I stopped doing online banking over a year ago due to the uncertainty around keyloggers and rootkits. I contacted my bank, asking about security issues and was assured everything was perfectly safe as long as I had malware protection. I asked about keyloggers, explaining they could capture keyboard data before it was encrypted, and he asked me what a keylogger was. Such is the state of banking online security.

I am running Windows 7 behind a descent router hardware firewall and I plan to add a free software firewall like Comodo, since win7 firewall is still primitive IMHO. It is reported to have improved, but comes with outgoing protection disabled. You have to configure it, and like most micro$oft stuff, it is a convoluted exercise.

What's the latest on keyloggers? Am I being too paranoid, or are there better ways to check for them? I am running a laptop with WPA personal enabled with a good sized password that is not likely to be found in a dictionary.

Howdy,

I can only tell you of my experience.
I have been using online banking for years.
The one thing I like about it is there are
two levels of security.

I tell them I am using a public network
and they ask me the first question.
Once answered properly they ask me the next question.

The old 3 wrong and you have to call follows if you
cant remember your answers.

I have had to call . I forgot my passwords .

I run win 7 and use Comodo right now and have no problems.
I had no problems running XP and Zonealarm.

Key loggers can't hide from a good firewall like Comodo.

I know you are smarter then the bank Waxy.
If there is not at least two layers of security,
find another bank.

Woodmann

Thanks, Woody. The main problem I see with that is that a keylogger could read your answers as well.
That's what I wondered about. From what I have heard, keyloggers have properties like rootkits and can hide from most apps.

I am using free AVG right now and I wonder if that might conflict with the virus checker on Comodo. I know I can use Comodo with no virus check. I wrote to AVG and asked them to consider releasing a standalone virus checker with no bells and whistles. Better check back and see if they did.

Online banking is now safe, at least here on this part of the world.

Two years ago The Banking Regulation Agency issued a new procedure that mandates the use of a 6 digit authentication code for Internet banking purposes, apart from your 'static' logon data comprising of your customer number, PIN number and password. This 6 digit code is generated by a digital key generator which uses RSA 128-bit encryption algorithm. The generated authentication code is valid for 2 minutes only, which then expires for that session and you have to start all over again. After 3 successive failed attempts to logon, your access to your online account is blocked. You have to apply to your bank in person to have it lifted.

This key generator thing is provided by your bank for some $15. Its battery lasts for 5 years, or you may ask a small java application emailed to your compatible mobile phone, the number of which is registered in your account. As a precaution against theft and loss this java app requires a PIN number to be entered before it generates the code, or you may ask that authentication code sent to your mobile phone by a SMS message at the last step of your logon (I picked this option).

This regulation has drastically reduced the number of reported online banking fraud cases. Even if all your 'static' logon data is compromised by keyloggers, trojans, etc. this fourth component-the authentication code-provides peace of mind when you're online. There are some added measures available as well. You may limit your IP address for online access (companies use this feature since they all have static IPs), you may limit the time frame or amount or type of online transactions. These are not menu selectable. You decide and amend it only on the online banking written contract.

Banks are promoting use of Internet banking here. Banking fees applied per transactions and/or annual charges for your CC, account, etc. are either very low or nil if you opt to go online. They're constantly upgrading their online menus as well. You can pay your bills, taxes, and even traffic tickets online, purchase pre-paid mobile phone credits, buy&sell papers at the stock exchange, besides the usual remittance/EFT/SWIFT transactions.

Online banking is safe and it saves great time. I hate getting a Q-Matic number and waiting inside the bank though they choose beautiful female employees working behind the counters.

Call me paranoid when it comes to online banking, but I can't live without it.

I don't trust any general purpose machine for banking, especially one which is left running attached to the network for any period of time. I personally work with people that can waltz right through your machine and you would never know they were there. Given an IP address your phone gets circumvented in under 15 seconds, so I will never consider that option for banking. While I trust my my people, I know that there are others out there that could do the same, and so if you are talking about banking/money, the general rule is 'trust no one'.

