• Is Windows 11 secure enough for online banking? Bank account emptied.

    #2719394

    My sister sent me this article. It’s worth reading. It’s a good reminder of how bad it can be if someone gets into your computer.

    Retired at 48 – Book: How Safe Is Your Money? The Tale of Two Banks and a Computer Hack

    http://retiredat48book.blogspot.com/2024/11/how-safe-is-your-money-tale-of-two.html

    Summary: A criminal gained remote access to their Windows 11 computer and emptied their bank accounts even though they were taking pretty reasonable security precautions. Their main complaint is the one bank not refunding their money. They also get into their current security precautions.

    I spent 4 years in IT deploying computers, troubleshooting Windows problems, deploying servers, and doing some networking. I am not an expert by any stretch but have some experience.

    My takeaways from the article:

    • They might have been targeted because of their blog. It takes money to retire at 48.
    • Windows 11 was up to date, and antivirus did not detect the breach (before or after the fact).  It makes me wonder if they were tricked into approving the install of the software that isn’t actually malicious under normal use. Would someone actually waste a zero-day exploit on this?
    • I’m guessing their browsing habits weren’t as security-minded as they could have been.
    • Rightly so, their security precautions are now pretty extensive and inconvenient. They might go farther than what is needed.

    My elderly in-laws use a Windows 11 computer and log into their banking in the Chrome browser. I have everything set to stay updated, and they have Eset anti-virus running. They are pretty good about being suspicious but have very limited computer knowledge. I will likely see if their bank will do landline two factor. They don’t have a cell phone and an authenticator app on the Windows machine won’t help if someone can remote in and use it.

    I’m tempted to buy them an iPad and get them to only do their banking in the app on that device. They really don’t want to learn a new device…

    What am I missing? I’m hoping the expert knowledge in the forums will have some further insight….

    • This topic was modified 5 months, 1 week ago by WSalgrinch.
    • #2719415

      a hacker somehow gained remote control of our Windows 11 laptop,

      No evidence this actually happened, just an assumption:

      Whether through monitoring keystrokes or some other unknown method, the hacker was able to access our bank accounts

      We went to computer virus specialist firms to have our laptop and all other mobile devices including phones and tablets checked for viruses. The suspicion was that the hack happened on the Windows laptop but scans did not reveal anything obvious, which shows how deep the virus or malware was hidden.

      My bet is that one of them gave away passwords after phishing emails.

      The following legislations might help:

      Make two-factor authentication mandatory for all financial institutions, as opposed to leaving it up to the user whether or not to turn it on.

      Presumably they weren’t using two-factor authentication before the “hack”, since there’s no mention of it earlier in the story.

      2 users thanked author for this post.
      • #2719441

        “b” That’s a good point, I was believing their information that the computer had been compromised somehow. They are only assuming that.

        Thanks folks, all good advice and a phishing email makes way more sense than anything else.

        I will explore two factor for my in-laws…

        Cheers

        Al

        1 user thanked author for this post.
    • #2719426

      In your financial apps there is an alert section.

      You turn on alerts so when a new payee is stuck in there, you get an alert.

      This is in addition to enabling two factor.  And saying no to the “remember this browser”

      This was not caused by the operating system.  Someone tricked them into entering a password. It could have happened on an iPad.

      Bottom line you log in on a regular basis and review transactions. You turn on alerts so that when transactions occur, you know.  And the “duh” yes, you turn on two factor.

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
      • #2719427

        I use my Bank’s app on my iPhone for banking.
        Login uses FaceID (no user password required) and no two factor.
        I use Apple Pay with my Apple Watch. In case of large transactions I do get a verification code from the credit card issuer.

        In the case of the “PC hacking” it could be that they were not hacked but directed to a false bank page where they entered their user and password.

        1 user thanked author for this post.
      • #2719538

        I’m not sure if other banks do this or not, but with my Capital One Bank account, as an added security feature, any withdrawal (check or debit) for a large sum to a payee never used before I am immediately contacted by email and text asking if the transaction is OK. Also, for every single charge to my credit card I am notified immediately on my phone.
        All the other security features are in place, but IMO the best security is to keep a vigilant eye on your assets. Also, remember that anyone that contacts you (email, phone, web page, etc.) without your request only contacted you so they can get something from you and sees you as a target.

        HTH, Dana:))

        1 user thanked author for this post.
    • #2719442

      I use my Bank’s app on my iPhone for banking.
      Login uses FaceID (no user password required) and no two factor.
      I use Apple Pay with my Apple Watch. In case of large transactions I do get a verification code from the credit card issuer.

      In the case of the “PC hacking” it could be that they were not hacked but directed to a false bank page where they entered their user and password.

