A Theft - but Stupid?

An update, and request for ideas.

4 days of stewing on this matter are reducing me to tears. There is no feedback from Police/Bank, and I am not enjoying having to explain to creditors. The account has been locked down by the Bank, and I have no way of establishing the value of further expected deposits. The branch could’nt distance themselves quickly enough from my enquiries – ‘The fraud branch would be asking why I was trying to access the account’ – from the front counter officer.

Can anyone explain the nuts and bolts of tapping into a (apparently protected, non contaminated) network and stealing the details required to access the account? I am not computer literate enough to fully understand the full gamut of the foregoing replies. What sort of spy software is involved, & how close to the computer do you have to be?

Is there any other way this theft could have been carried out?

i might like to mention, i don’t sell to the public, i work for an IT distributor. resellers sell to the public.

caf said :

tylersmayhem: no, they don’t. Web cafe presents you with web page. You submit your username, passcode and tokencode. Web cafe sends you a “login failed” page. Web cafe passes on the credentials to the bank… and empties your account.

All that two-factor authentication achieves against this risk profile is to increase the complexity of the attack (it is now time-limited).

i have to disagree. The other factors in play are that the webcafe would need to provide the bank with the authentication at the same time, ghosting your connection. the encryption keys are significantly complex, and the code is encrypted. (it appears as symbols, not numbers) if the bank’s authentication server doesn’t like the response, or the webcafe is too slow, it asks for a new code. the webcafe will fail, and the ip address is logged.

the authenticators on ebay, on the other hand, are just random number generators, they aren’t synced to the authentication server, as there isn’t one.

This technology is designed to prevent unauthorised access, at any time. The use of tokens is as complex as the backend. if the administrator is compromised, then the tokens will do little to prevent an attack.

in regards to the scenario,

Web cafe presents you with web page. the web page is your bank’s, it cannot be a dummy site, as the authenticator must communicate with the server at the bank, or it will fail.

You submit your username, password, passcode and tokencode. you use your standard login u/n & password, then the pin code and the authenticator code.

Web cafe sends you a “login failed” page. it cannot, as you have authenticated with the bank to gain the connection.

Web cafe passes on the credentials to the bank… and empties your account. unable to do so. they would need your username, password, pin code, and the current authentication code.

keyloggers cannot be deployed through your system if you have AV / AS installed.

If they’re doing it at all they’re probably well practiced.

Sorry, make that 30 seconds. I just counted mine. Still, they’d have to be VERY quick!

RSA token code change every 10 seconds. They would have to be pretty damn quick!

tylersmayhem: no, they don’t. Web cafe presents you with web page. You submit your username, passcode and tokencode. Web cafe sends you a “login failed” page. Web cafe passes on the credentials to the bank… and empties your account.

All that two-factor authentication achieves against this risk profile is to increase the complexity of the attack (it is now time-limited).

Caf – RSA tokens would take away that risk completely.

Two factor authentication doesn’t help a bit against a man-in-the-middle attack. If the web cafe owner is truly dodgy you can’t even trust SSL on those machines unless you know and manually verify the bank certificate’s fingerprint, because they could have fake root CA certificates loaded.

ant said :

It’s a puzzling case though. The wireless thing… they’d have to be located pretty nearby to catch your signal (although people often don’t realise how far their signal is broadcast… useful though when one’s internet goes down!).

Does the OP access their online banking through a saved “favourites” link? re advice abotu phising from other posters. My insitution allows access via a/c number and p/w, but you can’t move money out of the account without clicking on some pre-chosen pictures in a certain sequence, and the pictures are always in a different spot. I don’t know how strong that is, but apparently it’ll foil keyloggers?

The device Jonathan Reynolds mentioned also gets very good raps, I think my institution is moving to something like that, using one’s mobile phone and a text message. I’ll sign up for that.

the product is manufactured by RSA – I sell it. the tokens work on a random number generated code, so if you are at a web cafe, they can keylog you (if the cafe owner is a bit dodgy, not all are) and will get no-where after you have logged out.

the token is classified as two factor authentication, that is, you have a 4-digit pin code (something you know) plus the token’s generated number (something you have). Tokens have on average a 3-year life, after this point, they expire. Then, you need to buy a new one.

