DecComp used Ask the Experts™
 One of my clients had a login attempt to their bank with a password supposedly known only by the one user.  The attempt was made from the company's WAN IP (reported by the bank); there was no one in the building that should have knowledge of the account information.
  My question is: can and do hackers mimic other WAN IP addresses (i.e. the company's), or is the attempt most likely made by someone in the building or by remote software into the building?
  The last piece of the puzzle is that the password was entered correctly on the second attempt.  An invalid computer was seen by the bank site and reported to us.  I think that is quick for a hacker.
>supposedly known only by the one user

There's the problem.  With single-password protection, it can be one of the following:

1. actual user typing manually
2. user's computer with password management program entering the password
3. someone else knows the password

The company firewall admin may be able to map the connection with the bank to the actual internal computer that was used.

Without that info, you can't move any further into an investigation.

Has the user already reported this to security/IT at the company?


Thank you for your reply. I have asked the customer and they have no password managers on the system that we know of.   They also tell me that to log in to the bank, the first step is to log in to the company account, then log in to the individual user in the company account (different permission levels).  So whoever did it logged into the company account with no trouble and then logged into the user's account and only missed the password once.  So that information, and the fact you didn't think the WAN IP could be masked by an outside hacker, tells me that someone inside has done it.
Possible scenarios (and don't rule out #1 unless it's you):

1. user did it
2. somebody else did it from inside
2a. credentials were shared or stolen
2b. credentials were saved in web browser or other password mgmt application
2c. remote control, recording software, or keystroke logger used
3. somebody did it from outside
....well, most of #2 applies except for how they used the company's WAN IP.

But, you'll need to check the company firewall/router to see which computer was used.  From there, investigate that computer.

As for #1 or #2a ... typically a guilty person will not admit that he/she did something wrong or shared secrets with someone for that activity.  Not much you can do about it except gather evidence to find the truth.  Constant questions or browbeating are unproductive.

You didn't say...have you involved IT/security or law enforcement?
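
The firewall check suggested in the two replies above (map the bank connection back to the internal computer that made it), as an added example that is not part of the original thread. The log format, IP addresses, timestamps and the function name `find_internal_hosts` are constructed for illustration; adapt the pattern to what the company's firewall or router actually logs.

```python
import re
from datetime import datetime, timedelta

# Constructed NAT translation log (hypothetical format, documentation-range IPs).
SAMPLE_LOG = """\
2019-11-20T13:40:02 NAT src=192.168.1.23:51544 xlate=203.0.113.10:40211 dst=198.51.100.7:443
2019-11-20T14:01:47 NAT src=192.168.1.40:49877 xlate=203.0.113.10:40390 dst=198.51.100.7:443
2019-11-20T14:02:05 NAT src=192.168.1.40:49901 xlate=203.0.113.10:40412 dst=198.51.100.7:443
2019-11-20T14:02:30 NAT src=192.168.1.23:51602 xlate=203.0.113.10:40455 dst=192.0.2.80:80
2019-11-20T16:30:00 NAT src=192.168.1.57:50012 xlate=203.0.113.10:41001 dst=198.51.100.7:443
garbled line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT src=(?P<src>[\d.]+):\d+ "
    r"xlate=(?P<wan>[\d.]+):\d+ dst=(?P<dst>[\d.]+):\d+$"
)

def find_internal_hosts(log_text, wan_ip, bank_ip, reported_at, window_minutes=5):
    """Return {internal_ip: [timestamps]} for connections that left via wan_ip
    to bank_ip within +/- window_minutes of the time the bank reported."""
    window = timedelta(minutes=window_minutes)
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        if m["wan"] != wan_ip or m["dst"] != bank_ip:
            continue  # different egress address or not the bank
        ts = datetime.fromisoformat(m["ts"])
        if abs(ts - reported_at) <= window:
            hits.setdefault(m["src"], []).append(ts)
    return hits

if __name__ == "__main__":
    reported = datetime(2019, 11, 20, 14, 2, 0)  # constructed "bank-reported" time
    found = find_internal_hosts(SAMPLE_LOG, "203.0.113.10", "198.51.100.7", reported)
    if not found:
        # No record in the window: check log retention, clock offset between
        # the bank and the firewall, and whether this traffic is logged at all.
        print("no matching connections in the window")
    for host, times in found.items():
        print(host, [t.isoformat() for t in times])
```

An empty result does not clear the internal network by itself; widen the window for clock differences and confirm the firewall was logging outbound sessions before drawing a conclusion.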


IT/Security have been involved; the company has not contacted law enforcement.  LOL, I didn't do it.  And I am the IT. I was just wanting a second opinion on such a dangerous situation.  I am checking for keylogging programs on the client's system.  I have checked the firewall and found no record of the event, but I will look again. We have tightened the security and passwords in the organization and at the bank (a bit relaxed), and yes, I believe the issue is internal and was shared or stolen by an unauthorized user.  Fortunately no funds were touched.  Thank you very much for your help.
There is a push to isolate bank transactions to a frozen off-line system.  Meaning, a dedicated computer that is not accessible to the rest of the LAN, or even a virtual machine that can accept no alterations.  Re-boot it and it loads a read-only image of an OS.

No way to install malware in the OS.  No way to access remotely or install remote-access software that will last beyond a re-boot.

Then you have fewer items to secure:
1. physical keyboard, video, mouse
2. user's credentials
3. proper encryption in the channel to the bank
4. block any other network/internet access (e-mail, social networking, file dump)
5. any printers that are used by this workstation
6. any files that can be saved/extracted (like PDF or screen captures).

I like the re-booted VM.   Having a dedicated machine with cameras on it and your own secure recording software...tighter.


Thank you very much, we are going to present these ideas for them to consider.  Excellent advice.


Makes my job so much easier
