Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.
Buying anything on Amazon? Please use the Geekzone Amazon aff link.




58 posts

Master Geek


Topic # 138667 12-Jan-2014 22:57 Send private message

My daughter was upset tonight that her friend had had his bank account hacked and all his money nicked. She asked how that could be done. We had a good discussion but we didn't have a complete answer as to how this could be done and I wondered if anyone could enlighten me?

I understand phishing and key logging and ways to get an person's details. But what i don't understand is how they get away with the stealing?

Senario1:
I nick a few dollars from someone's bank account. Simply transfer it into my account. But the Police would know it's me since it's gone to my account. Caught red handed.

Senario2:
Same deal. Only the money goes into a spoof bank account. Now how do I set that up since I need my passport, electric bill, a reference and what I had for breakfast as ID before I can set up the account. Can't be done?

Senario3:
I simply use the stolen account details to buy good on-line. 100" TV lands at my place. A few days later the Police arrive too as they have my address from the purchase.

Senario4:
Same deal. Only I have a place I just use for deliveries. Again, how do I set that up and really! - I'd need to establish a different delivery address for my ongoing theft.

I can see there being some controversy with me asking this question, but it just confounds me how people can establish a spoof identity/location and become invisible.

I think I'd fail MI5 trials.

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2 | 3 | 4 | 5
2635 posts

Uber Geek
+1 received by user: 363

Trusted
Microsoft NZ

  Reply # 965785 12-Jan-2014 22:58 Send private message

What did the bank say?

what do their statements show?

866 posts

Ultimate Geek
+1 received by user: 283


  Reply # 965786 12-Jan-2014 23:00 One person supports this post Send private message

Transfer the money to an unsuspecting person who you ask to transfer 90% via western union and keep the 10% as commission.

Pretty common, and as a bonus, you get to screw 2 people over in he same transaction.
Once the money's offshore it's pretty hard to follow. 

Another possibility, is the person is known and was "vaguely" given permission. Once there is a suggestion of permission, things get murky.

564 posts

Ultimate Geek
+1 received by user: 110


  Reply # 965801 12-Jan-2014 23:48 Send private message

Well off the top of my head a good way to do it would be to create a temporary PayPal account with spoof details with an anonymous email address, then transfer the money from the bank account to PayPal.

From there I find a few BitCoin trading centres and trade the currency in for BitCoin, then flush it through a few trading centres splitting it up to create some false trails sending them through the black markets.

After that I consolidate them all together again, then transfer it to another fake PayPal account, and from there into my real bank account.

As for a bank account being hacked... Bull. ****.
Can't be done by an amateur, even pros.

As for key logging that doesn't work as NZ banks use 2 stage login in which the second stage can't be key logged.

It's more likely that whoever stole the money knew the victim well enough to guess the password and answer the 2nd stage question.




Regards
Stefan Andres Charsley

5305 posts

Uber Geek
+1 received by user: 800


  Reply # 965803 12-Jan-2014 23:55 Send private message

charsleysa: Well off the top of my head a good way to do it would be to create a temporary PayPal account with spoof details with an anonymous email address, then transfer the money from the bank account to PayPal.

From there I find a few BitCoin trading centres and trade the currency in for BitCoin, then flush it through a few trading centres splitting it up to create some false trails sending them through the black markets.

After that I consolidate them all together again, then transfer it to another fake PayPal account, and from there into my real bank account.

As for a bank account being hacked... Bull. ****.
Can't be done by an amateur, even pros.

As for key logging that doesn't work as NZ banks use 2 stage login in which the second stage can't be key logged.

It's more likely that whoever stole the money knew the victim well enough to guess the password and answer the 2nd stage question.


westpac doesn't



564 posts

Ultimate Geek
+1 received by user: 110


  Reply # 965805 12-Jan-2014 23:59 Send private message

According to the Westpac website they do, maybe you haven't set yours up.

http://www.westpac.co.nz/branch-mobile-online/online-banking/safety-and-security-online/how-we-keep-you-safe-online/




Regards
Stefan Andres Charsley

5305 posts

Uber Geek
+1 received by user: 800


  Reply # 965806 13-Jan-2014 00:00 Send private message

charsleysa: According to the Westpac website they do, maybe you haven't set yours up.

http://www.westpac.co.nz/branch-mobile-online/online-banking/safety-and-security-online/how-we-keep-you-safe-online/


sorry yes, but they don't always ask you the second stage.  In fact they rarely seem to ask me.

because:

"Online Guardian is a fraud detection system that will learn your normal Online Banking activity, and will only ask to check your identity if something changes dramatically (like logging on from a different country or making a large payment to someone you haven’t paid before). Almost all of these checks will be in the form of one of your challenge questions, but a very small number will need a one time verification code that we will send to your registered mobile number by txt. These challenges will be fairly rare, but important."