If you get yourself a known/trusted Live CD and reboot your machine for your banking session you have removed 98% of the problem. Verify that OS image! In order for the malware to be persistent when using a Live CD it would have to reflash the BIOS or some memory of some device (NIC, GPU, bus controller, etc) in your machine and force a real-time reload of the malware package from the Internet to replant a keylogger, system backdoor, or other various data sniffing malware. Consider configuring a firewall in that Live CD image that only permits the bank to be accessed.

If the file system itself is *not* persistent (ie temp ram drive file system and no external drives mounted) then you will leave no information in any cache or temporary directory which can then later be exfiltrated out to a hackers own domain. They can't get in and they can't get it out.

For data needing to be persistent I use a dedicated USB thumb drive that only gets mounted if/when I need to save something important for later. Anything financially related containing account information gets stored on that device encrypted. The one downside I have found is that my banking institution uses cookies to bypass some additional questions I have to answer up front during the login, because the cookies like everything else with this setup is not persistent. I imagine I could tweak the ISO file to contain that cookie, but then I wouldn't want to leave the CD laying around.

Why do internet banking, when you can walk up to the bank on a good summer day, watching the ladies in their short pants and tight tees, to do business?



On a more realistic note, avoiding public places / work places to do your online banking is recommended. Otherwise, I think currently the state of the banking is alright.

How secure your computer is, is up to you, not the bank.

Have Phun

Is that in the States? I don't know if it has spread to Canada yet, but I will check. Thanks for info.

I have been thinking that something needs to be done to interface between the keyboard and the OS. What's the point of encryption after the data has been entered the OS unencrypted?

The system you describe makes sense as well. It's something like the one-time pads developed during WWII for agents in the field. A different cypher was generated each time a message was sent. The cypher you mention that expires within two minutes would prevent a hacker using your bank info unless he had the cypher and access at the same time you were in your account.

There is still the problem of printing off transactions from your account online, as hard proof of your transaction. Such transaction include account numbers. The baks are going to have to develop alternates to sending account info over the net.

thanks for tip on Live CD. I d/l'd a Red Hat Live CD featuring Live KD a few years ago. Wonder if it still works?

That's true to a certain extent but it's akin to the software protection companies bragging that their protections are uncrackable. I'm concerned about the top-notch hackers who understand OSs so well they can write rootkits.

I used free Sygate as a firewall on XP and now I am trying free Comodo, which seems to be good. Although Sygate stopped several Trojans from calling out, no firewall is infallible, especially to rootkits that know their weaknesses.

You have to leave some ports open for your browsers, etc. As I was setting up Comodo, I booted a newsreader to call out to a news server. It stopped the first version of the reader, a version 2, but when I fired up another version, with the same name, a version 4, the firewall missed it, even though it is a different app. The firewall seemed to presume it was a trusted app since it had the same name. That's how easy it can be to get past a firewall.

I'm sure good hackers know how to fool a firewall. When it comes to virus checkers, I find them to be highly inconsistent. IMHO, the best WAS Kaspersky, but even it had false positives and missed some viruses entirely. A keylogger is not a normal virus, having attributes akin to a rootkit. When I researched them in the past, no one could give specific information on how to detect them.

The only real way would be to examine the contents of every packet that went out of your system. Or use softice to check unusual activity at ring 0. That's a thankless job since it's so hard to tell what is legit and what is not.

Well......

There are plenty of ARK's out there.
Some of them are shit and some are way to sensitive.

If Malwarebytes, Comodo, Combofix and something like rootkit revealer
dont give you any peace of mind, you will have to do your
banking in person.

Woodmann

That's the approach I have been taking, but it's getting to the point where you have to suspect ATMs. I was talking to Kayaker about this a while back, and if I remember correctly, he claimed not using online banking for similar reason. When someone with Kayaker's understanding of the Windows OS, under the hood, is suspicious of online banking, that's more than good enough for me.

The reason I posted was to see if anyone had heard of advances in keylogger detection. Rootkit revealer is very basic and you have to do your own research as to what each item flagged means. They are often not sure at the rootkit revealer forum.

Russinovich even admitted it couldn't find every rootkit. So, I tried gmer et al, but each has its limitations. I was hoping by now that a good rootkit/keylogger detector would be available.

