise worked in banking could do this...

The frustration level has taken roughly 8 hours considering time at the bank to move funds, create all new checking/savings accounts, etc. and then move all debit transactions for mortage, insurance, credit card companies, etc. to new accounts so far. To make matters worse, I run finances for my father who is in nursing care and yes, the bastages hit him hard as well which had to be reversed. So I have another 8 hours at least with Social Security, Veterans Administration and his creditors to deal with. My guess in the end is that the end merchants who accept the debit cards are going to get screwed out of their money. Someone who knows the rules of ACH transactions in banking can probably tell better what the rules are when AMEX has to cancel/renig on the clearing of their prepaid cards... Now I know why the "credit challenged" pay such a premium for prepaid cards due to fraud...

Changing the login ID on accounts regularly is usually simple on e-commerce sites and you don't have to close your account per se just to change the online login ID and then password. Frequency of change is more important than complexity of the ID or password. And the next time a website asks you for a PIN # or "security question", instead of being annoyed, thank that institution's IT and customer service departments for looking after you!

And for anyone who doesn't believe in changing logins regularly this after reading this thread... good luck cause you'll need it.

HuggieBear
Posts: 64
Joined: Sat Aug 20, 2011 7:06 am

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by HuggieBear » Sat Jan 28, 2012 11:39 pm

I work in IT, and my bank credentials were compromised at one point....I was lucky in that my bank required the person to answer a random security question answer in addition to id/pass, and the individual failed to answer the question correctly.

I took several actions in response to that issue...first, i wiped my main computer access point. Then, I started using an "algorithm" for all passwords on all sites. Its an algoritm that i can calculate easily, and it involves using the domain name of the site I'm on. For example, something like "my password is every other letter of the domain name + a fixed pin"....that way, i have a different password for every site i use, plus some memorable pin (e.g. my body weight or some such).

I made sure i changed all my passwords from a clean computer, and now every site i use has a different password that I can easily calculate without using memory.


Next, I started using lastpass.com, mostly for convenience.


Also, I am pretty sure I was compromised by having an out of date version of java on my comp, which allowed a trojan downloader to get installed.


To prevent this going forward, I now use Secunia PSI to help me keep all my software up to date and avoid known security holes.

With all this, I now believe I can only be hacked with a zero day flaw targeted against my key accounts...much smaller "bullseye" than what I once was, and very little additional effort on my part, aside from transitioning to this security framework.

Feel free to ask if my approach outlined above isn't clear. In most cases, YOU got compromised, not your financial institution.

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Mudpuppy » Sat Jan 28, 2012 11:53 pm

Frequent changing of login credentials will do nothing if you have not adequately eliminated whatever vector they used to steal the login credentials in the first place. Changing the credentials will only stop phishing attacks (where they obtain the login credentials once), but will not stop keyloggers or other live scraping of information. So the first priority should be protecting the system from attack.

mnaspbh
Posts: 204
Joined: Fri Sep 09, 2011 12:26 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by mnaspbh » Sat Jan 28, 2012 11:55 pm

The only way that changing your username and password helps stop hackers is if they're relying on having both to access the account. In other words, changing your username and/or password helps only if they've captured or obtained both username and password but not used them yet, and they don't have any way to obtain the new ones. If one is logging in from a compromised machine (e.g., one with some kind of malware), it's pretty much guaranteed they can trivially obtain both the new username and password. There are so many different ways for malware to circumvent pretty much any kind of security that the only useful protective measure is to never have malware in the first place.

It also sounds like they didn't need either username or password to commit the actual fraud, after they'd accessed the account and obtained the necessary information to issue multiple ACHs. Those don't need any account credentials, just the account number and bank's routing information (just like one would find on a check).

Changing one's password can be important if the password has been compromised and the attacker can't just get the new one the same way they got the old one. For example, if an attacker stole a bunch of usernames and passwords all at once by compromising a merchant's or bank's computers, changing your password makes the stolen information useless if it hasn't already been used. The same goes for changing one's username. In effect, both username and password are secrets, but the username is all-too-often very easy to guess or obtain.

khh
Posts: 299
Joined: Sat Dec 27, 2008 10:31 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by khh » Sun Jan 29, 2012 12:45 am

FNK wrote:Unfortunately, a lot of advice here is snake oil (not helpful), like changing user ids. The rules are rather simple:

1) If your computer is compromised, all bets are off.
2) If your password is compromised, all bets are off.
3) If your institution is compromised, all bets are off.