There are also software based tokens, that sms you a code for entry to the system. these have a window of 60secs for connection.

my wireless connection is secure, I have a firewall running behind the connection.

Norton 360 isn’t the best, but it does pre-fetch websites and check them for fraud.

Hmmm, that was pretty cool! I’ve recently become a St. George member and I transferred some money today to another Aussie bank account. While the transfer went through, they phoned me a couple of hours later to make sure I wanted this to happen. Not bad.

I guess it’s important to keep your phone details up to date then. Also, apparently if the transaction is more than $2500 – then you need to authenticate with your mobile for the transfer. also great – but better if you could choose what the minimum amount is for this service to kick in.

The NAB system is pretty good and I reckon the perfect way. All they need to do is veryify your phone number when you first set it up.

As for the UK way, yes on someways it is better, but in otherways it leads to more security issues as people are more likly to write their passwords down and choose an internet pin the same as their card pin.

Natwest for example ask for 3 of the 4 digits of your internet pin in a random order and then 3 of the letters/digits in order. If your password is Looser123 can you always remember what the first, 4th and 9th letters are? Natwest also use the card reader, it is a variation where you stick your card in, enter your cards pin, put in a code the bank gives and then put the response back into the bank. It only does it when you first set-up the details of an external payee.

I reckon the best ones are where you don’t type in the password, you just use a mouse. The NAB used to do this years ago, Westpac still does though.

NAB has one time use, passwords sent by SMS for inter bank transfers. Simple, works well

Some interesting comments here. I’m surprised that there are not more comments about the shoddy simple user name and password validation that most banks use in Australia. I spent about 5 years in the UK, and I could rant all day about how much better banks are over there, including the high level of security. They use several methods depending on the bank. Here are some examples:

1. Enter your DOB followed by your unique 4 digit customer code. Then enter 3 alternating numbers from your chosen internet pin number (i.e “enter the 3rd, 4th then 1st number – this alternates at each login). Then you do the same with your chosen 4-12 letter password using alternating letters). This guard well against key logging software.

2. The bank that used that method then upgraded to issuing free card readers which generate unique codes for the particular transaction.

These methods should be used by ALL banks, instead of the shoddy same username & password for each login.

P.S. Yes, I’ve left ANZ – never to go back. I recently took out a mortgage and the best for us was between ANZ and another bank. While ANZ were marginally better, I avoided them out of principal. Before leaving them a couple of years ago, I gave them an opportunity to resolve an issue and let them know I would avoid them as mortgage lenders in the future if they could not resolve the issue. They declined…I walked. They didn’t care!

I had trouble with ANZ over a mortgage. They convinced us to get a mortgage linked to a credit card, and to sign all our funds over to the credit card account, to offset the mortgage.

So we signed over all our money. Only to spend about a week waiting for these credit cards, and with no way to access our money.

The most annoying thing about it was that they claimed they were unable to help us, as we weren’t their customers til we received the credit cards – despite the fact they had all our money.

I would not recommend them.

You said :

Bad idea contacting the police first.

I had the same thing happen to my Commonwealth account a few years ago. I contacted Commonwealth immediately, they put me onto the fraud department, I answered a few questions (one of which was “have you contacted the police”) and then left them to it. A week later I was contacted by phone and advised that the problem had been addressed and the money had been put back into my account.

Bad idea offering advice like that which shows how little you know of the process of the reporting and addressing of criminal matters

anti-spyware software I hope?

Have installed spyware software today, and it discovered a couple of ‘low risk’ applications.

I therefore come back to my original suspicion that the keys have been logged from a site in the near vicinity. If so, someone has gone to a deal of effort for a fairly small gain, and I would suspect, a fairly high degree of prosecution.

“Bad idea contacting the police first”

When the bank asked if you had spoken to Police I bet they asked for a reference/report number. Did you make one up for the bank?

Stupid advice really.

Bad idea contacting the police first.

