Solved

Is my computer at work secured?

Posted on 2014-12-02
Last Modified: 2016-07-20
Hello. I'm from Mauritius. I have noticed something really strange using my internet banking for transactions. I stored all my money in the most prestigious bank in Mauritius. Last week I noticed something really amazing, unprofessional and not secured.
I have done a test to make sure that the banking system is well secured. I have downloaded a free software called Refog Keylogger (you all know that) to test if my password is shown. I have installed the software on my PC in hidden mode, so nobody can view the software even under the taskbar or in program files. I used a shortcut key to launch this program.

I log into my internet banking, put in my username and password, and then log off.

I open the software and go to the keystrokes typed, and I was really shocked. I saw my username and password in full. Also note that I have used a complex password.

I just imagine how many people are using their internet banking at their work and they are not secured.

Do you think that the bank can encrypt the data? Or secure the site? I wanna inform the media about that.

Please let me know what you think.

Thanks
Question by:techlabtest
13 Comments
 
LVL 23

Accepted Solution

by:
Eirman earned 74 total points
ID: 40475935
If you can log/capture your keystrokes, then any spyware buried in your system can do the same.
Do you use any type of hand held device when logging in?

I have accounts with three Irish banks.
If I want to add or amend a payee, standing order or direct debit,
I have to enter a password into my handheld device,
then enter the 8 digits on the monitor,
then enter the code given back by the device.

If anyone was logging my keystrokes they just might be able to log into my account,
but would not be able to do anything to compromise it.
I also get text & letter notification of changes to my accounts.

I also have Rapport Security as supplied by one of the banks (RBS/Ulster)
=====================================================
If you don't have any of the above, consider using a dedicated computer for banking and banking alone. Leave it disconnected from the internet when not in use.
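The handheld-device flow Eirman describes (password into the device, the 8-digit code from the monitor into the device, the device's answer back into the browser) is a challenge-response scheme. The following Python block is an added illustration, not code from the post or from any bank or device vendor; it assumes the device computes a truncated HMAC-SHA256 over the challenge together with the payee and amount (an assumed construction), and plays out why a keylogger that captures every keystroke still cannot reuse what it saw.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed shared secret for the demo; a real device has its own secret
# provisioned by the bank at issue time and it is never typed on the keyboard.
DEVICE_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
CHALLENGE_DIGITS = 8   # "the 8 digits on the monitor"
RESPONSE_DIGITS = 6    # assumed length of the code the device hands back


def device_response(secret: bytes, challenge: str, payee: str, amount_cents: int) -> str:
    """Handheld-device side (assumed HMAC-SHA256 construction, not any vendor's algorithm).

    The response is bound to the challenge AND to the transaction details, so a
    code computed for one payee/amount verifies for no other transaction.
    """
    message = f"{challenge}|{payee}|{amount_cents}".encode()
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation, RFC 4226 style
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**RESPONSE_DIGITS:0{RESPONSE_DIGITS}d}"


class Bank:
    """Bank side: issues single-use challenges and verifies device responses."""

    def __init__(self, device_secret: bytes):
        self.device_secret = device_secret
        self.open_challenges = set()

    def issue_challenge(self, challenge: Optional[str] = None) -> str:
        # Random 8-digit challenge shown on the monitor (a fixed value is allowed for tests).
        if challenge is None:
            challenge = f"{secrets.randbelow(10**CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self.open_challenges.add(challenge)
        return challenge

    def authorise(self, challenge: str, payee: str, amount_cents: int, response: str) -> bool:
        # A challenge that was never issued, or was already consumed, is rejected outright.
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)   # single use whether or not the code matches
        expected = device_response(self.device_secret, challenge, payee, amount_cents)
        return hmac.compare_digest(expected, response)


def keylogger_replay_demo() -> dict:
    """Play out the scenario: every keystroke is captured, yet the capture is not reusable."""
    bank = Bank(DEVICE_SECRET)

    # 1. Legitimate payment: the user types the challenge into the device and the
    #    device's answer into the browser. Both values are visible to a keylogger.
    challenge = bank.issue_challenge("31415926")
    captured_response = device_response(DEVICE_SECRET, challenge, "IE-ORIGINAL-PAYEE", 12_500)
    legit = bank.authorise(challenge, "IE-ORIGINAL-PAYEE", 12_500, captured_response)

    # 2. Straight replay of the captured challenge/response pair: challenge already consumed.
    replay = bank.authorise(challenge, "IE-ORIGINAL-PAYEE", 12_500, captured_response)

    # 3. New session: the bank issues a fresh challenge; the stolen code does not fit it,
    #    and without the device secret no new code can be computed.
    fresh = bank.issue_challenge("27182818")
    reuse_on_fresh = bank.authorise(fresh, "IE-ORIGINAL-PAYEE", 12_500, captured_response)

    # 4. Payee swapped after the device answered (the "man in the browser" case below):
    #    the response covers the payee, so the bank's expected code no longer matches.
    fresh2 = bank.issue_challenge("16180339")
    honest_code = device_response(DEVICE_SECRET, fresh2, "IE-ORIGINAL-PAYEE", 12_500)
    swapped = bank.authorise(fresh2, "XX-ATTACKER-ACCOUNT", 12_500, honest_code)

    return {"legit": legit, "replay": replay,
            "reuse_on_fresh": reuse_on_fresh, "swapped_payee": swapped}


if __name__ == "__main__":
    print(keylogger_replay_demo())
```

Whether a real device binds its answer to the payee and amount depends on the product; where it only signs the challenge, a keylogger alone is still defeated (cases 2 and 3), but browser-side tampering with the payee (case 4) is not, which is why several of the later replies still recommend locking down the client machine.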
 
LVL 10

Assisted Solution

by:Schuyler Dorsey
Schuyler Dorsey earned 71 total points
ID: 40476068
For a business to protect their users against this attack, they would need to employ defense in depth.

Many antivirus suites will block the use of keyloggers and remove them from the PC if found. Application whitelisting would prevent the keylogger from running if it bypassed AV. Efficient perimeter security could prevent the credentials from being exfiltrated (DLP, content filtering, proper ACLs).

And if your bank supports it, you can opt-in for two factor authentication. So in addition to your password, you would need something else to login. One example being it could text a one time passcode to your mobile phone and you have to type that into the website after logging in with your password.
 
LVL 23

Expert Comment

by:Eirman
ID: 40476082
I forgot to say .... consider a VPN service, especially if you travel a lot
http://www.pcadvisor.co.uk/features/internet/3469301/why-you-need-vpn/
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40476112
^ I agree this is generally a good idea but does not protect against a keylogger/malware running on the PC.
 
LVL 13

Assisted Solution

by:frankhelk
frankhelk earned 71 total points
ID: 40476154
I saw some German web banking interface that used a two-step identification for logging in - first a name/password identification, and afterwards a screen keypad where 2 random digits of a longer number were to be entered with mouse clicks.

That makes it much nastier to eavesdrop on an account (while it's still not impossible). But that would only allow taking a look at the account data. Nearly all of the banking interfaces I've seen use a TAN (TransAction Number) procedure to secure transactions ... "one from a printed list", "a named TAN from a printed list", "a TAN sent by SMS to a mobile phone" or "a TAN generated by a device with data from the interface and a generator device". That way some hacker might see how much money is on the account, but he can't transfer it to another account.

The "lousiest" solution I've seen for securing transactions is a separate password for transactions.
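The two mechanisms frankhelk describes, random digit positions of a security number at login and a named TAN from a printed list for transactions, both work by never letting a single observed session be replayed. The Python below is an added example, not the post's code nor any bank's implementation; the security number, TAN list and position choices are constructed for the demo, and it shows what an eavesdropper who recorded one complete session can and cannot do afterwards.

```python
import hmac
import secrets
from typing import Dict, List, Sequence, Tuple

_rng = secrets.SystemRandom()


class PartialPasswordLogin:
    """Second login step: the bank asks for k randomly chosen digits of a longer
    security number, answered by clicks on an on-screen keypad."""

    def __init__(self, security_number: str, digits_asked: int = 2):
        if not security_number.isdigit() or digits_asked >= len(security_number):
            raise ValueError("security number must be numeric and longer than the digits asked")
        self._number = security_number
        self.k = digits_asked

    def challenge(self) -> Tuple[int, ...]:
        """Pick k distinct positions (1-based, as shown to the user) for this session."""
        return tuple(sorted(_rng.sample(range(1, len(self._number) + 1), self.k)))

    def verify(self, positions: Sequence[int], answer: str) -> bool:
        # Reject malformed position sets before looking at the answer at all.
        if len(positions) != self.k or len(set(positions)) != self.k:
            return False
        if any(p < 1 or p > len(self._number) for p in positions):
            return False
        expected = "".join(self._number[p - 1] for p in positions)
        return hmac.compare_digest(expected, answer)


class IndexedTanList:
    """Transaction step: "a named TAN from a printed list". The bank names the
    index, the user copies that TAN, and the entry is struck off once used."""

    def __init__(self, tans: List[str]):
        self._tans: Dict[int, str] = dict(enumerate(tans, start=1))

    def request_index(self) -> int:
        if not self._tans:
            raise RuntimeError("TAN list exhausted; a new list must be issued")
        return _rng.choice(list(self._tans))

    def redeem(self, index: int, tan: str) -> bool:
        expected = self._tans.pop(index, None)      # struck off even on a wrong guess
        return expected is not None and hmac.compare_digest(expected, tan)


def eavesdropper_demo() -> dict:
    """What a recording of one full session buys an eavesdropper later on."""
    login = PartialPasswordLogin("582913746")                 # constructed 9-digit security number
    tans = IndexedTanList(["483920", "117365", "904211"])     # constructed printed TAN list

    # Session 1, observed in full: positions 2 and 5 were asked; the user clicked "8" then "1".
    session1_positions, session1_answer = (2, 5), "81"
    ok_session1 = login.verify(session1_positions, session1_answer)

    # Session 2 asks different positions; the recorded answer does not fit them.
    session2_positions = (1, 7)
    replay_login = login.verify(session2_positions, session1_answer)

    # The observed TAN #2 is redeemed once by the legitimate user...
    first_use = tans.redeem(2, "117365")
    # ...so replaying it, or presenting it under another index, fails.
    replay_tan = tans.redeem(2, "117365")
    wrong_index = tans.redeem(3, "117365")

    return {"session1": ok_session1, "replay_login": replay_login,
            "first_tan_use": first_use, "replay_tan": replay_tan, "wrong_index": wrong_index}


if __name__ == "__main__":
    print(eavesdropper_demo())
```

Two caveats a practitioner would note: partial-password verification needs the server to read individual digits of the security number, so it cannot be stored as a single salted hash the way a full password can (per-position secrets or an HSM are the usual answers), and, as the post says, a keypad only raises the bar: malware that captures screen regions around mouse clicks still sees the digits, which the TAN step is there to absorb.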
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 71 total points
ID: 40476177
"I wanna inform the media about that" - you shouldn't. Keyloggers record keystrokes - there's nothing special about that the media doesn't already know. You have learned that you should not use untrusted computers for online banking, be it at work or elsewhere.
 
LVL 2

Assisted Solution

by:Spankin
Spankin earned 71 total points
ID: 40792949
All has been already said here - the keylogger works on your machine, and your machine is not encrypted by the bank's certificate. It's exactly the same as if someone was watching your keyboard behind your back while you type your credentials. Would you inform the media about this? :) A secure connection using SSL/TLS protocols protects your username/password on the network - between your computer, where it's encrypted, and the bank, where it's decrypted. What happens on your computer and in the bank's computers is in people's hands.
 
LVL 61

Assisted Solution

by:btan
btan earned 142 total points
ID: 40793318
Typically if a keylogger is (already) in the machine, the application whitelisting program like AppLocker, or anti-malware (or hopefully AV) can flag an error and block the sniffing attempt, but assuming the logger is undetected due to "legit" presence (no signature, has a signed trusted publisher, etc.), all keystrokes can be siphoned off.

The threat is common and known as "man in the browser" (via BHO or plugin etc.) with e-banking crimeware (e.g. Zeus is the big "leader" in this family) exploiting in-browser vulnerabilities or a poorly protected client machine; the malicious s/w "infects" and intercepts your browser - nothing is covered, even for SSL traffic.

Go preventive - this is really locking down that station:
e.g. no admin,
e.g. go for app whitelisting (still),
e.g. patch readily and have up-to-date AV signatures on the machine, and
e.g. go for defense in depth (add on to existing security s/w) with endpoint protection using host intrusion prevention or equivalent
(see Invincea and vSentry)

....Even if it is really internet banking with 2FA, which most banks already mandate... but then again keying in that OTP or pincode from 2FA can also be stolen from the browser as the user still has to key it in from the keyboard....
 
LVL 23

Expert Comment

by:Eirman
ID: 41714777
Valid/useful suggestions were made. Points should be awarded according to merit.
Don't delete this just because the OP couldn't be bothered to close the question.
 
LVL 61

Assisted Solution

by:btan
btan earned 142 total points
ID: 41714929
In short, your machine being unsecured does not mean that the bank is not secured. There is a secure channel point to point, data is protected, and fraud detection is available. However not all financial institutions are in tip-top security composure. Just look at the recent Bangladesh FI transacting through SWIFT.
Whether this conjecture is valid or not, SWIFT is now moving to address the issue. Point one of the five point plan is to 'drastically improve information sharing'. "We will demand more information of our customers," said Liebbrandt, "and share that back with the community. The ambition is to do on an international scale what banks in several countries are already doing domestically. We will do it in a confidential way that uses the data while protecting the identity of the institution and customers."

Not one of the other four points was given more than a single sentence. They are, to "harden security requirements for customer-managed software"; to "develop security audit frameworks for customers"; to "support banks' increased use of payment pattern controls to identify suspicious behavior"; and to "introduce certification requirements for third party providers".
http://www.securityweek.com/swift-bolsters-threat-intelligence-sharing

There is no silver bullet and it is also the customer's responsibility to ensure their security state and not rely only on the FI. If the keylogger exists in your machine, obviously it doesn't really matter that the FI is secured, though they can prevent fraud.. the obligation is on you as customer too.
 
LVL 61

Expert Comment

by:btan
ID: 41714932
Consider
ID: 40475935
ID: 40476068
ID: 40476154
ID: 40476177
ID: 40792949
ID: 40793318
ID: 41714929