That's it. Trying to break it down into keyloggers/sniffers/whatnot is meaningless. If the computer is not compromised and is up to date, all financial operations will go over HTTPS which is immune to sniffers and unencrypted WiFi.

What are some good solutions?
- Booting from CD is an interesting (if overkill) way to make sure there is no spyware watching you. However, it also means the software does not get the latest security updates.
- Make sure all security updates get installed ASAP; this is controlled from OS settings
- Chrome is the safest browser; Internet Explorer is the worst. Consider a Chromebook, too - there's no way to install (evil) software in the first place.
- Each site gets a different long random password; a password manager handles them for you (LastPass is good)
- Your e-mail account is the key to your life, therefore it also gets a long random password, and you don't log in from random machines. Get a laptop or a smartphone if you need to check e-mail on the go.
- When your browser asks you "do you want to run this thing", you answer "no", unless you know what you're doing really well. Pay attention!
Are Chromebooks immune from the types of attacks being discussed on this thread? What about ipads and android based tablets?

jda
Posts: 152
Joined: Sun Nov 21, 2010 4:03 am

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by jda » Sun Jan 29, 2012 1:43 am

Just out of curiosity, how safe is Ubuntu? Assuming everything is installed from the repository and the WIFI is secured .

Bongleur
Posts: 2276
Joined: Fri Dec 03, 2010 10:36 am

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Bongleur » Sun Jan 29, 2012 5:50 am

pcsrini wrote:Schwab also provides the Verisign ID protection hardware/key that generates unique keys which are added to your password when logging in.
They haven't offered anything like that to me.
Seeking Iso-Elasticity. | Tax Loss Harvesting is an Asset Class. | A well-planned presentation creates a sense of urgency. If the prospect fails to act now, he will risk a loss of some sort.

User avatar
linuxuser
Posts: 1107
Joined: Mon Jan 24, 2011 9:15 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by linuxuser » Sun Jan 29, 2012 11:48 am

jda wrote:Just out of curiosity, how safe is Ubuntu? Assuming everything is installed from the repository and the WIFI is secured .
Don't use Wifi; use cabled Ethernet.

Ubuntu is Linux.

User avatar
linuxuser
Posts: 1107
Joined: Mon Jan 24, 2011 9:15 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by linuxuser » Sun Jan 29, 2012 11:52 am

FNK wrote: If the computer is not compromised and is up to date, all financial operations will go over HTTPS which is immune to sniffers and unencrypted WiFi.
If the computer is not compromised. That is the big if. It is well-known that the hackers target Windows machines just because there are more of them.
Why put effort into the 10% PCs running Linux when 50% gets you more victims?
I personally prefer to use Ubuntu Linux when surfing the internet.
It doesn't take that much more effort, and is one preventive measure.
FNK wrote: Trying to break it down into keyloggers/sniffers/whatnot is meaningless.
I disagree. If the computer OS is more prone for rogue software to capture your password and username, then using a more "secure" OS it not meaningless.

User avatar
linuxuser
Posts: 1107
Joined: Mon Jan 24, 2011 9:15 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by linuxuser » Sun Jan 29, 2012 11:59 am

khh wrote: Are Chromebooks immune from the types of attacks being discussed on this thread? What about ipads and android based tablets?
Chromebooks run Chrome OS which is Linux-based.

iPads runs a version of iOS. iOS is derived from Mac OS X. Mac OS X is Unix-like.

Android is another Linux-based OS.

pcsrini
Posts: 86
Joined: Mon Jan 24, 2011 10:51 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by pcsrini » Sun Jan 29, 2012 2:37 pm

For the Schwab token, they don't offer it proactively, but you can ask for it. I found this information on the Schwab Site by navigating the flow below after logging into your account:

1. Click the Service Tab
2. Navigate to Accounts and Fees
3. Click on the link for "these additional steps" under the SchwabSafe page
4. Click on "How you can prevent unauthorized access ...."
5. At the bottom of the page, you should see instructions to request this token.