70Mb/s VDSL @ Home
3302 posts

Uber Geek
+1 received by user: 926

Trusted
Subscriber

  Reply # 965807 13-Jan-2014 00:01 Send private message

charsleysa: Well off the top of my head a good way to do it would be to create a temporary PayPal account with spoof details with an anonymous email address, then transfer the money from the bank account to PayPal.

From there I find a few BitCoin trading centres and trade the currency in for BitCoin, then flush it through a few trading centres splitting it up to create some false trails sending them through the black markets.

After that I consolidate them all together again, then transfer it to another fake PayPal account, and from there into my real bank account.

As for a bank account being hacked... Bull. ****.
Can't be done by an amateur, even pros.

As for key logging that doesn't work as NZ banks use 2 stage login in which the second stage can't be key logged.

It's more likely that whoever stole the money knew the victim well enough to guess the password and answer the 2nd stage question.


This guy has been watching too much Sherlock Holmes




 


70Mb/s VDSL @ Home
3302 posts

Uber Geek
+1 received by user: 926

Trusted
Subscriber

  Reply # 965808 13-Jan-2014 00:02 Send private message

NonprayingMantis:
charsleysa: According to the Westpac website they do, maybe you haven't set yours up.

http://www.westpac.co.nz/branch-mobile-online/online-banking/safety-and-security-online/how-we-keep-you-safe-online/


sorry yes, but they don't always ask you the second stage.  In fact they rarely seem to ask me.

because:

"Online Guardian is a fraud detection system that will learn your normal Online Banking activity, and will only ask to check your identity if something changes dramatically (like logging on from a different country or making a large payment to someone you haven’t paid before). Almost all of these checks will be in the form of one of your challenge questions, but a very small number will need a one time verification code that we will send to your registered mobile number by txt. These challenges will be fairly rare, but important."


Maybe its done via IP address. If you IP is the same each time maybe not?
I always have a code sent to my phone.




 


564 posts

Ultimate Geek
+1 received by user: 110


  Reply # 965809 13-Jan-2014 00:04 Send private message

TimA:
charsleysa: Well off the top of my head a good way to do it would be to create a temporary PayPal account with spoof details with an anonymous email address, then transfer the money from the bank account to PayPal.

From there I find a few BitCoin trading centres and trade the currency in for BitCoin, then flush it through a few trading centres splitting it up to create some false trails sending them through the black markets.

After that I consolidate them all together again, then transfer it to another fake PayPal account, and from there into my real bank account.

As for a bank account being hacked... Bull. ****.
Can't be done by an amateur, even pros.

As for key logging that doesn't work as NZ banks use 2 stage login in which the second stage can't be key logged.

It's more likely that whoever stole the money knew the victim well enough to guess the password and answer the 2nd stage question.


This guy has been watching too much Sherlock Holmes


Haha Maybe...

I'm a software developer so it's good for me to know about security and a good way to learn about good/bad practices is how to get around security measures that are in place.




Regards
Stefan Andres Charsley

1296 posts

Uber Geek
+1 received by user: 12


  Reply # 965810 13-Jan-2014 00:08 Send private message

TimA:
NonprayingMantis:
charsleysa: According to the Westpac website they do, maybe you haven't set yours up.

http://www.westpac.co.nz/branch-mobile-online/online-banking/safety-and-security-online/how-we-keep-you-safe-online/


sorry yes, but they don't always ask you the second stage.  In fact they rarely seem to ask me.

because:

"Online Guardian is a fraud detection system that will learn your normal Online Banking activity, and will only ask to check your identity if something changes dramatically (like logging on from a different country or making a large payment to someone you haven’t paid before). Almost all of these checks will be in the form of one of your challenge questions, but a very small number will need a one time verification code that we will send to your registered mobile number by txt. These challenges will be fairly rare, but important."


Maybe its done via IP address. If you IP is the same each time maybe not?
I always have a code sent to my phone.


Over the last 4 weeks I have logged in from over 6 different countries and never had 2 stage verification to login. 
I do have online guardian setup though as if i try and transfer large amount ($1000+) then I have to verify via txt.

Edit: Just used my VPN to login from Russia and it still let me straight in. 

564 posts

Ultimate Geek
+1 received by user: 110


  Reply # 965811 13-Jan-2014 00:14 Send private message

jbard:
TimA:
NonprayingMantis:
charsleysa: According to the Westpac website they do, maybe you haven't set yours up.

http://www.westpac.co.nz/branch-mobile-online/online-banking/safety-and-security-online/how-we-keep-you-safe-online/


sorry yes, but they don't always ask you the second stage.  In fact they rarely seem to ask me.

because:

"Online Guardian is a fraud detection system that will learn your normal Online Banking activity, and will only ask to check your identity if something changes dramatically (like logging on from a different country or making a large payment to someone you haven’t paid before). Almost all of these checks will be in the form of one of your challenge questions, but a very small number will need a one time verification code that we will send to your registered mobile number by txt. These challenges will be fairly rare, but important."


