charsleysa
597 posts

Ultimate Geek


  #965818 13-Jan-2014 00:27

TimA: I think we can conclude this by saying we all need Norton and CCleaner to get rid of cookies in our PC's. We shall not watch pron or play Java based games or download Linux ISO's.


But the internet was made for pron! Lol
Cookies are fine to have, by themselves they are harmless.
I've given up on being strict about my security, a few passwords and pins and HTTPS are enough for me.

So much work and with all the leaks about the NSA, sounds like all that hassle was for nothing.




Regards
Stefan Andres Charsley



nakedmolerat
4629 posts

Uber Geek

Trusted
Lifetime subscriber

  #965819 13-Jan-2014 00:30

charsleysa:
TimA: I think we can conclude this by saying we all need Norton and CCleaner to get rid of cookies in our PC's. We shall not watch pron or play Java based games or download Linux ISO's.


But the internet was made for pron! Lol
Cookies are fine to have, by themselves they are harmless.
I've given up on being strict about my security, a few passwords and pins and HTTPS are enough for me.

So much work and with all the leaks about the NSA, sounds like all that hassle was for nothing.


 According to TelstraClear CEO Allan Freeth, the main result of a faster broadband network would be more downloads of pornography and movies, rather than improvements in productivity.

Coil
6614 posts

Uber Geek
Inactive user


  #965821 13-Jan-2014 00:35

nakedmolerat:
charsleysa:
TimA: I think we can conclude this by saying we all need Norton and CCleaner to get rid of cookies in our PC's. We shall not watch pron or play Java based games or download Linux ISO's.


But the internet was made for pron! Lol
Cookies are fine to have, by themselves they are harmless.
I've given up on being strict about my security, a few passwords and pins and HTTPS are enough for me.

So much work and with all the leaks about the NSA, sounds like all that hassle was for nothing.


 According to TelstraClear CEO Allan Freeth, the main result of a faster broadband network would be more downloads of pornography and movies, rather than improvements in productivity.





freitasm
BDFL - Memuneh
79297 posts

Uber Geek

Administrator
ID Verified
Trusted
Geekzone
Lifetime subscriber

  #965851 13-Jan-2014 07:48

charsleysa: Well off the top of my head a good way to do it would be to create a temporary PayPal account with spoof details with an anonymous email address, then transfer the money from the bank account to PayPal.


You can't use a bank account to load a PayPal account in New Zealand. You can only withdraw to the bank, not from the bank.

The most common scenario I imagine is the one explained a few replies above: someone (Victim B) answers an email with a "work from home" offer. Victim A's login details are stolen via keyloggers or phishing, and the thief uses these to transfer money to Victim B.

An arrangement of this employment is that Victim B will send 90% of the money overseas to the "headquarters" via Western Union. The thief is nowhere to be seen, there are two victims (one lost money, the other helped with the operation even without knowing) and it is hard to get it back.








gundar
488 posts

Ultimate Geek

Trusted

  #965873 13-Jan-2014 09:31

nakedmolerat: Same experience here on Westpac. I always wonder why the heck I need to setup those questions if I actually never been asked/challenged.

ANZ bank on the other hand always send a code to the mobile phone to verify your login (I love this).

Edit: after reading this thread, i quickly change my assword. the last time I changed it was in 2012!



LOL, assword.

Rickles
2938 posts

Uber Geek

Trusted

  #965896 13-Jan-2014 09:39

Regarding goods obtained using stolen credit card details, I have a friend in USA whose account details were gained by someone stealing out of post boxes.

They then bought goods online or in a shop giving the same address associated with the cards, BUT asked for delivery to be either very early in the morning or last thing at night. An associate would then park near the address concerned and when the Fedex van turned up would pretend to be "just walking home now", show ID and take the goods.

