Victim of online banking fraud with Santander account...

Archi_Bald

I had read the rest of your post before my previous response, and the only thing I would agree with you on is that it is surprising they refunded the money, but they will have had good reason for that.

Other than that,a bank has no responsibility to tell their customers what they should do with their PCs and other devices, and the bank would be on dodgy ground if they did provide such advice. Nor is any bank qualified to give anything but very general advice to anyone about use of computing devices, and they will, IMO, never seek such qualification, for one simple reason: they will have absolutely zero control over what the customer will do.

More than that, a bank cannot normally be sure that the defrauded customer wasn't actually involved in the defrauding themselves. Note I am not suggesting this could have been the case with the OP. To discuss with a customer how a scam works might even be in breach of the law but even if it isn't, it would be downright stupid to discuss the details with Joe Bloggs.

Ashmil

Stevie_Palimo wrote: »

Do Santander need to send out baby sitters then here ? , It is not about being harsh it is about being savvy to the facts of how banking works and for those that fall for this type of scam I do believe are not savvy enough, This is not meant as a put down but simply implying that common sense should prevail in these instances.

In an ideal world, of course, we would all be savvy to all possible permutations of Internet fraud. But this is the real world, and that is not the case. I've been Internet banking for probably about 15 years now, without a glitch. I never respond to phishing, I keep up to date antivirus, I'm as careful as I know how to be. I have an MSc in Music Tech, I can build a computer, I use complex software. But this one was not on my radar. Never heard of MITB techniques. Also, researching now on the web, this aspect of Internet fraud is seen as new, advanced and quite worrying. And good at dodging antivirus technology.

I got caught out. Regret it? Of course. Learnt something? Damn right. Grateful to have the money compensated by the bank? You bet.

Santander did take an interest in my security, online habits etc - asked a load of questions, and in fairness turned things round within 24 hrs. Turns out banks tend to compensate in these situations as a matter of course. Thank God. But yeah, if I was them I think I would be pumping out information to customers about MITB risks. First I've heard of it was after it happened...

Hey we all think we're good drivers but we can still have scrapes on occasion...

ChiefGrasscutter

So experts, how do we think it was done, given that the OP was at home on their own wifi.

Was this a man in the browser hijack type attack from malware on the PC and if so how are we sure it is now clean

...or more worryingly was the 'man' actually within Santander and it was their systems which had been interfered with?

MABLE

Ashmil wrote: »

In an ideal world, of course, we would all be savvy to all possible permutations of Internet fraud. But this is the real world, and that is not the case. I've been Internet banking for probably about 15 years now, without a glitch. I never respond to phishing, I keep up to date antivirus, I'm as careful as I know how to be. I have an MSc in Music Tech, I can build a computer, I use complex software. But this one was not on my radar. Never heard of MITB techniques. Also, researching now on the web, this aspect of Internet fraud is seen as new, advanced and quite worrying. And good at dodging antivirus technology.

I got caught out. Regret it? Of course. Learnt something? Damn right. Grateful to have the money compensated by the bank? You bet.

Santander did take an interest in my security, online habits etc - asked a load of questions, and in fairness turned things round within 24 hrs. Turns out banks tend to compensate in these situations as a matter of course. Thank God. But yeah, if I was them I think I would be pumping out information to customers about MITB risks. First I've heard of it was after it happened...

Hey we all think we're good drivers but we can still have scrapes on occasion...

They normally do refund as a matter of course straight away but this does not mean they may claim the money back again once their investigations are complete.

Ashmil

Well thanks for that cheering thought Mable. You mean when they discover that this whole thing was an evil scheme masterminded by myself?

securityguy

Archi_Bald wrote: »

I had read the rest of your post before my previous response, and the only thing I would agree with you on is that it is surprising they refunded the money, but they will have had good reason for that.

Other than that,a bank has no responsibility to tell their customers what they should do with their PCs and other devices, and the bank would be on dodgy ground if they did provide such advice.

Someone should tell all the banks that advocate and supply Rapport, for example.

http://personal.natwest.com/global/security-centre/rapport.html?DCMP=OTC-rapportFURL

http://www.hsbc.co.uk/1/2/contact-and-support/security-centre/downloadshttp://www.hsbc.co.uk/1/2/contact-and-support/security-centre/downloads

Or that advocate and supply other security software:

http://www.barclays.co.uk/Helpsupport/FreeInternetSecuritySoftwarefromKasperskyBarclays/P1242557966961

Or that provide relatively detailed advice:

https://www.lloydsbank.com/help-guidance/security/what-can-you-do.asp

Now we can argue about the quality and wisdom of some of the advice, and Trusteer Rapport in particular has been the focus of much debate. And we can express concern that those of us that use minority computer platforms might find ourselves having trouble gettings frauds dealt with if we aren't running their recommended security software, even if we can't (although there's no evidence this has happened). But quite what "dodgy ground" do you think these banks are on, and why aren't they as worried about it as you are on their behalf?

securityguy

ChiefGrasscutter wrote: »

So experts, how do we think it was done, given that the OP was at home on their own wifi.

I would guess that it managed to convince the OP to install a browser extension, or it subverted controls on installing them. I'm somewhat surprised the bank didn't want to have a look at the computer forensically, as it's a potentially very nasty attack.

The hard core paranoid, by the way, maintain a separate virtual machine which they only use for banking. I don't bother: I'm willing to gamble on the two-factor requirement involved in setting up new payees, I don't use any of the money transfer services which can circumvent it (ie, I don't have them already set up as payees). So I hope - no-one can be certain, but I hope - that I would only be at risk from a social engineering attack, and my natural scepticism would be enough. Maybe I'm wrong. And of course, using a separate VM doesn't protect you against courier fraud, which is far and away the current most common attack.

Ashmil

securityguy wrote: »

Someone should tell all the banks that advocate and supply Rapport, for example.

What is the thinking about Rapport? Is it not trusted by some?

Kernel_Sanders

MABLE wrote: »

They normally do refund as a matter of course straight away

My understanding is that this is not the case when the victim has set up a new payment to the fraudster's account.

On Wiki it states
'......although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone'

Would using the SIM you have registered for SMS verification in a non-smartphone mean this fraud would be unsuccessful?

grumbler

Ashmil wrote: »

What is the thinking about Rapport? Is it not trusted by some?

AFAIK it protects only from fake copycat websites, not from MitB.

However, now, with pinsentry and other forms of extra authorisations in place, common sense, if used, is sufficient and no software can substitute it. Not sure about SMS verification.