  • Bank-Grade Security

    Posted on July 25th, 2018 at 01:15 Kirsty Comment on the AskWoody Lounge

    Before you do your online banking next, you might like to check out a website that rates the security of bank websites. It might have you rethinking just how secure they are.

    Bank Grade Security
    When companies say they have “Bank Grade Security” they imply that it is a good thing.
    In reality banks have poor security

    Check it out at https://bankgradesecurity.com/

    And while you are looking at online security issues, today marks the release of Chrome 68, which marks sites not using HTTPS as insecure. Security researchers Troy Hunt and Scott Helme have just launched a new website listing websites not using https. It’s not reassuring to see universities, government departments and many popular sites not using https yet, but there are early reports of sites changing to https as a result.

    You’ll find it at https://whynohttps.com



    This topic contains 45 replies, has 18 voices, and was last updated by Schnarph 4 months, 3 weeks ago.

    • #205651 Reply

      Kirsty
      AskWoody MVP

      Before you do your online banking next, you might like to check out a website that rates the security of bank websites. It might have you rethinking j
      [See the full post at: Bank-Grade Security]

      10 users thanked author for this post.
    • #205657 Reply

      Kirsty
      AskWoody MVP

      There have been a lot of articles on the Chrome 68 https move, incl:

      HTTPS Awareness Raised in New Initiative
      on infosecurity-magazine.com (by Dan Raywood, July 24, 2018)

      Chrome 68 Released With Warnings on HTTP Sites, But Also Other Security Features
      on bleepingcomputer.com (by Catalin Cimpanu, July 24, 2018)

      4 users thanked author for this post.
    • #205660 Reply

      anonymous

      SO? What should we do to ‘stay safe’?
      Do https-everywhere and ublock and additional 3rd party extensions help?
      T.I.A.

      back to fishing for better dreams

    • #205680 Reply

      anonymous

      I for one do not do anything financial online because I never did think it was secure. I would suggest everyone go in to your bank and do your business. It’s safer. If you have to save time, do it somewhere else. If you want to buy something online, use a credit card. Never use a debit card for anything; you don’t have the same protection as a credit card. I don’t have a debit card. I use an ATM card to get cash when I need it.

      5 users thanked author for this post.
      • #205684 Reply

        Seff
        AskWoody Lounger

        This has always been my approach. I don’t handle any banking or investment/pension management online. I use my credit card for online purchases because these days you can’t avoid that, but that’s all, and a single card is easily monitored.

        I’ve always avoided online (and telephone) banking mainly for security reasons, but also because it’s no good not using the local bank branch and then complaining when it closes as so many are here in the UK. They serve a very useful role, and are deserving of support.

        So far as ATMs are concerned, I always withdraw cash from ATMs inside bank branches wherever possible, external ones are prone to abuse and whilst I’m not paranoid about such things it’s simply common sense to use an internal one where available – another reason to support your local bank branch and keep it open!

        5 users thanked author for this post.
        • #205917 Reply

          GoneToPlaid
          AskWoody Lounger

          I go one step further than what you describe in your first paragraph. I always order two backup cards for each of my accounts. These are “fall back” cards which are never used, unless I have to kill a card which was used at a location which was subsequently the victim of a data breach. I also have set all cards which my bank issues to alert me for any charges over zero cents. And finally, I implemented a voice-only password which my bank requires me to say whenever they call me about anything, so that my bank is further assured that they are talking to me and not to an imposter.

      • #205687 Reply

        jabeattyauditor
        AskWoody Lounger

        If you don’t setup online access to your financial accounts, someone else will. All the information needed to do so is available at low cost to those who will profit by using it.

        Plant your flag now, even if you’ll never use the access.

        3 users thanked author for this post.
        • #205797 Reply

          anonymous

          @ jabeattyauditor

          Are you sure?

          If your information is true, many people with or without online bank accounts would have their accounts drained already.

          • #205811 Reply

            Kirsty
            AskWoody MVP

            Are you sure?

            Luminaries such as Brian Krebs are of that opinion. From an article he published last month:

            Plant Your Flag, Mark Your Territory

            Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.

            6 users thanked author for this post.
            • #205841 Reply

              Bill C.
              AskWoody Lounger

              This strategy is recommended by Social Security and Medicare when you apply for benefits. Also remember US Federal agencies generally will NOT initiate contact for business by email, nor will the IRS.

              USPS mail only. Email contacts should be regarded as potentially fraudulent. Never click or reply. Always call by phone to verify any requests for contact by using an official number, not one in an email. Applies to telephone call scams about IRS investigations also.

              3 users thanked author for this post.
            • #205904 Reply

              Noel Carboni
              AskWoody MVP

              And always remember to vet phone numbers left in messages requesting you to call back. Look up their number in a trusted directory and use the one you looked up. If it happens to be the same number they left, you have a better feel for the contact being legitimate.

              -Noel

              3 users thanked author for this post.
            • #205974 Reply

              HiFlyer
              AskWoody Lounger

              Bill C #205841 wrote;
              “This strategy is recommended by Social Security and Medicare when you apply for benefits.”

              Unless there’s a recent change SSA will not allow an online account without a US address. OCONUS seniors are shut out.

              Go Figure.

            • #205918 Reply

              GoneToPlaid
              AskWoody Lounger

              Very true.

      • #205710 Reply

        anonymous

        I for one do not do anything financial online because I never did think it was secure. I would suggest everyone go in to your bank and do your business. It’s safer. If you have to save time, do it somewhere else. If you want to buy something online, use a credit card. Never use a debit card for anything; you don’t have the same protection as a credit card. I don’t have a debit card. I use an ATM card to get cash when I need it.

        That’s all well and good if you are able. There are multiple reasons doing such isn’t that easy for some people and it has nothing to do with saving time. I suppose I could call an agency and they would come and load me in a van and take me to my bank. The advent of online banking and other services was a huge step in allowing a handicapped person to do what you take for granted.

        There are trade offs for just about everything one does online. With a little forethought you can lean trade off odds in your favor.

        I can agree CC’s are a better bet than a debit card for most activities. I have sworn off using any CC, for me it’s a small trade off as I turn on/off my debit card as I use it. Sure beats my alternatives. Most items I buy online allow me to use PayPal, I don’t need a CC … YMMV

        Nothings perfect.

        1 user thanked author for this post.
      • #205737 Reply

        jstech
        AskWoody Lounger

        Debit cards have the same protection as credit cards if they both are a Visa. Read the fine print, it is there. The only difference is the process of how they deal with it. With a credit card you dispute the charges and they remove them fairly quickly. With a debit card the bank will not allow access to your account while they are dealing with the fraud on your account. It is a little more of a hassle with a debit card; you still get your money back though, usually within 2-3 business days.

        If you don’t like credit cards, have multiple banks. In this case if you become the victim of identity theft you always have your other bank to access funds while the other bank straightens out your account. Prepaid visa cards work well too for online purchases if you don’t want to use a debit card.

        Group A | Windows 7 Pro 64-bit | Windows 10 Pro 1803 64-bit
        1 user thanked author for this post.
        • #205780 Reply

          HiFlyer
          AskWoody Lounger

          @jstech #205737

          Instead of multiple banks why not two accounts with debit cards at the same bank.

          Works for me.😏

          2 users thanked author for this post.
          • #205823 Reply

            Schnarph
            AskWoody Lounger

            Same here. I never use my primary card for anything but ATM deposit/withdrawal and only at a branch of my bank. The second card is for online use; it even has “online checking” printed on the card. It does not allow for overdraft, so when the limit is hit the transaction is declined. I only keep enough in that account to cover automatic payments and purchases I intend to make. I get an email every time a charge is made, making monitoring rather easy.

            It might be a somewhat small credit union, but the site has been https since I joined it 6 years ago. Online banking downtime for updates/upgrades announced ahead of time are every couple of weeks. If I try to log in somewhere other than my home PC, I am denied and get an email alert. I didn’t even have to ask for 2 step verification, it was automatic.

            However, it doesn’t matter if you use online banking or ever buy anything online. I had a fraudulent charge a few years ago on a card I had never used. It was for $1, probably an attempt made by simply guessing numbers until one works. A few minutes later an attempted $500 charge at the Apple store for iTunes gift cards, which my bank declined as I didn’t have anywhere near that much in that account.

            1 user thanked author for this post.
            • #205824 Reply

              PKCano
              AskWoody MVP

              The $1 charge is frequently done by the vendor to prove the account is valid before approving a purchase. Once the transaction/purchase goes through, the $1 charge is removed. I know the Apple Store does this b/c I have purchased several items from them.

              4 users thanked author for this post.
            • #205942 Reply

              Schnarph
              AskWoody Lounger

              I’m aware of that practice. In this case the $1 charge was at a BBQ restaurant, followed by the $500 iTunes card attempt a couple of minutes later. Unrelated?

              3 users thanked author for this post.
            • #205973 Reply

              MrJimPhelps
              AskWoody MVP

              If you use your credit card at a gas pump in the US, they charge you $1, then a few days later the actual amount of purchase.

              Group "L" (Linux Mint)
              with Windows 8.1 running in a VM
              2 users thanked author for this post.
            • #206483 Reply

              Schnarph
              AskWoody Lounger

              Maybe the BBQ restaurant has a gas pump? Maybe it’s on an interstate highway? My point was that I had never used that card anywhere yet it was used somehow. Any point of sale transaction would have required a magnetic strip on a card. That’s fiction movie stuff, but I guess it’s based on something real. BTW, both charges were a few states away, over 1,000 miles. I have never been to that state in my life.

              I’m not saying any of you that responded to me are factually incorrect. Someone used my card # that I had never used or entered anywhere, that’s the gist.

              How’s the Equifax data breach fallout these days?

      • #205753 Reply

        anonymous

        I have never had a problem doing business online. But, if I’m going to log onto a bank or broker, I don’t use the same browser I’m using now. Or, if I want to use this browser, I’ll close it first before bringing it up again to access a financial site. I don’t want other content in the browser while it is being used for financial transactions.

        I follow the other rules, unique ID name (when possible) and unique password. I never pursued 2FA, but now Schwab requires it.

        I think it is a very bad policy for Paypal and Amazon to use email addresses as IDs because of all the email dumps out there.

        I haven’t done any financial transactions on a cell phone. I don’t like what I don’t understand. I understand Windows computer security very well.

        1 user thanked author for this post.
        • #205786 Reply

          anonymous

          I think it is a very bad policy for Paypal and Amazon to use email addresses as IDs because of all the email dumps out there.

          I agree using an email addy isn’t the best choice. I don’t use Amazon (getting harder and harder to avoid though) but with PayPal, using the Security Key feature adds a layer of protection. Every online account I use that offers 2 point verification I take advantage of.

          Might not be the cure all but I think it helps a lot.

          1 user thanked author for this post.
    • #205688 Reply

      BWB8771
      AskWoody Lounger

      If you don’t setup online access to your financial accounts, someone else will. All the information needed to do so is available at low cost to those who will profit by using it. Plant your flag now, even if you’ll never use the access.

      Fantastic point!

      1 user thanked author for this post.
      • #205765 Reply

        anonymous

        The best thing to do is use ATM cards instead of debit cards to withdraw cash. If you want to buy something in a store or online use a credit card. Remember once the money is out of your account because someone used a debit card good luck getting the bank to give it back to you. The banks are not your friend. Why look for trouble?

        1 user thanked author for this post.
    • #205690 Reply

      Clairvaux
      AskWoody Lounger

      Don’t get me started on this. My bank is asking for Flash in order to let me change my spending limit on my credit card. I thought people used to be shot for such security lapses?

      Also, it’s funny how some of the very worst offenders in the realm of Internet security are major government sites, which millions of tech-illiterate people are forced to use, and which hold extremely sensitive, personal information, the type that hackers would love to get their hands on in order to impersonate you or otherwise harm you. (I’m not in the US.)

      My favorite trick is running an SSL Labs test on them. The results are sometimes so appalling as to be laughable.

      One particular offender is the monopoly utility company which throws a Google captcha in your face, just in order to let you type your username and password. That captcha is in English — not the country’s language. Google’s captchas are exasperating enough for English-speaking geeks; now figure a lady born in 1940, with no higher education, no knowledge of foreign languages, and who absolutely needs to log in to the blasted site to pay her bills.

      7 users thanked author for this post.
      • #205692 Reply

        MrJimPhelps
        AskWoody MVP

        Try surfing to these banking sites with Firefox, with the NoScript add-on installed in Firefox. By doing this, you can see which sites are running scripts on that website. It is appalling to see that some banks are running Google scripts in the background. Why is that appalling, you ask? Because Google is continually vacuuming up as much info as they can; in other words, Google is watching when you are doing online banking! It is as if they are looking over your shoulder taking notes.

        Fortunately, NoScript allows you to block all scripts which Google (and others) is running.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        2 users thanked author for this post.
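        As an added illustration of what the NoScript approach surfaces, here is a small Python script that is not from this thread and is not part of NoScript or Firefox: it parses a constructed HTML login page and splits its external script sources into first-party and third-party hosts. The page, URL and host names are made up for the example; the "same site" test compares only the last two labels of a host name, a simplification that assumes ordinary two-label registrable domains.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class ScriptSourceParser(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            # Inline scripts have no src; boolean attrs (async) have value None
            if name == "src" and value:
                self.sources.append(value)


def site_of(host):
    """Approximate the registrable domain by keeping the last two labels.

    Simplification: fine for example-bank.test, wrong for co.uk-style suffixes.
    """
    return ".".join(host.lower().split(".")[-2:])


def script_origins(page_url, html):
    """Return (first_party_hosts, third_party_hosts) for a page's script tags."""
    parser = ScriptSourceParser()
    parser.feed(html)
    page_host = urlparse(page_url).hostname or ""
    first, third = set(), set()
    for src in parser.sources:
        # urljoin resolves relative ("/js/app.js") and scheme-relative ("//cdn/...") URLs
        host = urlparse(urljoin(page_url, src)).hostname or page_host
        if site_of(host) == site_of(page_host):
            first.add(host)
        else:
            third.add(host)
    return sorted(first), sorted(third)


# Constructed sample: a made-up bank login page (not a real site)
SAMPLE_URL = "https://online.example-bank.test/login"
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-bank.test/js/vendor.js"></script>
<script src="//www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script src="https://www.google-analytics.com/analytics.js" async></script>
<script>window.dataLayer = [];</script>
</head><body><form action="/login" method="post"></form></body></html>
"""

if __name__ == "__main__":
    first_party, third_party = script_origins(SAMPLE_URL, SAMPLE_HTML)
    print("First-party script hosts:", first_party)
    print("Third-party script hosts:", third_party)
```

Running it on the sample prints the two bank hosts as first-party and the two Google hosts as third-party, which is the same split NoScript shows in its per-site menu; on a real page you would feed the function the HTML you fetched plus the URL it came from.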
        • #205760 Reply

          anonymous

          uMatrix can take the place of NoScript and RequestPolicy. While there is a learning curve, once learned, all connections to 3rd party sites can be blocked.

          1 user thanked author for this post.
    • #205691 Reply

      MrJimPhelps
      AskWoody MVP

      The bank where one of my accounts is put a link to a security testing site, suggesting that I see how secure my bank is for online banking. That bank, the one who put the link on their website, rated “F” on the security testing site! I told them about it, and they said, “Our IT people assure us that we are secure.”

      If their IT people are so clueless as to post a link to a security testing site which rates them an “F”, then I would say that you can’t depend on what their IT folks are telling you!

      Group "L" (Linux Mint)
      with Windows 8.1 running in a VM
      8 users thanked author for this post.
    • #205695 Reply

      HiFlyer
      AskWoody Lounger

      abine.com offers masking of email, credit cards, etc.

      $50 maximum loss protection of credit card (by US law) may not exist with some foreign issuers. YMMV.

      1 user thanked author for this post.
    • #205711 Reply

      CADesertRat
      AskWoody Lounger

      My US bank isn’t even listed on that site although when I go to my bank site it is https.

      • #205713 Reply

        MrJimPhelps
        AskWoody MVP

        Very few banks are listed on that site.

        Group "L" (Linux Mint)
        with Windows 8.1 running in a VM
        • #205874 Reply

          Kirsty
          AskWoody MVP

          The site is being updated as new results are available. From their Twitter correspondence:

          It will be updated every month for now, hoping to make it more frequent soon.

          2 users thanked author for this post.
    • #205754 Reply

      jescott418
      AskWoody Lounger

      Yeah I used to do a lot more bill paying and banking online but not anymore. Today much of my bills are paper and I write checks and pay them through the mail system. My bank online system has been hacked at least partially a few times, once so bad they had to shut down access. A couple of my utility companies have also noted a couple partial breaches. I am glad Chrome is pushing security, but I also know many sites that should be more protected are not and apparently have not learned from others’ failures.

      1 user thanked author for this post.
    • #205793 Reply

      HiFlyer
      AskWoody Lounger

      Excerpt From Krebs article:

      “Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses.”

      https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/

      1 user thanked author for this post.
    • #205906 Reply

      Noel Carboni
      AskWoody MVP

      Here’s an open, leading question:

      If more security is better, what is the downside of everything having to be encrypted and decrypted?

      It takes more communications time to manage the security handshake and more CPU time to encrypt and decrypt data, both on the sending end and on the receiving end.

      Thus we are waiting longer for results and things cost incrementally more.

      How much more?

      – If every message is encrypted, servers aren’t able to handle as much traffic, leading to web site slowdowns and the potential need by those running sites to purchase more expensive service.

      – An older client system might be acceptable for use for a little less time.

      How much longer are we waiting for websites? How much more are we paying for things? How much more of our lives are wasted?

      Food for thought.

      -Noel

      3 users thanked author for this post.
      • #205912 Reply

        b
        AskWoody Lounger

        And all emails and web pages should be text only because we waste money, space and time with pictures.

        How much more?
        How much longer are we waiting for websites?
        How much more are we paying for things?
        How much more of our lives are wasted?

        Not enough to worry about.

        Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant "Toxic drinker"

        • #205937 Reply

          anonymous

          ASCII art is due for a revival.

          1 user thanked author for this post.
    • #205908 Reply

      Tiny
      AskWoody Lounger

      To me, it looks like a list of a few banks with some numbers in pretty colors. What I don’t see is any information on where the numbers come from or what they mean. I assume the numbers might be rating a bank’s online security instead of physical security. My bank tracker shows the opposite results.

      Where am I? What am I doing in this hand basket?

      • #205920 Reply

        Kirsty
        AskWoody MVP

        I assume the numbers might be rating a bank’s online security

        Yes. If you click on those results, it takes you to the bank’s detailed results, i.e. for Bank of America

    • #205939 Reply

      anonymous

      https://www.bleepingcomputer.com/news/security/leader-of-carbanak-cobalt-hacker-group-who-stole-over-1bil-arrested-in-spain/ (Leader of Carbanak (Cobalt) Hacker Group Who Stole Over €1BIL Arrested in Spain – 26 Mar 2018)
      https://www.zdnet.com/article/europol-tracks-down-suspected-leader-of-carbanak-malware-campaigns/ (26 March 2018)

      Europol announced today that Spanish police have arrested a man suspected of being the mastermind behind the Carbanak hacking group, known for some of the biggest bank cyber-heists in recent years.

      Europol said the Carbanak gang —also known as Cobalt— had carried out over 100 hacks across 40 different countries, stealing over €1 billion ($1.24 billion), with a hack average of €10 million ($12.4 million) per heist. …

      Once they gained access to these systems, hackers chose one of three methods of stealing money.

      The first was to coordinate with money mule groups and make ATMs spit out cash at a predetermined hour and day. Money mules would pick up the funds, some of which would end up back with the Carbanak group after intermediaries took their cuts.

      Second, the Carbanak group would transfer money from legitimate accounts to the ones they or their money mules owned, who would then empty accounts at ATMs, or use the accounts to buy expensive products and launder the money.

      Third, crooks would use their access to the bank’s internal network to artificially inflate the money balance of accounts created by money mules in advance, without transferring funds from other accounts. Same as before, money mules would empty accounts as soon as possible.

      https://www.zdnet.com/article/the-dark-web-how-much-is-your-bank-account-worth/ (20 March 2018)

      The Dark Web: How much is your bank account worth?

      Researchers explore just how much our bank accounts, identities, and more are worth to customers in the web’s underbelly. …

      While card numbers are big business, access to accounts is also hot property.
      According to the researchers, accounts with a balance of roughly $3,000 from Bank of America, JPMorgan Chase and Wells Fargo are being hawked for $300, while bank login information for accounts belonging to the same banks with balances of up to $15,000 is being sold for between $200 and $1,000.

      http://www.bbc.com/news/business-37891742 (7 Nov 2016 – Tesco Bank’s chief executive has blamed “a systematic, sophisticated attack” for the money taken from 20,000 of its customer accounts.)
      https://thehackernews.com/2013/05/the-biggest-bank-robbery-in-history.html (10 May 2013 – A gang of cyber-criminals operating in 26 countries stole $45 million by hacking their way into a database of prepaid debit cards.)

      Isolated cases of individual online banking accounts being hacked, identity stolen and drained/looted may not be refunded by the banks, eg … http://says.com/my/news/man-online-banking-account-hacked