I had the same thing happen to my Commonwealth account a few years ago. I contacted Commonwealth immediately, they put me onto the fraud department, I answered a few questions (one of which was “have you contacted the police”) and then left them to it. A week later I was contacted by phone and advised that the problem had been addressed and the money had been put back into my account.

It’s a puzzling case though. The wireless thing… they’d have to be located pretty nearby to catch your signal (although people often don’t realise how far their signal is broadcast… useful though when one’s internet goes down!).

Does the OP access their online banking through a saved “favourites” link? re advice abotu phising from other posters. My insitution allows access via a/c number and p/w, but you can’t move money out of the account without clicking on some pre-chosen pictures in a certain sequence, and the pictures are always in a different spot. I don’t know how strong that is, but apparently it’ll foil keyloggers?

The device Jonathan Reynolds mentioned also gets very good raps, I think my institution is moving to something like that, using one’s mobile phone and a text message. I’ll sign up for that.

I’m pretty sure you’ll get your money back, as it was an un-authorised transation.

The same if someone stole your credit card and went on a shopping spree.

DJ said :

I had huge problems years ago with ANZ causing me to take my business elsewhere. I traveled to Africa in 1997 and used my ANZ Visa while over there. .

That is amazing. I was in Africa in 1997 with an ANZ card and had a similar issue when the ‘merchant’ (in this case a bank for a cash advance!) decided to process it with an extra zero on the end (old paper based transaction with the ‘clacker’). Only noticed when back in Australia and despite having my clear copy of the handwritten voucher I had enormous problems getting ANZ to reverse it. They said they could do nothing about it and the now accruing interest until they sighted the original from Africa which could take weeks (by now this was the only transaction left to pay on the account). I said fine, I just wont pay anything until you sort it out, they said we will have to apply penalty fees and it could affect your credit rating and could take you to court. I said yes please and they suddenly decided to place it in a ‘hold’ and then eventually reversed it. Needless to say I cancelled the account and have had nothing to do with them since!

About a year ago the bank (Commonwealth) spotted a fraudulent international call on my credit card and automatically refused the payment and froze the account.

Yes it was a pain getting the card re-issued but can’t fault them for dilligence.

Also the day I went to civic and bought $1,000 in clothes from John Hanna and a new Playstation it was nice to get a phone call from the bank checking it was me going on a shopping spree.

Banks aren’t interested in fraud, unless they lose money themselves.

A friend of mine had a cheque taken out of her chequebook and then used to steal $2000. When she got the cheque back from the bank, the signatures were obviously completely different. The attitude of the bank was “not our problem, refer the matter to the police for court action”. So much for checking a supposed security device.

That being said, I once had some transactions charged to a visa card by an overseas party. No idea how they got the number, it could have been from a credit card generator (these were the days before CVV2 validation). When I rang Commbank they said to fax them a written declaration that they weren’t my purchases, and they put a hold on those specific items. I was told that they would request a signature for the purchases and if one wasn’t forthcoming that they’d be removed from my account. All very easy to deal with.

JC,

1) I would like some indication from the bank that they have the means to track the transaction.
2) I would like some indication from the bank on the chances of my being reimbursed the missing amount.
3) I would like to know if the bank is going to honour or bounce my rent cheque.

ANZ have a fairly effective wall between their fraud department and the customer. It would appear that all contact after the initial complaint is to be conducted by e-mail and fax.

I am 100% certain I have never been to a spoof page. I have a well developed scepticism for the strange.

Agree with JC here – the network used to access the bank website won’t have been particularly relevant simply because the SSL session encrypts the data (including logon credentials) independently of the network itself. You have probably been stung with a keylogger. These days, it’s critical to keep antivirus and antimalware up to date, and bear in mind that not all antivirus products are created equal, so ask around a bit to find one people generally regard as good.

All the wireless security advice is very valid, but when logging into a bank or any other secure site the data, including the passwords etc would be encrypted anyway so no great worry there. In cases like this it is more likly that a keylogger has found it’s way onto a PC used to access the bank or the person has gone to a spoofed web page where the deatils were stolen.

As for the bank, what do you want them to do? It is a police matter more than anything now.

