Internet banking security

Comments

  • toastydave
    toastydave Posts: 136 Forumite
    Any address you use either typed in or bookmarked has to be resolved (have the name turned into numbers) for example to get google.co.uk you type http://www.google.co.uk, but really your computer turns this into http://74.125.230.145/ (put the number in the address bar and you will see)

    This is done by your DNS (Domain Name Resolution Server), normally you get this from your internet service provider.

    This kind of Virus is called a DNS redirect, because instead of asking your Service provider to resolve the address, it's contacting some spyware site.

    To check if this is the case, open the start menu, and type in the run box CMD

    A black window should now open, now type "ipconfig /all" without the inverted brackets you should see

    Default gateway & DNS Servers, the numbers after both should be the same, if not can you post them and what version of windows are you using?
    To alcohol! The cause of... and solution to... all of life's problems!:beer:
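
The check described in the post above, automated as an added example (not part of the original post): it parses saved `ipconfig /all` output and lists every DNS server that is neither the adapter's default gateway nor a resolver you chose deliberately. The sample output, the function names and the `TRUSTED` set are assumptions made for the example.

```python
import re

# Matches "   Key . . . . : value" rows; continuation rows have no ". :" leader.
KV = re.compile(r"^\s+(.*?)[ .]*\. :\s*(.*)$")
# Assumption: resolvers set on purpose (the OpenDNS pair quoted in this thread).
TRUSTED = {"208.67.222.222", "208.67.220.220"}

def parse_ipconfig(text):
    """Return {section name: {field: [values]}} from `ipconfig /all` text."""
    sections, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():              # unindented line starts a section
            current = sections.setdefault(line.strip().rstrip(":"), {})
            last_key = None
            continue
        if current is None:
            continue
        m = KV.match(line)
        if m:
            last_key = m.group(1)
            value = m.group(2).strip()
            current[last_key] = [value] if value else []
        elif last_key:                         # second DNS server / gateway row
            current[last_key].append(line.strip())
    return sections

def unexpected_dns(text, trusted=TRUSTED):
    """List (adapter, dns) pairs where dns is not the gateway or a trusted resolver."""
    findings = []
    for name, fields in parse_ipconfig(text).items():
        gateways = set(fields.get("Default Gateway", []))
        for dns in fields.get("DNS Servers", []):
            if dns not in gateways and dns not in trusted:
                findings.append((name, dns))
    return findings

# Constructed sample; 203.0.113.53 is a documentation address, not a real resolver.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : EXAMPLE-PC

Ethernet adapter Local Area Connection:

   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
                                       192.168.1.1
"""
```

A result here means a resolver you have not vetted, not proof of infection: a PC plugged straight into a modem will list the ISP's own resolvers, which also differ from the gateway.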
  • Sedated
    Sedated Posts: 34 Forumite
    edited 5 March 2011 at 10:23AM
    Toasty
    thanks for that
    I did what you said and both Default gateway and DNS server numbers are the same.

    I have a screen shot of what info that turned up. But I suspect that's too much info to make public???

    BTW Vista
  • GunJack
    GunJack Posts: 11,896 Forumite
    sedated - to check things out from the DNS side, try using OpenDNS and see if you get the same problem. In your router settings, untick the "Get DNS Automatically" and tick "use This DNS" or similar options.

    Use:-

    Primary - 208.67.222.222
    Secondary - 208.67.220.220

    then, in your internet connection properties (on computer) ensure your DNS server settings point to your router's IP address, e.g. 192.168.1.1

    if this works okay, fine. If still getting redirected it indicates you are still infected with something and we may need to do further work to remove it :(
    ......Gettin' There, Wherever There is......

    I have a dodgy "i" key, so ignore spelling errors due to "i" issues, ...I blame Apple :D
  • Mr_Oink
    Mr_Oink Posts: 1,012 Forumite
    edited 5 March 2011 at 4:41PM
    Easy. If you type in the URL of your bank or use a bookmark of the URL there is no chance of your going to a fake site.

    That's not true. If someone has control of the DNS, or put a static entry in the hosts file to resolve the domain name to a spoof server - using a bookmark will make no difference at all.

    People always blame viruses and malware for this kind of fraud, and I'm not saying it is not a common problem. However, far too many people leave their systems W I D E open for others to read, with back ups of their banking {and other} credentials in text and excel files left available for the whole wide world to do as they will with.
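
A defender's check for the static hosts-file entry mentioned in the post above, as an added example (not part of the original post): it parses hosts-file text and classifies every mapping other than the normal localhost ones, singling out entries that point a watched domain at a routable address. The sample file, the `WATCHED` set and the label names are assumptions made for the example; on Windows the file is `%SystemRoot%\System32\drivers\etc\hosts`.

```python
import ipaddress

# Hypothetical watch list: the domains you bank with.
WATCHED = {"bank.example"}

def audit_hosts(text, watched=WATCHED):
    """Return (line number, address, name, kind) for each non-default mapping."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].split()      # drop comment, split fields
        if len(entry) < 2:
            continue                              # blank or comment-only line
        try:
            addr = ipaddress.ip_address(entry[0])
        except ValueError:
            findings.append((lineno, entry[0], "", "malformed"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in (n.lower().rstrip(".") for n in entry[1:]):
            if name == "localhost" and addr.is_loopback:
                continue                          # the stock entries
            hit = any(name == w or name.endswith("." + w) for w in watched)
            if hit:
                kind = "watched-blocked" if sinkhole else "watched-redirect"
            else:
                kind = "sinkhole" if sinkhole else "override"
            findings.append((lineno, str(addr), name, kind))
    return findings

def redirected_names(text, watched=WATCHED):
    """Names of watched domains that the hosts file sends to a routable address."""
    return [n for _, _, n, k in audit_hosts(text, watched) if k == "watched-redirect"]

# Constructed sample; 203.0.113.80 is a documentation address.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.80    www.bank.example bank.example   # constructed spoof entry
0.0.0.0         ads.tracker.example
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Any `watched-redirect` result overrides DNS for that name regardless of which resolver is configured, which is why a bookmark makes no difference in that case.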
  • tweeter
    tweeter Posts: 3,958 Forumite
    It's a bit of a fag but I do banking from a linux live cd. HTH
    Peel back your baby's eyelid to find no nationality or religious identity mark there. Peer at your baby's eyes for them to reflect back just people-throw away your flags and religious symbols...



  • toastydave
    toastydave Posts: 136 Forumite
    edited 5 March 2011 at 12:33PM
    Ok, so on Vista you can do this;
    Go Start menu ==> Control Panels ==> Network and Sharing Center
    Click Manage Network connection from the menu on the left hand side.
    Right Click on the network adaptor you use to connect to the internet and choose properties
    Click once on Internet Protocol Version 4 then click properties
    Click the USE following DNS Server address
    Enter
    Primary - 208.67.222.222
    Secondary - 208.67.220.220
    Then Click Advanced
    Then Click the WINS tab
    Then uncheck Enable LMHOSTS lookup
    Then ok all boxes as you close
    To alcohol! The cause of... and solution to... all of life's problems!:beer:
  • Mr_Oink wrote: »
    That's not true. If someone has control of the DNS, . . . .

    Sounds tricky. Happens all the time, I expect.
    . . . . . .or put a static entry in the hosts file to resolve the domain name to a spoof server - using a bookmark will make no difference at all.
    You've got big problems if just anyone can write to a system file. Root only access here.
  • Mr_Oink
    Mr_Oink Posts: 1,012 Forumite
    edited 5 March 2011 at 4:32PM
    Sounds tricky. Happens all the time, I expect.
    Your misinformed sarcasm to one side - Yes, it does. It's a very common vector.
    You've got big problems if just anyone can write to a system file. Root only access here.
    Indeed, but privilege escalation to 'system' (on windoze) on a compromised machine is usually trivial.

    Like all things in security - any good exploit relies - in part - on ignorance from users who have gaps in their understanding and, ideally, who have a false sense of security.
  • Now I also wonder how the scammer did the original fraud.

    Assuming they got access to the account via the compromised PC which gave them the passwords and memorable info.......
    Even so, you cannot authorise a payment to a "new recipient" without going through the Lloyds automated telephone authorisation system to approve it being added to your payees list....and no, the scammers can't change the registered telephone numbers on the Lloyds system to the scammers' own ones and immediately authorise the "illegal" payment: Lloyds block that one!
    The Lloyds system also confirms all new payments set up by text message to your mobile.
    So I wonder how the scammers set up a new payment?

    What version of "Norton" is the OP running (is it for example Norton Internet Security 2011 or something much older like Norton Anti-Virus 2005)?
    You say you "ran a scan"; did you ask for a quick or full scan?
    Modern versions of Norton will be doing daily scans both quick and full as appropriate in the background anyway.
  • Mr_Oink wrote: »
    Your misinformed sarcasm to one side - Yes, it does. It's a very common vector.

    DNSSEC goes a long way to mitigating the problem so to characterise DNS spoofing as 'common' is alarmist. Also, a login to a banking site will involve an https link and its associated, checkable certificate. Yes, all things may be capable of being circumvented but a direct link (or a bookmark) is the best you are going to get if you want to manage your finances over the net.
This discussion has been closed.