Hi all,

(Also posted to DC404.)

I've been hearing more and more lately on podcasts and such about banking 
trojans. While this is not news, apparently they're becoming more prevalent and 
clever. The basic idea is that you get a virus in your PC somehow that is a 
banking trojan. It sits in the background and monitors your login to your bank, 
and memorizes the credentials. Then, it logs in behind your back and transfers 
your money to a foreign bank or something.

The problem is, as far as the bank records are concerned, YOU logged in and did 
the deed. The bank says YOU did it.  It's very hard to prove otherwise.

I talked to reps at two banks I deal with yesterday. One had no CLUE how such a 
virus could work, even after I explained it a couple of times. "We have 
extensive security precautions and all kinds of firewalls. You're completely 
safe." etc. I wasn't impressed. However, she eventually got it and explained to 
me that there was no way to do an external money transfer from my PC unless I 
had put in paperwork and prearranged it. So, I guess I'm safe by default with 
that bank.  If I cannot do external transfers using online banking, then, 
neither can a virus.

At the other bank, the lady hadn't heard of banking trojans either, or at least 
hadn't heard of any occurrences of them in their system. Again, not impressive. 
But she got the concept and started to give me some relevant data. She also 
mentioned their firewalls and security measures. On their system, apparently, 
interbank transfers (external) ARE available from my PC online banking system. 
You can transfer to other people in their bank, or to other banks. She said she 
couldn't disable them. However, she did give me the phone number of their 
online banking department. She said they could help me. I called them and had 
them completely disable external transfers from the online banking system via 
my PC.  She said "You realize you won't be able to transfer money to other 
customers here at the bank, or to any other bank."  I said "Yes, that's what I 
want."

So now, if a trojan gets into my system, and logs into my bank, all it can do 
is move money around to my own accounts.  Of course, I stay pretty paranoid 
about security and try my best not to catch any viruses.  Note that this external 
transfer feature was on by default, and I had to ask to have it turned off.

Your debit card is a great vector into your account. I checked with my main 
bank. On my debit card, it's possible to do up to $3000 per day in purchases 
or $500 in ATM withdrawals. If a trojan can steal your bank login credentials, 
it can steal your credit card number, date, and verification code when you're 
shopping.  It IS true that you get your money back in the event of fraud as an 
individual.  This may not be true if you're a business.  But, if $3000 
vanishes from your account while you've entered a whole bunch of valid bill 
payments against that account, for example, you're still going to be in hot 
water with your vendors until you get things straight.

One way to protect yourself is to segregate your debit cards for different 
purposes.  Jim P mentioned this in an email, and I had already taken some steps 
in that direction.  During the Target debacle, when I had to replace my debit 
cards anyway, I went to the trouble of acquiring 5 debit cards and setting up 3 
bank accounts.  I spent some time with the rep and verified exactly what each 
card can access.  When I originally got the debit cards, I tested them to make 
sure they were right.

I have a main account, that we use for most things.  I also have a Ron's 
personal account, and a checking account used generally for savings for car 
repairs and other unplanned things.  We call it savings, but since it is 
checking, there are fewer withdrawal restrictions.

My wife's and my debit cards can access the main account, and that's what we 
use for daily purchases around town, food, gas, household goods, etc.  I also 
use my card for bill payments.  Then, I have another card tied to the main 
account for automatic payments only.  This is for things that bill me every 
month, and automatically take money, like the garbage company or my 
techstarship.com ISP.  Then, I have one card that can only access the Ron 
account and one that can only access the savings account.

This gives several advantages.  If any one card is compromised, it only affects 
those vendors and purposes that it's designated for.  Granted, if it were one 
of the main ones, that would still be a pain.  But, even then, I can have the 
bank deactivate the compromised card and attach other accounts to one of the 
other cards in a matter of an hour or two.  I don't have to wait for a new card 
delivery.  If the auto payments card were compromised, for example, I only have 
to give that subset of vendors a new card.

What I have now decided to do, as an additional step, is to do all online 
purchases on the Ron card only.  That account has very little money, 
unfortunately.  I had been a bit sloppy before, and Amazon, for example, had my 
main card.  With the help of LastPass, I logged into all of the couple of dozen 
or so vendors to whom I've ever given my debit card number.  For some, I deleted 
the card from their records (if there was an option for that).  For others, 
including Amazon, I deleted the main card and entered the Ron card.  Now, to 
make any non-trivial purchases online, I have to log into the bank and transfer 
money to the Ron account.  If any online vendor's credit card database is 
compromised, my losses are minimal, even if I do get the money back later.  I 
also went through and verified that all entities, like PayPal, that have any of 
my bank account numbers, only have the Ron account.

I'm also considering 2 factor authentication for vendors that have it. That 
way, when I log into the bank, I'll get a text on my cell phone with a code I 
have to enter, or something. This is more inconvenient than a simple login, 
especially if the cell phone service is flaky on that day or location. But, 
definitely more secure. (My cell phone is a dumb phone, so it can't run Google 
Authenticator, etc.)  I don't think my banks offer 2 factor authentication.

I have a 2 factor security system for PayPal (and eBay) that they were offering 
years ago.  It uses a key fob which has a button you press to get the second 
factor while logging in.  When you press it, you get a 6 digit code which you 
enter into the website.  I really like that system.  It's not as handy as the 
cell phone, if you don't have the fob.  But, it is immediate, whereas text 
messages sometimes take 20 minutes to reach my cell phone once a vendor like 
PayPal sends them.

As of now, I don't think PayPal sells the key fob any more.  However, they sell 
a similar device shaped like a credit card.  They can also use cell phone text 
messages as a 2nd factor, as well as an app on a smart phone.  The following 
links (not easy to find) give some info.

https://www.paypal-community.com/t5/Tips-from-Moderators/PayPal-Security-Key/m-p/433633#M17
https://www.paypal.com/us/cgi-bin?cmd=xpt/Marketing_CommandDriven/securitycenter/PayPalSecurityKey-outside&bn_r=o

I'd be interested to know what you guys think is the most widely usable form of 
non smart phone 2nd factor id.

The Yubikey:

https://www.yubico.com/products/yubikey-hardware/yubikey/

is a very interesting one time password device.  But, I don't think any of my 
vendors use it.

By the way, I don't mail checks either.  Anyone who intercepts the check and 
gets your routing number and bank account number can drain your account.  I had 
my ID stolen once by someone who somehow got those numbers.  He picked up a 
cheap check printing program at an office store, printed MY id information on 
some blank checks, and went and bought some appliances at Lowe's on MY bank 
account.  That was loads of fun.  Fortunately, I was monitoring my bank account 
about 2 hours after the bogus checks cleared and was able to take quick action.

This should give you some food for thought as to how to help protect your 
financial assets from crackers, both inside and outside of your computer.

Sincerely,

Ron



--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com

_______________________________________________
tech-chat mailing list
[email protected]
http://lists.linuxmoose.com/mailman/listinfo/tech-chat
