hacked in even with rapport alliance-leicester

Comments

  • evenasus
    evenasus Posts: 11,866 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    joe134 wrote: »
    My thoughts entirely. I do delete history etc regularly, but to do it before entering bank site is a bit OTT.

    I haven't been hacked. :D;)
  • joe134
    joe134 Posts: 3,336 Forumite
    :eek:
    evenasus wrote: »
    I haven't been hacked. :D;)
    Yet; hope you don't, like me, you will be the last to know. Why do you think banks are insisting you use Rapport? The onus is then on you; :eek:
  • evenasus
    evenasus Posts: 11,866 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    evenasus wrote: »
    I haven't been hacked. :D;)
    joe134 wrote: »
    :eek: Yet; hope you don't, like me, you will be the last to know. Why do you think banks are insisting you use Rapport? The onus is then on you; :eek:
    joe134 - I wasn't meaning to sound obtuse. It must be scary to have been the target of a hacker, albeit an attempted hacking attack.

    I am very security conscious, much preferring having to use pinsentry card readers than pure user name/memorable data type login.

    Every window and door in my house is alarmed and I don't even live in a crime problem area.

    I think all this came about with having lived in Africa for several years some time ago. You sure had to be security conscious there!
  • someone
    someone Posts: 839 Forumite
    Part of the Furniture 500 Posts Name Dropper
    @joe134 - You look like you have been very diligent with your security. I would recommend scanning with some online scanner like TrendMicro HouseCall http://housecall.trendmicro.com/uk/

    @StevieJ - I'm afraid Googling is a big no-no, search results are dynamic and can be influenced. Also, many users confuse the top sponsors spot on google with 'the first result'.

    @evenasus - You may be interested in the 'private browsing' mode most browsers now use, it automates the clearing of the browser (but only normally after, not before I think)

    Ironically, a recent Microsoft research paper pointing out how bad and time-consuming current instructions from banks are is the thing I can come up with off the top of my head that shows why web pages should be bookmarked.
    The protection from a MITM attack is a powerful incentive to use SSL. However, to eliminate the possibility of a MITM attack the user must type the entire URL, including the method. For example, consider the following ways of navigating to PayPal:

    1) Type https://www.paypal.com
    2) Type http://www.paypal.com and get redirected
    3) Type paypal Cntrl-Enter (browser adds www. and .com)
    4) Search for “paypal” using google and click link
    5) Click bookmarked site https://www.paypal.com
    6) Click bookmarked site http://www.paypal.com and gets redirected

    In 2, 3, 4, and 6 the user goes over the open network un-encrypted and doesn’t get the protection of SSL. Pay-pal redirects requests for http://www.paypal.com to https://www.paypal.com (i.e. directs the browser to use SSL), but by then it could be too late. For example, a bad router can take the user to a spoof site www.paypal.com.bad.com and provide a perfectly valid certificate. Thus, even to get protection from a MITM attack the user must either bookmark the SSL site, or type the full URL and method; i.e. use method 1 or 5. There is evidence that few users do this [6]. Instead typing into the search bar appears to be a main means by which users navigate to sites.

    Microsoft Research https://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf

    Keep in mind, Paypal is one of the only banking websites to implement SSL (HTTPS) in the 'proper' configuration. Visit any UK bank's home page and you will (I think) be given a non-encrypted home page. This page could have been tampered with to change the "log-in" link to something like www-paypal-com.evil.com
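Added example, not part of the original post or the quoted paper: a small JavaScript check that classifies the six navigation methods listed above and rejects the two look-alike hosts the post mentions. The function names, `EXPECTED_DOMAIN` and the sample list are assumptions made for illustration.

```javascript
// Added example. EXPECTED_DOMAIN and SAMPLES are constructed for illustration.
const EXPECTED_DOMAIN = "paypal.com";

// True only when host is the expected domain or a real subdomain of it.
// A substring or prefix test would wrongly accept www.paypal.com.bad.com.
function hostBelongsTo(host, domain) {
  const h = host.toLowerCase().replace(/\.$/, "");
  const d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// entry: what the user types, or what the bookmark stores.
function assessNavigation(entry, domain = EXPECTED_DOMAIN) {
  let url;
  try {
    url = new URL(entry);
  } catch {
    // No scheme: a bare word or search term (methods 3 and 4 in the list).
    return { entry, firstHopEncrypted: false, hostOk: false,
             verdict: "unprotected: browser or search engine picks the URL" };
  }
  const firstHopEncrypted = url.protocol === "https:";
  const hostOk = hostBelongsTo(url.hostname, domain);
  let verdict;
  if (!hostOk) verdict = "wrong site: host is not under " + domain;
  else if (!firstHopEncrypted) verdict = "unprotected: first request is plain HTTP";
  else verdict = "protected: TLS from the first request";
  return { entry, firstHopEncrypted, hostOk, verdict };
}

// The methods from the list, plus the two spoof hosts named in the post.
const SAMPLES = [
  "https://www.paypal.com",          // methods 1 and 5
  "http://www.paypal.com",           // methods 2 and 6
  "paypal",                          // methods 3 and 4
  "https://www.paypal.com.bad.com",  // valid certificate, wrong owner
  "https://www-paypal-com.evil.com",
];

function assessAll() {
  return SAMPLES.map((s) => assessNavigation(s));
}

for (const r of assessAll()) console.log(r.entry.padEnd(34), r.verdict);
```

Only the first sample comes back as protected; the HTTPS look-alike hosts fail on the host check even though their connection is encrypted.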
  • joe134
    joe134 Posts: 3,336 Forumite
    someone wrote: »
    @joe134 - You look like you have been very diligent with your security. I would recommend scanning with some online scanner like TrendMicro HouseCall http://housecall.trendmicro.com/uk/

    @StevieJ - I'm afraid Googling is a big no-no, search results are dynamic and can be influenced. Also, many users confuse the top sponsors spot on google with 'the first result'.

    @evenasus - You may be interested in the 'private browsing' mode most browsers now use, it automates the clearing of the browser (but only normally after, not before I think)

    Ironically, a recent Microsoft research paper pointing out how bad and time-consuming current instructions from banks are is the thing I can come up with off the top of my head that shows why web pages should be bookmarked.

    Microsoft Research https://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf

    Keep in mind, Paypal is one of the only banking websites to implement SSL (HTTPS) in the 'proper' configuration. Visit any UK bank's home page and you will (I think) be given a non-encrypted home page. This page could have been tampered with to change the "log-in" link to something like www-paypal-com.evil.com
    Hi, as I see it, as long as the site bookmarked is verified by Rapport as genuine then I don't see a problem. Clearing internet files etc, before or after, should not alter the bookmarked site? Unless you type in a wrong URL, which is easily done, Rapport should show the site as genuine or not, that's its purpose, to lock you into the genuine website, certificated.
  • joe134
    joe134 Posts: 3,336 Forumite
    someone wrote: »
    @joe134 - You look like you have been very diligent with your security. I would recommend scanning with some online scanner like TrendMicro HouseCall http://housecall.trendmicro.com/uk/

    @StevieJ - I'm afraid Googling is a big no-no, search results are dynamic and can be influenced. Also, many users confuse the top sponsors spot on google with 'the first result'.

    @evenasus - You may be interested in the 'private browsing' mode most browsers now use, it automates the clearing of the browser (but only normally after, not before I think)

    Ironically, a recent Microsoft research paper pointing out how bad and time-consuming current instructions from banks are is the thing I can come up with off the top of my head that shows why web pages should be bookmarked.

    Microsoft Research https://research.microsoft.com/en-us/um/people/cormac/papers/2009/solongandnothanks.pdf

    Keep in mind, Paypal is one of the only banking websites to implement SSL (HTTPS) in the 'proper' configuration. Visit any UK bank's home page and you will (I think) be given a non-encrypted home page. This page could have been tampered with to change the "log-in" link to something like www-paypal-com.evil.com
    Hi, 1 & 5 are to me correct, hence me using 5 for all my banking sites. However, A&L say use 1 only, + clear history etc before using 1. HSBC mainly use an unsecured login site, until you get to PIN entry, then SSL kicks in, but they claim it's SSL covered as soon as you enter login page, even though it's not clearly visible. I bookmarked their https site, there is no constant with them. Just keep your eyes open and fingers crossed. The banks should be able to trace the IP address of router, I'm hardly likely to compromise my own a/c. "Just had another phish e-mail, egg c/c statement available, don't have one. Deleted." See what I mean. Beware "the Ides of March"
  • StevieJ
    StevieJ Posts: 20,174 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker
    someone wrote: »
    @StevieJ - I'm afraid Googling is a big no-no, search results are dynamic and can be influenced. Also, many users confuse the top sponsors spot on google with 'the first result'.

    Aware of the sponsors, also I use site advisor and rapport now, so if a site is green on site advisor, green on Rapport and near the top of the Google search and behaves normally (i.e. you enter the account you expected) my guess is it is probably genuine.
    'Just think for a moment what a prospect that is. A single market without barriers visible or invisible giving you direct and unhindered access to the purchasing power of over 300 million of the worlds wealthiest and most prosperous people' Margaret Thatcher
  • joe134
    joe134 Posts: 3,336 Forumite
    StevieJ wrote: »
    Aware of the sponsors, also I use site advisor and rapport now, so if a site is green on site advisor, green on Rapport and near the top of the Google search and behaves normally (i.e. you enter the account you expected) my guess is it is probably genuine.
    Hi Stevie, there's something just not right about my hack, I cannot put my finger on it, but smell a rat with A&L. I have umpteen a/cs with several banks, all online. When I opened A&L, last year, it's a linked a/c to my main HSBC a/c, as all others are. I use HSBC every week, A&L never, only to log in maybe 2 monthly to check on things. A&L did not ask for passport ID when opening a/c, but insisted I take it to branch now my a/c has been compromised. As they are all changing to Santander, is this a security check that was missed, but now rectified? Why didn't they notify me of breach when it occurred? A&L have not changed ID number, but 5 digit PIN only. They didn't know I had Rapport on when they contacted me, after I rang them first to ask why I was blocked. If money had been taken, how, it's a linked a/c to HSBC? Something just ain't right::
  • masonic
    masonic Posts: 27,639 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    joe134 wrote: »
    However, they told me to never use bookmarks or favourites, which I have been doing. They insist I clear web browser, history, cookies, before I log in by typing url in address bar only.
    OK, there is a tiny risk there that something could get on your system and mess with your bookmarks, but if something is on your system, it could also mess around with your hosts file or DNS settings so that even if you typed the url into the address bar you'd end up at the wrong site. Neither method is foolproof and there is little between them... unless A&L know that there is a specific virus doing the rounds that exploits bookmarks, which is possible.

    There is only one thing you can do that is completely safe - start up your browser (close it and restart it if necessary), go directly to the relevant https page for your bank *and* check the security certificate when you get there. The certificate needs to show the correct url for the site and be verified by an authority that you recognise (e.g. Verisign). Of course, Rapport does this last bit for you.

    As for the bit about clearing cookies - that stops one of the major security features of the A&L banking site from working. A&L places a cookie on your machine, which allows you to log in without entering the answer to a security question as well as your 5 digit PIN. That means you are protected from any keyloggers because they will never obtain the answer to your security question, which is needed to log in to your account from any other machine.

    Finally, clearing your history is totally irrelevant.
    As they used my 8 digit ID number and 5 digit PIN, A/L are only changing 5 digit PIN. Third line of security question was not breached, hence no loss? I would have thought bookmarking a secure Rapport address would be safe. Any suggestions would be appreciated. Leaving 8 digit ID same seems daft to me:
    No, actually it isn't. The customer ID provides zero security. It's just an 8 digit number. Once your PIN is changed, your account is no more vulnerable than any other (the bad guys get three tries to guess the 5 digit PIN, then move on to the next 8 digit customer number...)
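Added example, not part of the original post: the hosts-file point above as a defensive check in JavaScript, listing any hosts-file entry that pins a watched banking hostname to a fixed address, which is why typing the URL offers no protection on a tampered machine. `SAMPLE_HOSTS`, the `examplebank.test` names and the function names are constructed for illustration; it does not cover changed DNS settings.

```javascript
// Added example. Constructed hosts-file content; addresses are from the
// documentation ranges and the hostnames are placeholders.
const SAMPLE_HOSTS = `
# constructed sample
127.0.0.1   localhost
::1         localhost
203.0.113.7 www.examplebank.test   # constructed override
198.51.100.9 shop.example.test login.examplebank.test
`;

// Parse hosts-file text into one record per (address, name) pair.
// Comments start at '#'; one line may carry several names.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const body = line.split("#")[0].trim();
    if (!body) return;
    const [address, ...names] = body.split(/\s+/);
    for (const name of names) {
      entries.push({ line: i + 1, address, name: name.toLowerCase() });
    }
  });
  return entries;
}

// Return entries whose name is a watched domain or a subdomain of one.
// Any hit means the name resolves locally and bypasses DNS for that site.
function findOverrides(text, watchedDomains) {
  const watched = watchedDomains.map((d) => d.toLowerCase());
  return parseHosts(text).filter((e) =>
    watched.some((d) => e.name === d || e.name.endsWith("." + d)));
}

for (const hit of findOverrides(SAMPLE_HOSTS, ["examplebank.test"])) {
  console.log(`line ${hit.line}: ${hit.name} -> ${hit.address}`);
}
```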
  • masonic
    masonic Posts: 27,639 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    joe134 wrote: »
    :eek: Yet; hope you don't, like me, you will be the last to know. Why do you think banks are insisting you use Rapport? The onus is then on you; :eek:
    The onus isn't on you. If you show you are running Rapport and then fall victim to a fraud site, the bank will have great difficulty blaming you.
This discussion has been closed.