Bank-Grade Security

Topic

New Reply

Before you do your online banking next, you might like to check out a website that rates the security of bank websites. It might have you rethinking j
[See the full post at: Bank-Grade Security]

10 users thanked author for this post.

Noel Carboni, Bill C., walker, PhotM, Elly, b, cesmart4125, woody, ch100

Reply | Quote

Replies

There have been a lot of articles on the Chrome 68 https move, incl:

HTTPS Awareness Raised in New Initiative
on infosecurity-magazine.com (by Dan Raywood, July 24, 2018)

Chrome 68 Released With Warnings on HTTP Sites, But Also Other Security Features
on bleepingcomputer.com (by Catalin Cimpanu, July 24, 2018)

4 users thanked author for this post.

Noel Carboni, Bill C., Elly, HiFlyer

Reply | Quote

Kirsty wrote:

Before you do your online banking next, you might like to check out a website that rates the security of bank websites. It might have you rethinking j[See the full post at: Bank-Grade Security]

@Kirsty;

You do good work.  Thank you very much.  Continue the march.🍝😁

5 users thanked author for this post.

Kirsty, Elly, BobbyB, cesmart4125, woody

Reply | Quote

There will be even more articles about Chrome 68 when the “lets render yellow” improvement hits the unsuspecting masses…

https://bugs.chromium.org/p/chromium/issues/detail?id=847024

Reply | Quote

Fairly simple workaround now at Comment 59 there.

Reply | Quote

SO? What should we do to ‘stay safe’?
Does https-everywhere and ublock and additional 3rd party extension helps?
T.I.A.

back top fishing for better dreams

Reply | Quote

I for one do not do anything financial on line because I never did think it was secure.  I would suggest everyone go in to your bank and do your business. Its safer. If you have to save time do it somewhere else.  If you want to buy something on line using a credit card. Never use a debit card for anything, You don’t have the same protection as a credit card. I don’t have a debit card.  I use a ATM card to get cash when I need it.

5 users thanked author for this post.

Elly, Bill C., HiFlyer, BobbyB, Seff

Reply | Quote

This has always been my approach. I don’t handle any banking or investment/pension management online. I use my credit card for online purchases because these days you can’t avoid that, but that’s all, and a single card is easily monitored.

I’ve always avoided online (and telephone) banking mainly for security reasons, but also because it’s no good not using the local bank branch and then complaining when it closes as so many are here in the UK. They serve a very useful role, and are deserving of support.

So far as ATMs are concerned, I always withdraw cash from ATMs inside bank branches wherever possible, external ones are prone to abuse and whilst I’m not paranoid about such things it’s simply common sense to use an internal one where available – another reason to support your local bank branch and keep it open!

5 users thanked author for this post.

GoneToPlaid, David F, Elly, HiFlyer, BobbyB

Reply | Quote

I go one step further than what you describe in your first paragraph. I always order to backup cards for each of my accounts. These are “fall back” cards which are never used, unless I have to kill a card which was used at a location which was subsequently the victim of a data breach. I also have set all cards which my bank issues to alert me for any charges over zero cents. And finally, I implemented a voice only password which my bank requires me to say whenever they call me about anything, so that my bank is further assured that they are talking to me and not to an imposter.

Reply | Quote

If you don’t setup online access to your financial accounts, someone else will. All the information needed to do so is available at low cost to those who will profit by using it.

Plant your flag now, even if you’ll never use the access.

3 users thanked author for this post.

Bill C., Kirsty, HiFlyer

Reply | Quote

@ jabeattyauditor

Are you sure ?

If your information is true, many people with or without online bank accounts would have their accounts drained already.

Reply | Quote

anonymous wrote:

Are you sure ?

Luminaries such as Brian Krebs are of that opinion. From an article he published last month:

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.

6 users thanked author for this post.

AlexEiffel, walker, HiFlyer, GoneToPlaid, Elly, Bill C.