User avatar
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Epsilon Delta » Sun Jan 29, 2012 11:48 pm

bridenour wrote:Then, I started using an "algorithm" for all passwords on all sites. Its an algoritm that i can calculate easily, and it involves using the domain name of the site I'm on. For example, something like "my password is every other letter of the domain name + a fixed pin"....that way, i have a different password for every site i use, plus some memorable pin (e.g. my body weight or some such).

I made sure i changed all my passwords from a clean computer, and now every site i use has a different password that I can easily calculate without using memory.


Next, I started using lastpass.com, mostly for convenience.
Using a pattern to generate passwords to multiple sites is a bad idea. The failure mode of your method is that a thief gets one or more of your passwords for low value sites and figures out the pattern.

You are already using lastpass so it would be far better to generate a true random password (e.g. using diceware) for each site.

User avatar
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Mon Jan 30, 2012 9:36 pm

khh wrote:Are Chromebooks immune from the types of attacks being discussed on this thread? What about ipads and android based tablets?
The security advantage of Chromebooks is that they don't have a concept of "installing software" altogether, so there's no way for a virus to put itself onto the machine.

(There is the concept of installing Chrome extensions, but these are more visible - don't install what you don't trust.)

User avatar
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Mon Jan 30, 2012 9:47 pm

jda wrote:Just out of curiosity, how safe is Ubuntu? Assuming everything is installed from the repository and the WIFI is secured .
And assuming you tell it to install security updates automatically - fairly secure. These days, the two greatest threats to all systems are (1) not installing security updates and (2) (unwittingly) installing untrustworthy software.

An advantage of Ubuntu (and the more recent versions of Windows) is that it will ask you for your account password before installing anything, which should hopefully give you a pause.

User avatar
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Mon Jan 30, 2012 9:47 pm

linuxuser wrote:Don't use Wifi; use cabled Ethernet.
Use HTTPS and you're good to go.

If we go really paranoid, it's possible to hijack a wired connection too.

User avatar
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Mon Jan 30, 2012 9:47 pm

linuxuser wrote:
khh wrote: Are Chromebooks immune from the types of attacks being discussed on this thread? What about ipads and android based tablets?
Chromebooks run Chrome OS which is Linux-based.

iPads runs a version of iOS. iOS is derived from Mac OS X. Mac OS X is Unix-like.

Android is another Linux-based OS.
I'm a linux user too, but you're beginning to sound like a spambot. ;-)

Linux is a kernel. It's perfectly possible to put an insecure userland on top of it. You need an organization that watches for zero-day exploits and patches them up in real time. Canonical (Ubuntu) will do that. But lately, M$ has been mending its ways too.

User avatar
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Mon Jan 30, 2012 9:47 pm

Epsilon Delta wrote:
bridenour wrote:Then, I started using an "algorithm" for all passwords on all sites. Its an algoritm that i can calculate easily, and it involves using the domain name of the site I'm on. For example, something like "my password is every other letter of the domain name + a fixed pin"....that way, i have a different password for every site i use, plus some memorable pin (e.g. my body weight or some such).

I made sure i changed all my passwords from a clean computer, and now every site i use has a different password that I can easily calculate without using memory.


Next, I started using lastpass.com, mostly for convenience.
Using a pattern to generate passwords to multiple sites is a bad idea. The failure mode of your method is that a thief gets one or more of your passwords for low value sites and figures out the pattern.

You are already using lastpass so it would be far better to generate a true random password (e.g. using diceware) for each site.
Using a pattern is a bad idea indeed. It's only marginally better than using the same password on multiple sites.

The easiest and perfectly good enough way for a Lastpass user to generate secure passwords is to use Lastpass. It has a tuneable random password generator that will fill them into forms for you and update the stored version.

Bongleur
Posts: 2276
Joined: Fri Dec 03, 2010 10:36 am

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Bongleur » Mon Jan 30, 2012 10:12 pm

Seeking Iso-Elasticity. | Tax Loss Harvesting is an Asset Class. | A well-planned presentation creates a sense of urgency. If the prospect fails to act now, he will risk a loss of some sort.

User avatar
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Tue Jan 31, 2012 1:13 am

Bongleur wrote:Chromebook security flaws:

http://www.abs-cbnnews.com/lifestyle/ga ... chromebook
Summary: Kaspersky weaving FUD because it stands to lose business.

For what it's worth, we're talking about online access to bank accounts, so the data is already in "the cloud". The question is who's better at securing your machine, Google or you. For most values of "you", it's not you.

Post Reply