
Computer Security Patch Problems - Online Banking


Lucky

Recently Dan Kaminsky, a researcher for the security firm IOActive, revealed a huge security problem in the internet. I am no expert, but essentially I think he says that a flaw in the system could allow bad guys to redirect your computer from a legitimate website to a fraudulent website that used the same address. (No doubt someone here who is smarter about computers can state the problem better.)

 

At any rate, he proposed a patch for this problem and in no time a flaw in the patch itself was found.

 

So, if I have this right, I could go online to my bank's website, and be inadvertently redirected by crooks to their website with the same address. Okay, but how would that crooked website have all of my banking information? Wouldn't I know as soon as I got there that it was a phony site?

 

As it is, my bank has a site key that I have selected, so if I don't see it when I get to the site, I don't sign in. (That's never happened.) The bank has also instituted an option, which I took, of having a text message sent to my cellphone which gives me a personal code necessary to log in. Yet I have read that even that can be phonied up.

 

The upshot of what the experts are saying is that online banking isn't nearly as safe as the banks would have us believe. I, like others, have grown quite used to it. I'd hate to think that someday someone could come along and steal my $42 balance by using internet fraud. I'd much rather spend it on a night with Rick Munroe!


So, you can hire Rick for $42? Care to share your secret?

 

I hope I am obviously just kidding. It is overwhelming to consider how little protection there is on the internet or anywhere else. All those who think there is real protection for anything by anyone, raise your hands. All those who raised their hands must be Democrats. The rest might be "others", but not Republicans necessarily. Whoops, sorry to interject "politics" into a banking/internet issue. Are they the same?

 

Best regards,

KMEM


Thanks, Anton, it is a technical story, but also a scary one. We read more and more about hijackings of government sites and thefts of passwords or social security numbers. I hate to think what will happen if a huge criminal intervention takes place.

 

The British government has today released a report listing the biggest threats to their country. The second most likely threat is attempts to penetrate and subvert vital computer networks by foreign governments and others. (Besides putting on spectacular ceremonies, the Chinese are expert hackers.)

 

And, as for Rick Munroe's rates, I threw that in to lighten up the thread, knowing that if I didn't, Rick would. I guess I should have added the smiley face, but hey, with the senior rate he offers, Rick can be had for just over $42!! :) :) :)


Guest zipperzone

I could be wrong but I think most banks would reimburse you for any theft from your account. It would be good to get their policy on this in writing.

 

One way around the threat is to have two accounts at two different banks. Your main account, where you have the biggest $$$, is one where you don't use their internet banking facilities.

 

Your second account (this one at a different bank) would be the one you use for bill paying and have a much smaller balance. The only problem would be the inability to transfer money from one account to the other via the internet.

 

A precaution I use myself is to check each of my accounts daily. If something fishy goes down I know about it immediately and the bank appreciates the quick notification of a problem (not that I've ever had one).


I'm going to speak out of both sides of my mouth. The problem reported by Kaminsky is real, but it is being addressed, so in that respect I'm not overly concerned. (In fact there was a panel discussion on this at the Usenix security conference, that I mentioned in another thread w.r.t. voting.)

 

However, just for the sake of argument, if somebody had put a fraudulent middleman between you and your bank, they could equally well phony up the balances that they were reporting to you.

 

Seems unlikely in the extreme, but not impossible.


>I could be wrong but I think most banks would reimburse you for any theft from your account.

 

Twice in the past year rather large amounts were fraudulently charged to my credit card. In both cases the bank called me at once to make sure I wasn't making the charges (they were made far from where I live) and then cancelled the card immediately. I was not billed for the charges.

 

Yesterday I logged in to my banking account to see a screen name that was not mine already logged in. Does this suggest someone tried to hack into the account? Should I report this? My funds remain in place as of today.


Yes, you should report it right away while it is fresh in your mind. If you get email requesting credit card numbers or account numbers or SS number, those emails should be forwarded to your bank. Most banks have a web site like, "abuse@nameofbank.com", but you can check directly with your bank for this info.

 

Best regards,

KMEM