Kyanar
4089 posts

Uber Geek

ID Verified
Trusted

  #965920 13-Jan-2014 09:53

charsleysa: Well off the top of my head a good way to do it would be to create a temporary PayPal account with spoof details with an anonymous email address, then transfer the money from the bank account to PayPal.

From there I find a few BitCoin trading centres and trade the currency in for BitCoin, then flush it through a few trading centres splitting it up to create some false trails sending them through the black markets.

After that I consolidate them all together again, then transfer it to another fake PayPal account, and from there into my real bank account.

As for a bank account being hacked... Bull. ****.
Can't be done by an amateur, even pros.

As for key logging that doesn't work as NZ banks use 2 stage login in which the second stage can't be key logged.

It's more likely that whoever stole the money knew the victim well enough to guess the password and answer the 2nd stage question.


1.  You can't transfer money to PayPal from NZ Bank Accounts.  Credit card only.  And even then, adding a bank account to PayPal (which is withdrawal only) still requires several days as they do a test deposit and ask you to verify to them how much they deposited to validate that you own it.

2. Bitcoin is traceable.  It's not anonymous in the slightest.

3. The banks in NZ with actual 2 factor login are the minority.  ASB does not.  TSB does not.  Westpac does not.  ANZ does not.  Kiwibank does not.  BNZ does.  Westpac may (but in my experience, never has) prompt you for your secret question after logging in, but the questions are preset ones that anyone with access to a public library (birth records, electoral roll) or Facebook (your dog's name) will know.

I don't think you researched this at all, did you?

 
 
 

trig42
5814 posts

Uber Geek

ID Verified

  #965932 13-Jan-2014 10:01

Pretty sure Kiwibank does do 2 factor - it asks for Code and password, then asks you to click to fill in pre-answered questions (so keyloggers will not go).

hashbrown
463 posts

Ultimate Geek


  #965940 13-Jan-2014 10:15

Keylogging is stone-age tech for this stuff. Modern malware installs in the browser and connects back in real time. This gives a couple of options for bypassing 2FA.

1. Just generate a fake additional 2FA request via a faked failed login or re-authentication required message. Then harvest the 2FA token for a session proxied through the victim's computer, so the bank sees everything from the same IP.

2. When the victim goes to log in, throw up a fake "We're improving our mobile security" page that asks for the user's mobile type and phone number. User is then txt'd a link to an appropriate app that just so happens to require access to their txt messages.


BruceHamilton
77 posts

Master Geek


  #965951 13-Jan-2014 10:20

Kyanar..
" The banks in NZ with actual 2 factor login are the minority. ASB does not. TSB does not. Westpac does not. ANZ does not. "

Gosh, I just checked to make sure my ANZ account still had my pennies in it, as I've been using 2 Factor authentication...

From ANZ website....
" OnlineCode is our 'two-factor authentication' system that gives you an additional layer of protection when you're using Internet Banking.

You'll need OnlineCode – two-factor authentication registration if you're making an online transaction over $10,000 or sending money overseas. You can also use it for all your online transactions, for added peace of mind. Transactions needing OnlineCode – two-factor authentication registration mean you need a special code number – called OnlineCode – that's sent to your mobile phone."

Great, but I'm not sure your "research" is sufficient to criticise the lack of research of others.

andrewNZ
2487 posts

Uber Geek
Inactive user


  #965954 13-Jan-2014 10:25

Kyanar: I don't think you researched this at all, did you?

Pot, meet Kettle

jbard
1377 posts

Uber Geek


  #965963 13-Jan-2014 10:35

Kyanar:
charsleysa: Well off the top of my head a good way to do it would be to create a temporary PayPal account with spoof details with an anonymous email address, then transfer the money from the bank account to PayPal.

From there I find a few BitCoin trading centres and trade the currency in for BitCoin, then flush it through a few trading centres splitting it up to create some false trails sending them through the black markets.

After that I consolidate them all together again, then transfer it to another fake PayPal account, and from there into my real bank account.