I have d/l'd versions of Live CD from Ubuntu and Fedora. I'll try those to see if I can make a live connection run from the CD only. I also thought about using a VM.

Because you obviously care about security you might think better than to use an old CD, since there have been many many bug fixes since you downloaded yours 'a few years ago'. I much prefer the Fedora "Security Spin" as a starting point, since what better way to know you are safe but to have all the tools you might need to tell the difference?

http://spins.fedoraproject.org/security/
http://fedoraproject.org/wiki/Security_Lab

Note: the browser does not come enabled with flash, and that is a good thing given the number of exploitable bugs in recent years, but you best check to make sure your bank does not depend on flash, in which case I would just get another bank.

As long as you don't get to electronically sign very detailed descriptions of the transactions you want to make, on separate secure hardware, you can indeed be owned, and it is being done today. As long as any malware code is able to enter your computer (which is also extremely common today), you are fuxored, no matter how many anti-*** programs you have.

Believe me, I know what I'm talking about, both from theory and experience...

thanks for links. The two Live CDs I d/l'd are the most current.

Hey, Delta.

Could you expand on that? Electronically sign? Separate secure hardware?

Also, I know you're into VMs. How about keeping an absolutely clean install on a VM, of say XP, and using that? I think I managed an Internet connection through a VM once, but I'm not sure.

Caution Will Robinson! If you are thinking of running the Bank Browser OS from a VM, and your host OS is already rooted, your toast. The key loggers/rootkits in the host OS will still capture all your activity and phone home all your activities. Its better the other way around. Unless ...

If you really want a secure OS using VM technology look at qubes-os.org. The Xen Dom0 host OS by design has no direct link to the network, and the VM's are used for each application needing a connection to the network. The files system is basically read only except you can define certain files to be persistent across sessions, or revert them on each session if you like. The paradigm is that you have one VM instance for general surfing of the Internet and a second one just for banking. Neither VM would have access to any of the resources of the other, and neither can touch anything not explicitly added to that VM. Its still a beta development project, and you need to have a VM-d capable processor (e.g. Intel i7) to prevent cross security domain DMA transfers. The paradigm effectively uses hardware to protect all the application VM's from one another, and runs all the driver level software in a special VM for containment purposes. It's a slick design and I'm getting ready to jump on that with the new hardware I just bought for it. Now I just need the time to set it up.

Electronic signatures (please google if you don't know what it is) of the entire description of the transaction you want to perform is secure in the way that the bank can always verify that you signed exactly this instruction, and nothing else ...which brings us to secure hardware. Without having the signatures being created on secure hardware (= not your infected computer, but rather a standalone device with no or secure interface/connection to the computer, and hardware-bound private signature keys) you can never be sure that you are actually signing what is displayed on the screen, all you'll do otherwise is give the trojan the passphrase to your private key, for it to do whatever it wants with (e.g. unlimited amounts of arbitrary properly signed transactions!).

The problem is that you cannot affect this yourself, but must rather just choose a bank that uses such a security solution.



Yes, my personal solution is exactly that. I do all "normal" surfing (and all other risky stuff too) in a VMware-machine (which also resets to a clean snapshot every time it is turned off) and only do high-security stuff like internet banking in the host. This feels secure enough for me, since the only attack that could succeed then is a three-stage browser-exploit + zero-day VMware-exploit (I always keep VMware patched of course) + host infecting trojan/rootkit. Finally, I also have quite serious measures in the host machine to detect any such thing, in the unlikely event that it would happen.

Don't want to use up your valuable time, but could you give a 'for instance'.

I can google for more info but I am trying to get an idea regarding what you mean by serious measures, beyond what you indicated in your previous post. Of course, I don't expect you to divulge trade secrets or anything that is not for prying eyes. Could you briefly list a few hints, if possible.

I have tried to steer away from modern virus detectors due to the way they interfere with system operation. I have just installed the free Comodo firewall, behind a router hardware firewall, and it's supposed to have a virus detector on there, but it doesn't seem to be standalone. Is there a relatively simple solution to dealing with rootkits and other camouflage viruses? Last time I tried, there was only rootkit revealer, gmer, etc.

