Bank logon via internet - Security aspects

[rredbeak]

Dont worry,
i just set mine up the same and Drag n Drop is much quicker than putting in the numbers by hand.

works well TY

Cheers Rod

[Old Techo]

G'day Rod,

Sorry, old son, I now see your 3 posts. I've been out collecting some road-kill and cooking tucker... and we are still at home.

Not sure that I understand your bank logon technique. You may be talking Westpac? When you use the mouse to highlight numbers do those numbers appear elsewhere in a small window as dots? If so this is the onscreen keyboard method I mentioned and is potentially vulnerable to clever key-loggers that monitor data entry windows. They see what is entered in the window whatever the mechanism for entry.

I don't mean to create any panic about internet banking which is predominantly very safe. Most issues are slack-user related, like everything else in life. I'm merely identifying some of the better techniques to minimise risk. Drag and drop appears to be the last challenge for key-loggers to overcome but they may eventually prevail. I don't have the intimate knowledge of this low level software to appreciate the precise process. I developed my technique merely to stay well ahead of the pack. If you keep your poota as clean as your house there should be bugga-orl risk.

Regards

[rredbeak]

Ho OT,
yes,its westpac logon.

the first bunch of numbers is via MY keyboard.

the second bunch is via my mouse and THEIR website and they come up as black dots.

But im using your method anyway and all is sweet.

Cheers Rod

that roadkill smells great.

[Old Techo]

Further to key-loggers and 'drag and drop' versus 'copy and paste'. You can try this yourself.

Basic key-loggers monitor physical keyboard typing i.e. each key you hit is recorded. To avoid this you may get your password from another file and then use the 'copy and paste' technique to place it into your bank account logon window. When you carry out the 'copy' phase your password is placed on the Windows 'Clipboard' and when you do the 'paste' it is retrieved from the 'clipboard' (and remains there as well). The smarter key-loggers can read the 'clipboard' info as you complete the 'paste' phase so you are still at risk.

Do this test. Open any document file or create an email. Write something like: clipboard dragged. Now use the mouse to highlight only the word clipboard and then use the copy/paste function and a copy of the word clipboard appears. Paste again and another copy appears. The clipboard retains the info.

Now using the mouse highlight the word dragged and then literally drag it to somewhere else on the document. Now perform another paste function. What appears? clipboard still appears, because it is still stored in the Clipboard (not over-written) whereas dragged was not. So a key-logger that reads the Clipboard can see copy/paste contents but not see what is 'dragged and dropped'.

Please note this is my idea and test to demonstrate my point about 'drag and drop'. I am not passing on known techniques developed and proven by experts so please don't accept it as gospel. The facts are key-loggers are real and copy/paste can be monitored. Drag and drop can only be an improvement. You are most vulnerable when using a public internet service. If you do use at home the method I previously outlined you may still be able to do so in public places if they offer USB access. Just keep your encrypted data as a text file on a USB memory stick.

Regards

[Tusitala]

Good topic and very "topical" if you'll pardon the pun.

An added security measure can be found in Trend Micro's Internet Pro suite in the form of keystroke encryption.

A definite must for wi-fi use and not a bad feature for general use when logging on to net banking etc.

In addition to this, if your bank offers an SMS confirmation service please use it.

Unless I have pre-arranged an account to transfer money to, my bank [NAB] will not allow transfer out of any of my accounts until I key in a unique and one time only 9 digit password that they send to me via SMS at the point of transaction.

I suppose if I can actually be hacked and this hacker just happens to have my mobile phone in his pocket then I guess the system is flawed.

Until then its fairly safe.

[Old Techo]

Thanks Dennis for that extra info. I was specifically addressing the key-logger threat and not giving general advice. No harm though in expanding the topical topic. There is a lot of good general advice available from professional sources, including banks. As you mentioned there are various proprietary encryption tools. They range in their ability and convenience of use. The NAB sms technique is excellent but not all banks offer it.

[peter915]

I use Kaspersky Anti Virus on my PC, have done so for many years.
This does work, stops all key loggers and many other forms and types of virus.
Good gear. Has auto update which is usually very quick.
Good support team also.

See
http://support.kaspersky.com/

[BrettAltea]

I agree Peter. I use Norton 360 myself (much more user-friendly than most). A good security suite is the best protection of all.

I have never had a virus or key logger in my life, and I use the computer fairly extensively.

However - make sure you know what programs you are putting on your computer! If you use a lot of free (or even hacked) programs be very careful of the source. Things from Google/Adobe etc are fine but if it is from a company that you have never heard about then Google the program first before installing.

Cheers
Brett

[Old Techo]

I keep a file of all my passwords and that's no good either as if the puter is hacked they have them as well. I have made the folder hidden

G'day DT,

I did that in the old days but was never comfortable with it. I'd prefer to have stuff written on paper and find a good hidey spot well away from the poota. These days I have a security file on a memory stick and keep it locked in my safe. It contains about 50 various logins, some rarely used and they are the ones forgotten.

For regular (daily) stuff like banking I don't hide my password away in another place, I bury it where it is plainly visible. I explained this over 4 years ago. Check here and also the rest of the thread... http://www.candm.com.au/forum/viewtopic ... 412#p44412

More recently I have refined the process having switched to Win 7. In my favourites I have entries such as this ANZ bank logon.... https://www.anz.com/INETBANK/bankmain.asp#1749379105823 and feel free to click on it as a test.

Years ago I found by experimenting that the # character works as a URL delimiter. All I did at the end of the ANZ URL was add a # symbol plus my account number. Now as soon as you click on this URL it brings up the ANZ logon screen. If you take your mouse up to the URL and place it somewhere over the account number and double left click it will highlight just the number (I've shown in red box) now hold and drag it down following the red arrow. So you have entered your account number in about 2 seconds. For the password refer to my old thread link.