How safe is online banking?

Funky Munky

Hi,

Im new to all this internet banking malarky and I was wondering how safe it is in relation to someone hacking your account etc? I use AdAware, Spybot S&D and Avast online so hopefully this is enough?

Cheers in advance

Ruu_Old

I have used banking365 for years and other online banking and I have never had a problem with hijacking of accounts nor have I heard of it happening to anyone I know. What service (BOI, AIB?) are you using as a matter of interest?

Black Swan

They have had a serious problem in the States with pfishing and keyloggers.

Ruu_Old

Blue_Lagoon wrote:

They have had a serious problem in the States with pfishing and keyloggers.

Yes its been alot more common nowadays in the Irish banking system also.

Fr0g

I have got several emails in the last two weeks purporting to be from BoI asking me to log on and confirm my banking details. I do not have a BoI account. I have been using online banking for many years now and have never had any problems with it in relation to security. You do have to be aware of phishing scams like this though. Banks will never send you an email or cold call you asking you for your details. Also dont logon to your banks website from a link or bookmark/favourites, always type it in to the address bar manually.

GP

I'd suggest a lot safer than handing over my CC in a restaurant / pub / shop etc. etc..

Ruu_Old

Remember that sites marked with https are your friend.

NutJob

If you get any popups saying that the certificate is invalid RUN AWAY!

Type the URL to the website in manually. No link clicking no favourites

All should be well if ur machine has been swept by the tools you mentioned.

Sleipnir

I would say that it's safer than using your ATM card in a machine these days.

GlennaMaddy

Ruu wrote:

Remember that sites marked with https are your friend.

Yes, but there's more to it than that. There is an emerging trend in computer viruses that can hook into your browser and see what clicks and keys you are using on the website.
These so called key loggers have existed for a while, but rather than capturing every click and keystroke, they now are tailored for specific banking website. For example, they are specifically looking for your on line PIN's and accounts Once sufficient data has been collected the info is passed to the the virus writers.

Https only protects info by encrypting info sent between your PC and the banks website, but the data can be hacked by this type of virus BEFORE the information is encrypted.

liamo

I've been using on-line banking for years with no problem.

To answer the question in a slightly roundabout way ....

The On-Line Banking service provided by banks is safe.
How safe one's experience with On-Line Banking might be depends on how safe one's browsing habits are.

Or, to put it another way, if a user responded to a phishing attempt purporting to be from AIB (for example) and got ripped of as a result, that user might well blame On-Line Banking in general when, in fact, the issue is one of user education.

Ditto for using an On-Line Banking service from a home PC that's riddled with viruses, or using an On-Line Banking service from an Internet Cafe - that's just asking for trouble.

Regards,

Liam

DamoKen

GlennaMaddy wrote:

Yes, but there's more to it than that. There is an emerging trend in computer viruses that can hook into your browser and see what clicks and keys you are using on the website.
These so called key loggers have existed for a while, but rather than capturing every click and keystroke, they now are tailored for specific banking website. For example, they are specifically looking for your on line PIN's and accounts Once sufficient data has been collected the info is passed to the the virus writers.

Https only protects info by encrypting info sent between your PC and the banks website, but the data can be hacked by this type of virus BEFORE the information is encrypted.

true, this is why a good firewall is essential, monitor all incoming and more importantly outgoing traffic. Plenty of good free ones out there.

quinta

Credit Card security for example comes from the Credit Card processing rules not from the use of SSL and so forth. You can safely repudiate false credit card payments.

Ruu_Old

I normally get one of them phishing emails every once in a while, today I got five (one from Natwest, three from Bank of Scotland and one more Lloyds)

matrim

If your browsing habits are safe, then online banking will be safe. By this I mean your computer is reaguarly checked for viruses and malware.

One thing I would like to see introduces is once off pins (I don't know if there is a technical term for this). Banks in Sweden and other countries use these.You get a card with a few hundred pins on it and use them in sequence when you login.

Saruman

Ulster bank is pretty damn secure... Used to be the case you could only log on from a pc that had a certain digital cert. I think AIB is the same.
Now you can log on anywhere however you are never asked for your full details.
You are asked for random parts of your pin and random parts of a password.

