  1. #1
    Join Date
    Sep 2003
    Location
    Elimbah, QLD
    Posts
    437

    Internet banking fraud

    I have a suggestion whereby the banks could counter internet banking fraud, which I would like to run past any experts in the field who might be on this forum.

    As I understand it, much of this fraud results from criminals installing Trojans on computers and then harvesting PIN numbers. It seems to me that this could be countered as follows: When you log in, the bank's computer would generate a random 4-digit number that was smaller than your PIN number, and display it on your screen. Then, instead of entering your PIN number (and thus revealing it to a Trojan), you would enter the number that was the difference between the randomly-generated number and your PIN number. e.g., if your PIN number were 6464, and the randomly-generated number was 4797, you would enter 1667 (6464-4797). In this way it would be impossible for a keystroke-reading Trojan to harvest your PIN number.

    I am not sure, though, whether a Trojan would be able to read the randomly-generated number sent by the bank's computer. If so, my idea would be ineffective, of course.

    Rocker
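
    The scheme proposed in the post above, written out as an added example (not part of the original thread) so that what each kind of observer learns can be checked. The function names and the 4-digit limit `PIN_MAX` are assumptions made here; the numbers 6464, 4797 and 1667 are the post's own, the other inputs are constructed.

```python
import secrets

PIN_MAX = 9999  # assumption: the thread talks about a 4-digit PIN

def bank_challenge(pin: int) -> int:
    """Random number smaller than the PIN, as the post describes (pin >= 1)."""
    return secrets.randbelow(pin)  # 0 .. pin-1

def customer_response(pin: int, challenge: int) -> int:
    """The difference the customer types instead of the PIN."""
    return pin - challenge

def bank_verify(pin: int, challenge: int, response: int) -> bool:
    return 0 <= challenge < pin and challenge + response == pin

def leaked_by_screen_and_keys(challenge: int, response: int) -> int:
    """If both the displayed number and the typed number are observed,
    the PIN is their sum; this is the case the post worries about."""
    return challenge + response

def leaked_by_keys_only(responses: list[int]) -> tuple[int, int]:
    """response = pin - challenge with 0 <= challenge < pin, so every typed
    value satisfies 1 <= response <= pin. The largest value seen is a lower
    bound on the PIN. Returns (lower_bound, candidates_remaining)."""
    low = max(responses)
    return low, PIN_MAX - low + 1

def simulate_logins(pin: int, logins: int) -> tuple[int, int]:
    """Run the scheme for several logins and report the keystroke-only leak."""
    typed = [customer_response(pin, bank_challenge(pin)) for _ in range(logins)]
    return leaked_by_keys_only(typed)

if __name__ == "__main__":
    print(leaked_by_screen_and_keys(4797, 1667))    # the post's own numbers
    print(leaked_by_keys_only([1667, 5900, 6401]))  # constructed keystrokes
    print(simulate_logins(6464, 20))
```

    Because the challenge must be smaller than the PIN, the displayed number is also a lower bound on the PIN, so the requirement itself narrows the search space with every login.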

  2. #2
    Join Date
    Feb 2005
    Location
    Mackay Qld
    Age
    50
    Posts
    1,039

    But I want to check if my balance has risen over $4 quickly and it would take hours to do those sums on my abacus.
    Mick

    avantguardian

  3. #3
    Join Date
    Sep 2003
    Location
    Elimbah, QLD
    Posts
    437

    G_mick,

    Maybe the banks could also just accept the PIN number for people who were too brain-damaged, or could not be bothered, to do the subtraction, on the understanding that such people would not be compensated, if their PIN number was stolen by a Trojan.

    Rocker

  4. #4
    Join Date
    May 2005
    Location
    Brisbane
    Age
    53
    Posts
    108

    Rocker, some years ago my bank used an on-screen keypad for entering the PIN. A keypad would pop up on your screen; you then entered your PIN by clicking the appropriate buttons with the mouse. This means that no numbers are directly entered or logged on your computer. Every time you logged in the keypad would be in a different spot on your screen, so it was difficult to work out what was being entered from the cursor position.

    For some reason they stopped using this system.
    Specializing in O positive timber stains

  5. #5
    Join Date
    Aug 2003
    Location
    Pambula
    Age
    59
    Posts
    5,026

    Commonwealth Bank's Netbank used to work that way.

    Now they put up a code table. You type the corresponding letter from the code table for each number in your PIN. The code table is different each time you log in.
    "I don't practice what I preach because I'm not the kind of person I'm preaching to."

  6. #6
    Join Date
    Oct 2004
    Location
    Melbourne
    Posts
    0

    Rocker, that's a pretty difficult thing to do; what if your PIN was alphanumeric or 8-10 numerals?

    Also not sure what you meant by logging in... did you mean getting into the PC or the website or actually logging into the service... because if you meant the latter obviously the PIN needs to be in already... and hence still exposed to the trojan.

    A much safer thing to do, albeit not the most convenient, is to only use your computer for banking and make sure that it is up to date with firewalls, etc.
    You can never have enough planes, that is why Mr Stanley invented the 1/2s

  7. #7
    Join Date
    Nov 2003
    Location
    Australia and France
    Posts
    2,869

    As I have had reinforced in a discussion today, "random number generators" aren't actually generating numbers randomly at all. They are merely generating numbers in a complex sequence or algorithm.

    In the course of our business we regularly transfer rather large sums of money, and the bank concerned has taken note of Rocker's advice.

    It has issued each of the signaturies (sp?) of the account with a little RNG (random number generator) which is tuned exactly to a parallel generator back in some dark room at the bank. The numbers change every two minutes.

    When a transaction is made, there is a two minute time frame to log in the number, do the business and get out.

    So now all you need to do is hijack the bank's one, be online at exactly the time the transaction is occurring, and do your criminal business in what's left of the two minutes I guess.

    Cheers,

    P

  8. #8
    Join Date
    Jul 2003
    Location
    Near Bodgy, AlexS, Wongo & CraigB
    Age
    19
    Posts
    744

    Being in the industry I'm in, I can attest that after the holocaust the only survivors will be telcos, banks & cockroaches.
    Zed

  9. #9
    Join Date
    Aug 2003
    Location
    Pambula
    Age
    59
    Posts
    5,026

    ... "random number generators" aren't actually generating numbers randomly at all. They are merely generating numbers in a complex sequence or algorithm.
    Interesting point that. Given the same seed, a computer will always generate the same sequence of 'random' numbers. It is the seed that contributes the random aspect to the algorithm. Most computers would use something from the time and date or a 'random' location of memory as the seed. If you can generate the same circumstances, you could conceivably generate the same 'random' numbers.

    Those gadgets have been around for a while but are only available to 'certain' clients - ie. the ones who will make the bank lots of money. Fell privileged, Midge.

    BTW the 'bank's one' would be a black box in a modem cabinet in the comms room. If you can get in there to hijack it, you probably won't need it.
    "I don't practice what I preach because I'm not the kind of person I'm preaching to."
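
    The token described in posts #7 and #9, a number that changes every two minutes and is matched by a generator at the bank, can be sketched as a shared secret plus a time counter. This is an added example, not part of the thread and not the bank's actual algorithm, which the posts do not name; it uses the HMAC construction standardised in RFC 6238, and `token_code`, `bank_accepts` and the sample secret are assumptions made here.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 120  # post #7: "The numbers change every two minutes"

def token_code(secret: bytes, unix_time: int,
               step: int = STEP_SECONDS, digits: int = 6) -> str:
    """Code shown by the token: HMAC of the current time step under the
    shared secret, truncated to a few decimal digits (RFC 6238 style)."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def bank_accepts(secret: bytes, submitted: str, unix_time: int,
                 drift_steps: int = 0) -> bool:
    """Bank side: recompute the code from the same secret and its own clock.
    drift_steps > 0 also accepts neighbouring steps to tolerate clock drift
    (an assumption; the posts describe a single two-minute window)."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = token_code(secret, unix_time + d * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed, per-token in practice
    t = 1_200_000_000                     # constructed timestamp, start of a step
    code = token_code(secret, t)
    print(code, bank_accepts(secret, code, t + 119))  # same two-minute step
```

    As post #9 says, the output is fully determined by the seed: here the seed is the shared secret, so the scheme is only as strong as the secrecy of that value on the token and at the bank.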

  10. #10
    Join Date
    Jul 2003
    Location
    Near Bodgy, AlexS, Wongo & CraigB
    Age
    19
    Posts
    744

    I can feel this thread touching on encryption... Did anyone watch that show on Aunty that discussed military encryption/maths/etc. some time back? I remember the host mentioned (don't know if this is true) that commercial encryption by law lagged military encryption by 20 or 40 yrs - can't remember exactly the time frame..... I dare say in the computer age this may have shortened by definition if not by law.
    Zed

  11. #11
    Join Date
    Nov 2003
    Location
    Australia and France
    Posts
    2,869

    Quote Originally Posted by silentC
    Those gadgets have been around for a while but are only available to 'certain' clients - ie. the ones who will make the bank lots of money. Fell privileged, Midge.
    Ohhhh yeah.... we make the banks LOTS of money, but it doesn't feel like a privilege?? :confused: :confused: :confused:


    P

  12. #12
    Join Date
    Sep 2003
    Location
    Elimbah, QLD
    Posts
    437

    SilentC,

    It seems then that the present Commonwealth Bank system is a rather more sophisticated implementation of my idea. I can't understand why Westpac doesn't adopt the same system. They still just get you to enter an unencrypted PIN number.

    Rocker

  13. #13
    Join Date
    Aug 2003
    Location
    Pambula
    Age
    59
    Posts
    5,026

    That typo of mine was a bit Freudian:

    Fell: adjective fierce; cruel; dreadful: *She thinks a man goes out with a girl for one fell purpose. --SUTTON WOODFIELD, 1960. 2. destructive; deadly: fell poison; fell disease.

    The 'strength' of encryption is generally spoken of in terms of bits eg. 128 bit encryption. This describes the length of the keys that are used to perform the encryption. The longer they are, in essence the more permutations there are for an encryption breaker to go through. Given time, all two-way (reversible) encryption can be broken.

    There are types of encryption that cannot be broken (hashing) but they are not useful for information exchange because the original message cannot be restored even by the encryptor. These are used for example to encrypt passwords stored in databases. The only comparison ever done is between the encrypted version in the database and the encrypted version of what the user typed in, so it is not necessary to be able to un-encrypt it.

    For a long time, the US would not allow the stronger encryption (larger keys) to be exported outside the States. As far as I know that has now been reversed - but probably only because they found something better to use.
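
    The stored-password comparison described in post #13, as an added example that is not part of the original thread. It uses a salted, iterated hash (PBKDF2 from Python's standard library); the record layout, function names and iteration count are assumptions made here, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumption: work factor chosen for this example

def make_record(password: str, iterations: int = ITERATIONS) -> dict:
    """What the database keeps: a random salt and the derived hash,
    never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}

def verify(password: str, record: dict) -> bool:
    """Hash what the user typed with the stored salt and compare the two
    hashed values; nothing is ever 'un-encrypted'."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])  # constant-time

if __name__ == "__main__":
    alice = make_record("correct horse battery")  # constructed password
    bob = make_record("correct horse battery")    # same password, other user
    print(verify("correct horse battery", alice))  # True
    print(verify("wrong guess", alice))            # False
    # Per-user salts mean identical passwords do not share a stored value.
    print(alice["digest"] != bob["digest"])        # True
```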

  14. #14
    Join Date
    Sep 2003
    Location
    Elimbah, QLD
    Posts
    437

    Quote Originally Posted by routermaniac
    Rocker, that's a pretty difficult thing to do; what if your PIN was alphanumeric or 8-10 numerals?

    Also not sure what you meant by logging in... did you mean getting into the PC or the website or actually logging into the service... because if you meant the latter obviously the PIN needs to be in already... and hence still exposed to the trojan.

    A much safer thing to do, albeit not the most convenient, is to only use your computer for banking and make sure that it is up to date with firewalls, etc.
    RM,

    When you log on to Internet Banking, you first enter your login-ID, i.e. your customer number, which tells the bank what PIN number to expect. You then enter a 4-digit PIN number. It is not alphanumeric, and is always 4 digits.
    However, as SilentC has explained, the Commonwealth Bank already uses a more sophisticated version of my idea. I just wish all banks would.

    Rocker

  15. #15
    Join Date
    May 2003
    Location
    South Oz, the big smokey bit in the middle
    Age
    68
    Posts
    1,914

    Does anyone else long for the 'good old days' when secure banking meant you had a large, steel bound oak box in the basement, liberally wrapped with heavy chain interlinked with large padlocks, all capped off with a very large, very hungry and bad tempered mongrel dog.

    Sigh
    Richard
