Online Banking Security

[c0br4]

First a little story:

I work in a computer repair shop in the UK, and recently we had a computer come in that had the windows hosts file infected. I immediately noticed the all the major banking websites were in the hosts file and set to be diverted to another IP address. Immediately I contacted the police (who didn't care), then I contacted the customer... but it was too late, they had several thousand GBP taken from the bank. Fortunately for the customer the bank refunded every penny. Then the bank contacted the police at which point they took it seriously, and the fraudsters have been caught and that is all I have heard. The police's argument when I rang them said nothing could be done since the customer would have agreed to some terms and conditions to install some software, free smileys etc. However like I said the bank took it much more seriously.


Anyway I was just saw some TV program about this kind of thing... and they had a security expert in from symantec, that said "He would never use online banking, and that you could ask anyone who knows anything about computer security and they would all say the same" so I thought I would put that to the test.


I personally do use online banking with Barclays who also say they will refund any money lost from result of being hacked. However I take certain precautions, I never use online banking wirelessly or at public computers/public internet connections. I also check the hosts file, running proccesses, BHO's, LSP's, etc... just to be a little more sure that no-ones spying on me.



Anyway I kinda wrote this post in a hurry so please leave me any thoughts and anything I have got wrong or needs adding.... hopefully this should raise awareness too.

[The Grunt]

Well, IMO, if you feel it's worth taking the risk and take what precautions are available, then I see no reason not to... I will probably start using online banking once I have more bills that I have to pay on my own... The important thing is to keep your own records, so if something happens to the banks servers, you know what you're supposed to have...

[slarty]

I would not use online banking on a public machine (cybercafe or something). However, I'd be entirely confident about using it on a wireless LAN (as long as I was on my own machine).

The reason is, I trust SSL to encrypt the session and authenticate my bank's site. If I don't see the padlock, I won't enter my details. If the SSL certificate is not accepted by my browser, again, I won't enter my details.

And I am aware of at least one case where my bank was hacked into - their web site was defaced, but I am confident that that particular web site was just an online brochure and had nothing to do with banking.

Slarty

[Tiger Shark]

There are 3 machines I will bank online from:-

1. My home workstation.
2. My sweety's wireless XP Laptop.
3. My work workstation.

.... because I manage the security on all three. Also, I only connect to them from a shortcut I created.... Why? It only contains the IP address of the bank's site not it's domain name - they stay pretty fixed so it's not a big deal when they change it. Much of the sneaky spyware looks for the domain name of banks too so that they can capture the authentication - they don't recognize the IP address. Lastly, I _never_ allow them to remember my password.

The other bright side is that I leave very little money in my current account.... I pay all the bills and spend the rest on beer... ... so if anyone succeeds in robbing me they are going to be in for a surprise...

Would I recommend it to everyone? Nope.... No chance.... Most people are not capable of determining their "security state" and I don't want some moron coming to me six months down the road and blaming me for their children's questionable surfing habits and their inability to recognize them....

[xierox]

I have enough confidence in my skills to keep my computer from being infected that I personally use online banking, although I won't use it on public wireless and won't use it on anyone's computer except for my own. Once I get my DSL connection up and running in a few weeks, I will probably begin using a Knoppix Live CD to do banking as I'll be able to know without doubt that it is not compromised.

- X

[c0br4]

Thanks for your feedback, interesting results... so far that bloke from symantec has been mostly wrong... has anyone noticed that symantec's main office place thingy is in a ex-nuclear bunker in the middle of no-where, what a waste. Symantec is not one of my best friends, where I work 1in5 computers are in because "I have just installed Symantec internet security and now I can't access the internet/send emails/receive emails/do anything" although alot of the time it is what we call UIAI at work... short for "user is an idiot" :-)

PS never thought of using a live CD... although again wouldn't do it wireless/public to avoid sniffers

[Riot]

I know a bit about computer security and i would not use online banking because it just makes me feel a little uneasy, But i think that what makes me feel so uneasy about it is not as much as the risk of a hacker but the fact that i dont see the transaction happening like if i go to the bank i give them paper and i get some back but with online banking their is no paper its all electronic and i think that that will be one of the biggest hurtles for getting people to switch to online banking. Even tho I said i would neavor use it in the poll i think that i might be switching over to it.

[Tiger Shark]

if i go to the bank i give them paper and i get some back

How do you _know_ the transaction was carried out in the fashion you expected it to be? Because you got a peice of paper? Does paper give you a warm, fuzzy feeling? There are lot's of people that have been defrauded by tellers that are less than honest.... But they still got their little piece of paper....

You still can't trust it...

[frostedegg]

just dont use a bank. Keep all your money in cash in a giant room upstairs.....with a big lock....

[The Grunt]

Till your house catches on fire...