Reply | Quote

This strategy is recommended by Social Security and Medicare when you apply for benefits. Also remember US Federal agencies generally will NOT initiate contact for business by email, nor will the IRS.

USPS mail only. Email contacts should be regarded as potentially fraudulent. Never click or reply. Always call by phone to verify any requests for contact by using an official number, not one in an email. Applies to telephone call scams about IRS investigations also.

3 users thanked author for this post.

walker, HiFlyer, Elly

Reply | Quote

And always remember to vet phone numbers left in messages requesting you to call back. Look up their number in a trusted directory and use the one you looked up. If it happens to be the same number they left, you have a better feel for the contact being legitimate.

-Noel

3 users thanked author for this post.

geekdom, walker, HiFlyer

Reply | Quote

Bill C #205841 wrote;
“This strategy is recommended by Social Security and Medicare when you apply for benefits.”

Unless there’s a recent change SSA will not allow an online account without a US address.   OCONUS seniors are shut out.

Go Figure.

Reply | Quote

Very true.

Reply | Quote

I for one do not do anything financial on line because I never did think it was secure.  I would suggest everyone go in to your bank and do your business. Its safer. If you have to save time do it somewhere else.  If you want to buy something on line using a credit card. Never use a debit card for anything, You don’t have the same protection as a credit card. I don’t have a debit card.  I use a ATM card to get cash when I need it.

That’s all well and good if you are able.  There are multiple reasons doing such isn’t that easy for some people and it has nothing to do with saving time. I suppose I could call an agency and they would come and load me in a van and take me to my bank. The advent of online banking and other services was a huge step in allowing a handicapped person to do what you take for granted.

There are trade offs for just about everything one does online. With a little forethought you can lean trade off odds in your favor.

I can agree CC’s are a better bet than a debit card for most activities. I have sworn off using any CC, for me it’s a small trade off as I turn on/off my debit card as I use it. Sure beats my alternatives. Most items I buy online allow me to use PayPal, I don’t need a CC … YMMV

Nothings perfect.

1 user thanked author for this post.

Elly

Reply | Quote

Debit cards have the same protection as credit cards if they both are a Visa. Read the fine print, it is there. The only difference is the process of how they deal with it. With a credit card you dispute the charges and they remove them fairly quick. With a debit card the bank will not allow access to your account while they are dealing with the fraud on your account. It is a little more of a hassle with a debit card, you still get your money back though, usually within a 2-3 business days.

If you don’t like credit cards, have multiple banks. In this case if you become the victim of identity theft you always have your other bank to access funds while the other bank straightens out your account. Prepaid visa cards work well too for online purchases if you don’t want to use a debit card.

Group A | Windows 7 Pro 64-bit | Windows 10 Pro 1809 64-bit

1 user thanked author for this post.

HiFlyer

Reply | Quote

@jstech #205737

Instead of multiple banks why not two accounts with debit cards at the same bank.

Works for me.😏

2 users thanked author for this post.

JSTechGeek, Schnarph

Reply | Quote

Same here. I never use my primary card for anything but ATM deposit/withdraw and only at a branch of my bank. The second card is for online use, it even has “online checking” printed on the card. It does not allow for overdraft, so when the limit is hit the transaction is declined. I only keep enough in that account to cover automatic payments and purchases I intent to make. I get an email every time a charge is made, making monitoring rather easy.

It might be a somewhat small credit union, but the site has been https since I joined it 6 years ago. Online banking downtime for updates/upgrades announced ahead of time are every couple of weeks. If I try to log in somewhere other than my home PC, I am denied and get an email alert. I didn’t even have to ask for 2 step verification, it was automatic.

However, it doesn’t matter if you use online banking or ever buy anything online. I had a fraudulent charge a few years ago on a card I had never used. It was for $1, probably an attempt made by simply guessing numbers until one works. A few minutes later an attempted $500 charge at the Apple store for iTunes gift cards, which my bank declined as I didn’t have anywhere near that much in that account.

1 user thanked author for this post.

