
Thread: Is online banking safe?

  1. #1

    Is online banking safe?

    I stopped doing online banking over a year ago due to the uncertainty around keyloggers and rootkits. I contacted my bank, asking about security issues and was assured everything was perfectly safe as long as I had malware protection. I asked about keyloggers, explaining they could capture keyboard data before it was encrypted, and he asked me what a keylogger was. Such is the state of banking online security.

    I am running Windows 7 behind a decent router hardware firewall and I plan to add a free software firewall like Comodo, since win7 firewall is still primitive IMHO. It is reported to have improved, but comes with outgoing protection disabled. You have to configure it, and like most micro$oft stuff, it is a convoluted exercise.

    What's the latest on keyloggers? Am I being too paranoid, or are there better ways to check for them? I am running a laptop with WPA personal enabled with a good sized password that is not likely to be found in a dictionary.

  2. #2
    Howdy,

    I can only tell you of my experience.
    I have been using online banking for years.
    The one thing I like about it is there are
    two levels of security.

    I tell them I am using a public network
    and they ask me the first question.
    Once answered properly they ask me the next question.

    The old 3 wrong and you have to call follows if you
    can't remember your answers.

    I have had to call. I forgot my passwords.

    I run win 7 and use Comodo right now and have no problems.
    I had no problems running XP and Zonealarm.

    Key loggers can't hide from a good firewall like Comodo.

    I know you are smarter than the bank Waxy.
    If there is not at least two layers of security,
    find another bank.

    Woodmann
    Learn Or Die.

  3. #3
    Quote Originally Posted by Woodmann View Post
    Howdy,

    I can only tell you of my experience.
    I have been using online banking for years.
    The one thing I like about it is there are
    two levels of security.

    I tell them I am using a public network
    and they ask me the first question.
    Once answered properly they ask me the next question.
    Thanks, Woody. The main problem I see with that is that a keylogger could read your answers as well.
    Quote Originally Posted by Woodmann View Post
    Key loggers can't hide from a good firewall like Comodo.
    That's what I wondered about. From what I have heard, keyloggers have properties like rootkits and can hide from most apps.

    I am using free AVG right now and I wonder if that might conflict with the virus checker on Comodo. I know I can use Comodo with no virus check. I wrote to AVG and asked them to consider releasing a standalone virus checker with no bells and whistles. Better check back and see if they did.

  4. #4
    Condemned geezer (Join Date: Oct 2001; Location: Ankara, Turkey; Posts: 138)

    Online banking is now safe, at least here in this part of the world.

    Two years ago The Banking Regulation Agency issued a new procedure that mandates the use of a 6 digit authentication code for Internet banking purposes, apart from your 'static' logon data comprising your customer number, PIN number and password. This 6 digit code is generated by a digital key generator which uses the RSA 128-bit encryption algorithm. The generated authentication code is valid for 2 minutes only, which then expires for that session and you have to start all over again. After 3 successive failed attempts to log on, your access to your online account is blocked. You have to apply to your bank in person to have it lifted.

    This key generator thing is provided by your bank for some $15. Its battery lasts for 5 years, or you may ask for a small Java application to be emailed to your compatible mobile phone, the number of which is registered in your account. As a precaution against theft and loss this Java app requires a PIN number to be entered before it generates the code, or you may ask that the authentication code be sent to your mobile phone by an SMS message at the last step of your logon (I picked this option).

    This regulation has drastically reduced the number of reported online banking fraud cases. Even if all your 'static' logon data is compromised by keyloggers, trojans, etc., this fourth component, the authentication code, provides peace of mind when you're online. There are some added measures available as well. You may limit your IP address for online access (companies use this feature since they all have static IPs), you may limit the time frame or amount or type of online transactions. These are not menu selectable. You decide and amend it only on the online banking written contract.

    Banks are promoting use of Internet banking here. Banking fees applied per transaction and/or annual charges for your CC, account, etc. are either very low or nil if you opt to go online. They're constantly upgrading their online menus as well. You can pay your bills, taxes, and even traffic tickets online, purchase pre-paid mobile phone credits, buy & sell papers at the stock exchange, besides the usual remittance/EFT/SWIFT transactions.

    Online banking is safe and it saves great time. I hate getting a Q-Matic number and waiting inside the bank though they choose beautiful female employees working behind the counters.
    Last edited by wbe; November 2nd, 2010 at 04:08. Reason: a testosterone induced addendum

  5. #5

    Live CD

    Call me paranoid when it comes to online banking, but I can't live without it.

    I don't trust any general purpose machine for banking, especially one which is left running attached to the network for any period of time. I personally work with people that can waltz right through your machine and you would never know they were there. Given an IP address your phone gets circumvented in under 15 seconds, so I will never consider that option for banking. While I trust my people, I know that there are others out there that could do the same, and so if you are talking about banking/money, the general rule is 'trust no one'.

    If you get yourself a known/trusted Live CD and reboot your machine for your banking session you have removed 98% of the problem. Verify that OS image! In order for the malware to be persistent when using a Live CD it would have to reflash the BIOS or some memory of some device (NIC, GPU, bus controller, etc) in your machine and force a real-time reload of the malware package from the Internet to replant a keylogger, system backdoor, or other various data sniffing malware. Consider configuring a firewall in that Live CD image that only permits the bank to be accessed.

    If the file system itself is *not* persistent (i.e. temp RAM drive file system and no external drives mounted) then you will leave no information in any cache or temporary directory which can then later be exfiltrated out to a hacker's own domain. They can't get in and they can't get it out.

    For data needing to be persistent I use a dedicated USB thumb drive that only gets mounted if/when I need to save something important for later. Anything financially related containing account information gets stored on that device encrypted. The one downside I have found is that my banking institution uses cookies to bypass some additional questions I have to answer up front during the login, because the cookies, like everything else with this setup, are not persistent. I imagine I could tweak the ISO file to contain that cookie, but then I wouldn't want to leave the CD lying around.

  6. #6

    As Needed

    Why do internet banking, when you can walk up to the bank on a good summer day, watching the ladies in their short pants and tight tees, to do business?



    On a more realistic note, avoiding public places / work places to do your online banking is recommended. Otherwise, I think currently the state of the banking is alright.

    How secure your computer is, is up to you, not the bank.

    Have Phun
    Blame Microsoft, get l337 !!

  7. #7
    Quote Originally Posted by wbe View Post
    Two years ago The Banking Regulation Agency issued a new procedure that mandates the use of a 6 digit authentication code for Internet banking purposes...
    Is that in the States? I don't know if it has spread to Canada yet, but I will check. Thanks for info.

    I have been thinking that something needs to be done to interface between the keyboard and the OS. What's the point of encryption after the data has entered the OS unencrypted?

    The system you describe makes sense as well. It's something like the one-time pads developed during WWII for agents in the field. A different cypher was generated each time a message was sent. The cypher you mention that expires within two minutes would prevent a hacker using your bank info unless he had the cypher and access at the same time you were in your account.

    There is still the problem of printing off transactions from your account online, as hard proof of your transaction. Such transactions include account numbers. The banks are going to have to develop alternates to sending account info over the net.

  8. #8
    Quote Originally Posted by slcoleman View Post
    Call me paranoid when it comes to online banking, but I can't live without it.
    thanks for tip on Live CD. I d/l'd a Red Hat Live CD featuring Live KD a few years ago. Wonder if it still works?

  9. #9
    Quote Originally Posted by Aimless View Post
    How secure your computer is, is up to you, not the bank.
    Have Phun
    That's true to a certain extent but it's akin to the software protection companies bragging that their protections are uncrackable. I'm concerned about the top-notch hackers who understand OSs so well they can write rootkits.

    I used free Sygate as a firewall on XP and now I am trying free Comodo, which seems to be good. Although Sygate stopped several Trojans from calling out, no firewall is infallible, especially to rootkits that know their weaknesses.

    You have to leave some ports open for your browsers, etc. As I was setting up Comodo, I booted a newsreader to call out to a news server. It stopped the first version of the reader, a version 2, but when I fired up another version, with the same name, a version 4, the firewall missed it, even though it is a different app. The firewall seemed to presume it was a trusted app since it had the same name. That's how easy it can be to get past a firewall.

    I'm sure good hackers know how to fool a firewall. When it comes to virus checkers, I find them to be highly inconsistent. IMHO, the best WAS Kaspersky, but even it had false positives and missed some viruses entirely. A keylogger is not a normal virus, having attributes akin to a rootkit. When I researched them in the past, no one could give specific information on how to detect them.

    The only real way would be to examine the contents of every packet that went out of your system. Or use softice to check unusual activity at ring 0. That's a thankless job since it's so hard to tell what is legit and what is not.

  10. #10
    Well......

    There are plenty of ARK's out there.
    Some of them are shit and some are way too sensitive.

    If Malwarebytes, Comodo, Combofix and something like rootkit revealer
    don't give you any peace of mind, you will have to do your
    banking in person.

    Woodmann
    Learn Or Die.

  11. #11
    Quote Originally Posted by Woodmann View Post
    If Malwarebytes, Comodo, Combofix and something like rootkit revealer
    don't give you any peace of mind, you will have to do your
    banking in person.
    Woodmann

    That's the approach I have been taking, but it's getting to the point where you have to suspect ATMs. I was talking to Kayaker about this a while back, and if I remember correctly, he claimed not to use online banking for a similar reason. When someone with Kayaker's understanding of the Windows OS, under the hood, is suspicious of online banking, that's more than good enough for me.

    The reason I posted was to see if anyone had heard of advances in keylogger detection. Rootkit revealer is very basic and you have to do your own research as to what each item flagged means. They are often not sure at the rootkit revealer forum.

    Russinovich even admitted it couldn't find every rootkit. So, I tried gmer et al, but each has its limitations. I was hoping by now that a good rootkit/keylogger detector would be available.

    I have d/l'd versions of Live CD from Ubuntu and Fedora. I'll try those to see if I can make a live connection run from the CD only. I also thought about using a VM.

  12. #12

    Live CD; part II

    Quote Originally Posted by WaxfordSqueers View Post
    thanks for tip on Live CD. I d/l'd a Red Hat Live CD featuring Live KD a few years ago. Wonder if it still works?
    Because you obviously care about security you might think better than to use an old CD, since there have been many many bug fixes since you downloaded yours 'a few years ago'. I much prefer the Fedora "Security Spin" as a starting point, since what better way to know you are safe but to have all the tools you might need to tell the difference?

    http://spins.fedoraproject.org/security/
    http://fedoraproject.org/wiki/Security_Lab

    Note: the browser does not come enabled with flash, and that is a good thing given the number of exploitable bugs in recent years, but you best check to make sure your bank does not depend on flash, in which case I would just get another bank.

  13. #13
    dELTA, Administrator (Join Date: Oct 2000; Location: Ring -1; Posts: 4,206; Blog Entries: 5)

    As long as you don't get to electronically sign very detailed descriptions of the transactions you want to make, on separate secure hardware, you can indeed be owned, and it is being done today. As long as any malware code is able to enter your computer (which is also extremely common today), you are fuxored, no matter how many anti-*** programs you have.

    Believe me, I know what I'm talking about, both from theory and experience...
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."
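
Added example (not part of any post in this thread): a Python sketch contrasting the time-limited 6-digit login code described in post #4 with the transaction signing on separate hardware described in post #13. It uses the HMAC-based codes of RFC 4226/6238 as a stand-in, since the thread does not specify the token's algorithm; the secret, account labels and timestamp are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP = 120  # validity window in seconds, taken from post #4; used here as the time step


def _truncate(digest: bytes, digits: int = 6) -> str:
    """RFC 4226 dynamic truncation of an HMAC digest to a decimal code."""
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def login_code(secret: bytes, now: int) -> str:
    """Session code: depends only on the shared secret and the clock."""
    counter = struct.pack(">Q", now // STEP)
    return _truncate(hmac.new(secret, counter, hashlib.sha1).digest())


def transaction_code(secret: bytes, now: int, payee: str, cents: int) -> str:
    """Code computed on the separate device over the details the user reads there."""
    msg = struct.pack(">Q", now // STEP) + f"{payee}|{cents}".encode()
    return _truncate(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts(secret: bytes, now: int, payee: str, cents: int, code: str) -> bool:
    """Bank recomputes the code over the request it actually received."""
    expected = transaction_code(secret, now, payee, cents)
    return hmac.compare_digest(expected, code)


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # constructed sample value
    t = 1_288_670_880                    # constructed timestamp
    print("login code:", login_code(secret, t))  # says nothing about payee or amount
    code = transaction_code(secret, t, "ACCT-1111", 25_000)
    print(bank_accepts(secret, t, "ACCT-1111", 25_000, code))  # request as confirmed
    print(bank_accepts(secret, t, "ACCT-9999", 25_000, code))  # payee changed on the PC
    print(bank_accepts(secret, t + STEP, "ACCT-1111", 25_000, code))  # window expired
```

The login code is the same whatever request follows it, while the transaction code only verifies for the payee and amount shown on the device.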

  14. #14
    Quote Originally Posted by slcoleman View Post
    Because you obviously care about security you might think better than to use an old CD
    thanks for links. The two Live CDs I d/l'd are the most current.

  15. #15
    Quote Originally Posted by dELTA View Post
    As long as you don't get to electronically sign very detailed descriptions of the transactions you want to make, on separate secure hardware, you can indeed be owned
    Hey, Delta.

    Could you expand on that? Electronically sign? Separate secure hardware?

    Also, I know you're into VMs. How about keeping an absolutely clean install on a VM, of say XP, and using that? I think I managed an Internet connection through a VM once, but I'm not sure.
