Hit By Online Banking Hacker - Change Login ID and Passwords

Bongleur
Posts: 2276
Joined: Fri Dec 03, 2010 10:36 am

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Bongleur » Tue Jan 31, 2012 6:35 am

>we're talking about online access to bank accounts, so the data is already in "the cloud"

I thought it was located in a secure server in a gated & alarmed undisclosed location.
Seeking Iso-Elasticity. | Tax Loss Harvesting is an Asset Class. | A well-planned presentation creates a sense of urgency. If the prospect fails to act now, he will risk a loss of some sort.

magellan
Posts: 3471
Joined: Fri Mar 09, 2007 4:12 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by magellan » Tue Jan 31, 2012 8:29 am

FNK wrote:Using a pattern is a bad idea indeed. It's only marginally better than using the same password on multiple sites.
IMO, a base password with a per-site pattern provides a very high return on effort, compared to reusing the same password on multiple sites. It's easy and effective for the vector that's most likely to bite people - an automated re-use attack of data from a compromised site (e.g. Sony). Sure, strong and unique passwords are much better mathematically, but IMO this is still a valid approach.

I use a modified version of this approach with three tiers of unique passwords that I build the patterns on. One tier has all my fun sites like bogleheads, one tier has more important sites like banks and credit cards, and Vanguard is in a tier by itself.

Jim

magellan
Posts: 3471
Joined: Fri Mar 09, 2007 4:12 pm

Re: Lastpass Security

Post by magellan » Tue Jan 31, 2012 8:54 am

One area I differ from a lot of folks here is in the use of Lastpass. I wouldn't say it's a terrible sin to use it, but I'd never put critical financial passwords such as Vanguard's into LastPass.

Lastpass has already had a serious security scare and IMO it's very likely that they'll get breached eventually. I don't mean this as a knock on them, but they're just too rich of a target and they get a lot of attention from the hacking community.

The key thing with computer security is that the attacker just has to get lucky one time. The target has to do everything right, all the time. With LastPass, all your eggs are in one basket and if they're breached, especially in a way that isn't detected, you're very vulnerable.

Personally, I wouldn't put financial site passwords into LastPass, other than maybe credit card sites and low balance bank accounts.

Jim

mclvngr
Posts: 41
Joined: Sun May 08, 2011 9:57 am

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by mclvngr » Tue Jan 31, 2012 9:57 am

If you use it or are considering using it you have to watch what Steve Gibson of Security Now has to say on the subject. Google his podcast. If you're not convinced of the bullet-proof security of Lastpass after hearing Steve you might as well unplug your computer from the wall! I recommend subscribing to Security Now - free, of course!

Lbill
Posts: 4997
Joined: Thu Mar 13, 2008 11:25 pm
Location: Somewhere between Up and Down

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Lbill » Tue Jan 31, 2012 12:04 pm

I've used Roboform2Go, which stores passwords on a USB flash drive. When activated it automatically brings up the site and fills the password without any keystrokes. Easy to create and use different random passwords for your websites. You must use a master password to open Roboform when it's in use. I've had the feeling that it's safer to use the USB version of Roboform rather than the version that resides on your hard drive, although I don't know for sure if it makes any difference. Wondering what others think of Roboform? One drawback is that the USB version does not support Chrome and you have to use the hard drive version instead.
"Life can only be understood backward; but it must be lived forward." ~ Søren Kierkegaard | | "You can't connect the dots looking forward; but only by looking backwards." ~ Steve Jobs

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Tue Jan 31, 2012 7:40 pm

Bongleur wrote:>we're talking about online access to bank accounts, so the data is already in "the cloud"

I thought it was located in a secure server in a gated & alarmed undisclosed location.
Most "clouds" are. Nice secure facility with a big data pipe secured by your vigilance.

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Tue Jan 31, 2012 7:48 pm

magellan wrote:
FNK wrote:Using a pattern is a bad idea indeed. It's only marginally better than using the same password on multiple sites.
IMO, a base password with a per-site pattern provides a very high return on effort, compared to reusing the same password on multiple sites. It's easy and effective for the vector that's most likely to bite people - an automated re-use attack of data from a compromised site (e.g. Sony). Sure, strong and unique passwords are much better mathematically, but IMO this is still a valid approach.

I use a modified version of this approach with three tiers of unique passwords that I build the patterns on. One tier has all my fun sites like bogleheads, one tier has more important sites like banks and credit cards, and Vanguard is in a tier by itself.

Jim
Here's an attack scenario: a component (PHP, Java, whatever) used by multiple sites is breached; attackers get multiple password databases and look for commonalities. Boom, your accounts on other sites (at least in the same "tier") are compromised too.

In terms of return-on-effort, password databases beat everything because they take care of the typing for you.

Disclosure: I used the patterns technique for quite a while, ditched it, used PasswordSafe, KeePass, and now LastPass.

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Lastpass Security

Post by FNK » Tue Jan 31, 2012 7:51 pm

magellan wrote:One area I differ from a lot of folks here is in the use of Lastpass. I wouldn't say it's a terrible sin to use it, but I'd never put critical financial passwords such as Vanguard's into LastPass.

Lastpass has already had a serious security scare and IMO it's very likely that they'll get breached eventually. I don't mean this as a knock on them, but they're just too rich of a target and they get a lot of attention from the hacking community.

The key thing with computer security is that the attacker just has to get lucky one time. The target has to do everything right, all the time. With LastPass, all your eggs are in one basket and if they're breached, especially in a way that isn't detected, you're very vulnerable.

Personally, I wouldn't put financial site passwords into LastPass, other than maybe credit card sites and low balance bank accounts.

Jim
That's a perfectly valid personal preference. Use KeePass instead; it keeps the file with passwords local.

For the record, LastPass encrypts everything on your machine (so a site breach would not reveal your passwords) and they did not have a serious security scare; they had an episode of hypervigilance, which is a good thing for them to have.

magellan
Posts: 3471
Joined: Fri Mar 09, 2007 4:12 pm

Re: Lastpass Security

Post by magellan » Tue Jan 31, 2012 9:42 pm

FNK wrote:For the record, LastPass encrypts everything on your machine (so a site breach would not reveal your passwords)...
Imagine the scenario where Homeland Security knows there's a bomb in a city that will explode in 24 hours. They need the terrorist's username/password to disarm it. The terrorist is actively using LastPass on his browser while controlling the bomb. Do you think LastPass employees could help DHS get this terrorist's password in time to disarm the bomb?

My guess is that LastPass engineers could update their plugin with a new one that will send a decrypted copy of all the terrorist's passwords back to their own server. The data may be stored locally, but the logic that controls the decryption and data handling comes from LastPass and could presumably be updated by LastPass personnel.

Ok, now imagine it's not DHS that's behind this effort, but instead some incredibly sophisticated hackers. If you're depending on someone else to secure your data and they get compromised, then you're also compromised.

Jim
Last edited by magellan on Tue Jan 31, 2012 11:38 pm, edited 1 time in total.

magellan
Posts: 3471
Joined: Fri Mar 09, 2007 4:12 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by magellan » Tue Jan 31, 2012 11:33 pm

FNK wrote:attackers get multiple password databases and look for commonalities. Boom, your accounts on other sites (at least in the same "tier") are compromised too.
It would be very bad luck if multiple sites were hacked AND they all happened to be making the unthinkable/unforgivable security error of storing passwords in the clear. Although I'm sure many sites still do that (not banks I hope), best practice is to only store a one-way hashed version of the password, not the original password in the clear.

Wikipedia does a decent job describing this:
wikipedia wrote:More secure systems store each password in a cryptographically protected form, so access to the actual password will still be difficult for a snooper who gains internal access to the system, while validation of user access attempts remains possible.

A common approach stores only a "hashed" form of the plaintext password. When a user types in a password on such a system, the password handling software runs through a cryptographic hash algorithm, and if the hash value generated from the user's entry matches the hash stored in the password database, the user is permitted access. The hash value is created by applying a hash function (for maximum resistance to attack this should be a cryptographic hash function) to a string consisting of the submitted password and, usually, another value known as a salt. The salt prevents attackers from easily building a list of hash values for common passwords. MD5 and SHA1 are frequently used cryptographic hash functions.
Jim

khh
Posts: 300
Joined: Sat Dec 27, 2008 10:31 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by khh » Wed Feb 01, 2012 12:38 am

I had two interactions in the last week with two financial institutions that raised my security concerns. When I changed the email address at one account, they sent confirmation to the new email address but not to the old. They did send notification via snail mail, which I got today. I also changed my password a few days later (after reading this thread!) and was immediately notified via email.

With the other institution, it was the opposite. When I changed my email, they immediately sent confirmation to both the new and old addresses. However, when I changed the password there was no notification. Why in the world would they not send notification when any change is made? It seems like such a no-brainer to me.

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Lastpass Security

Post by FNK » Wed Feb 01, 2012 10:13 am

magellan wrote:My guess is that LastPass engineers could update their plugin with a new one that will send a decrypted copy of all the terrorist's passwords back to their own server. The data may be stored locally, but the logic that controls the decryption and data handling comes from LastPass and could presumably be updated by LastPass personnel.
They'd have to push the update to the client, have the terrorist accept the update, and log in after that. And murder their business in the process.

You're right that if you accept software without scrutinizing its source code, you're trusting the vendor. LastPass is only one vendor out of many that you rely on. Microsoft, Google, Apple and Dropbox can do everything LastPass can if they have their software running unrestricted on your machine. LastPass at least has their entire business predicated on keeping your passwords secure.

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by FNK » Wed Feb 01, 2012 10:26 am

magellan wrote:It would be very bad luck if multiple sites were hacked AND they all happened to be making the unthinkable/unforgivable security error of storing passwords in the clear. Although I'm sure many sites still do that (not banks I hope), best practice is to only store a one-way hashed version of the password, not the original password in the clear.
That presumes they are conscious about these low-level details, and that passwords are compromised in storage, not in flight. In reality, low-level details are abstracted by higher-level packages (like phpBB we're using right now). My scenario was that several sites install the same server software, and that software becomes compromised. This is very possible.

JeffX
Posts: 208
Joined: Thu Mar 01, 2007 4:28 pm
Location: MI

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by JeffX » Wed Feb 01, 2012 11:26 am

As a security professional, it is very easy to bypass AV and Malwarebytes type applications. These use signatures and it's trivial to compile your own type of malware to gain control and start capturing credentials.

The best advice I can give is watch what sites you browse to. Use Firefox and the NoScript add-on to prevent malicious JavaScript. Use the Web of Trust add-on to help you avoid malicious sites. And watch out for phishing emails. You should not be opening any zip files or executable files in email format. Also when someone sends you a link, put your mouse pointer over it and verify it's going to the proper URL.

donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by donttreadonme » Wed Feb 01, 2012 9:51 pm

Mudpuppy wrote:
HongKonger wrote: Don't your banks issue you with those little clicker devices that give you different secure codes every time you log in over there?
This is rarely used by USA banks. It should be used, but either the lawyer (to say the terms and conditions say the client is responsible for keeping their computer clean of infections) or the fraud loss costs must be cheaper than the retrofitting cost of adding a second factor of authentication. TreasuryDirect (US Treasury website) actually moved away from having second factor authentication in their latest redesign. Sad really from a security perspective.
Actually, banking in the US is much more secure than banking elsewhere, due to our legal system. In the US, fraud is the responsibility of the financial institution so of course it is in their best interests to ensure that the level of security and level of financial losses are about equal. When this law is not in place and fraudulent purchases are the responsibility of the account owner (you), you're screwed if your account is compromised by a technical security vulnerability that was completely out of control.

(Credentials: Security+, Certified Ethical Hacker, BS in MIS/IA, and pursuing MS in Information Security)

donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Lastpass Security

Post by donttreadonme » Wed Feb 01, 2012 9:58 pm

magellan wrote:
FNK wrote:For the record, LastPass encrypts everything on your machine (so a site breach would not reveal your passwords)...
Imagine the scenario where Homeland Security knows there's a bomb in a city that will explode in 24 hours. They need the terrorist's username/password to disarm it. The terrorist is actively using LastPass on his browser while controlling the bomb. Do you think LastPass employees could help DHS get this terrorist's password in time to disarm the bomb?

My guess is that LastPass engineers could update their plugin with a new one that will send a decrypted copy of all the terrorist's passwords back to their own server. The data may be stored locally, but the logic that controls the decryption and data handling comes from LastPass and could presumably be updated by LastPass personnel.
LastPass uses AES-256 encryption, the same encryption that is approved by the US government for the storage of Top Secret information. https://lastpass.com/support.php?cmd=showfaq&id=1096

It would be impossible for LastPass to somehow implement an update that would retroactively decrypt your stored hashes and retrieve them. That being said, when you open LastPass you must type in your master password to decrypt your password hashes for use. If your computer has a keylogger installed then someone could capture your master password and gain access to everything. Or someone could just hold a gun to your head and make you tell them your password: http://imgs.xkcd.com/comics/security.png

(Credentials: Security+, Certified Ethical Hacker, BS in MIS/IA, and pursuing MS in Information Security)

brianH
Posts: 328
Joined: Wed Aug 12, 2009 12:21 pm

Re: Lastpass Security

Post by brianH » Wed Feb 01, 2012 10:11 pm

donttreadonme wrote: It would be impossible for LastPass to somehow implement an update that would retroactively decrypt your stored hashes and retrieve them.
This isn't correct. Lastpass has your password database encrypted with a hash derived from your password. All they would need to do is update the plugin (extension) or add additional JavaScript on the web-based portal to capture your password in plain text or after applying the hashing algorithm and send it to the server. Either way, they could then use this to decrypt and view anything in your 'vault'.

As for the browser plugins, the user would have to accept the update, but most would without vetting the code.

donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Lastpass Security

Post by donttreadonme » Wed Feb 01, 2012 10:19 pm

brianH wrote:
donttreadonme wrote: It would be impossible for LastPass to somehow implement an update that would retroactively decrypt your stored hashes and retrieve them.
This isn't correct. Lastpass has your password database encrypted with a hash derived from your password. All they would need to do is update the plugin (extension) or add additional JavaScript on the web-based portal to capture your password in plain text or after applying the hashing algorithm and send it to the server. Either way, they could then use this to decrypt and view anything in your 'vault'.

As for the browser plugins, the user would have to accept the update, but most would without vetting the code.
This would simply be keylogging, which I mentioned.

magellan
Posts: 3471
Joined: Fri Mar 09, 2007 4:12 pm

Re: Lastpass Security

Post by magellan » Wed Feb 01, 2012 10:28 pm

brianH wrote: ...or add additional JavaScript on the web-based portal to capture your password in plain text or after applying the hashing algorithm and send it to the server.
I like this better than the plug-in update.

In either this case or a plug-in update, this is not a generic keylogger and doesn't require a virus to be installed on the victim's machine. It's just a modified version of a web page or plug-in that's been altered to do things it shouldn't do.

Jim

brianH
Posts: 328
Joined: Wed Aug 12, 2009 12:21 pm

Re: Lastpass Security

Post by brianH » Wed Feb 01, 2012 10:31 pm

donttreadonme wrote:
This would simply be keylogging, which I mentioned.

But the point remains, Lastpass, or Lastpass under threat from the government, or a hacker that compromised certain aspects of their systems could access everything in your vault if they chose to. Lastpass is a large and potentially very valuable target, as a successful attack would net hundreds/thousands/millions of user credentials.

FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Lastpass Security

Post by FNK » Thu Feb 02, 2012 12:17 am

brianH wrote:But the point remains, Lastpass, or Lastpass under threat from the government, or a hacker that compromised certain aspects of their systems could access everything in your vault if they chose to. Lastpass is a large and potentially very valuable target, as a successful attack would net hundreds/thousands/millions of user credentials.
Yes. But the same point applies to any software you use. How is LastPass more dangerous than Microsoft?

donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Lastpass Security

Post by donttreadonme » Thu Feb 02, 2012 6:29 am

FNK wrote:
brianH wrote:But the point remains, Lastpass, or Lastpass under threat from the government, or a hacker that compromised certain aspects of their systems could access everything in your vault if they chose to. Lastpass is a large and potentially very valuable target, as a successful attack would net hundreds/thousands/millions of user credentials.
Yes. But the same point applies to any software you use. How is LastPass more dangerous than Microsoft?
Exactly. Or even TrueCrypt, for that matter. When studying information assurance you have to know how much security is "enough". Your level of security should match what you're defending against. If you want to defend against the neighborhood dogs, you put a fence up. If you want to defend against the average Joe, you lock your screen before leaving your desk and use good passwords. If you want to defend against the US government, you're probably better off not owning a computer, not using a phone, and paying cash for everything.

donttreadonme
Posts: 71
Joined: Sun May 15, 2011 8:30 am

Re: Lastpass Security

Post by donttreadonme » Thu Feb 02, 2012 6:34 am

brianH wrote:But the point remains, Lastpass, or Lastpass under threat from the government, or a hacker that compromised certain aspects of their systems could access everything in your vault if they chose to. Lastpass is a large and potentially very valuable target, as a successful attack would net hundreds/thousands/millions of user credentials.
You may find this relevant: http://abcnews.go.com/blogs/technology/ ... -password/

It is unlikely that companies like LastPass are going to secretly and maliciously break their software under threat of the US government without a legal battle. It hasn't happened AFAIK. From the court cases I've read about, the government goes after that person committing the crime as opposed to threatening the software companies that the person chose to use. The government needs a warrant to access your computer and personal information on it. Stealing your passwords covertly and remotely would likely fall under this requirement.

brianH
Posts: 328
Joined: Wed Aug 12, 2009 12:21 pm

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by brianH » Thu Feb 02, 2012 9:39 am

I'm less concerned about the government than the large target painted on the back of LastPass for any would-be hackers. It's also a bit of a stretch to compare not fully trusting a very small company with 2 years in the business to one of the largest and oldest software companies in the world.

No system is 100% secure, but to obtain locally stored passwords, a hacker would need to obtain my pw database, keyfile (not readable unless privileged), and log my password. That's a lot of effort for a specific user's passwords. Lastpass, being a central point, only needs to be hacked once to reveal many users' passwords.

As I've mentioned before, the fact that they were not using a key stretching algorithm prior to their 'questionable activity on our network' problem last May is sloppy beyond belief. That showed me all I needed to know about the level of experience, or cost-saving priorities, these guys have.
We're also taking this as an opportunity to roll out something we've been planning for a while: PBKDF2 using SHA-256 on the server with a 256-bit salt utilizing 100,000 rounds. We'll be rolling out a second implementation of it with the client too. In more basic terms, this further mitigates the risk if we ever see something suspicious like this in the future. As we continue to grow we'll continue to find ways to reduce how large a target we are.
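An added example, not from the thread or from LastPass, that shows the difference magellan's salted-hash post and the PBKDF2 quote above are arguing over: with a bare unsalted SHA-1, the same password stored at two breached sites produces identical digests, so the cross-database "commonalities" FNK describes are visible in the dumps; with a per-user 256-bit salt and PBKDF2-HMAC-SHA256 at 100,000 rounds (the parameters LastPass quoted), the digests differ and each offline guess costs 100,000 hash operations. The users, passwords and the two "dumped" databases are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Set

ROUNDS = 100_000     # iteration count quoted by LastPass in the thread
SALT_BYTES = 32      # 256-bit salt, as in the same quote


def unsalted_hash(password: str) -> str:
    """The weak scheme magellan warns about: bare SHA-1, no salt.
    Equal passwords give equal digests on every site that uses it."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Hardened scheme: random per-user salt + stretched PBKDF2-HMAC-SHA256.
    A fixed salt may be passed only so tests can check determinism."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return {"salt": salt.hex(), "rounds": ROUNDS, "digest": digest.hex()}


def verify(record: Dict[str, object], attempt: str) -> bool:
    """Re-derive with the stored salt and rounds; constant-time compare."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(candidate.hex(), record["digest"])


def shared_digests(db_a: Dict[str, str], db_b: Dict[str, str]) -> Set[str]:
    """Digest values present in both dumps: the overlap an unsalted scheme
    leaks, and what a defender can audit for after a breach."""
    return set(db_a.values()) & set(db_b.values())


def demo() -> Dict[str, object]:
    pw = "correct horse battery staple"   # constructed; alice reuses it on both sites
    # Two constructed site databases using the unsalted scheme.
    weak_a = {"alice": unsalted_hash(pw), "bob": unsalted_hash("hunter2")}
    weak_b = {"alice": unsalted_hash(pw), "carol": unsalted_hash("letmein")}
    # The same users and passwords under the salted, stretched scheme.
    strong_a = {u: make_record(p) for u, p in [("alice", pw), ("bob", "hunter2")]}
    strong_b = {u: make_record(p) for u, p in [("alice", pw), ("carol", "letmein")]}
    return {
        "weak_overlap": len(shared_digests(weak_a, weak_b)),          # 1: alice's reuse shows
        "strong_overlap": len(shared_digests(
            {u: r["digest"] for u, r in strong_a.items()},
            {u: r["digest"] for u, r in strong_b.items()})),          # 0: salts differ
        "alice_login_ok": verify(strong_a["alice"], pw),
        "alice_wrong_pw": verify(strong_a["alice"], "Correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```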

Mudpuppy
Posts: 5890
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Hit By Online Banking Hacker - Change Login ID and Passw

Post by Mudpuppy » Fri Feb 03, 2012 12:19 am

It's a perfectly valid concern to not want your encrypted password file "in the cloud" or all of your passwords in one file. Luckily, LastPass is not the only software that does password management. There are other options that use local files and can segment the passwords so they're not all sitting in one "pot", like KeePass. Lovely thing about software, there are always options, even if unpopular.
