Is my computer at work secured?

Hello. I'm from Mauritius. I have noticed something really strange using my internet banking for transactions. I stored all my money in the most prestigious bank in Mauritius. Last week I noticed something really amazing, unprofessional and not secured.
I have done a test to make sure that the banking system is well secured. I have downloaded a free software called Refog Keylogger (you all know that) to test if my password is shown. I have installed the software on my PC in hidden mode, so nobody can view the software even under the taskbar or Program Files. I used a shortcut key to launch this program.

I logged into my internet banking, put in my username and password, and then logged off.

I opened the software and went to the keystrokes typed, and I was really shocked: I saw my username and password in full. Also note that I have used a complex password.

I just imagine how many people are using their internet banking at work and are not secured.

Do you think that the bank can encrypt the data, or secure the site? I want to inform the media about that.

Please let me know what you think.

Eirman (Chief Operations Manager) commented:
If you can log/capture your keystrokes, then any spyware buried in your system can do the same.
Do you use any type of hand-held device when logging in?

I have accounts with three Irish banks.
If I want to add or amend a payee, standing order or direct debit,
I have to enter a password into my handheld device,
then enter the 8 digits shown on the monitor,
then enter the code given back by the device.

If anyone was logging my keystrokes they just might be able to log into my account,
but would not be able to do anything to compromise it.
I also get text & letter notification of changes to my accounts.

I also have Rapport Security as supplied by one of the banks (RBS/Ulster).
If you don't have any of the above, consider using a dedicated computer for banking and banking alone. Leave it disconnected from the internet when not in use.

Schuyler Dorsey commented:
For a business to protect their users against this attack, they would need to employ defense in depth.

Many antivirus suites will block the use of keyloggers and remove them from the PC if found. Application whitelisting would prevent the keylogger from running if it bypassed AV. Efficient perimeter security could prevent the credentials from being exfiltrated (DLP, content filtering, proper ACLs).

And if your bank supports it, you can opt in to two-factor authentication. So in addition to your password, you would need something else to log in. One example: it could text a one-time passcode to your mobile phone, and you have to type that into the website after logging in with your password.
Eirman (Chief Operations Manager) commented:
I forgot to say .... consider a VPN service, especially if you travel a lot.

Schuyler Dorsey commented:
^ I agree this is generally a good idea but does not protect against a keylogger/malware running on the PC.
I saw some German web banking interface that used a two-step identification for logging in: first a name/password identification, and afterwards a screen keypad where 2 random digits of a longer number were to be entered with mouse clicks.

That makes it much nastier to eavesdrop on an account (while it's still not impossible). But that would only allow one to take a look at the account data. Nearly all of the banking interfaces I've seen use a TAN (TransAction Number) procedure to secure transactions ... "one from a printed list", "a named TAN from a printed list", "a TAN sent by SMS to a mobile phone" or "a TAN generated by a device with data from the interface and a generator device". That way some hacker might see how much money is on the account, but he can't transfer it to another account.

The "lousiest" solution I've seen for securing transactions is a separate password for transactions.
"I wanna inform the media about that" - you shouldn't. Keyloggers record keystrokes - there's nothing special about that the media doesn't already know. You have learned that you should not use untrusted computers for online banking, be it at work or elsewhere.
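The two comments above make the same defensive point from two sides: a one-time code texted to a phone, or a TAN generated by a device from the transaction data, stops a keylogged password (or even a keylogged TAN) from being enough to move money. The following is an added example, not code from the thread or from any bank, that models why. It assumes a device-style TAN computed as an HMAC-SHA256 over a server challenge plus the payee and amount (truncated to 6 digits in the HOTP manner of RFC 4226); the `Transfer`, `TanDevice` and `BankServer` names, the account strings and the message layout are all constructed for this illustration.

```python
"""Transaction-bound TAN verification (constructed example).

Shows that a TAN which is single-use and bound to the transfer details
cannot be replayed, reused on another transfer, or kept valid when the
browser swaps the payee behind the user's back.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Transfer:
    """The details the TAN is bound to (constructed for this example)."""
    dest_account: str
    amount_cents: int

    def encode(self) -> bytes:
        return f"{self.dest_account}|{self.amount_cents}".encode()


def derive_tan(secret: bytes, challenge: bytes, transfer: Transfer) -> str:
    """HMAC-SHA256 over challenge + transfer details, truncated to 6 digits.
    HMAC and the dynamic truncation follow RFC 4226; the message layout
    (challenge|account|amount) is this example's own assumption."""
    digest = hmac.new(secret, challenge + b"|" + transfer.encode(), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


class TanDevice:
    """Customer-side generator. The shared secret lives only in the device,
    so no keystroke ever carries it; the user reads the transfer details on
    the device display before the code is produced."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def generate(self, challenge: bytes, transfer_shown_on_device: Transfer) -> str:
        return derive_tan(self._secret, challenge, transfer_shown_on_device)


class BankServer:
    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending: Dict[bytes, Transfer] = {}   # challenge -> transfer as submitted
        self._used: Set[bytes] = set()               # challenges already consumed

    def start_transfer(self, transfer: Transfer) -> bytes:
        """Record the transfer exactly as the browser submitted it and issue a fresh challenge."""
        challenge = secrets.token_bytes(8)
        self._pending[challenge] = transfer
        return challenge

    def confirm(self, challenge: bytes, tan: str) -> bool:
        """Accept the TAN only if the challenge is unused and the code matches
        the transfer recorded for it. The challenge is consumed either way."""
        if challenge in self._used or challenge not in self._pending:
            return False
        expected = derive_tan(self._secret, challenge, self._pending.pop(challenge))
        self._used.add(challenge)
        return hmac.compare_digest(expected, tan)


def run_scenarios() -> Dict[str, bool]:
    """Returns whether the bank accepted each scenario's transfer."""
    secret = secrets.token_bytes(32)      # provisioned out of band at enrolment
    device, bank = TanDevice(secret), BankServer(secret)
    intended = Transfer("MU00 INTENDED PAYEE", 10_000)   # constructed values
    attacker = Transfer("XX00 ATTACKER ACCT", 10_000)
    results: Dict[str, bool] = {}

    # 1. Honest transfer: device input matches what the bank recorded.
    ch = bank.start_transfer(intended)
    tan = device.generate(ch, intended)
    results["honest_transfer"] = bank.confirm(ch, tan)

    # 2. Replay: a keylogger captured the password and this TAN; sending the
    #    same challenge and TAN again fails because the challenge is used.
    results["replayed_tan"] = bank.confirm(ch, tan)

    # 3. Captured TAN on a new transfer: the bank issues a new challenge and
    #    expects a code over the attacker's payee, so the old code mismatches.
    ch2 = bank.start_transfer(attacker)
    results["captured_tan_on_new_transfer"] = bank.confirm(ch2, tan)

    # 4. Man-in-the-browser swap: the browser submits the attacker's payee,
    #    but the code the user generates covers the details on the device
    #    display (the transfer they intended), so it does not verify.
    ch3 = bank.start_transfer(attacker)
    results["details_swapped_in_browser"] = bank.confirm(ch3, device.generate(ch3, intended))
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:32s} accepted={accepted}")
```

The point for the original question: the keylogger still sees the password and whatever TAN the user types, but because the bank verifies the code against a fresh challenge and the recorded payee and amount, none of what it captured lets a third party complete a different transfer. An SMS or printed-list TAN that is single-use gives scenarios 1 and 2; only a device that includes the transaction data also gives 3 and 4.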
Spankin (IAM Specialist) commented:
All has already been said here: the keylogger works on your machine, and your machine is not encrypted by the bank's certificate. It's exactly the same as if someone was watching your keyboard behind your back while you type your credentials. Would you inform the media about this? :) A secure connection using the SSL/TLS protocols protects your username/password on the network, between your computer, where it's encrypted, and the bank, where it's decrypted. What happens on your computer and in the bank's computers is in people's hands.
btan (Exec Consultant) commented:
Typically if a keylogger is (already) in the machine, the app whitelisting program like AppLocker, or anti-malware (or hopefully AV) can flag an error and block the sniffing attempt, but assuming the logger is undetected due to "legit" presence (no signature, signed by a trusted publisher, etc.), all keystrokes can be siphoned off.

The threat is common and known as "man in the browser" (via BHO or plugin etc.) with e-banking crimeware (e.g. Zeus is the big "leader" in this family) exploiting in-browser vulnerabilities or a poorly protected client machine; the malicious s/w "infects" and intercepts your browser, and nothing is covered, even for SSL traffic.

Go preventive - this is really locking down that station:
e.g. no admin,
e.g. go for app whitelisting (still),
e.g. patch readily and have up-to-date AV signatures on the machine, and
e.g. go for defense in depth (add on to existing security s/w) with endpoint protection using host intrusion prevention or equiv.
(see Invincea and vSentry)

....Even if it really is internet banking with 2FA, which most banks already mandate...but then again, keying in that OTP or PIN code from 2FA can also be stolen from the browser, as the user still has to key it in from the keyboard....
Eirman (Chief Operations Manager) commented:
Valid/useful suggestions were made. Points should be awarded according to merit.
Don't delete this just because the OP couldn't be bothered to close the question.
btan (Exec Consultant) commented:
In short, your machine being unsecured does not mean that the bank is not secured. There is a secure channel point to point, data is protected and fraud detection is available. However, not all financial institutions are in tip-top security composure. Just look at the recent Bangladesh FI transacting through SWIFT.
Whether this conjecture is valid or not, SWIFT is now moving to address the issue. Point one of the five point plan is to 'drastically improve information sharing'. "We will demand more information of our customers," said Liebbrandt, "and share that back with the community. The ambition is to do on an international scale what banks in several countries are already doing domestically. We will do it in a confidential way that uses the data while protecting the identity of the institution and customers."

Not one of the other four points was given more than a single sentence. They are, to "harden security requirements for customer-managed software"; to "develop security audit frameworks for customers"; to "support banks' increased use of payment pattern controls to identify suspicious behavior"; and to "introduce certification requirements for third party providers".

There is no silver bullet, and it is also the customer's responsibility to ensure their security state and not rely only on the FI. If the keylogger exists in your machine, it obviously doesn't really matter whether the FI is secured, though they can prevent fraud..the obligation is on you as the customer too.