
Online Banking Safety


paulfr


Concerning the use of online banking safely from keyloggers and spyware ................

I was wondering what the consensus is of the safety of using a cut and paste of your username and password to avoid spyware or keyloggers from getting your un and pw.

As long as you create a text file AFTER your scans show the machine to be clean, isn't a cut and paste of un and pw safe?

Going a step further, if you bring a text file [with the un and pw] on a flash drive to an Internet Cafe, shouldn't a cut and paste even be safe there?

A discussion with friends the other night brought much disagreement.

Thanks

Edited by paulfr

longball53098 I am with you. I have used RoboForm for years now and they have a "portable" version that is ideal for thumb drives and leaves no trace on the computer you used it on

Oops, I see now you mentioned RoboForm to Go

Edited by Langsuan Man

  • 3 weeks later...

Another way to circumvent keyloggers, spyware, etc. is the KYPS service. They also have an interesting comparison of technologies, including some of the systems that have been mentioned so far, on their website.

Maybe that helps, too.


> Concerning the use of online banking safely from keyloggers and spyware ................
>
> I was wondering what the consensus is of the safety of using a cut and paste of your username and password to avoid spyware or keyloggers from getting your un and pw.
>
> As long as you create a text file AFTER your scans show the machine to be clean, isn't a cut and paste of un and pw safe?
>
> Going a step further, if you bring a text file [with the un and pw] on a flash drive to an Internet Cafe, shouldn't a cut and paste even be safe there?
>
> A discussion with friends the other night brought much disagreement.
>
> Thanks

If you really want, you can find out anything that you enter in a field and send over the internet. But I would never do business with a bank that does not provide at least transaction numbers. Whenever I want to move anything on my bank accounts I have to enter such a number and it is valid only for this transaction. Afterwards you have to take a new one out of a list. But it would be a bad idea to send a fax, for instance, with an order and such a transaction number, or a letter. But even transaction numbers could be read and delayed. So they could read your order and change it with your transaction number and forward it.

If a bank does not want to provide transaction numbers simply stay away. They might save cost but you might have the risk - even if it is not the perfect solution. But doing business over the internet is always a risk - endless servers will be involved to handle your data. It is the same with normal mail - just people then. But I see it like this - it is possible to cheat you but not so likely. On the other hand you have to be careful. But I always enjoyed it when I used public internet places to read the love letters of the ladies - when they forgot to close their mail system :D But I never forgot to close mine :)

Edited by Johnxxx

I dealt with many online banking services or payment services and I NEVER came across one which has not provided a transaction number!

Furthermore a bank will not ask the 3rd or 7th letter from a customer password. How could they know these letters to verify it? A password in banking system is 128-bit or 256-bit encrypted and if you forget your password no bank in the world can retrieve it. You have to ask for a new online account to be set up!

In most cases a bank will ask for your user name if you have a complaint or face some problems with the banking web site.

Transaction numbers are automatically assigned by the system. It is an individual number for each and every transaction! One more remark. No one can "hack" in your bank account with a transaction number!


The thread was general security and that program allows running without using computer browser and risks that entails. Probably more people get caught out with not signing off than by keyloggers. I suspect that unless you type your url each time there should not be any record of where you have been for a keylogger to match up with if everything is done from the USB port and you remove the stick.


> I dealt with many online banking services or payment services and I NEVER came across one which has not provided a transaction number!
>
> Furthermore a bank will not ask the 3rd or 7th letter from a customer password. How could they know these letters to verify it? A password in banking system is 128-bit or 256-bit encrypted and if you forget your password no bank in the world can retrieve it. You have to ask for a new online account to be set up!
>
> In most cases a bank will ask for your user name if you have a complaint or face some problems with the banking web site.
>
> Transaction numbers are automatically assigned by the system. It is an individual number for each and every transaction! One more remark. No one can "hack" in your bank account with a transaction number!

The transaction number that I was talking about is a number YOU have to enter when you want to do a transaction. You have a list from the bank with many numbers on it. And for each transaction (or session) you have to use a number like a code. You can use a number only one time. This is used by many banks in Europe, for instance, but I never had this with a bank account in the USA.

Of course there is an internal transaction number for the posting in the bank. But this I did not mean. Perhaps I did not translate it correctly from German where it is called "Transaktionsnummer". Please forgive me and let me know what the correct word is. As I said I never had anything like this with one of my US accounts and so I don't know a better English word for it.


This is a good question and keyloggers may be installed on some public computers. But they could be installed on many work computers also. But one must trust that any responsible public internet operator would not employ them.

At times this is the only way to access your bank account.

Banks have increased their security.

There are first two levels of security, the client number and the password.

You may also have a third security level and you enter this one time number from a token supplied by your bank and linked to your client number. This number has to be entered.

You are now in an encrypted secure webpage of your bank.

You may have to enter this third number again (a new number generated) if you carry out an international money transfer or create a new payee.

Some banks will send you an SMS message with the one time number to your mobile phone.

There are variations to the method of entering the one time number, it depends on the bank.

The bank website also has a timeout period for added security. They also record your last log on.

Banks do not need to know your account numbers or passwords, but you will have to identify yourself to them when calling by telephone.

You will not have admin. rights for the computer you are using so make sure you can delete browsing history and delete autocomplete history before you start.

Note the date and time with the transaction number if you complete a transfer.

Edited by david96

It depends how the keylogger program is deployed. Most commonly, keyloggers are installed software, however you can buy small widgets; flashdrives with keylogger programs installed - you plug them into the keyboard port on the PC and then plug the keyboard into them, such as www.keyghost.com. These may be defeated by entering passwords in a cut and paste fashion or bringing up the on-screen keyboard function and clicking in your password that way.

However, many installed spyware programs such as WebWatcher can include keyloggers and record screen shots at pre-determined intervals, so they would see anything cut and pasted and also save any text that was copied.


When you consider the number of public computers why would a keylogger be installed on any of them?

Keyloggers are installed to covertly spy on an individual's computer terminal to obtain their login and password for tracking, e.g. emails.

The chances that you access a computer with a keylogger has a very low risk factor.

This is one of the reasons why the one time random number was introduced.

Look at the risk factors here.

1 Using your own computer.

2 Using a public computer.

3 Using a work computer.

4 Carrying out a transaction at an ATM (possible card skimming).

5 Carrying out a transaction over the telephone with a CC.

6 Carrying out a transaction on the internet using a CC on a secure site.

I will be checking with my bank to obtain their opinion on using public computers.


> When you consider the number of public computers why would a keylogger be installed on any of them?
>
> Keyloggers are installed to covertly spy on an individual's computer terminal to obtain their login and password for tracking, e.g. emails.
>
> The chances that you access a computer with a keylogger has a very low risk factor.

Not sure what you are saying.

But here's my advice: Don't do banking in your internet shop. Because the machines can't be trusted there, you don't know where they have been, safety first.

On your own machine at home, you have more control as you can do virus scans etc. If you keep everything in top shape, and stay away from bad websites, you won't have a virus.

I don't think copy/paste is a particularly good protection because there are too many other ways in which malware can get your info. It's a bit like showering after sex...


I got a Nokia N810 internet tablet just so I would not have to use the computers in cafes, Wi-Fi.

Also I have to put my card in a small device that generates numbers, so no passwords.

I am looking into getting a smart phone so I can combine, "convergence" I believe it's called.

The ability to get on the web via Wi-Fi, a music player, a phone and a camera all in one, a single device and a single charger, heaven.

The only real reason I want Wi-Fi is for safe banking.


> I got a Nokia N810 internet tablet just so I would not have to use the computers in cafes, Wi-Fi.
>
> Also I have to put my card in a small device that generates numbers, so no passwords.
>
> I am looking into getting a smart phone so I can combine, "convergence" I believe it's called.
>
> The ability to get on the web via Wi-Fi, a music player, a phone and a camera all in one, a single device and a single charger, heaven.
>
> The only real reason I want Wi-Fi is for safe banking.

That's very safe for two reasons:

- There's no known malware that runs on a Nokia N810, in stark contrast to Windows-based PCs

- The key fob number generator is safer than a password

I am not a big fan of changing passwords often because IMO you will end up either cheating the system so you can remember the password, e.g. append a counter to your normal password, so you have pass1, pass2, pass3.. etc. Or you choose easy to remember passwords that are then also easy to crack. I think it's safer to have one very complicated password that nobody will be able to breach. Forcing users to change passwords will decrease security. Of course if you are a concerned systems admin, you can do what the IT guys did at our university - they'd run a password cracking program all day and all night, and point out those accounts who had passwords that were too weak.

As for convergence, the iPhone works well for websurfing, I think it could replace the internet tablet easily. Smaller screen of course, but zooming and panning is so quick and easy that it's not too much of a problem. Works pretty well with my banking website even though they don't have any special code to make it appear nice for mobiles. Your bank may be more advanced. In Europe they even have this fancy home banking protocol standard, so you can use any software for your mobile phone to access the account. There must be several out for iPhone, but I am sure also for other platforms. U.S. banks of course are busy scanning in hand-written paper checks, so don't expect that from them any time soon.


I telephoned my bank today and asked about security on internet banking from public computers and the reply was that it was safe because of the third level of security, the one time random number or SMS code sent to your mobile. I mentioned Thailand and the fact that keyloggers may be installed on some computers.

The one time code is your security. The tokens to generate a one time number are supplied by your bank.

One might add that my bank is an Australian one.

Contact your bank for further information on security, it will be on their website.


The one time tokens from an unsecured machine are safe only so long as nobody has figured out how to exploit them in real time. And frankly that's only a matter of time.

We have seen in the past that from the very beginnings up to now, security has been getting better and better, but malware has also gotten more sophisticated and we are now approaching the time when the holy grail of security researchers becomes mainstream - the man in the middle attack.

Let's assume I have automated control over your computer, and a backend system that can process bank transactions (think organized crime). Now you enter your website securely and your OTT (one time token) authenticates a transaction. I can see all that, and I use your (valid) OTT to make another transaction, to my own bank accounts. Then, if I am devious enough, I show you a website that tells you the transaction succeeded. Or I show you one where it says to use another OTT, then let you really make your transaction. Either way, I am squirreling money out of your account in the background.

Admittedly there is currently no malware that can do this so OTT is pretty safe for now. But one day, it will happen.

What the banks should do to prevent this - and some already do that, I believe- is send a confirmation SMS to your phone any time you have an outgoing transaction. Then you'd see transactions you didn't authorize, and call in and have them reverted. Why all banks don't do this already, I don't know.
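The post above, as an added example that is not part of the original thread: a one-time number from a printed list is accepted for whatever order reaches the bank, while a confirmation sent to the phone lets the customer see a changed payee. It goes one step beyond the post by assuming the SMS carries the order details plus a code derived from them; `Bank`, `bound_code`, `customer_reads_sms`, the payee names and the TAN values are all hypothetical.

```python
import hashlib
import hmac
import secrets

def bound_code(key, order_id, payee, cents):
    """6-digit code tied to one exact order (example construction)."""
    msg = f"{order_id}|{payee}|{cents}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"

class Bank:
    def __init__(self, tan_list):
        self.unused_tans = set(tan_list)    # printed one-time list
        self.key = secrets.token_bytes(32)  # secret kept by the bank
        self.orders = {}

    def pay_with_tan(self, payee, cents, tan):
        """List TAN: single use, but accepted for ANY payee and amount."""
        ok = tan in self.unused_tans
        self.unused_tans.discard(tan)
        return ok

    def request_payment(self, payee, cents):
        """Returns (order_id, sms); the sms goes to the phone, not the PC."""
        order_id = secrets.token_hex(4)
        self.orders[order_id] = (payee, cents)
        code = bound_code(self.key, order_id, payee, cents)
        return order_id, {"payee": payee, "cents": cents, "code": code}

    def confirm(self, order_id, code):
        """One attempt per order; the code must match that order's details."""
        if order_id not in self.orders:
            return False
        payee, cents = self.orders.pop(order_id)
        expected = bound_code(self.key, order_id, payee, cents)
        return hmac.compare_digest(code, expected)

def customer_reads_sms(sms, payee, cents):
    """The customer releases the code only if the SMS shows the intended order."""
    return sms["code"] if (sms["payee"], sms["cents"]) == (payee, cents) else None

def demo():
    bank = Bank(["481516", "234200"])  # constructed TAN list
    # Order altered on the PC before submission: the list TAN still authorizes it.
    tan_ok = bank.pay_with_tan("UNKNOWN-ACCT", 90000, "481516")
    # Same alteration with SMS confirmation: the phone shows the changed payee.
    order_id, sms = bank.request_payment("UNKNOWN-ACCT", 90000)
    released = customer_reads_sms(sms, "LANDLORD", 90000)
    _, other = bank.request_payment("LANDLORD", 90000)
    return tan_ok, released, bank.confirm(order_id, other["code"])
```

`demo()` returns `(True, None, False)`: the list TAN authorizes the altered order, the customer withholds the SMS code because the payee shown is not the intended one, and a code issued for a different order does not confirm the altered one.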


  • 4 weeks later...
> What the banks should do to prevent this - and some already do that, I believe- is send a confirmation SMS to your phone any time you have an outgoing transaction. Then you'd see transactions you didn't authorize, and call in and have them reverted. Why all banks don't do this already, I don't know.

I know. Because it's not worth the investment for them.

As for one-time passwords, the kyps service already provides that for "normal" websites, also via SMS. But I seem to get ignored on this thread....


Put the below small/free download on a USB drive and run browser/mail directly from it.

http://portableapps.com/

I have used USB flash drives in the past while traveling but find that they are too vulnerable to infections at internet cafes even when they say they have up to date AV protection. I also use most of the portable apps from that site.

On my last trip to India, I decided to burn a CD with all my programs. I moved the sensitive data to a separate folder, renamed them and encrypted them. Where I can (I need admin rights) I add a key scrambling program to my FF browser. I just copy my CD to their hard drive which takes up to 15 minutes if I include open office. This worked quite well for me.

