Internet banking fraud

Rocker
26th July 2005, 07:42 AM
I have a suggestion whereby the banks could counter internet banking fraud, which I would like to run past any experts in the field who might be on this forum.

As I understand it, much of this fraud results from criminals installing Trojans on computers and then harvesting PIN numbers. It seems to me that this could be countered as follows: When you log in, the bank's computer would generate a random 4-digit number that was smaller than your PIN number, and display it on your screen. Then, instead of entering your PIN number (and thus revealing it to a Trojan), you would enter the number that was the difference between the randomly-generated number and your PIN number. e.g., if your PIN number were 6464, and the randomly-generated number was 4797, you would enter 1667 (6464-4797). In this way it would be impossible for a keystroke-reading Trojan to harvest your PIN number.

I am not sure, though, whether a Trojan would be able to read the randomly-generated number sent by the bank's computer. If so, my idea would be ineffective, of course.

Rocker

Gingermick
26th July 2005, 08:04 AM
But I want to check if my balance has risen over $4 quickly and it would take hours to do those sums on my abacus.

Rocker
26th July 2005, 09:25 AM
G_mick,

Maybe the banks could also just accept the PIN number for people who were too brain-damaged, or could not be bothered, to do the subtraction, on the understanding that such people would not be compensated, if their PIN number was stolen by a Trojan.

Rocker

knucklehead
26th July 2005, 09:44 AM
Rocker, some years ago my bank used an on screen key pad for entering the pin. A keypad would pop up on your screen; you then entered your pin by clicking the appropriate buttons with the mouse. This means that no numbers are directly entered or logged on your computer. Every time you logged in the keypad would be in a different spot on your screen so it was difficult to work out what was being entered from the cursor position.

For some reason they stopped using this system.

silentC
26th July 2005, 09:55 AM
Commonwealth Bank's Netbank used to work that way.

Now they put up a code table. You type the corresponding letter from the code table for each number in your PIN. The code table is different each time you log in.

routermaniac
26th July 2005, 10:01 AM
Rocker, that's a pretty difficult thing to do. What if your PIN was alphanumeric or 8-10 numerals?

Also not sure what you meant by logging in... did you mean getting into the PC or the website or actually logging into the service... because if you meant the latter obviously the PIN needs to be in already... and hence still exposed to the trojan.

A much safer thing to do, albeit not the most convenient, is to only use your computer for banking and make sure that it is up to date with firewalls, etc.

bitingmidge
26th July 2005, 10:21 AM
As I have had reinforced in a discussion today, "random number generators" aren't actually generating numbers randomly at all. They are merely generating numbers in a complex sequence or algorithm.

In the course of our business we regularly transfer rather large sums of money, and the bank concerned has taken note of Rocker's advice.

It has issued each of the signatories of the account with a little RNG (random number generator) which is tuned exactly to a parallel generator back in some dark room at the bank. The numbers change every two minutes.

When a transaction is made, there is a two minute time frame to log in the number, do the business and get out.

So now all you need to do is hijack the bank's one, be online at exactly the time the transaction is occurring, and do your criminal business in what's left of the two minutes I guess.

Cheers,

P
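The two-minute token Midge describes is usually not a pair of synchronised random number generators at all but a shared secret plus a clock: both the pendant and the bank compute a keyed hash over the current time step. The following is an added worked example, not the bank's device or any vendor's code; it uses the standard HOTP/TOTP construction (RFC 4226 / RFC 6238) with a constructed secret, a 120 second step to match the post, and a constructed timestamp. The bank side also remembers the last accepted counter, which is what stops someone who captures a code from reusing it "in what's left of the two minutes".

```python
import hashlib
import hmac
import struct

# Constructed demo values (not any bank's): the token and the bank each hold a
# copy of SHARED_SECRET; codes roll over every STEP_SECONDS, as in the thread.
SHARED_SECRET = b"constructed-demo-secret-not-a-real-key"
STEP_SECONDS = 120
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time code (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based code (RFC 6238): the counter is the number of elapsed steps,
    so the pendant needs only a clock and the secret, not a link to the bank."""
    return hotp(secret, unix_time // step)


class TokenVerifier:
    """Bank side. Accepts the current step plus `skew` steps either side to
    tolerate clock drift, and remembers the last accepted counter so a code
    captured and replayed inside its own window is refused as well."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_counter = -1

    def check(self, submitted: str, unix_time: int) -> bool:
        base = unix_time // self.step
        for delta in range(-self.skew, self.skew + 1):
            counter = base + delta
            if counter <= self.last_counter:
                continue  # this step (or an older one) already used: replay
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = 1_122_000_000  # constructed timestamp
    code = totp(SHARED_SECRET, now)
    bank = TokenVerifier(SHARED_SECRET)
    print("fresh code accepted:", bank.check(code, now))
    print("same code replayed 30 s later:", bank.check(code, now + 30))
    print("same code ten steps later:", bank.check(code, now + 10 * STEP_SECONDS))
```

The point for the thread's "hijack the bank's one" worry: there is no stream of numbers to intercept, only a secret that never leaves the device or the bank's verifier, and a code is useless once its step has been consumed or has passed.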

Zed
26th July 2005, 10:24 AM
Being in the industry I'm in, I can attest that after the holocaust the only survivors will be telcos, banks & cockroaches. :D

silentC
26th July 2005, 10:29 AM
... "random number generators" aren't actually generating numbers randomly at all. They are merely generating numbers in a complex sequence or algorithm.
Interesting point that. Given the same seed, a computer will always generate the same sequence of 'random' numbers. It is the seed that contributes the random aspect to the algorithm. Most computers would use something from the time and date or a 'random' location of memory as the seed. If you can generate the same circumstances, you could conceivably generate the same 'random' numbers.

Those gadgets have been around for a while but are only available to 'certain' clients - ie. the ones who will make the bank lots of money. Fell privileged, Midge. ;)

BTW the 'bank's one' would be a black box in a modem cabinet in the comms room. If you can get in there to hijack it, you probably won't need it ;)

Zed
26th July 2005, 10:36 AM
I can feel this thread touching on encryption... Did anyone watch that show on Aunty that discussed military encryption /maths /etc some time back? I remember the host mentioned (don't know if this is true) that commercial encryption by law lagged military encryption by 20 or 40 yrs - can't remember exactly the time frame..... I dare say in the computer age this may have shortened by definition if not by law.

bitingmidge
26th July 2005, 10:42 AM
Those gadgets have been around for a while but are only available to 'certain' clients - ie. the ones who will make the bank lots of money. Fell privileged, Midge. ;)

Ohhhh yeah.... we make the banks LOTS of money, but it doesn't feel like a privilege?? :confused: :confused: :confused:


P :D

Rocker
26th July 2005, 10:48 AM
SilentC,

It seems then that the present Commonwealth Bank system is a rather more sophisticated implementation of my idea. I can't understand why Westpac doesn't adopt the same system. They still just get you to enter an unencrypted PIN number :(

Rocker

silentC
26th July 2005, 10:56 AM
That typo of mine was a bit Freudian:

Fell: adjective fierce; cruel; dreadful: *She thinks a man goes out with a girl for one fell purpose. --SUTTON WOODFIELD, 1960. 2. destructive; deadly: fell poison; fell disease.

The 'strength' of encryption is generally spoken of in terms of bits eg. 128 bit encryption. This describes the length of the keys that are used to perform the encryption. The longer they are, in essence the more permutations there are for an encryption breaker to go through. Given time, all two-way (reversible) encryption can be broken.

There are types of encryption that cannot be broken (hashing) but they are not useful for information exchange because the original message cannot be restored even by the encryptor. These are used for example to encrypt passwords stored in databases. The only comparison ever done is between the encrypted version in the database and the encrypted version of what the user typed in, so it is not necessary to be able to un-encrypt it.

For a long time, the US would not allow the stronger encryption (larger keys) to be exported outside the States. As far as I know that has now been reversed - but probably only because they found something better to use.
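The password-storage comparison SilentC describes (hash what was typed, compare with the stored hash, never reverse anything), as an added worked example that is not from the thread or any bank: a record holds a random per-user salt and a PBKDF2-HMAC-SHA256 digest, and verification recomputes the digest from the candidate password and compares it in constant time. The iteration count and salt size are constructed demo parameters.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters (not any bank's): a random per-record salt so two users
# with the same password get different records, and a high iteration count so
# every guess costs the guesser the same work it costs the verifier.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """One-way: the stored record can be recomputed from the password but the
    password cannot be recovered from the record. Format (our own choice):
    algorithm$iterations$salt_b64$digest_b64"""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_sha256",
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(candidate: str, record: str) -> bool:
    """Hash what the user typed with the record's own salt and iteration count,
    then compare digests in constant time so timing does not leak how many
    leading bytes of a guess were right."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        stored = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed record: never accept
    if algorithm != "pbkdf2_sha256":
        return False
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(computed, stored)


if __name__ == "__main__":
    rec = make_record("correct horse battery")      # constructed password
    print(rec)
    print("right password:", verify_password("correct horse battery", rec))
    print("wrong password:", verify_password("correct horse battery!", rec))
```

Storing the iteration count inside the record is what lets a site raise the work factor later without locking out existing users: old records keep verifying at their own count and are re-hashed at the next successful login.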

Rocker
26th July 2005, 10:59 AM
Rocker, that's a pretty difficult thing to do. What if your PIN was alphanumeric or 8-10 numerals?

Also not sure what you meant by logging in... did you mean getting into the PC or the website or actually logging into the service... because if you meant the latter obviously the PIN needs to be in already... and hence still exposed to the trojan.

A much safer thing to do, albeit not the most convenient, is to only use your computer for banking and make sure that it is up to date with firewalls, etc.

RM,

When you log on to Internet Banking, you first enter your login-ID, i.e. your customer number, which tells the bank what PIN number to expect. You then enter a 4-digit PIN number. It is not alphanumeric, and is always 4 digits.
However, as SilentC has explained, the Commonwealth Bank already uses a more sophisticated version of my idea. I just wish all banks would.

Rocker

Daddles
26th July 2005, 11:00 AM
Does anyone else long for the 'good old days' when secure banking meant you had a large, steel bound oak box in the basement, liberally wrapped with heavy chain interlinked with large padlocks, all capped off with a very large, very hungry and bad tempered mongrel dog.

Sigh
Richard

silentC
26th July 2005, 11:03 AM
You can still do that if you want. Nothing that a pair of bolt cutters and a shotgun or a steak laced with arsenic wouldn't take care of though. :D

Ashore
26th July 2005, 11:27 AM
Does anyone else long for the 'good old days' when secure banking meant you had a large, steel bound oak box in the basement, liberally wrapped with heavy chain interlinked with large padlocks, all capped off with a very large, very hungry and bad tempered mongrel dog.
Don't know how you got in to see it, but I'm changing the locks on the basement door.

Silent

I saw a conspiracy show once that said the US stopped at 128-bit encryption for public use because any stronger and the FBI computers then wouldn't be able to crack it.

The trouble with life is there's no background music.

DanP
26th July 2005, 11:38 AM
Commonwealth Bank's Netbank used to work that way.

Now they put up a code table. You type the corresponding letter from the code table for each number in your PIN. The code table is different each time you log in.

I'm with them and I've never seen anything but an ID and password login. :confused:

Doesn't matter anyway, the true thieves are the banks. :mad:

station-rat
26th July 2005, 11:40 AM
I am with you DanP, only a Client Number and then the Password?
Station-rat :)

silentC
26th July 2005, 11:42 AM
Oops, my mistake :o

It's not Netbank, it's our other bank that does that - IMB. Yes, Netbank has a userid and password setup, not a PIN number.

You also have to move your mouse until a yellow bar runs right across the screen. Another way of making sure it's a real person looking at the screen.

Stuart
26th July 2005, 01:30 PM
Perhaps the bank should move towards smart cards- you can buy keyboards commercially that accept them, just plug the smartcard in and away you go (banks have been using this system in-house for ages).

"The trouble with life is there's no background music."
Buy an iPod!

Ashore
26th July 2005, 01:38 PM
"The trouble with life is there's no background music."
Buy an iPod!
Don't you Mac guys ever give up trying to get us to convert?

I'll bet you had a beta video too.

The trouble with life is there's no background music.

silentC
26th July 2005, 01:42 PM
Perhaps the bank should move towards smart cards
There's been talk of that for years. I've seen the keyboards that take them (Australian invention - Keycorp) and they use them in the branches.

At the end of the day, it's a matter of calculated risk. Is it worth the money to develop a watertight system vs. the cost of copping it sweet when someone rorts it? If you're making a 2 billion dollar profit p.a., at what point do losses to fraudulent activity become more than a nuisance?

Stuart
26th July 2005, 01:54 PM
I'm PC actually. No wait, I'm not very PC at all, but I use PCs... Course, I do have an Apple ][e in my office, and a Mac Mini, and an iPod...... However, that is balanced against the 4 PCs, so I'm still non PC enough to say that I favour PCs, so long as its not PC to mention this........

If anyone actually understands the mixed TLAs here then more power to you!

silentC
26th July 2005, 01:58 PM
You do know what TLA stands for, don't you Stuart? :D

Daddles
26th July 2005, 02:19 PM
If anyone actually understands the mixed TLAs here then more power to you!

Stuart, the bottle of thinners is for cleaning BRUSHES :D

Richard

Ashore
26th July 2005, 02:36 PM
Stuart, the question stands: "were you a beta loser or not?"

The trouble with life is there's no background music.

silentC
26th July 2005, 03:09 PM
Mr Ashore, do you type your signature line in every time?

Sturdee
26th July 2005, 05:01 PM
RM,

When you log on to Internet Banking, you first enter your login-ID, i.e. your customer number, which tells the bank what PIN number to expect. You then enter a 4-digit PIN number. It is not alphanumeric, and is always 4 digits.
However, as SilentC has explained, the Commonwealth Bank already uses a more sophisticated version of my idea. I just wish all banks would.

Rocker


Rocker, for my internet banking with the Commonwealth I have a 6 digit pin, for the ANZ and Westpac an 8 digit alphanumeric pin.

Only on eftpos cards have they numeric pins with 4 digits for ANZ and Westpac and 6 digits for Commonwealth.

Must be different up north.


Peter.

Gumby
26th July 2005, 05:08 PM
RM,

When you log on to Internet Banking, you first enter your login-ID, i.e. your customer number, which tells the bank what PIN number to expect. You then enter a 4-digit PIN number. It is not alphanumeric, and is always 4 digits.


The 3 I use for internet banking are:

The NAB is a 6 digit alpha/numeric

Bendigo Bank is same,

CBA is 6 but only numeric

Rocker
26th July 2005, 06:54 PM
Rocker, for my internet banking with the Commonwealth I have a 6 digit pin, for the ANZ and Westpac an 8 digit alphanumeric pin.

Only on eftpos cards have they numeric pins with 4 digits for ANZ and Westpac and 6 digits for Commonwealth.

Must be different up north.


Peter.

Sturdee,
You are of course correct; I must have been having a senior moment. Well, actually my Westpac online banking password is 6-digit alphanumeric.
Rocker

Gingermick
26th July 2005, 07:55 PM
The Credit union I'm with has a log-in code and a separate code for external transfers.

Ashore
26th July 2005, 09:09 PM
Mr Ashore, do you type your signature line in every time?

Silent,
No, I use a freeware program I found called 101 Clips. It allows you to retain up to 30 things - text, pictures, web pages etc - on your clipboard instead of just the last thing you saved.
You just line up your cursor, open 101 Clips from the task bar and click on the entry you want.
Find it under Google: 101 clips

Rgds
Russell

Don't take life too seriously; no one gets out alive.

knucklehead
26th July 2005, 09:39 PM
Several people have mentioned that their pin numbers are sent unencrypted.

Every bank in Australia will be using an encrypted web session. This is visible via the little padlock on the bottom right of the browser. The web address will probably start with https://.
This means that the whole session should be encrypted with either a 64 bit or 128 bit (depending on browser) key.
These sessions have many shortcomings and ways to crack them, but by far the way most people get stung is by following a link to a dodgy website. Always go to your banking site via your favourite links (never via an email) and check that the padlock appears.
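Knucklehead's two rules, https plus "go via your own link, not one in an email", can be written down as a check. The following is an added example, not from the thread or any bank's software: it takes a link and accepts it only if it is https and its host is exactly one of the customer's bookmarked hosts. The allowlist domain is a constructed placeholder, and the constructed sample links show the common ways a dodgy link is dressed up to look like the bank (a look-alike subdomain, a `user@` prefix, a raw IP address, non-ASCII look-alike letters, plain http).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist standing in for the customer's own bookmark; the domain
# is a placeholder, not any real bank's.
TRUSTED_HOSTS = {"www.examplebank.example"}


def is_trusted_banking_url(url: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """True only for an https URL whose host is exactly a bookmarked host."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":      # plain http: no padlock at all
        return False
    host = parts.hostname                     # drops "user@", ":port", lowercases
    if not host:
        return False
    try:
        ipaddress.ip_address(host)            # a bare IP address is never the bank
        return False
    except ValueError:
        pass
    if not host.isascii():                    # look-alike (IDN) characters
        return False
    # Exact match only: "www.examplebank.example.evil.example" is not the bank.
    return host.rstrip(".") in trusted_hosts


def links_not_to_follow(urls):
    """Run the check over a batch of links, e.g. everything in an e-mail, and
    return the ones the customer should not click."""
    return [u for u in urls if not is_trusted_banking_url(u)]


# Constructed sample links for the demonstration.
SAMPLE_LINKS = [
    "https://www.examplebank.example/netbank/login",        # the bookmark: fine
    "https://WWW.ExampleBank.Example:443/",                  # same host, fine
    "http://www.examplebank.example/",                       # no https
    "https://www.examplebank.example.evil.example/login",    # look-alike subdomain
    "https://www.examplebank.example@evil.example/login",    # real host hidden after @
    "https://203.0.113.5/login",                             # raw IP address
    "https://www.ex\u0430mplebank.example/",                 # Cyrillic 'a' look-alike
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(("OK   " if is_trusted_banking_url(link) else "AVOID"), link)
```

The padlock only tells you the session is encrypted to whoever runs the site; it says nothing about whether that site is your bank. That is why the check above matches the host exactly against your own bookmark rather than looking for the bank's name anywhere in the address.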

MathewA
26th July 2005, 09:55 PM
As I have had reinforced in a discussion today, "random number generators" aren't actually generating numbers randomly at all. They are merely generating numbers in a complex sequence or algorithm.

In the course of our business we regularly transfer rather large sums of money, and the bank concerned has taken note of Rocker's advice.

It has issued each of the signatories of the account with a little RNG (random number generator) which is tuned exactly to a parallel generator back in some dark room at the bank. The numbers change every two minutes.

When a transaction is made, there is a two minute time frame to log in the number, do the business and get out.

So now all you need to do is hijack the bank's one, be online at exactly the time the transaction is occurring, and do your criminal business in what's left of the two minutes I guess.

Cheers,

P

Funny, I heard the same thing this morning.

kiwigeo
26th July 2005, 10:50 PM
Commonwealth Bank's Netbank used to work that way.

Now they put up a code table. You type the corresponding letter from the code table for each number in your PIN. The code table is different each time you log in.
When I log into CBA netbank I enter the password directly.... I don't see any code tables. Are you sure you're not logging into a fake netbank site run by the Russian mafia???

silentC
27th July 2005, 09:58 AM
You must've missed this:

Oops, my mistake

It's not Netbank, it's our other bank that does that - IMB. Yes, Netbank has a userid and password setup, not a PIN number.

Sturdee
27th July 2005, 05:27 PM
I must have been having a senior moment.

Love that phrase. :D I seem to get them too these days. :D


Peter.

Gingermick
27th July 2005, 07:29 PM
The other thing that may be possible is to have email confirmation for external transfers.

maybe

BrianR
29th July 2005, 03:55 PM
Rocker,

I don't think a Trojan would find it difficult to record the bank's random query to you and your reply and so reveal your PIN at one go. Bendigo Bank uses a little key pendant that generates a one-time verification number, when you press a button, that has a valid life of 1 minute. You use your user name, PIN and then this verification. Doesn't matter if a hacker got the PIN and user name as they are useless without this verification number.
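Brian's point applies to both schemes raised earlier in the thread: Rocker's subtraction challenge and the per-login code table. The following is an added worked example, not from any post or any bank: it simulates both schemes with the thread's own numbers (PIN 6464, challenge 4797, response 1667) and shows what is learned by malware that sees the screen as well as the keyboard (the PIN, in one login), versus a keylogger that sees only keystrokes (for the code table, a pattern that leaves a set of candidate PINs). The random source and the letter table are constructed for the demonstration.

```python
import random
import string
from typing import Dict

# ---- Scheme 1: Rocker's subtraction challenge --------------------------------

def make_challenge(pin: int, rng: random.Random) -> int:
    """Bank side: a random number smaller than the PIN, shown on the screen."""
    return rng.randrange(max(pin, 1))


def respond(pin: int, challenge: int) -> int:
    """Customer side: type PIN minus challenge instead of the PIN itself."""
    return pin - challenge


def recover_from_subtraction(challenge_seen: int, response_typed: int) -> int:
    """Malware that reads both the screen and the keyboard: PIN = challenge + response."""
    return challenge_seen + response_typed


# ---- Scheme 2: per-login code table (digit -> letter) ------------------------

def make_code_table(rng: random.Random) -> Dict[str, str]:
    """Bank side: a fresh digit-to-letter substitution for this login only."""
    letters = rng.sample(string.ascii_uppercase, 10)
    return dict(zip("0123456789", letters))


def type_with_table(pin: str, table: Dict[str, str]) -> str:
    """Customer side: type the letter standing for each PIN digit."""
    return "".join(table[d] for d in pin)


def recover_from_code_table(table_seen: Dict[str, str], typed: str) -> str:
    """Malware that saw the table on screen just inverts it."""
    inverse = {letter: digit for digit, letter in table_seen.items()}
    return "".join(inverse[c] for c in typed)


def keystrokes_only_candidates(typed: str) -> int:
    """A keylogger that never sees the screen learns only which positions share
    a digit. Count the PINs consistent with that pattern: with k distinct
    letters, 10 * 9 * ... * (10 - k + 1) assignments remain."""
    distinct = len(set(typed))
    remaining = 1
    for i in range(distinct):
        remaining *= 10 - i
    return remaining


if __name__ == "__main__":
    rng = random.Random(1)  # fixed seed so the demo is repeatable
    # Thread's numbers: PIN 6464, challenge 4797, customer types 1667.
    print("customer types", respond(6464, 4797))
    print("screen+keyboard observer recovers", recover_from_subtraction(4797, 1667))
    table = make_code_table(rng)
    typed = type_with_table("6464", table)
    print("letters typed", typed, "-> observer with the table recovers", recover_from_code_table(table, typed))
    print("keylogger alone: candidate PINs left for this pattern:", keystrokes_only_candidates(typed))
```

The code table does better than the subtraction scheme against a pure keylogger, but neither survives an observer that also captures the screen, which is exactly why the one-time pendant Brian describes moves the secret off the keyboard entirely.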

Rocker
29th July 2005, 06:31 PM
Brian,

Sounds good; if a Mexican bank can use a trojan-proof system, why not the Big Four?

Rocker

Gra
29th July 2005, 08:14 PM
I will have to reveal my hand here: I work in one of the 4 majors; no, I won't reveal which one. I don't use their net banking, but I do work from home, and to sign into their VPN from home I have one of those dongles that generates a random number every two minutes. This is run by an outside contractor, so to sign on you need your user ID, a PIN number and the number from the number generator. Why they don't use a similar system for their internet banking I don't understand, but then again I have worked for this bank for 18 years and still don't understand some of the management ideas....

silentC
1st August 2005, 09:32 AM
Why they dont use a similar system for their internet banking I dont understand
Cost.

Dr Dee
1st August 2005, 09:58 AM
Cost.
SilentC,
I am sure that if they did a real analysis of the costs the major banks would see it is worth it.

I currently work for a big Aus University and we use a SecurID, which is a small device like a USB memory stick, which displays a number for about 2 minutes. You have to enter this when logging into the financial systems etc with name and p/w etc.

At first (~5 years ago) the external company charged about $300ea. The Uni negotiated to buy in batches and now they are down to less than $100. I am told they have a simpler non-display type that you plug into the USB port and this can be interrogated by the login script. Saves the errors of input. These devices could easily be supplied by the banks.

Even though there would be a cost, think of the cost of investigating and covering just one fraud case. I will be very surprised if we don't see this happening soon.

cheers

silentC
1st August 2005, 10:39 AM
Only if they charge the user for it.

There is no way a bank is going to buy a $100 dongle for every online customer. I don't have any figures on how many Netbank users there are for example, but you would have to guess it to be in the tens of thousands. For 10,000 users it would cost them $1,000,000. Not to mention the cost of distributing them, supporting them, and changing the systems to handle them. I can just see the reaction in the boardroom when someone proposes that.

As for cost of investigating fraud, they hand that over to the Feds. Banks just write losses off.

Rocker
1st August 2005, 01:52 PM
Perhaps this is a case where the government regulator of the banks should force them to introduce secure systems, for the general benefit of the customers. As Dr Dee suggests, it is probably in the real interest of the banks to do so anyway, and it is only because they are adopting a short-sighted view of the costs and benefits that they are not doing so.

Rocker

silentC
1st August 2005, 02:01 PM
Then you would probably see online banking systems shutting down left, right and centre!

Banks only ever and always do things that are in their own interests (or the interests of their shareholders as it is put these days). The whole push to ATMs, phone banking and now online banking was not, as some people might think, a way of delivering better service. It was to get people out of the branches. First they got people hooked on it, then they started putting up the charges for teller transactions so that it was too expensive to go back to the old habits, then the fees for ATM withdrawals and online transactions were introduced.

Someone did the sums and worked out that a teller transaction cost the bank something like 10 times what it cost to do an ATM withdrawal. The end result and logical conclusion of that is what you see today. If it suddenly becomes more expensive to provide online banking, it will suddenly become not in the Bank's interests to offer it.

Rocker
1st August 2005, 02:15 PM
SilentC,

You might want to call me some sort of pinko, but I can't see why the government cannot force the banks to provide proper security for internet banking as a condition of their retaining their licence to trade as banks. This is not America, where the government tends to be in the pockets of the big corporations, at least while there is a Republican administration.

They could easily frighten the banks into submission by threatening to open up the Australian banking market to competition from overseas banks, many of which manage to make a profit without charging the exorbitant fees that Australian banks do.

Rocker

bitingmidge
1st August 2005, 02:19 PM
Someone did the sums and worked out that a teller transaction cost the bank something like 10 times what it cost to do an ATM withdrawal. The end result and logical conclusion of that is what you see today.

So this morning MrsMidge rocks into one of the big three to organise some US Dollars.

2 days by phone banking, 10 over the counter (of course we need it by Friday which is a bit less than 10)

We haven't been set up for phone banking, so the ever so pleasant young lady at the counter (teller) assisted, then dialled the number, guided my beloved through the process right up to the point where the person in Melbourne on the other end of the phone said "you can't do that"...... at that point the "live" assistant confirmed one could, so the person in Melbourne put the whole thing on hold while she rang for confirmation.

Phone goes "ring ring" at the next teller's desk.

"Yes" .... "Yes" ....."Yes" "That's correct".....

"Look; She's right here next to me, and that's correct!"

The Melbourne experts had rung the people she was dealing with for assistance!

Transaction completed shortly after.

So two phone calls to Melbourne and three people involved and it takes 8 days less!

Work that out!!

Cheers,

P

silentC
1st August 2005, 02:20 PM
I'm not saying that the government might not be able to pass legislation to force the banks to do something they don't want to do. They did it with the Consumer Credit Code legislation a few years ago which forced the banks to do a whole lot of extra paper work on lending.

However, there is nothing that says a bank HAS to offer online services. So if the government passed legislation forcing banks to introduce expensive hardware at their own cost, then the banks might decide that it was no longer profitable to provide online access to accounts.

Daddles
1st August 2005, 05:45 PM
My bank's easy. They just ask you whether you're being naughty or not. If you can give a reference number from your parole officer, they don't even ask that. :D

Richard

Sturdee
1st August 2005, 05:52 PM
For a bank to operate in more than one state they need a federal government's banking licence. The government can, and used to, attach many conditions to these licences, in particular until the 1980's the requirement to operate a substantial rural branch network.

Then in the name of globalisation and rationalisation the government dropped that and many other requirements leaving the banks free to provide less and less service for more and more costs to their customers.

So whilst the government could insist on a net banking system with proper security measures they won't because they are a spineless mob without the guts to ensure consumers are not ripped off by banks. :mad:

As far as the banks are concerned it is cheaper to pay insurance premiums to cover any fraud than to provide proper security measures. This trend started when I was working in a major bank in the 1970's, when you were not embarrassed to admit to working in a bank, and has become worse and worse over the years.

Peter.

Rocker
1st August 2005, 06:01 PM
SilentC,

I doubt whether any bank these days would have the chutzpah to cease offering internet banking - they would certainly lose my custom if they did. And anyway it would be easy enough for the government to mandate that internet banking must be part of the service provided and that it must be as secure as can reasonably, in the view of a government banking expert, be provided. I see it as one of the most important functions of government to ensure that large corporations do not abuse their power, particularly if they are in the privileged position of an oligopoly, as the big four are.

Rocker

silentC
2nd August 2005, 09:03 AM
I doubt whether any bank these days would have the chutzpah to cease offering internet banking
Banks have a lot of audacity. Who else would get away with charging people to access their own money? Remember when banks only earned income on the difference between the interest rates?

However, you are probably right, they wouldn't do it - it's too good an opportunity to make money. They would just pass the cost on to us in the form of increased fees and charges. You would have to buy your own dongle and the service fees would go up to accommodate the extra costs of the secure system.

Gra
4th August 2005, 12:06 AM
Sturdee,

I remember the days when you were willing to admit you worked for a bank.

Silentc,

You got it in one word. Cost; they have too short-term a view.

1. A record profit, even after a large loss (caused partly by low staffing, though they will never admit that)
2. Further staff cuts to lower costs
3. Large sponsorship for a sporting event costing millions...

I have seen endless projects going off track because of bad management, and people so busy pushing their own ideas to the cost of the project. One project I was on in the beginning, I proposed a solution that could be implemented in weeks. I was told this didn't meet the requirements and was moved to another project; they then spent six months studying the problem to come to the conclusion that what I proposed was the best solution. Six months' work for three people wasted because someone wanted to cover their own job.

This happens endlessly; it is a problem with all bureaucracies.

Can't offer any solutions, just my observations from inside.