We'd like to remind Forumites to please avoid political debate on the Forum. This is to keep it a safe and useful space for MoneySaving discussions. Threads that are - or become - political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.

Internet Fraud

Has anyone heard anything about the new internet banking hackers who can gain access even to a'ccounts that have the card reader. Apparently you log on normally to the normal website but then you are redirected for 'training' at which time the hackers can get into your account.

Apparently each hack is a one off but it is difficult to protect against this.
The forest would be very silent if no birds sang except for the birds that sang the best






«1

Comments

  • Any 'redirect' should be treated with caution - so IMO quite easy to avoid.
  • Gromitt
    Gromitt Posts: 5,063 Forumite
    Unless they have cracked the encrypted certificate that banks used to identify themselves, any such redirect will be clearly visible. For example, whilst logged into online banking I can clearly see "first direct Bank (HSBC Holdings plc)(GB)" as part of my address bar. This site has no such text as it does not identify itself.
  • Mikhail
    Mikhail Posts: 262 Forumite
    Part of the Furniture Photogenic Combo Breaker
    tesuhoha wrote: »
    Has anyone heard anything about the new internet banking hackers who can gain access even to a'ccounts that have the card reader. Apparently you log on normally to the normal website but then you are redirected for 'training' at which time the hackers can get into your account.

    Apparently each hack is a one off but it is difficult to protect against this.

    I think you are talking about Man-in-the-browser (MITB or MitB) attack.
  • Mikhail
    Mikhail Posts: 262 Forumite
    Part of the Furniture Photogenic Combo Breaker
    Gromitt wrote: »
    Unless they have cracked the encrypted certificate that banks used to identify themselves, any such redirect will be clearly visible. For example, whilst logged into online banking I can clearly see "first direct Bank (HSBC Holdings plc)(GB)" as part of my address bar. This site has no such text as it does not identify itself.

    A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. A MitB attack is countered by utilising transaction verification.
  • mr_fishbulb
    mr_fishbulb Posts: 5,224 Forumite
    Part of the Furniture Combo Breaker
    Read here - http://www.bbc.co.uk/news/technology-16812064

    Very cool attack. Especially manipulating your online statements so you don't see the money leaving your account.
  • I have read the BBC article along with the posts on here and i do not know what to think about internet banking. I depend on internet banking for business and personal use and have never had a problem. Does anyone know how common these man in browser attacks are? Is anyone considering opting out of internet banking as a result of the latest threats?
    Money is a wise mans religion
  • pqrdef
    pqrdef Posts: 4,552 Forumite
    Mikhail wrote: »
    I think you are talking about Man-in-the-browser (MITB or MitB) attack.
    It can be just a fancy version of a normal phishing attack using a fake website. The normal attack will fail if the customer thinks "why am I being asked for a complete password instead of just 2 or 3 characters?".

    So the fancy version pretends to log the customer in normally, but then tells him there's a website upgrade coming up and he needs to go through this interactive demo - which is where it collects the goods.
    "It will take, five, 10, 15 years to get back to where we need to be. But it's no longer the individual banks that are in the wrong, it's the banking industry as a whole." - Steven Cooper, head of personal and business banking at Barclays, talking to Martin Lewis
  • Broadwood
    Broadwood Posts: 706 Forumite
    Part of the Furniture 500 Posts Photogenic Combo Breaker
    edited 5 February 2012 at 11:19AM
    I saw the MitB report on Click today on BBC News channel.

    This report prompted me to check whether my updated Firefox 10 which was released a few days ago is compatible with my installed version of Trusteer Rapport security software as supplied by my bank/building society. It turns out that they are not compatible without a manual update of the new version of Rapport which does support Firefox 10.

    The result is that I've been doing online banking for nearly a week without Rapport's protection and I didn't know about this flaw.

    Why oh why doesn't security software automatically flag up when it stops being compatible with an updated browser?

    This is a serious security loophole !
    Never trust a financial institution.


    Still studying at the University of Life.
  • Gromitt
    Gromitt Posts: 5,063 Forumite
    Mikhail wrote: »
    A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or Two or Three Factor Authentication solutions are in place. A MitB attack is countered by utilising transaction verification.

    I agree, a MitB attack can be a serious security risk. The original post seemed more like you logged in and hackers got access to your bank account, which is incorrect. The fraud is only active for a single transaction during the 'training session'.
    Read here - http://www.bbc.co.uk/news/technology-16812064

    Very cool attack. Especially manipulating your online statements so you don't see the money leaving your account.

    I do question some of the story however. For example, I've wrote down numbers generated by devices like PINSentry and used them days later, so 30 seconds is clearly false. Secondly, banks such as co-op, Nationwide and Barclays don't require you to use the devices to login.
  • All the security measures put in by the banks are not and cannot be as secure as their marketing people would have you believe.

    If you can get into your online banking, so can someone else who has access to the information you used to login. Multi-factor authentication and software like Rapport makes this substantially harder, but this is just another salvo in the war between the banks and the fraudsters.

    Performing a MitB attack is something that will become more prevalent as banks remove the ability to log in using fixed credentials that can be harvested by fraudsters. And if you have a read of (ahh... new member can't post links, but have a read of Trusteer's Wikipedia page) you will see that there have already been questions over the ability of Rapport to prevent this sort of attack.

    As each bank removes the ability to login using fixed details, they will move focus onto those institutions who still do. If I were a betting man I'd be willing to put money on there being someone somewhere working on some code that can defraud you in real time.

    My advise would be to keep your AV software up to date, and make sure you log off after you have finished what you're doing. If you just close your browser there is a risk of the banking session remaining live until it times out due to inactivity.
This discussion has been closed.
Meet your Ambassadors

Categories

  • All Categories
  • 347.7K Banking & Borrowing
  • 251.9K Reduce Debt & Boost Income
  • 452.1K Spending & Discounts
  • 240.1K Work, Benefits & Business
  • 616.2K Mortgages, Homes & Bills
  • 175.3K Life & Family
  • 253.4K Travel & Transport
  • 1.5M Hobbies & Leisure
  • 16K Discuss & Feedback
  • 15.1K Coronavirus Support Boards

Is this how you want to be seen?

We see you are using a default avatar. It takes only a few seconds to pick a picture.