A Theft – but Stupid?

By cranky, 1 August 2008 (47 comments)

Discovered today that someone has overnight managed to empty one of my bank accounts to the tune of $1500+. Bank (ANZ) and Police advised.

In the absence of any other explanation, it would appear that access details were probably garnered by tapping into our home wireless network.

The transaction popped up as an Internet bank transfer, so both access code and password were required to do the deed.

If anyone knows of a Benjamin John McKay, the name of the apparent recipient of this transaction, who is walking around with a $1500 smile on his gob, the Police would be very interested.

I’m a bit less than impressed with the ANZ’s method of dealing with this occurrence. No feedback, and more interested that the fraud is in Police hands and stat decs (very carefully worded) are received than apparently tracking down the above perp.

Bank holiday Monday cannot help.

Police were excellent.

What’s Your opinion?

47 Responses to “A Theft – but Stupid?”
caf 10:51 am 05 Aug 08

You are talking a load of rubbish, peterh. In the threat model under discussion (using a PC at an untrusted web cafe), you can trust NOTHING that the PC says to you. It’s trivial for the administrator of the PC to generate their own CA certificate and install that as a trusted certificate on the PC; hell, they could even have installed their own hacked-up web browser that lies to you.

So all you know is, you are entering your username, pincode and tokencode into a web page that looks like your bank’s. If you are in fact talking to a proxy controlled by a malicious party, there is nothing stopping them from forwarding those authentication details on to the real bank’s server, and entering any transactions they wish from that point.

As I pointed out, the attack is time-limited – they can only authenticate to the bank as you during the time that the tokencode remains valid. “They would have to be pretty damn quick!” you say – well, I hear that computers are pretty good at doing things quickly.

Comments about “the complexity of the encryption” are just handwaving – you might well be using encryption, but that doesn’t help you if you can’t verify who is on the other end of that encrypted connection. The only way you can have any certainty of this is if your endpoint (that is, the PC you’re using) is secure.

Note that almost everything in the “PC owned by webcafe” threat model also applies in the “home PC 0wned by trojan” threat model.

It so happens that the system I manage uses RSA tokens (SID700s) to authenticate users, so I too know something of what I speak. Two-factor authentication can help, and it does increase the complexity of an attack, and it does ensure that attacks are time limited. But it’s also important to understand that it is not a magic bullet.

To cranky: I would not be 100% confident in the anti-spyware tool finding everything – some malware is pretty clever at hiding itself. Another possibility is that your ISP’s nameservers are/were vulnerable to the recent “Kaminsky attack”.

peterh 9:40 am 05 Aug 08

Woody Mann-Caruso said:

What sort of spy software is involved, & how close to the computer do you have to be?

You pretty much sit anywhere within wireless range of your computer (which can be a long way away if you’ve got a decent antenna) and run something like Kismet. Bit by bit, your network gives up its secrets – it’s like listening to a conversation in another room, and slowly piecing together the number of people, their genders, who they’re talking to, what they’re talking about and so on. It can be pretty fast if you launch an active attack – something that makes your network generate more traffic than it usually would, thus giving up more information about itself more quickly. With dictionary attacks and hash tables, simple passes fall almost instantly, while even decent passes can fall in time. If it was somebody in your neighbourhood, they’ve had all the time in the world.

More likely that you’ve been owned by malware or phishing, though – or even through physical access to the machine. Who else has access to your computer?

Good luck!

The best defence, I have found, is to run several AS / AM packages simultaneously. Ad-Aware is a good one, if you want a basic protection package. avast! is another one, as are the commercial Symantec and CA products. I am extremely paranoid, and have dual AV scanners, AS & AM scanners running on my system at any given time. The info on my home PC is both sensitive, and, as my wife runs a business from home, the client details she has are irreplaceable.

peterh 9:35 am 05 Aug 08

Madman said:

Jonathon Reynolds said:

With my ebay/paypal account I have a $5.00 device that ebay/paypal have supplied that generates a unique token (a 6 digit number). This number must be entered in conjunction with my correct username and password – the token is uniquely generated by the device each time I log in and only valid for 30 seconds before expiring.

Jonathon, where do I get myself one of these?

Speak to your bank. I know, they may not be up on technology, but, considering that the Bendigo Bank, CBA, NAB and a few others have gone down this path, they may already be investing in the technology. The issue of Kismet is defeated by the 2-factor authentication token. It is smart, but when confronted by a 3DES encryption algorithm, it is pretty much dead in the water.

I use Symantec Endpoint Protection at home, as it provides me with the tools to back-trace an attack, and identify with WHOIS, once the IP address has been confirmed. It also prevents spoofing attacks, as well as some other insidious methods out there now.

Madman 9:13 am 05 Aug 08

I had my bank cancel my credit card a few months ago because I made a transaction in Fyshwick at a gas station, then 2.5 hours later I made a transaction at another gas station in Nowra.

They thought it was a fraudulent transaction as I had only just filled up with fuel in a different State – didn’t think of calling me to check and didn’t think that maybe I had driven there and the fuel was empty again…. GRRR!

At least I had enough fuel to get through the weekend and back home and enough money for food in my wallet to do with. They also re-ordered me a new card straight after cancelling the current one – so I only had to wait 4 days till payday!

Madman 9:06 am 05 Aug 08

Jonathon Reynolds said:

With my ebay/paypal account I have a $5.00 device that ebay/paypal have supplied that generates a unique token (a 6 digit number). This number must be entered in conjunction with my correct username and password – the token is uniquely generated by the device each time I log in and only valid for 30 seconds before expiring.

Jonathon, where do I get myself one of these?
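The 6-digit, 30-second token Jonathon Reynolds describes (quoted above) is a time-based one-time code, and caf’s point earlier in the thread is that a relayed code stays valid until its 30-second step ends. The following is an added illustration, not code from this site or from any bank: it generates such codes (HMAC-SHA1 over the time-step counter, the construction standardised in RFC 4226/6238) and shows a bank-side verifier that accepts a code once and refuses a second presentation of the same step, which is the replay-within-window check that makes “time-limited” mean something. The secret and timestamps are the RFC 6238 test values, chosen so the output can be checked against the published vectors.

```python
import hashlib
import hmac
import struct

STEP = 30    # code changes every 30 seconds, as described in the thread
DIGITS = 6   # six-digit code


def totp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """One-time code for a given time-step counter (RFC 4226 HOTP truncation).

    counter is floor(unix_time / STEP); the same secret is held by the
    hardware token and by the bank, so both sides compute the same code.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Bank-side check of a submitted code.

    Accepts the current step plus `skew` neighbouring steps (clock drift),
    but never accepts a step at or before the last one already used, so a
    code captured and replayed within its 30-second window is refused once
    the genuine login has consumed it.
    """

    def __init__(self, secret: bytes, skew: int = 1) -> None:
        self.secret = secret
        self.skew = skew
        self.last_accepted_step = -1  # no code accepted yet

    def verify(self, code: str, now: float) -> bool:
        step = int(now // STEP)
        for candidate in range(step - self.skew, step + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed: refuse replay of this step
            if hmac.compare_digest(totp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238 reference secret, unix time 59 -> step 1.
    secret = b"12345678901234567890"
    bank = TokenVerifier(secret)
    code = totp(secret, 59 // STEP)
    print("first use accepted:", bank.verify(code, 59))    # True
    print("replayed code accepted:", bank.verify(code, 59))  # False
```

Note that the first `verify` succeeds whoever submits it: if a proxy in the middle gets the code to the bank before the customer’s own request arrives, the check above refuses the customer, not the attacker, which is exactly why caf says the token limits but does not remove the risk of an untrusted endpoint.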

tylersmayhem 8:59 am 05 Aug 08

I would be extremely pleased if anyone could find a “Branch Manager”, as opposed to the shift supervisor/leading hand/person who has been there the longest and can work the coffee machine.

I have to say that I was very surprised to have so much to do with my new branch manager. Granted, we have recently taken out a mortgage with them – but he is available on the end of the line, or face to face with no trouble at all.

I really feel for you Cranky. I’d be so…well, cranky! And pissed off to the max. Keep on at the bank, go in to your local branch and sit there until you can talk to the manager. Ask them to refund the money to you on a good will basis so you can pay your bills, and if there is any reason that you are liable in the future, that they have the right to take the money back. While this sounds quite bull*hit, my bank in the UK did this when an international ATM debited my account, but dispensed no cash.

That was good advice by DJ to contact the ombudsman. Do that too!

Something came to mind yesterday, mind you I think you’ve already ruled this out. I received an e-mail from ANZ prompting me to update my details. The email looked very legit, and was sent from anz.com.au. Have you provided ANY updates to your details to an email from “ANZ”?

MelonHead 8:51 pm 04 Aug 08

All this is good and sage advice and was going well till someone mentioned “Branch Manager”.

I have had occasion over the years to ask for one of these, only to be told that they don’t exist anymore.

I would be extremely pleased if anyone could find a “Branch Manager”, as opposed to the shift supervisor/leading hand/person who has been there the longest and can work the coffee machine.

Seriously, though, good luck with the problem. As much as I wish I had some great advice, I can just hope it resolves in your favour.