The best thing you can do is, when you connect to your bank’s web page:

1. Make sure that the connection is using SSL.

2. Check the SSL certificate, and make sure it is valid matches the expected domain name for your bank.

Even this isn’t enough if your computer is infected with a keylogging trojan.

A few more things to ponder: “Benjamin John McKay” is quite possibly an innocent party, whose account has also been hijacking and is being used to launder the amounts, and the criminal(s) are quite possibly outside Australian jurisdiction.

It’d be worth checking your PC for spyware/trojans as well – it could be they got your details directly from your PC, rather than the network. In fact, given that the communication between you and your bank would be encrypted by HTTPS even over an unsecured wireless network, it’s the most likely line of attack. Try Lavasoft Adaware (which is free), Spybot Search and Destroy (which is free), or the Windows Malware removal tool (which comes with Windows). Bear in mind some of these sneaky little beggars will hide through all that.

If you really want to be sure, back up your data (just data, not programs), make a list of your applications, reformat the hard drive, re-install your OS and apps, update them (to patch up any security flaws) and then load your data back on.

I had huge problems years ago with ANZ causing me to take my business elsewhere. I traveled to Africa in 1997 and used my ANZ Visa while over there. In 2001 some smart cookie in Botswana started using it again. The ANZ eventually suspended the account after the same amount was charged five days in a row and then on the sixth the limit was reached and the transaction declined.

It took me over four months to convince them that it wasn’t me and that I wouldn’t pay them anything more than what the balance was before the African fraud occurred. They threatened court action and I welcomed it… they eventually advised me they were not proceeding and that I only had to pay the outstanding balance on my original purchases plus some interest… ok I said but when I asked for the calculations for the interest it included interest on the amount I was not responsible for! Eventually all was sorted but it wasn’t nice dealing with them.

Keep at the bank. They’re usually pretty keen to maintain trust in their internet banking services and your case sounds like a breach of security beyond anything you could control or foresee.

I’d be interested to see what happens.

Hidden SSID’s can affect performance though and still can be found.

MAC addresses can also be spoofed.

Basically having WPA-PSK with a strong phrase (eg. This is a very long phrase!!! is better than cat) is what you want.

Tons of posts on Whirlpool about security.

Base minimum for security for Wireless networks:

-turn off SSID (it doesn’t help to be openly broadcasting that you have an access point)
-turn on encryption (if your Access Point and wireless access nic that doesn’t support the newer WPA standards buy one that does)
-ensure that you only allow access via known MAC addresses (nothing to do with Apple systems – this is the “unique” identifier of the network adapter in your PC – if your access point doesn’t support locking down access by MAC address get one that does)
-ensure that you are using strong password encryption on the Access Point (the password you use to log in to your access point is something like “P@Ss\/\/0rd” – all your password should be ‘strong’)
-enable the event log on your Access Point (will allow you to see who and what is connecting and when)

The other thing to watch is “spoofed” internet banking login pages. It is a well know ploy for hackers to spoof the login page, you enter the correct details as if you are logging in. In this process the hacker grabs your login and password, directs your to a page as if you have entered the wrong details (in the mean time they have your details). You are then dropped back to the genuine log in page where you enter your credentials again and this time you get to log in. How to avoid this… make sure you are running latest Anti Virus, firewall and anti-spam software. Never accept that the bank will email you to update or confirm your details.

Finally the banks are just as much to blame by allowing simple authentication credentials. (just username/password). They could fix this by using insisting of token identification as part of the log in process. With my ebay/paypal account I have a $5.00 device that ebay/paypal have supplied that generates a unique token (a 6 digit number). This number must be entered in conjunction with my correct username and password – the token is uniquely generated by the device each time I log in and only valid for 30 seconds before expiring. I enquired about getting something similar from my bank and they advised it was only available for a “business” account.

Hope that helps.

Cranky wrote “Police were excellent.” Nyssa76 please take careful note. I don’t believe there is anything ambisguous about this. ;P

I really don’t know. I’m checking – but I believe the network is well locked down.

Was your network encrypted Cranky?