      That’s what I do for the most part as well.  Refusing to log into banking in a browser, ever, would help.

    • #2719444

      I didn’t thoroughly read the article but will convey 2 incidents that happened to customers of mine this past year. Unrelated and months apart. Not sure if both used the same store. Both use iPhones and the same provider.

      Traded in their iPhones for new ones. Had the provider transfer their data to the new phone. Within hours their bank accounts, PayPal, Venmo and more were wiped out. Over $100,000 between the both of them.

      Can’t prove it, but I’m guessing someone at the provider’s store was involved.

      My advice, transfer your own data and securely wipe your device and/or destroy it.

      5 users thanked author for this post.
      • #2719487

        This is why you MUST have 2FA for your banking. If the 2FA is also on your phone it needs to have a separate password which is not stored by the phone.

        cheers, Paul

    • #2719524

      I’m assuming a successful phishing attack, or at least it has the signs of a successful phishing attack.  As for how one deals with a banking institution, a lot depends on their end.  If I restore a drive image from a couple of days ago and try to log in at my bank, I’ll get a popup that my device is not recognized, with an offer to text my phone with an authorization code.

      For me, telling the bank to remember my device works as well as two-factor authentication without having to go through two-factor authentication every time.  My credit union has this (my main site), Chase has it, U.S. Bank has it, and Capital One has it.

      I never click on a link in an email.  I check the email address of the sender as well.  If the address is phony (not directly from the bank), so is the email.

      And no, I have no fear of being hacked.

      Always create a fresh drive image before making system changes/Windows updates; you may need to start over!
      We all have our own reasons for doing the things that we do with our systems; we don't need anyone's approval, and we don't all have to do the same things.
      We were all once "Average Users".

      2 users thanked author for this post.
      • #2719529

        I never click on a link in an email.  I check the email address of the sender as well.  If the address is phony (not directly from the bank), so is the email.

        The cardinal rule.

        iPhone 13, 2019 iMac(SSD)

        2 users thanked author for this post.
      • #2719597

        I’m glad to know that those same exact tactics that bbearran described & uses are the same that work so well for me also.

         

    • #2719542

      The fact they got compromised at two separate banks at the same time is bothering me.

      It would require two phishing attempts hitting them at the same time, and falling for both of them and the phishing attempts happened to match two banks they use….

      It’s very strange…

    • #2719564

      Well, there was this:

      • Note that we had 2-factor authentication for TD Bank but it only sporadically sent an OTP (One Time Password) code as opposed to on every login.  The last time we were verified was in April

      For the OTP request to seem sporadic as they claim, either TD’s authentication is fundamentally flawed at its core, or most of the time the user’s browser was recognized as a returning authorized one. The latter opens up the possibility of a bad actor capturing their browser session to get into the user’s account. Maybe that was done with a proper hack, or maybe it was by phishing – there’s no way to know from just the details presented in the article.

      Recently I had changed my online banking account’s security settings so that OTP is required for every login, regardless of whether my browser is recognized. And I always use the log out link at the end of each session.

      1 user thanked author for this post.
    • #2719571

      Recently I had changed my online banking account’s security settings so that OTP is required for every login, regardless of whether my browser is recognized. And I always use the log out link at the end of each session

      I find Apple’s Private Relay service or the anti-tracking features in Safari seem to stop my bank from remembering the browser so I’ve been needing OTP every time.

      I’m thinking two factor for every log in if you’re using a browser or the dedicated banking app with Face ID… anything less seems to carry more risk.

    • #2720534

      I never click on a link in an email. I check the email address of the sender as well. If the address is phony (not directly from the bank), so is the email.

      A few years ago for a few weeks I received emails from ‘WellsFragoo’ alerting me there had been suspicious activity in my accounts. Never mind that I had no accounts at the bank they were impostering. An ironic twist of an attempt at phishing.

      • #2720587

        Standard phishing technique. Send 1000s of emails and hope 1% hit.

        cheers, Paul

    • #2721853

      If you remember nothing except this, you will still be ahead of the scammers. Rules of the Road [h|t Michael Horowitz]

      Important links you can use, without the monetization pitch = https://pqrs-ltd.xyz/bookmark4.html
      4 users thanked author for this post.
    • #2723631

      Non techies should probably use a Chromebook in Guest mode. This ensures no malware, and, for someone already using the Chrome browser, no learning curve.

      2FA via a phone call to a land line is also an excellent option for people with no smartphone. I know of multiple financial institutions that do this.

      Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

      1 user thanked author for this post.
      • #2724210

        2FA via a phone call

        Or get a second email at a different provider just for 2FA. Almost zero chance of that being compromised as well as your standard.

        cheers, Paul