Maybe its done via IP address. If you IP is the same each time maybe not?
I always have a code sent to my phone.


Over the last 4 weeks I have logged in from over 6 different countries and never had 2 stage verification to login. 
I do have online guardian setup though as if i try and transfer large amount ($1000+) then I have to verify via txt.

Edit: Just used my VPN to login from Russia and it still let me straight in. 


It's probably done by cookies, that's how most of the Web does it, and it's quite secure as well if you encrypt the cookie so the client computer can't read the contents of the cookie. And since all banks use HTTPS for their online banking then that's the transit encryption sorted.




Regards
Stefan Andres Charsley

1296 posts

Uber Geek
+1 received by user: 12


  Reply # 965813 13-Jan-2014 00:15 Send private message

charsleysa:
jbard:
TimA:
NonprayingMantis:
charsleysa: According to the Westpac website they do, maybe you haven't set yours up.

http://www.westpac.co.nz/branch-mobile-online/online-banking/safety-and-security-online/how-we-keep-you-safe-online/


sorry yes, but they don't always ask you the second stage.  In fact they rarely seem to ask me.

because:

"Online Guardian is a fraud detection system that will learn your normal Online Banking activity, and will only ask to check your identity if something changes dramatically (like logging on from a different country or making a large payment to someone you haven’t paid before). Almost all of these checks will be in the form of one of your challenge questions, but a very small number will need a one time verification code that we will send to your registered mobile number by txt. These challenges will be fairly rare, but important."


Maybe its done via IP address. If you IP is the same each time maybe not?
I always have a code sent to my phone.


Over the last 4 weeks I have logged in from over 6 different countries and never had 2 stage verification to login. 
I do have online guardian setup though as if i try and transfer large amount ($1000+) then I have to verify via txt.

Edit: Just used my VPN to login from Russia and it still let me straight in. 


It's probably done by cookies, that's how most of the Web does it, and it's quite secure as well if you encrypt the cookie so the client computer can't read the contents of the cookie. And since all banks use HTTPS for their online banking then that's the transit encryption sorted.



Yep I thought so as well but I tried the same thing from inside a VM and it still let me through. 


3133 posts

Uber Geek
+1 received by user: 373

Trusted
Subscriber

  Reply # 965814 13-Jan-2014 00:16 Send private message

Same experience here on Westpac. I always wonder why the heck I need to setup those questions if I actually never been asked/challenged.

ANZ bank on the other hand always send a code to the mobile phone to verify your login (I love this).

Edit: after reading this thread, i quickly change my assword. the last time I changed it was in 2012!






564 posts

Ultimate Geek
+1 received by user: 110


  Reply # 965816 13-Jan-2014 00:21 Send private message

Hmm maybe they have a fuzzy logic algorithm that uses multiple parameters to determine a possible fraud.

The parameters could include things like data from cookies, IP address, geo lookup of IP address, frequency of visits from location, browser types, operating system types, platforms, activity while logged in, etc.




Regards
Stefan Andres Charsley

70Mb/s VDSL @ Home
3302 posts

Uber Geek
+1 received by user: 926

Trusted
Subscriber

  Reply # 965817 13-Jan-2014 00:21 Send private message

I think we can conclude this by saying we all need Norton and CCleaner to get rid of cookies in our PC's. We shall not watch pron or play Java based games or download Linux ISO's.




 


 1 | 2 | 3 | 4 | 5
View this topic in a long page with up to 500 replies per page Create new topic




Twitter »
Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





Trending now »

Hot discussions in our forums right now:

Netflix officialy launching in NZ in March
Created by jarj, last reply by tdgeek on 21-Nov-2014 19:08 (97 replies)
Pages... 5 6 7


Gull Employment Dispute.
Created by networkn, last reply by richms on 23-Nov-2014 23:05 (71 replies)
Pages... 3 4 5


Which one is right for me? M8, Z3, S5 or other?
Created by makiomoto, last reply by makiomoto on 20-Nov-2014 13:52 (40 replies)
Pages... 2 3


Free 1gb data with $19 combo until end of Jan 2015 (1.5gb total)
Created by eXDee, last reply by Shoes2468 on 23-Nov-2014 23:01 (16 replies)
Pages... 2


Slingshot line speed
Created by Frankiej45, last reply by Frankiej45 on 20-Nov-2014 14:38 (14 replies)

Little Wins labour Leadership
Created by MikeAqua, last reply by Aredwood on 21-Nov-2014 18:47 (53 replies)
Pages... 2 3 4


Orcon: Why did you cancel my email account without telling me??
Created by old3eyes, last reply by old3eyes on 21-Nov-2014 17:03 (13 replies)

My connection is too fast
Created by ckc, last reply by Geektastic on 20-Nov-2014 11:30 (25 replies)
Pages... 2



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.