I think dELTA's solution is just the best (VM for internet surfing) and... well, you can use this for everyday's work:
http://www.vmware.com/appliances/directory/507083

keep always up the hw firewall SPI and inbound drop, NAT alone isnt enough to stop skilled hackers... and keep your OS patched... and hope there's not some 0-day attack on your machine internet stack...
imho you can use comodo's defense+ behavioral blocking (or any other behavioral blocker) to prevent most not-exploiting dangerous attacks.

...personally, i use an handmade 100% sandbox solution since years, but I still have to finish the GUI for it, so dont expect to see it soon around (damn, still i havent time to finish it )

Sure:

Tight-tuned process behavioral blocking
Process white-listing
Custom developed HIDS
Fine-grained folder encryption
Full-disk encryption with pre-boot boot sector modification detection
Regular harddisk imaging as a last recovery resort

I'd dare say I'm not among the easiest targets out there anyway.

Thanks to Maximus and Delta for recent replies, and to all other peeps for overall replies. I have to go do some research. What's new??

Got my finger veins scanned at the bank today. In a week I'll be able to withdraw money from the ATMs just with a touch of my finger on the machine; no cards, no passwords. I've gone 'biometric'.

I may be a geezer but I love doing techie.

...at least, I'm not the only paranoid around

Personally, I use an encrypted drive mounted as NTFS folder over my documents (the son of good old SUBST) - not as secure as dELTA's solution, but a fine balance to me.

What dELTA didnt say is that he must have a fast SSD hd, because in my experience you cant work seriously with such encryption over spinning hard-drives... and that new intel's CPU with AES instruction set will be a mandatory update for it, x5 faster

Fast SSD disk indeed. I don't think it's that bad without it though with todays processors etc. Why would the disk I/O speed matter so much, it's the same sectors that are being read either way?

And wbe, no matter how cool the biometric stuff is, bunches of those systems are being beaten regularly with simple but inventive hacks. And, it also hurts more when the bad guys decide to "steal your credentials". (there are actually countries where this happens...)

well, it really depends on what you are doing, if your system stays idle most of the time, you wont notice any difference but...

but where are stored your temporary files, and the windows swap file? ask yourself if losing time to en/decrypt that 4kb page every time matters or not
...same for your temporary folder.

a fast ssd has a flat speed of 150-300Mb/s, compared to an effective spin hd of say 15-40Mb/s (try to access many small files and wait all the track-to-track and sector positioning on the inner 2/3 quarter of your HD plate... even lower!)... say you need 0.5 second to load 100mb and 1 second to decrypt: 1,5 second, a blink of an eye.
Now take a 2.0sec hd, add 1 second there=3 seconds. You will notice way more the second more there, as it will make you feel to 'wait more', and everything will start becoming too slow, whereas on ssd the added time is 'eaten' by the huge speed increase.

I noted the slowdown working with compilers, that usually generates lots of small files, access many, many files and makes use of the swap file (i even got once my 4Gb notebook pops the old hatred winmessage 'out of memory', which requires you a reboot..).

Maybe the new intel processor, by speeding up x5, should really really be the feasible to keep it on without an SSD.. without, i had felt the difference when working and (ab)using the system resources. it is just my feeling with it, any way

Online banking is safe now.
It is the tendency to work and buy things through internet, so they have to take actions to protect our rights if they want to go on their business. Including some bad people use keylogger ("http://www.microkeylogger.com/") to steal our passwords.

I think you had better do some research. Ever heard of rootkits or key loggers? They can capture anything you type on your keyboard or anything that appears on your display.

Banks tell you they have software to detect such activity but only at the user level. A well written rootkit lives at system level and bypasses user level apps like the banks use.

Browsers like firefox confirm that you are on the bank's site but that does not do you much good if a keyloggers is recording your keystrokes or display. Neither does it help encryption algorithms if the data is retrieved before it is encrypted.

I told all this to my bank and they had never heard of it.

...i could tell you the tale of a local bank director that got about 8k missing from his bank account -yet he had the RSA-key generator for not-readonly ops sealed in a security box and he did never use it... or should I tell you a tale of a big bank that got his mobile account app 'guaranteed that it works', as one of their engineer answered me to my query 'did you do the security audit?'.

