how is it done? intercepting email and bank details.

  • spud17
    spud17 Posts: 4,431 Forumite
    NowRetired wrote: »

    Am I just lucky that I have never had my email or bank account details compromised in the past 17 years that I have had internet access?

    You're not lucky, :D, just more savvy than the average user.

    Unlike most of the youngsters, (allegedly the most knowledgeable), you think before you click. :beer:.
    And I'm old (ish) as well, so not intending to sound condescending.

    ETA, by asking the question, you've shown you are thinking about keeping yourself safe.
    Move along, nothing to see.
  • securityguy
    securityguy Posts: 2,464 Forumite
    patman99 wrote: »
    If you intend to use a lot of public WiFi hotspots, then it is worth setting-up an OpenDNS account. By specifying a DNS on a PC's network settings, the data you send/receive is encrypted by the PC at either end. So even if you use unsecured (no password needed) hotspots such as those used by Sainsburys, Tesco & ASDA in their cafes, your data is still safe from interception.

    Sorry, but that is complete nonsense. You appear to be confusing OpenDNS's service, which provides approximately no protection when using wireless access points (a hypothetical man-in-the-middle will obviously intercept all DNS traffic, irrespective of which nameserver it is directed to) with a VPN. Using a VPN is a pretty much complete solution to concerns about hotspot security, albeit one that can be operationally tricky. But OpenDNS isn't a VPN.
  • Another attack is via somehow infecting your machine with software which sends a record of your keystrokes and possibly even what's on your screen.

    Some AV packages now have a system whereby when you connect to a financial institution website you enter your details on a dummy keyboard so there are no keystrokes to record.
    There does not appear to be any way of recording details entered in this way - yet !
  • Lum
    Lum Posts: 6,460 Forumite
    Some AV packages now have a system whereby when you connect to a financial institution website you enter your details on a dummy keyboard so there are no keystrokes to record.
    There does not appear to be any way of recording details entered in this way - yet !

    Software exists that can silently record what is going on on your screen.
  • waddler_8
    waddler_8 Posts: 3,588 Forumite
    Some AV packages now have a system whereby when you connect to a financial institution website you enter your details on a dummy keyboard so there are no keystrokes to record.
    There does not appear to be any way of recording details entered in this way - yet !
    Lum wrote: »
    Software exists that can silently record what is going on on your screen.

    ...and banking malware such as ZeuS has been doing it for a while. This (from 3 years ago).
    In order to prevent keystrokes and other data from being monitored, many websites use a special virtual keyboard. Users click the left mouse button on the keys of the virtual keyboard, which is visible on their monitors, to enter their password. In this case, ZeuS exploits a different mechanism to intercept user data: as soon as you push the left mouse button, ZeuS takes a screenshot, making it easy to identify the keys that you selected on the virtual keyboard.

    It can inject code into the webpage you are seeing in an attempt to phish your smartphone details so it can infect that too.
    ZeuS controls all of the data that is transferred via your web browser. If you attempt to open a website that has already been logged by ZeuS' configuration file, the Trojan may modify the website's code before you even see it in the browser window.
    http://threatpost.com/en_us/blogs/zitmo-trojan-variant-eurograbber-beats-two-factor-authentication-steal-millions-120612
    The key here is the Trojan’s ability to circumvent the second-factor of authentication, or Transaction Authorization Number (TAN) sent via SMS to the user’s mobile. The Trojan gets the SMS and sends the TAN via relay phones and proxy servers to the command and control server’s SQL database. The Trojan uses the TAN to complete its transaction, while the customer sees none of the fraudulent activity.

    Search any of the analysis on ZeuS, SpyEye, Ice IX etc - it makes for interesting reading.
  • securityguy
    securityguy Posts: 2,464 Forumite
    NowRetired wrote: »
    I would still like to know how someone, one of my neighbours for instance, as there are a few wireless networks around my home, can read my email or see what letter I pick from the drop down menu to access my bank account?

    They can't, unless you are remiss in the modicum of precautions you should be taking and they are conducting a full-scale assault on your networking.
    So basically all those who complain about their email being hacked and their passwords being stolen are simply victims of phishing or downloading some malicious software?

    Almost without exception, yes. For all the talk of hostile access points in cafes, for example, the literature is strangely silent on it actually happening.

    Use https for everything that matters (you can turn it on for Facebook and Twitter, too). Check it's operational. Check that your browser marks the certificate as valid (there are attacks on this, but they're exotic and unlikely to trouble you). Run some appropriate security software, depending on your choice of operating systems. Relax.
  • rockitup
    rockitup Posts: 677 Forumite
    edited 18 April 2013 at 12:37PM
    After a close shave with using an internet cafe computer for online banking 5 years ago, I toughened up my internet security after reading up on articles on the net.

    Am now using a 64 character WPA-2 router password, WPS is disabled, using a Mac laptop with Witopia VPN installed and setting for stealth mode selected under firewall options. Also have 1Password installed with long, randomly generated passwords for each account and site. Master password is also very secure.