I doubt even the best keylogger can figure out what these random letters and numbers mean as they are never put in any order. And im pretty sure they cant read the question off the net so they would not know im typing in the 5th letter of my password and the 2nd digit of my pin etc.

JohnnieM

once you see the ssl certificate your fine...
Never use on line banking in an internet cafe and if you have to do something and your afraid a key logger you could have your passwords pre saved on a different word documents and cut and paste them.in to another word doc to make up your passwords etc . beats key loggers

swiss

I doubt even the best keylogger can figure out what these random letters and numbers mean as they are never put in any order. And im pretty sure they cant read the question off the net so they would not know im typing in the 5th letter of my password and the 2nd digit of my pin etc.

True, but two phase authentication (which I believe is the correct term for this type of login procedure) isn't a panacea either. There have been cases of phishing sites that ask you for a "random" three numbers of your PIN - if for example you have a 6 digit PIN - then gives a warning "error" when you submit, asking you for the other three. Although yes, it would certainly cut down on the risk from keyloggers, if you log in multiple times to your banking website you could see how a diligent fraudster could similarly try to reconstruct your PIN.

SSL certificates aren't perfect either. I believe there was a case some time ago where a company registered a certificate with a name similar to that of a bank and registered with a root CA (Thawte if memory serves). That company then proceeded to use phishing attacks to redirect people to their similar sounding and looking website - SSL secured - and steal their login details.

I don't mean to make it sound as if banking is inherently insecure. But it certainly isn't inherently secure as it currently stands. As long as you take sensible security precautions you should be fine, but bear in mind that attack vectors exist.


[edit]
As for keyloggers, what I would suggest is using charmap on a windows system to copy/paste in a few characters of your password if you're suspicious
[/edit]

i71jskz5xu42pb

bedlam wrote:

Not always, it is trivial to perform a Man in the middle attack on SSL sessions.

Really? Step five of the site
>5. It’s time to create a fake certificate for hotmail
How exacly do you suggest this is done? A fake certificate i.e. one not generated by a root certificate (installed in the browser) will throw all kinds of security warnings to the user when browsing.
One of the major points of SSL is to prevent MITM attack.

DamoKen wrote:

true, this is why a good firewall is essential, monitor all incoming and more importantly outgoing traffic.

If the keylogger is insalled on your machine then it'd be pretty trivial for it to transfer the data out via your browser - there's not a lot your firewall is going to do about that. In fact if anything has been maliciously installed on your machine most bets are off.

Funky Munky - If your looking for really secure online banking you should be looking at a bank that provides a hardware based authentication like RaboDirect do now and BOI used to do when they launched initially (don't know if any of the other banks do this).

But all the security in the world is not going to guarantee you anything unless your machine is well protected against viruses, etc per the advice from other posters.

NutJob

PaschalNee wrote:

Really? Step five of the site
>5. It’s time to create a fake certificate for hotmail
How exacly do you suggest this is done? A fake certificate i.e. one not generated by a root certificate (installed in the browser) will throw all kinds of security warnings to the user when browsing.
One of the major points of SSL is to prevent MITM attack.

How many users will say yes to an invalid cert?

Average users tend not to care as long as it works.
And i have run ssl man in the middle as a demo.
Plus there are commercal proxys that preform SSL man in the middle to scan the content for crapware.

Also mirroring the site using no cert and destination natting/or dns poisoning on a lan is just as valid an an attack vector. Kind like lan fishin

These attacks require access to your lan.

As for keylogers + crapware thats down to how secure you keep ur pc and how securely your pc is used.

I have yet to have problems on my xp system.

themole

matrim wrote:

If your browsing habits are safe, then online banking will be safe. By this I mean your computer is reaguarly checked for viruses and malware.

One thing I would like to see introduces is once off pins (I don't know if there is a technical term for this). Banks in Sweden and other countries use these.You get a card with a few hundred pins on it and use them in sequence when you login.

With AIB if you want to add an account to transfer money to online you need to have a code card.
its a card with a a list of numbers. the system ask you for ie code 23 and then you lookup the 4 digit corresponding number. each number is used only once. when you are close to running out they post you out a new card.

not a bad system.

Another thing about aib is that if you enter you pin wrong three times you are locked out of the system and you have to wait for a new code to be posted out. This happened to me before. it was a pain in the whole. there was no warning , but in theend they are just being cautious, which is probably worth my inconvenience.