
hacked in even with rapport

alliance-leicester


Comments

  • joe134
    joe134 Posts: 3,336 Forumite
    masonic wrote: »
    OK, there is a tiny risk there that something could get on your system and mess with your bookmarks, but if something is on your system, it could also mess around with your hosts file or DNS settings so that even if you typed the url into the address bar you'd end up at the wrong site. Neither method is foolproof and there is little between them... unless A&L know that there is a specific virus doing the rounds that exploits bookmarks, which is possible.

    There is only one thing you can do that is completely safe - start up your browser (close it and restart it if necessary), go directly to the relevant https page for your bank *and* check the security certificate when you get there. The certificate needs to show the correct url for the site and be verified by an authority that you recognise (e.g. Verisign). Of course, Rapport does this last bit for you.

    As for the bit about clearing cookies - that stops one of the major security features of the A&L banking site from working. A&L places a cookie on your machine, which allows you to log in without entering the answer to a security question as well as your 5 digit PIN. That means you are protected from any keyloggers because they will never obtain the answer to your security question, which is needed to log in to your account from any other machine.

    Finally, clearing your history is totally irrelevant.

    No, actually it isn't. The customer ID provides zero security. It's just an 8 digit number. Once your PIN is changed, your account is no more vulnerable than any other (the bad guys get three tries to guess the 5 digit PIN, then move on to the next 8 digit customer number...)
    According to A&L security guy who phoned me and told me the time of breach etc, then said the culprits failed the personal security questions three times, hence block. If as you say, by removing cookies leaves me more open to keyloggers picking up on these questions, and answers which I shall have to provide, each login, then I am worse off. ICICI bank advise you use their keyboard for password, which changes after each digit entry. I will bring cookie topic up with A&L when I contact security guy, and post reply.
  • joe134
    joe134 Posts: 3,336 Forumite
    edited 25 March 2010 at 11:46AM
    joe134 wrote: »
    According to A&L security guy who phoned me and told me the time of breach etc, then said the culprits failed the personal security questions three times, hence block. If as you say, by removing cookies leaves me more open to keyloggers picking up on these questions, and answers which I shall have to provide, each login, then I am worse off. ICICI bank advise you use their keyboard for password, which changes after each digit entry. I will bring cookie topic up with A&L when I contact security guy, and post reply.
    Just had reply from A&L security guy who gave me all the instructions about, history, etc. I posed the cookie question, and he said A&L's system would recognise my pc when logging in, BUT if required, only one piece of cherished info would be asked for. In other words, "He don't know". This is the guy who has me jumping through hoops to get my pin back. If as he says their system detects my pc, why did he ask me if I used my pc at time of compromise, he should then know it was someone else, somewhere else, why did I have to show passport, and screenshot? The mind boggles.
  • masonic
    masonic Posts: 27,639 Forumite
    edited 25 March 2010 at 10:27PM
    joe134 wrote: »
    According to A&L security guy who phoned me and told me the time of breach etc, then said the culprits failed the personal security questions three times, hence block.
    You do realise what this means, don't you... It is entirely possible somebody else was trying to log in to their own account and accidentally entered your customer ID by mistake instead of their own. The security question gets asked *before* you are asked for your 5 digit PIN and before you are shown your unique image and phrase so it's easy to get the customer ID wrong and not know about it. You'd be taken through to the security question, these are standard questions. The person probably typed in their own answer three times and scratched their head wondering why it wouldn't let them in to their account - meanwhile yours gets blocked because it's your customer ID that they have typed in by mistake. It happens all the time. I can't believe A&L think your computer has been compromised because of this!!!
    ICICI bank advise you use their keyboard for password, which changes after each digit entry. I will bring cookie topic up with A&L when I contact security guy, and post reply.
    Those embedded on-screen keyboards are a really nice security feature - of course they don't protect you if something is taking screenshots - it's a shame more banks don't have anything like that in their login pages.
    joe134 wrote: »
    Just had reply from A&L security guy who gave me all the instructions about, history, etc. I posed the cookie question, and he said A&L's system would recognise my pc when logging in, BUT if required, only one piece of cherished info would be asked for. In other words, "He don't know". This is the guy who has me jumping through hoops to get my pin back.
    I used to use A&L as my main current account, so I actually know quite a bit about their set up. I don't think this person really knows how A&L's system works. There are 3 levels...
    Level 1: 1 security question (e.g. place of birth) [you need to enter this if there is no A&L cookie returned by the browser to show you've successfully logged in before]
    -- This is where you get shown your memorable image and phrase to confirm you are not at a phishing site --
    Level 2: 5 digit PIN [you have to enter this every time you log in]
    Level 3: 2 random letters/numbers from your password [you need to enter this to set up a new payee or transfer money somewhere new]

    For the Level 1 question, I *always* get asked for the same thing - I've tried different computers etc, but there is no variation, which means if my login is keylogged after I clear my cookies, the bad guys will be able to get into my online banking. But, because I keep the A&L cookie in my browser, I never have to answer the level 1 question and so it can never fall into the wrong hands.
    If as he says their system detects my pc, why did he ask me if I used my pc at time of compromise, he should then know it was someone else, somewhere else, why did I have to show passport, and screenshot? The mind boggles.
    It sounds like this was just a call centre worker. He wouldn't know the full story himself. All that's happened is A&L's systems have flagged your account as 'at risk' because of the failed login attempts and A&L have a policy and a script that details exactly what he has to ask you to do before he can reinstate your access. It's almost not worth having a human being at the other end of the phone ;)
  • joe134
    joe134 Posts: 3,336 Forumite
    edited 26 March 2010 at 12:01PM
    masonic wrote: »
    You do realise what this means, don't you... It is entirely possible somebody else was trying to log in to their own account and accidentally entered your customer ID by mistake instead of their own. The security question gets asked *before* you are asked for your 5 digit PIN and before you are shown your unique image and phrase so it's easy to get the customer ID wrong and not know about it. You'd be taken through to the security question, these are standard questions. The person probably typed in their own answer three times and scratched their head wondering why it wouldn't let them in to their account - meanwhile yours gets blocked because it's your customer ID that they have typed in by mistake. It happens all the time. I can't believe A&L think your computer has been compromised because of this!!!

    Those embedded on-screen keyboards are a really nice security feature - of course they don't protect you if something is taking screenshots - it's a shame more banks don't have anything like that in their login pages.


    I used to use A&L as my main current account, so I actually know quite a bit about their set up. I don't think this person really knows how A&L's system works. There are 3 levels...
    Level 1: 1 security question (e.g. place of birth) [you need to enter this if there is no A&L cookie returned by the browser to show you've successfully logged in before]
    -- This is where you get shown your memorable image and phrase to confirm you are not at a phishing site --
    Level 2: 5 digit PIN [you have to enter this every time you log in]
    Level 3: 2 random letters/numbers from your password [you need to enter this to set up a new payee or transfer money somewhere new]

    For the Level 1 question, I *always* get asked for the same thing - I've tried different computers etc, but there is no variation, which means if my login is keylogged after I clear my cookies, the bad guys will be able to get into my online banking. But, because I keep the A&L cookie in my browser, I never have to answer the level 1 question and so it can never fall into the wrong hands.

    It sounds like this was just a call centre worker. He wouldn't know the full story himself. All that's happened is A&L's systems have flagged your account as 'at risk' because of the failed login attempts and A&L have a policy and a script that details exactly what he has to ask you to do before he can reinstate your access. It's almost not worth having a human being at the other end of the phone ;)
    They claim ID number and pin number was used successfully, only cherished data wasn't, hence lockout. The hacker obviously wouldn't have a cookie on my details, unless they have been in prior, successfully. Is this not different to your sequence, or am I misreading it? As I have said, I have probably logged into this A/c twice since opening it, only to check on it, as I do on several other A/cs. They are used for long term bonds, etc, not as a current a/c. All of my a/cs are linked to my main HSBC current a/c, so I presume by hacking into one a/c, the hacker could backtrack to my HSBC, then forward to other linked a/cs? If someone inadvertently used my ID, they still got my pin correct too, quite a coincidence that, and if as you say they usually only ask 1 cherished question repeatedly, deleting my cookie would soon give that question/answer away to any keylogger, if that's what I have got. I use B/Mid, SAGA, B&B, all now Santander, all different security systems. I was given the option of Rapport with HSBC, A&L now won't give me pin without Rapport.
  • LeifGR
    LeifGR Posts: 188 Forumite
    edited 26 March 2010 at 4:24PM
    There is something I don't understand here:
    joe134 wrote: »
    They claim ID number and pin number was used successfully, only cherished data wasn't, hence lockout.

    ...but you said earlier that
    joe134 wrote: »
    According to A&L security guy who phoned me and told me the time of breach etc, then said the culprits failed the personal security questions three times

    Why would the "culprits" have been posed any security questions at all if they managed to get both the User ID and PIN right? Then surely they would have successfully logged in? If they did not have the right cookie, they would have been asked security question(s) before they could enter a PIN. Surely A&L wouldn't first capture an incorrect answer to a security question and then go on to ask for the PIN?

    My wife's got an A&L account so I am keen to understand what has gone on here.
  • masonic
    masonic Posts: 27,639 Forumite
    joe134 wrote: »
    They claim ID number and pin number was used successfully, only cherished data wasn't, hence lockout. The hacker obviously wouldn't have a cookie on my details, unless they have been in prior, successfully. Is this not different to your sequence, or am I misreading it?
    As LeifGR has said, the sequence of events that have been described to you isn't possible. If the hacker failed the security question 3 times then they wouldn't even get the opportunity to guess the PIN. I have serious doubts about the accuracy of what you have been told. It sounds to me like none of your security details were compromised and A&L is just 'laying it on thick' to try and push Rapport on to you (which is a bit pointless given you are already using it).
  • masonic
    masonic Posts: 27,639 Forumite
    LeifGR wrote: »
    Why would the "culprits" have been posed any security questions at all if they managed to get both the User ID and PIN right? Then surely they would have successfully logged in? If they did not have the right cookie, they would have been asked security question(s) before they could enter a PIN. Surely A&L wouldn't first capture an incorrect answer to a security question and then go on to ask for the PIN?
    Just as a quick sanity check I tested this out. I already know that the security questions are never asked *after* the 5 digit PIN has been entered. I can now confirm if you get the security question wrong at login you cannot get as far as the page where it asks for your PIN. Therefore, it is not possible to get the security question wrong and the 5 digit PIN right.
  • DanK_3
    DanK_3 Posts: 24 Forumite
    I have also had problems with my A&L account recently. Not from being hacked (well I hope not) but from being unable to log in because it says access is blocked and to call their support number. This appears to happen quite regularly and I would agree entirely with masonic.

    For example, I have got the blocked message on the first attempt at logging in whereas I am told it should only happen after 3 failed attempts. I know I am definitely putting in the correct information so the most likely explanation is that someone else is trying to log in to their account but somehow typing my ID in and then answering the security questions with their answers which obviously don't match and hence lock out the account.

    My experience is the same as masonic in that if you have cookies stored in your browser you only get asked for the ID followed by pin. Whereas if you clear your cookies you will always be asked an additional security question in between the ID and pin. I too have found that this is always the same security question regardless of the computer used. Assuming you keep the cookie on your computer as soon as you have entered your customer ID you should see your memorable image and phrase. You then know you are definitely logging in with your correct ID and that it is not a phishing site as it has come back with the correct image and phrase (and if not you have not entered any further security information).

    To answer LeifGR's post you would have to make quite a few assumptions. E.g. if it was a hacker and not just a simple case of the account being locked out by mistake as described above they would have to have already managed to capture the customer ID, the answer to the security question which appears if you don't have the cookie stored and the pin. If they didn't have the cookie it would definitely ask the first security question and failing this does not take you to the pin stage. Therefore if they claim the 'culprits' did manage to use the customer ID and pin successfully they would either have to have retrieved the cookie from the person's computer or answered the security question correctly as well. However, if they were caught/locked out for failing a personal security question three times this could be another security question (different to the one asked at login) which would have been asked if they tried to set up a new payee. It could have been this password which they did not have so couldn't continue. Failing this three times would also lock out the account.

    It can be hard to deal with the call centre staff sometimes but seems to depend on who you get. When I explained about the problems I was having with logging in (eg. blocked access on first attempt) it was immediately put down as a mistake I was making which I tried to explain couldn't be the case as I had only tried once whereas by their own admission it should only block access after three failed attempts. When it was suggested that someone else was maybe entering my customer ID by mistake the first response was to reset my pin which would take three days to be sent out. I said that this is unlikely to help since if someone continues to do it my account will simply be locked out again before I get a chance to try the new pin.

    As for the advice about bookmarking the site and clearing cookies I have had different representatives give different advice. One claimed clearing cookies each time was the most secure so that you were always asked for three pieces of security information whereas another said keep cookies so you only ever type the security question answer in the first time. On making sure you are using the correct site I have been advised to bookmark the site once you know it is the correct one to minimise the chance of typing it incorrectly on follow-up visits. However, the last time I spoke to someone when they asked me to read out the address it was showing in the browser they said it wasn't the right one and that I had just put my details in to a phishing site. However, on closing the browser completely, going to the main site first, then clicking login, it was actually the correct one after all, it's just where it changes to https and adds the additional mybank part into the address which they didn't recognise at first :mad:

    Anyway good luck getting it sorted out.
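The login order that masonic and DanK_3 describe above can be written down as a small state machine. This is an added example, not part of any poster's message and not A&L's code; the account values are constructed, and the single failure counter per customer ID is an assumption drawn from the lockout behaviour reported in the thread.

```python
from dataclasses import dataclass, field

MAX_FAILURES = 3  # posts say access is blocked after three failed attempts

@dataclass
class Account:
    customer_id: str
    security_answer: str
    pin: str
    failures: int = 0      # assumption: one counter per customer ID, shared by all stages
    blocked: bool = False

def make_bank():
    # Constructed sample accounts; none of these values come from the thread.
    accounts = [Account("11111111", "Leicester", "24680"),
                Account("11111112", "Derby", "13579")]
    return {a.customer_id: a for a in accounts}

@dataclass
class LoginSession:
    bank: dict
    has_cookie: bool       # cookie left by an earlier successful login
    account: Account = None
    stage: str = "customer_id"
    events: list = field(default_factory=list)

    def _fail(self, what):
        self.account.failures += 1
        self.events.append(what + "_failed")
        if self.account.failures >= MAX_FAILURES:
            self.account.blocked = True
            self.stage = "blocked"

    def enter_customer_id(self, customer_id):
        self.account = self.bank[customer_id]
        if self.account.blocked:
            self.stage = "blocked"
        else:
            # Level 1 is skipped only when the browser returns the cookie.
            self.stage = "pin" if self.has_cookie else "security_question"
        return self.stage

    def answer_security_question(self, answer):
        if self.stage != "security_question":
            raise RuntimeError("security question is not asked at this stage")
        if answer == self.account.security_answer:
            self.stage = "pin"   # image and phrase are shown from here on
        else:
            self._fail("question")
        return self.stage

    def enter_pin(self, pin):
        if self.stage != "pin":
            raise RuntimeError("PIN page not reached")
        if pin == self.account.pin:
            self.account.failures = 0
            self.stage = "logged_in"
        else:
            self._fail("pin")
        return self.stage

def pin_reachable_after_failed_question():
    """Can a session fail the question and still submit a (correct) PIN?"""
    s = LoginSession(make_bank(), has_cookie=False)
    s.enter_customer_id("11111111")
    s.answer_security_question("wrong answer")
    try:
        s.enter_pin("24680")
    except RuntimeError:
        return False
    return True

def wrong_id_lockout():
    """Another customer mistypes one digit of the ID and gives their own answer."""
    bank = make_bank()
    stranger = LoginSession(bank, has_cookie=False)
    stranger.enter_customer_id("11111111")          # meant 11111112
    for _ in range(MAX_FAILURES):
        stranger.answer_security_question("Derby")
    owner = LoginSession(bank, has_cookie=True)
    return stranger.events, owner.enter_customer_id("11111111")

def typed_secrets(has_cookie):
    """Which fields are typed at the keyboard during one successful login."""
    s = LoginSession(make_bank(), has_cookie)
    typed = ["customer_id"]
    if s.enter_customer_id("11111111") == "security_question":
        s.answer_security_question("Leicester")
        typed.append("security_answer")
    s.enter_pin("24680")
    typed.append("pin")
    return typed
```

Under this model, "question failed, PIN correct" is not a reachable sequence, the owner sees the block on their first attempt after a stranger's mistyped ID, and the security answer is only ever typed when the cookie is missing.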
  • joe134
    joe134 Posts: 3,336 Forumite
    masonic wrote: »
    As LeifGR has said, the sequence of events that have been described to you isn't possible. If the hacker failed the security question 3 times then they wouldn't even get the opportunity to guess the PIN. I have serious doubts about the accuracy of what you have been told. It sounds to me like none of your security details were compromised and A&L is just 'laying it on thick' to try and push Rapport on to you (which is a bit pointless given you are already using it).
    Hi, both, as I said, I smelled something not right. Had 2 e-mails today from Rapport @A&L. First asking for ID number to reactivate A/c and second saying account reactivated, pin arriving next 5 working days. As I only used that A/c a couple of times since opening it, only to check no compromise has taken place, I could not say the sequence to login, only that ID number is first. A&L told me that ID & pin numbers were breached, but 3 failures to cherished data caused block. I have said all along no breach took place, as I already have Rapport, then why invent a breach. They even told me date and time of breach. I still cannot understand why I, after answering all their security questions on the phone, had to take my passport to branch 10 miles away for proof of ID, something I didn't have to submit when opening the A/c. I bow to your knowledge of sequence of login as using it only twice, I cannot argue the point, I honestly do not know. It's a hell of a way to get me to download Rapport. Screenshots, passports, blocking a/c, security questions, phone calls to them, and from their security, e-mails to download Rapport, delete history, cookies etc. WHY? How do I prove it's a scam on A&L's behalf? When my pin arrives I can confirm login sequence, but I believe you both. I have no proof to accuse A&L of lying. I can post the e-mails from them if you want. I would love to throw the book at them, it's not nice to know you have been compromised by something maybe I had done wrong, but as a scam it's hard to swallow. There's no logic to it.
  • joe134
    joe134 Posts: 3,336 Forumite
    joe134 wrote: »
    Hi, both, as I said, I smelled something not right. Had 2 e-mails today from Rapport @A&L. First asking for ID number to reactivate A/c and second saying account reactivated, pin arriving next 5 working days. As I only used that A/c a couple of times since opening it, only to check no compromise has taken place, I could not say the sequence to login, only that ID number is first. A&L told me that ID & pin numbers were breached, but 3 failures to cherished data caused block. I have said all along no breach took place, as I already have Rapport, then why invent a breach. They even told me date and time of breach. I still cannot understand why I, after answering all their security questions on the phone, had to take my passport to branch 10 miles away for proof of ID, something I didn't have to submit when opening the A/c. I bow to your knowledge of sequence of login as using it only twice, I cannot argue the point, I honestly do not know. It's a hell of a way to get me to download Rapport. Screenshots, passports, blocking a/c, security questions, phone calls to them, and from their security, e-mails to download Rapport, delete history, cookies etc. WHY? How do I prove it's a scam on A&L's behalf? When my pin arrives I can confirm login sequence, but I believe you both. I have no proof to accuse A&L of lying. I can post the e-mails from them if you want. I would love to throw the book at them, it's not nice to know you have been compromised by something maybe I had done wrong, but as a scam it's hard to swallow. There's no logic to it.
    Thank you for your e-mail confirming successful installation of the
    Rapport software. However you have not included your 8 digit customer ID
    number. In order to reset your Internet Banking access, can you please
    reply to this e-mail confirming your 8 digit customer ID number.

    Once we have received this e-mail we will be able to reset your Internet
    Banking access.
    Thank you for your e-mail confirming installation of the Rapport software. I can confirm that your Internet Banking access has been reset and a new PIN has been sent, which you will receive within five working days. Once this has been received you will need to change it to a number of your own choice.
    If you need to contact us whilst waiting for the PIN, please only key your 8 digit Customer ID into the telephone. Do not enter anything when asked to enter a PIN and do not attempt to access your account via internet banking until your new PIN arrives.
    Kind regards,
This discussion has been closed.