HiFlyer

Reply | Quote

The $1 charge is frequently done by the vendor to prove the account is valid before approving a purchase. Once the transaction/purchase goes through, the $1 charge is removed. I know the Apple Store does this b/c I have purchased several items from them.

4 users thanked author for this post.

walker, HiFlyer, Schnarph, Bill C.

Reply | Quote

I’m aware of that practice. In this case the $1 charge was at a BBQ restaurant, followed by the $500 iTunes card attempt a couple of minutes later. Unrelated?

3 users thanked author for this post.

walker, HiFlyer, Kirsty

Reply | Quote

If you use your credit card at a gas pump in the US, they charge you $1, then a few days later the actual amount of purchase.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

2 users thanked author for this post.

Schnarph, HiFlyer

Reply | Quote

Maybe the BBQ restaurant has a gas pump? Maybe it’s on an interstate highway? My point was that I had never used that card anywhere yet it was used somehow. Any point of sale transaction would have require a magnetic strip on a card. That’s fiction movie stuff, but I guess it’s based on something real. BTW, both charges were a few states states way,  over 1,000 miles. I have never been to that state in my life.

I’m not saying any of you that responded to me are factually incorrect. Someone used my card # that I had never used or entered anywhere, that’s the gist.

How’s the Equifax data breach fallout these days?

Reply | Quote

I have never had a problem doing business online.   But, if I’m going to log onto a bank or broker, I don’t use the same browser I’m using now.   Or, if I want to use this browser, I’ll close it first before bringing it up again to access a financial site.    I don’t want other content in the browser while it is being used for financial transactions.

I follow the other rules, unique ID name (when possible) and unique password.   I never pursued 2FA, but now Schwab requires it.

I think it is a very bad policy for Paypal and Amazon to use email addresses as IDs because of all the email dumps out there.

I haven’t done any financial transactions on a cell phone.   I don’t like what I don’t understand.    I understand Windows computer security very well.

1 user thanked author for this post.

HiFlyer

Reply | Quote

I think it is a very bad policy for Paypal and Amazon to use email addresses as IDs because of all the email dumps out there.

I agree using an email addy isn’t the best choice. I don’t use Amazon (getting harder and harder to avoid though) but with PayPal, using the Security Key feature adds a layer of protection. Every online account I use that offer’s  2 point verification I take advantage of.

Might not be the cure all but I think it helps a lot.

1 user thanked author for this post.

HiFlyer

Reply | Quote

jabeattyauditor wrote:

If you don’t setup online access to your financial accounts, someone else will. All the information needed to do so is available at low cost to those who will profit by using it. Plant your flag now, even if you’ll never use the access.

Fantastic point!

1 user thanked author for this post.

HiFlyer

Reply | Quote

The best thing to do is use ATM cards instead of debit cards to withdraw cash. If you want to buy something in a store or online use a credit card.  Remember once the money is out of your account because someone used a debit card good luck getting the bank to give it back to you.  The banks are not your friend.  Why look for trouble?

1 user thanked author for this post.

Mele20

Reply | Quote

Don’t get me started on this. My bank is asking for Flash in order to let me change my spending limit on my credit card. I thought people used to be shot for such security lapses ?

Also, it’s funny how some of the very worst offenders in the realm of Internet security are major government sites, which millions of tech-illiterate people are forced to use, and which hold extremely sensitive, personal information, the type that hackers would love to get their hands on in order to impersonate you or otherwise harm you. (I’m not in the US.)

My favorite trick is running an SSL Labs test on them. The results are sometimes so appalling as to be laughable.

One particular offender is the monopoly utility company which throws a Google captcha in your face, just in order to let you type your username and password. That captcha is in English — not the country’s language. Google’s captchas are exasperating enough for English-speaking geeks ; now figure a lady born in 1940, with no higher education, no knowledge of foreign languages, and who absolutely needs to log in the blasted site to pay her bills.

7 users thanked author for this post.