    I sometimes have to use a Coffee shop, Hotel or Airport wi-fi when travelling so would all this (less home router security) be enough to stop anyone grabbing my log-in details?

    Always a little worried as day trading regularly and use the online banking a couple of times a week. Also have a separate email address just used for banks and trading, so no spam in that account.

    edit: Witopia VPN has 128 bit and 256 bit connections, I use the 256 bit for financial sites
  • securityguy
    securityguy Posts: 2,464 Forumite
    rockitup wrote: »
    I sometimes have to use a Coffee shop, Hotel or Airport wi-fi when travelling so would all this (less home router security) be enough to stop anyone grabbing my log-in details?

    Yes. Obviously, there are weaknesses, but you need to judge how serious they are. For example, someone able to obtain your 1Password vault in its encrypted form (a reasonable assumption for a strong attacker) and also able to point a camera at your keyboard would be able to get passwords. Lastpass supports the use of Yubikey one-time password generators for this, which would stop that vector, but I've not seen a formal analysis of its security (given formal analysis of security protocols is my research activity, perhaps I ought to do it!)
    edit: Witopia VPN has 128 bit and 256 bit connections, I use the 256 bit for financial sites

    Doesn't make much difference. Whatever the threats are to your VPN, frontal attacks on AES and other bulk ciphers aren't amongst them. After all, 192 bits is considered sufficient for TOP SECRET, and the only reason why 128 bits aren't is about policy ("TOP SECRET is more valuable than SECRET, so there should be more bits") rather than anyone seriously believing that 128 bit encryption is tractable. If AES is broken, the number of bits in the key probably doesn't matter; if it isn't broken, then 128 bits is more than sufficient.

    For what it's worth, an attacker able to make a billion, billion trial decryptions per second (ie, who had access to a million graphics cards, each substantially more powerful than the current best in class) would be able to break a 128 bit key, by brute force, in on average 5000 billion years, or around a thousand times the current lifespan of the universe. I'm comfortable with that risk.

    As Seagate put it some years ago:
    If you assume:
    Every person on the planet owns 10 computers.
    There are 7 billion people on the planet.
    Each of these computers can test 1 billion key combinations per second.
    On average, you can crack the key after testing 50% of the possibilities.
    Then the earth's population can crack one (128 bit) encryption key in 77,000,000,000,000,000,000,000,000 years!

    There are reasons to use 256-bit AES, but they're not terribly convincing. There's a good analysis here: http://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/
  • danthemoneysavingman
    danthemoneysavingman Posts: 1,403 Forumite
    edited 18 April 2013 at 3:16PM
    NowRetired wrote: »
    I know about phishing and such, what I want to know is if I go to a wireless hot spot/internet cafe or even McDonald's and use my Kindle or laptop to connect to my bank, for instance, how can someone get my log-in details?
    Not to forget, by looking over your shoulder ;)
    Friendly greeting!
  • rockitup
    rockitup Posts: 677 Forumite
    Yes. Obviously, there are weaknesses, but you need to judge how serious they are. For example, someone able to obtain your 1Password vault in its encrypted form (a reasonable assumption for a strong attacker) and also able to point a camera at your keyboard would be able to get passwords. Lastpass supports the use of Yubikey one-time password generators for this, which would stop that vector, but I've not seen a formal analysis of its security (given formal analysis of security protocols is my research activity, perhaps I ought to do it!)



    Doesn't make much difference. Whatever the threats are to your VPN, frontal attacks on AES and other bulk ciphers aren't amongst them. After all, 192 bits is considered sufficient for TOP SECRET, and the only reason why 128 bits aren't is about policy ("TOP SECRET is more valuable than SECRET, so there should be more bits") rather than anyone seriously believing that 128 bit encryption is tractable. If AES is broken, the number of bits in the key probably doesn't matter; if it isn't broken, then 128 bits is more than sufficient.

    For what it's worth, an attacker able to make a billion, billion trial decryptions per second (ie, who had access to a million graphics cards, each substantially more powerful than the current best in class) would be able to break a 128 bit key, by brute force, in on average 5000 billion years, or around a thousand times the current lifespan of the universe. I'm comfortable with that risk.

    As Seagate put it some years ago:



    There are reasons to use 256-bit AES, but they're not terribly convincing. There's a good analysis here: http://blog.agilebits.com/2013/03/09/guess-why-were-moving-to-256-bit-aes-keys/

    Thanks for the detailed info, I was thinking maybe I should keep the 1Password encrypted file out of dropbox, and just place it back in whenever I am syncing it. Would that make things safer?

    I try to keep keyboard covered when entering the master password anyway. When I had the close shave 5 years ago, the proceeds from sale of my house had just been deposited to my account and they had the Zeus like trojan on their computers in the net cafe. Nearly lost 400k that day, hence my wish for best security...
This discussion has been closed.