But I won't do it, so yes, I agree 100% with you. Oh, have you ever noted the sun rotates around the earth? Just get out of your house and watch the sky for a day... you can't doubt it.

Maybe you have already done so, but it's worth following through on that thought.

When people come out of their comas, and notice that the Sun is actually not going anywhere, except around its own barycentre, they might begin to wonder about time itself, since it is based on the periodicity of the Earth's rotation. We are actually standing on the timebase, traveling about 800 miles per hour, in case anyone has wondered what it is like inside a clock. If you want to warp your mind one night, take a look at Venus and try to visualize the orbit of the Earth around the Sun wrt to Venus. Hint: you have to remember that up and down to you is not up and down wrt the ecliptic plane, which is at an angle to our tangential plane.

When they investigate time, people might notice that it is contained entirely in the human mind, and that past and future are illusions of the mind related to our ability to store things in human RAM. If they really get into it, they might notice that time dilation and curvature is also an illusion of mind, which actually comes from our dependence on equations we developed with our artificial parameter (time). Somehow, we have managed to suck ourselves into thinking our artificial time parameter is a force of some kind, with real phenomena like force and mass becoming dependent on it. The human mind is a hoot.

I don't know what that has to do with the safety of online transactions, but it's my thread. I guess the relationship might be in the way we allow ourselves to be sucked in by authority figures like financial institutions. Also, this kind of thinking comes in handy for reverse engineering....being able to look at some code and figuring out that's probably not what we think it is.

Hey Woody, whazzup???

Online banking is very safe. You'd better scan you PC periodically to protect you pc from keylogger.

hehe, I smell bots...

I smell bankers...

Nope, you're right, two brand new registrants, very similar Chinese IP's, curious posts, attempt to add embedded commercial link, ...
Wow, Chinese spam, whodathunkit?

Hey Waxy,

You a billionaire yet ?

Woodmann

No Dad, I'm twelve!

Talk to me when you a billionaire



One of my all-time favorites. Closely followed by: "C'mon , Do Math"

Imho use online banking in case of emergency, and stick to a bank that support OTP or any other two-way auth mechanism (SMS validation etc..)

Sorry I missed your post Darkelf.

If you were really 12 I would be your grampy.
And JMI would be your great grampa.

Sincerely, Grampy

Holy shit! NOOOOOO!!!!!

I thought everbody knows what that means:

http://www.youtube.com/watch?v=hVODv8A5-EM

and

http://www.youtube.com/watch?feature=fvwrel&v=RjbiuOs1mCI&NR=1

Although the idea of being 12 again.....

yours grandson

BWAHAHAhahaahahahahaa........

I really need to watch family guy.

Grampy

Here the banks are using windows NT (NT!!!!!) you can clearly see it when your ATM is crashing or rebooted with the bank's front end !

Sad!

About $999.9999999999 million shy but I'm closing on it.

It's no wonder. I was doing a job (not a bank job) in a Royal Bank of Canada head office once, and the head CEO came out of his office wearing striped pants with two inch cuffs that came a couple of inches above his shoes. His shoes were those banana-toed bankers (a form of shoe) old time street fighter favoured. The toe on the shoe had an oval shape like a flattened out banana. He wore the obligatory braces to hold up his pants.

That would be considered good taste among bankers and it is no surprise they still favour NT.

At one time those shoes were the fad back in the fifties and sixties. The french-toed variety had a square toe with a seem about two inches back, just below the laces. You could spit polish the toe to a mirror shine and many a fight started over someone treading on and scuffing the shine.

You remember the song by Elvis:

Well, it's one for the money,
Two for the show,
Three to get ready,
Now go, cat, go.

But don't you step on my blue suede shoes.
You can do anything but lay off of my blue suede shoes.

Those guys meant it. It could cost you your life.

Woody
I got Comodo free antivirus package based on your advice and I am running 7. Works like a charm. Thanks for tip.

It's called Comodo Internet Security Premium ver 5.3.17 and for anyone interested, you have to be sure to get the free one, not the shareware, unless of course you want the pro version.