Steve, AlexEiffel, Mele20, David F, CADesertRat, Elly, HiFlyer

Reply | Quote

Try surfing to these banking sites with Firefox, with the NoScript add-on installed in Firefox. By doing this, you can see which sites are running scripts on that website. It is appalling to see that some banks are running Google scripts in the background. Why is that appalling, you ask? Because Google is continually vacuuming up as much info as they can; in other words, Google is watching when you are doing online banking! It is as if they are looking over your shoulder taking notes.

Fortunately, NoScript allows you to block all scripts which Google (and others) is running.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

2 users thanked author for this post.

Elly, HiFlyer

Reply | Quote

Umatrix can take the place of NoScript and RequestPolicy.   While there is a learning curve, once learned, all connections to 3rd party sites can be blocked.

1 user thanked author for this post.

HiFlyer

Reply | Quote

The bank where one of my accounts is put a link to a security testing site, suggesting that I see how secure my bank is for online banking. That bank, the one who put the link on their website, rated “F” on the security testing site! I told them about it, and they said, “Our IT people assure us that we are secure.”

If their IT people are so clueless as to post a link to a security testing site which rates them an “F”, then I would say that you can’t depend on what their IT folks are telling you!

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

8 users thanked author for this post.

Steve, AlexEiffel, Kirsty, Cybertooth, CADesertRat, Elly, Seff, HiFlyer

Reply | Quote

wow, scary world. have you considered changing banks? i guess this is the state of the smart security bank it departments. run for the hills …

1 user thanked author for this post.

HiFlyer

Reply | Quote

I have only a savings acct at that bank, and I rarely use their online access.

My other bank, the one with my main checking account, rated almost perfect by that site.

The bank I have the most confidence in in terms of security is USAA Bank. It is for military people and their families. Ironically, I don’t use that bank because I have other accounts elsewhere, and I don’t feel like changing banks.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

1 user thanked author for this post.

HiFlyer

Reply | Quote

@MrJimPhelps #205731

“The bank I have the most confidence in in terms of security is USAA Bank. It is for military people and their families.”

 

https://www.usaa.com/inet/

Extract;
“Membership is open to those who serve and their eligible family members.

We welcome you to join USAA if you are:

Active military, former military, an eligible family member, or a cadet or midshipman.”

Children/grandchildren of members too.   Many free services….worldwide.

IMHO the best bank there is.

Reply | Quote

abine.com offers masking of email, credit cards, etc.

$50 maximum loss protection of credit card (by US law) may not exist with some foreign issuers.  YMMV.

1 user thanked author for this post.

Elly

Reply | Quote

My US bank isn’t even listed on that site although when I go to my bank site it is https.

Don't take yourself so seriously, no one else does 🙂
All W10 Pro at 22H2,(2 Desktops, 1 Laptop).

Reply | Quote

Very few banks are listed on that site.

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

Reply | Quote

The site is being updated as new results are available. From their Twitter correspondence:

It will be updated every month for now, hoping to make it more frequent soon.

2 users thanked author for this post.

HiFlyer, Elly

Reply | Quote

Yeah I used to do a lot more bill paying and banking online but not anymore. Today much of my bills are paper and I write checks and pay them through the mail system. My bank online system has been hacked at least partially a few times once so bad they had to shut down access. A couple of my utility companies have also noted a couple partial breeches. I am glad Chrome is pushing security, but I also know many sites that should be more protected are not and apparently have not learned from others failures.

1 user thanked author for this post.

HiFlyer

Reply | Quote

Excerpt From Krebs article:

“Hackers used phishing emails to break into a Virginia bank in two separate cyber intrusions over an eight-month period, making off with more than $2.4 million total. Now the financial institution is suing its insurance provider for refusing to fully cover the losses.”

https://krebsonsecurity.com/2018/07/hackers-breached-virginia-bank-twice-in-eight-months-stole-2-4m/

1 user thanked author for this post.

Elly

Reply | Quote

Here’s an open, leading question:

If more security is better, what is the downside of everything having to be encrypted and decrypted?

