
PC been hacked how do I protect my bank accounts?


  • Sg28
    Sg28 Posts: 450 Forumite
    Third Anniversary 100 Posts Name Dropper
    km1500 said:
    this might be better moved to the techie board
    Yes answers would be much better there.
    Ex Sg27 (long forgotten log in details)

    Massive thank you to those on the long since defunct Matched Betting board.
  • Sg28
    Sg28 Posts: 450 Forumite
    Third Anniversary 100 Posts Name Dropper
    km1500 said:
    it would be interesting to know how clicking on a link and downloading an attachment and even running an attachment would lock you out of your Steam account and your google account.

    does anybody have any idea how this works?
    Downloading an attachment can secretly install malware (a virus) which can do virtually anything imaginable. There are thousands of different malwares which can do whatever you need it to. Hackers can: control your computer, move your mouse and run programs etc, turn on microphone and camera and record, steal files, log keystrokes to harvest usernames/passwords, read and send emails, even access other computers on your home wifi network, access IoT devices on the network such as security cameras, TVs, thermostats etc. It's pretty incredible what is possible.
    Ex Sg27 (long forgotten log in details)

    Massive thank you to those on the long since defunct Matched Betting board.
  • booneruk
    booneruk Posts: 735 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    edited 19 April 2024 at 1:43PM

    Sg28 said:
    A decent hacker with enough resources can crack most encryptions.
    Technically not - this is off topic really, but if a platform is using reasonably up to date encryption techniques (you'd imagine most banks and big platforms are) such as SHA-256 and other techniques such as salting then brute forcing stolen password hashes would take a powerful computer years depending on the complexity of the password, and when ultra complex passwords are used it would likely take a team of computers thousands of years.

    It's when people use dictionary words or common silly passwords such as secret123 etc on platforms with weaker security measures where password hashes can be brute forced in a blink of an eye.
  • Sg28
    Sg28 Posts: 450 Forumite
    Third Anniversary 100 Posts Name Dropper
    edited 19 April 2024 at 1:57PM
    booneruk said:

    Sg28 said:
    A decent hacker with enough resources can crack most encryptions.
    Technically not - this is off topic really, but if a platform is using reasonably up to date encryption techniques (you'd imagine most banks and big platforms are) such as SHA-256 and other techniques such as salting then brute forcing stolen password hashes would take a powerful computer years depending on the complexity of the password, and when ultra complex passwords are used it would likely take a team of computers thousands of years.

    It's when people use dictionary words or common silly passwords such as secret123 etc on platforms with weaker security measures where password hashes can be brute forced in a blink of an eye.
    Yes, which is why I said most. However an individual sitting at home with one PC is probably not likely to keep up to date with the latest encryption methods and would still be vulnerable.

    I think the most common password is still something like 123456. I remember reading something like the top 5000 most common passwords will give you access to 20% of all accounts. Pretty crazy.

    For people forgetful or non-tech-savvy a good compromise is a pass phrase rather than a single word. Like Housediamondtelevision for example.
    Ex Sg27 (long forgotten log in details)

    Massive thank you to those on the long since defunct Matched Betting board.
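
The salting, common-password and pass-phrase points in the two posts above, as an added example that is not part of the thread: it uses PBKDF2-HMAC-SHA256 from Python's standard library as the salted hash (the posts name only SHA-256 and salting). The denylist, the iteration count and the 7776-word list size are assumptions made for this sketch.

```python
import hashlib
import hmac
import math
import os

# Constructed sample denylist; a real service would load a large list of breached passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "secret123", "letmein123"}
ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to your own hardware


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh random salt makes equal passwords hash differently."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, expected, iterations=ITERATIONS):
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def is_common(password):
    """Reject choices on the denylist regardless of how they would be hashed."""
    return password.lower() in COMMON_PASSWORDS


def search_space_bits(choices, length):
    """Bits of guessing work when each of `length` items is picked at random from `choices`."""
    return length * math.log2(choices)


if __name__ == "__main__":
    salt_a, hash_a = hash_password("secret123")
    salt_b, hash_b = hash_password("secret123")
    print("same password, different salts, same hash?", hash_a == hash_b)
    print("verifies with stored salt:", verify_password("secret123", salt_a, hash_a))
    print("secret123 on denylist:", is_common("secret123"))
    # 7776 is the size of a Diceware-style word list (assumption for this example).
    for words in (3, 4, 5):
        print(words, "random words:", round(search_space_bits(7776, words), 1), "bits")
```

The bit estimate only holds when the words or characters are chosen at random; a password that appears on a common-password list is found by lookup however it was hashed.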
  • GeoffTF
    GeoffTF Posts: 2,023 Forumite
    1,000 Posts Third Anniversary Photogenic Name Dropper
    dunstonh said:
    We gave the Yubi keys a go (similar to Titan) but found they just got left plugged into the USB slot, which was fine if there was a remote hack/theft but not pretty useless if it was a physical theft.
    You can get YubiKeys that also require a fingerprint for authentication:
    Both YubiKey and Titan support the FIDO2 protocol.
  • masonic
    masonic Posts: 27,181 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 19 April 2024 at 2:56PM
    Sg28 said:
    booneruk said:

    Sg28 said:
    A decent hacker with enough resources can crack most encryptions.
    Technically not - this is off topic really, but if a platform is using reasonably up to date encryption techniques (you'd imagine most banks and big platforms are) such as SHA-256 and other techniques such as salting then brute forcing stolen password hashes would take a powerful computer years depending on the complexity of the password, and when ultra complex passwords are used it would likely take a team of computers thousands of years.

    It's when people use dictionary words or common silly passwords such as secret123 etc on platforms with weaker security measures where password hashes can be brute forced in a blink of an eye.
    Yes, which is why I said most. However an individual sitting at home with one PC is probably not likely to keep up to date with the latest encryption methods and would still be vulnerable.

    I think the most common password is still something like 123456. I remember reading something like the top 5000 most common passwords will give you access to 20% of all accounts. Pretty crazy.

    For people forgetful or non-tech-savvy a good compromise is a pass phrase rather than a single word. Like Housediamondtelevision for example.
    The tools mentioned upthread would be suitable, but the Achilles heel of any encrypted vault is that it must be decrypted to access the contents. As you've pointed out, doing that on a compromised device effectively hands the keys and contents to anyone monitoring.
  • booneruk
    booneruk Posts: 735 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    edited 19 April 2024 at 3:11PM
    Sg28 said:

    For people forgetful or non-tech-savvy a good compromise is a pass phrase rather than a single word. Like Housediamondtelevision for example.
    And of course, people who use simple passwords could well use them for all their services too. Imagine if they used letmein123 for their PC login, email accounts, bank, social media etc and their PC was compromised. Ouch.
  • tigerspill
    tigerspill Posts: 837 Forumite
    Tenth Anniversary 500 Posts Name Dropper
    edited 19 April 2024 at 3:23PM
    Sg28 said:
    jimexbox said:
    masonic said:
    jimexbox said:

    Hi DS PC has been hacked how's the best way to protect his bank accounts?

    sx
    Hopefully they don't save all passwords/log-in information in a file?
    If anyone does store sensitive information on their PC, use something like Veracrypt to strongly encrypt the file. Or better, encrypt the file to a USB stick.
    Such a precaution is useful in case the device is lost or stolen, but not much use if the contents are accessed on a compromised device.
    An encrypted file is useless to anyone without the key. Be that a hacker or a thief.
    A decent hacker with enough resources can crack most encryptions.

    Unlikely they'd bother with the effort for a random individual, unless it's poor encryption.
    This isn't the case if passwords are strong and changed regularly and re-encrypted with the latest algorithms. Minimum of every year.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    Sg28 said:
    km1500 said:
    it would be interesting to know how clicking on a link and downloading an attachment and even running an attachment would lock you out of your Steam account and your google account.

    does anybody have any idea how this works?
    Downloading an attachment can secretly install malware (a virus) which can do virtually anything imaginable. There are thousands of different malwares which can do whatever you need it to. Hackers can: control your computer, move your mouse and run programs etc, turn on microphone and camera and record, steal files, log keystrokes to harvest usernames/passwords, read and send emails, even access other computers on your home wifi network, access IoT devices on the network such as security cameras, TVs, thermostats etc. It's pretty incredible what is possible.
    yes thank you for that I understand what you are saying but what I would like to know is how an executable attachment that you download can lock you out of your Steam and Google accounts ie what would it do to accomplish this
  • booneruk
    booneruk Posts: 735 Forumite
    Sixth Anniversary 500 Posts Name Dropper
    edited 19 April 2024 at 5:47PM
    km1500 said:

    yes thank you for that I understand what you are saying but what I would like to know is how an executable attachment that you download can lock you out of your Steam and Google accounts ie what would it do to accomplish this
    Malware could feasibly scan the computer for various accounts, Steam etc and then try at guessing passwords (a password to begin with could have been keylogged, or brute forced from the infected PC).

    Enter a password wrong too many times = account locked. This goes for humans or malware.

    Quite often online services have activity pages, it might be worth looking here to see what's listed (I wouldn't log into these on a device that might be compromised by the way)

    https://help.steampowered.com/en/accountdata/SteamLoginHistory
    https://accounts.google.com/ServiceLogin?service=statement
    https://account.live.com/Activity

    There'll also be account recovery processes that can be completed for each of these services - again, ensure a non compromised device is used.

    I suspect you're not being told the full story - downloading something malicious and running it on a Windows machine should have set off all kinds of warnings from the built in Microsoft Defender. "Untrusted program" etc. If these warnings were ignored then it's anything can happen territory.

    The warning would have looked something like this:

    Windows Defender warning for self created exe - Microsoft QA