As for a bank account being hacked... Bull. ****.
Can't be done by an amateur, even pros.

As for key logging that doesn't work as NZ banks use 2 stage login in which the second stage can't be key logged.

It's more likely that whoever stole the money knew the victim well enough to guess the password and answer the 2nd stage question.


1.  You can't transfer money to PayPal from NZ Bank Accounts.  Credit card only.  And even then, adding a bank account to PayPal (which is withdrawal only) still requires several days as they do a test deposit and ask you to verify to them how much they deposited to validate that you own it.

2. Bitcoin is traceable.  It's not anonymous in the slightest.

3. The banks in NZ with actual 2 factor login are the minority.  ASB does not.  TSB does not.  Westpac does not.  ANZ does not.  Kiwibank does not.  BNZ does.  Westpac may (but in my experience, never has) prompt you for your secret question after logging in, but the questions are preset ones that anyone with access to a public library (birth records, electoral roll) or Facebook (your dog's name) will know.

I don't think you researched this at all, did you?


Kiwibank does, they ask for some letters from a series of predefined questions.
Pretty sure TSB does as well, they have had those keychain dongles for years but this might only be for business accounts.

Bitcoin is pretty anonymous. Yes it is completely traceable and all transactions are publicly viewable but it is very hard/impossible to trace a transaction to a person assuming they have taken reasonable precautions. Do you really think sites like Silk Road would be around if the police could trace all those transactions?

ghettomaster
387 posts

Ultimate Geek


  #965965 13-Jan-2014 10:37

I didn't know ANZ uses two-factor, I'll have to go turn that on.

As for BNZ. I find their 2-factor excellent as I only need to use it when sending money to someone else. For all my internal transfers (I love YouMoney) I don't have to bother which is 90% of the time I log in there. Perfect!

jpoc
1043 posts

Uber Geek


  #966054 13-Jan-2014 11:51

As two folks have mentioned above, the classic money-mule sending money offshore via WU is often used. Money mule recruitment ads are one of the most common types of scam.

There is another similar technique used in NZ. People lend their bank account and ATM card to another person on the understanding that they will get it back in a couple of weeks and there will be an extra $200 in the account. That has been written up in the Herald.

As far as getting valuable stuff delivered goes, that is pretty easy. Get it delivered to an address that will be unoccupied during the day. Perhaps that parcel will just be left on the veranda and you can just drop by and pick it up. If not, perhaps you can get the courier's delivery card from the mailbox. Or, recruit a mate who lives in apartment 76 in some block. He needs a window or balcony overlooking the entrance. Have the parcel delivered to number 71 and wait at your mate's place. When you see the delivery man arrive and ring the bell you stick your head out of the window and shout out "Hi, is that for me at 71? I'll be right down." Go down, meet the courier and take the parcel. Explain that the intercom is not working in your flat. Wait for the courier to go and then take the parcel out to your car and off you go. This has been a standard MO in London for over 20 years so I expect that it works worldwide by now.


charsleysa
597 posts

Ultimate Geek


  #966134 13-Jan-2014 13:38

This debate should iron out all the issues for the people stealing bank details. We're doing their work for them! Lol

On a serious note, my response about the method was based off the top of my head which means I didn't validate every single component of the method.

There probably are a few flaws but they could be ironed out if given some good thought.

I also made the statement that it was most likely someone who knew the victim because the victim seemed (I made the assumption) to be of young age and most likely wouldn't respond to money making spam (again I'm making the assumption that they knew the basics of internet security to stay away from their spam box unless they know what they're doing).

And because of this and the fact that all major (if not all) banks in NZ use 2 factor authentication, I ruled out key logging from malicious software to be a cause of the penetration.

As for plugins / malicious browser software trapping the details directly from the Web Page, that is very hard to do since browsers such as Chrome alert you to the fact that the plugin will access certain Web pages, though it's not impossible.




Regards
Stefan Andres Charsley