It takes more communications time to manage the security handshake and more CPU time to encrypt and decrypt data, both on the sending end and on the receiving end.

Thus we are waiting longer for results and things cost incrementally more.

How much more?

– If every message is encrypted, servers aren’t able to handle as much traffic, leading to web site slowdowns and the potential need by those running sites to purchase more expensive service.

– An older client system might be acceptable for use for a little less time.

How much longer are we waiting for websites? How much more are we paying for things? How much more of our lives are wasted?

Food for thought.

-Noel

3 users thanked author for this post.

Steve, walker, Cybertooth

Reply | Quote

And all emails and web pages should be text only because we waste money, space and time with pictures.

Noel Carboni wrote:

How much more?
How much longer are we waiting for websites?
How much more are we paying for things?
How much more of our lives are wasted?

Not enough to worry about.

Reply | Quote

ASCII art is due for a revival.

1 user thanked author for this post.

Steve

Reply | Quote

To me, it looks like a list of a few banks with some numbers in pretty colors.  What I don’t see is any information on where the numbers come from or what they  mean.  I assume the numbers might be rating a banks online security instead of physical security.  My bank tracker shows the opposite results.

Where am I? What am I doing in this hand basket?

Reply | Quote

Tiny wrote:

I assume the numbers might be rating a banks online security

Yes. If you click on those results, it takes you to the bank’s detailed results, i.e. for Bank of America

Reply | Quote

https://www.bleepingcomputer.com/news/security/leader-of-carbanak-cobalt-hacker-group-who-stole-over-1bil-arrested-in-spain/ ( (Leader of Carbanak (Cobalt) Hacker Group Who Stole Over €1BIL Arrested in Spain – 26 Mar 2018)
https://www.zdnet.com/article/europol-tracks-down-suspected-leader-of-carbanak-malware-campaigns/ (26 March 2018)

Europol announced today that Spanish police has arrested a man suspect of being the mastermind behind the Carbanak hacking group, known for some of the biggest bank cyber-heists in recent years.

Europol said the Carbanak gang —also known as Cobalt— had carried out over 100 hacks across 40 different countries, stealing over €1 billion ($1.24 billion), with a hack average of €10 million ($12.4 million) per heist. …

Once they gained access to these systems, hackers choose one of three methods of stealing money.

The first was to coordinate with money mule groups and make ATMs spit out cash at a predetermined hour and day. Money mules would pick up the funds, some of which would end up back with the Carbanak group after intermediaries took their cuts.

Second, the Carbanak group would transfer money from legitimate accounts to the ones they or their money mules owned, who would then empty accounts at ATMs, or use the accounts to buy expensive products and launder the money.

Third, crooks would use their access to the bank’s internal network to artificially inflate the money balance of accounts created by money mules in advance, without transferring funds from other accounts. Same as before, money mules would empty accounts as soon as possible.

https://www.zdnet.com/article/the-dark-web-how-much-is-your-bank-account-worth/ (20 March 2018)

The Dark Web: How much is your bank account worth?

Researchers explore just how much our bank accounts, identities, and more are worth to customers in the web’s underbelly. …

While card numbers are big business, access to accounts is also hot property.
According to the researchers, accounts with a balance of roughly $3,000 from Bank of America, JPMorgan Chase and Wells Fargo are being hawked for $300, while bank login information for accounts belonging to the same banks with balances of up to $15,000 is being sold for between $200 and $1,000.

http://www.bbc.com/news/business-37891742 (7 Nov 2016 – Tesco Bank’s chief executive has blamed “a systematic, sophisticated attack” for the money taken from 20,000 of its customer accounts.)
https://thehackernews.com/2013/05/the-biggest-bank-robbery-in-history.html (10 May 2013 – A gang of cyber-criminals operating in 26 countries stole $45 million by hacking their way into a database of prepaid debit cards.)

Isolated cases of individual online banking accounts being hacked, identity stolen and drained/looted may not be refunded by the banks, eg … http://says.com/my/news/man-online-banking-account-hacked

Reply | Quote