Internet banking fraud

[Rocker]

Rocker, for my internet banking with the Commonwealth I have a 6 digit pin, for the ANZ and Westpac an 8 digit alphanumeric pin.

Only on eftpos cards have they numeric pins with 4 digits for ANZ and Westpac and 6 digits for Commonwealth.

Must be different up north.


Peter.

Sturdee,
You are of course correct; I must have been having a senior moment. Well, actually my Westpac online banking password is 6-digit alphanumeric.
Rocker

[Gingermick]

The Credit union I'm with has a log-in code and a separate code for external transfers.

[Ashore]

Mr Ashore, do you type your signature line in every time?

Silent
No I use a free ware program I found called 101 clips it allows you to retain up to 30 things , text , pictures, web pages etc on your clipboard instead of just the last thing you saved
You just line up your curser open 101 clips from task bar and click on the entry you want
Find it under Google 101 clips



Rgds
Russell




Don't take life too seriously; No one gets out alive.

[knucklehead]

Several people have mentioned that their pin numbers are sent unencrypted.

Every bank in Australia will be using an encrptyed web session. This is visable via the little padlock on the bottom right of the browser. The web address will probably start with https://.
This means that the whole session should be encrypted in either 64 bit or 128 bit (depending on browser) key.
These sessions have many short commings and ways to crack them, but by far the way most people get stung is by following a link to a dodgy website. Always go to your banking site via your favourite links (never via an email) and check that the padlock appears.

[MathewA]

As I have had reinforced in a discussion today, "random number generators" aren't actually generating numbers randomly at all. They are merely generating numbers in a complex sequence or algorithm.

In the course of our business we regularly transfer rather large sums of money, and the bank concerned has taken not of Rocker's advice.

It has issued each of the signaturies (sp?) of the account with a little RNG (random number generator) which is tuned exactly to a parallel generator back in some dark room at the bank. The numbers change every two minutes.

When a transaction is made, there is a two minute time frame to log in the number, do the business and get out.

So now all you need to do is hijack the bank's one, be online at exactly the time the transaction is occurring, and do your criminal business in what's left of the two minutes I guess.

Cheers,

P

Funny I heard the same thing this morning

[kiwigeo]

Commonwealth Bank's Netbank used to work that way.

Now they put up a code table. You type the corresponding letter from the code table for each number in your PIN. The code table is different each time you log in.

When I log into CBA netbank I enter the password directly....I dont see any code tables. Are you sure youre not logging into a fake netbank site run bythe Russian mafia???

[silentC]

You must've missed this:

Oops, my mistake

It's not Netbank, it's our other bank that does that - IMB. Yes, Netbank has a userid and password setup, not a PIN number.

[Sturdee]

I must have been having a senior moment.

Love that phrase. I seem to get them too these days.


Peter.

[Gingermick]

The other thing that may be possible is to have email confirmation for external transfers.

maybe

[BrianR]

Rocker,

I don't think a Trojan would find it difficult to record the banks random querey to you and your reply and so reveal your pin at one go. Bendigo bank uses a little key pendant that generates a one-time verification number, when you press a button, that has a valid life of 1 minute. You use your user name, pin and then this verification. Doesn't matter if a hacker got the pin and user name as they are useless without this verification number.

[Rocker]

Brian,

Sounds good; if a Mexican bank can use a trojan-proof system, why not the Big Four?

Rocker

[Gra]

I will have to reveal my hand here, I work in one of the 4 majors, no I wont reveal what one. I dont use their net banking but I do work from home and to sign into their VPN from home I have one of those dongles that generates a random number every two minutes, this is run by an outside contractor, so to sign on you need your user id, a pin number and the number from the number generator. Why they dont use a similar system for their internet banking I dont understand, but then again I have worked for this bank for 18 years and still dont understand some of the menagement ideas....

[silentC]

Why they dont use a similar system for their internet banking I dont understand

Cost.

[Dr Dee]

Cost.

SilentC,
I am sure that if they did a real analysis of the costs the major banks would see it is worth it.

I currently work for a big Aus University and we use a SecureId which is a small device like a USB memory stick, which displays a number for about 2 minutes. You have to enter this when logging into the financial systems etc with name and p/w etc.

At first (~5 years ago) the external company charged about $300ea. The Uni negotiated to buy in batches and now they are down to less than $100. I am told they have a simpler non-display type that you plug into the USB port and this can be interrogated by the login script. Saves the errors of input. These devices could easily be supplied by the banks.

Even though there would be a cost, think of the cost of investigating and covering just one fraud case. I will be very surprised if we don't see this happening soon.

cheers

[silentC]

Only if they charge the user for it.

There is no way a bank is going to buy a $100 dongle for every online customer. I don't have any figures on how many Netbank users there are for example, but you would have to guess it to be in the tens of thousands. For 10,000 users it would cost them $1,000,000. Not to mention the cost of distributing them, supporting them, and changing the systems to handle them. I can just see the reaction in the boardroom when someone proposes that.

As for cost of investigating fraud, they hand that over to the Feds. Banks just write losses off.