CASEScontact - solutions, tools & skills against latest security, cybercrime, hacking & malware threats
Just the facts
     
Title   CASEScontact.org guide - 10 commandments for more secure online banking
Description   Following these best practice guidelines, while exercising safe computing practices, reduces risks for becoming the victim of Internet fraud
CyTRAP LABs ID   CT210014
Date   2005-12-30
Systems affected  
Version number   1.0
ISSN   1603-9866
Verify tip   http://casescontact.org/tips/210014
Risk assessment   High
Impact/Severity   High
Audio/Podcast files   CyTRAP PodCast show - Protecting your digital assets - Thursday, December 30, 2005

What's up?

What is the threat or vulnerability?

Real life scenario: In everyday life we sometimes meet people who find out all kinds of information without much effort. They ask questions that appear innocent and that, when put to different people, do not raise suspicion.

For instance, one may obtain a person's phone number from an associate, learn about the individual's absence from a talkative neighbour, and so on. The latter may even mention that the spare key to the apartment can be found ....

Internet & PC scenario: The same technique works for finding out the username and password a person needs for online banking, by asking an unsuspecting phone operator, family member and so on.

A more malicious approach is to have spyware installed on the victim's PC that collects this information before the criminal activity is launched.


Problem & Solution

Admin

We appreciate you looking at one of our tips. However, to assure that you have the latest version in front of you, please always click the link above to visit the website, because small changes are made without e-mailing the tips out again.

Please share this information with your colleagues, because they will appreciate it very much.

    What does it mean to me? Am I vulnerable?
    So why should you care about safer online banking? Because with little effort you can make your online banking much more secure and avoid a lot of pain that you would otherwise experience.

    1. The threat may come in a variety of forms, including malicious code exploiting a known vulnerability (see also below).

    2. The vulnerability is that a malicious user could try to steal your password or other important information and use it to conduct transactions on the Internet, causing grief if not financial losses.

    3. The impact is severe if the malicious user gains access to your operating system. Regardless of how severe your losses are, you will definitely spend much time and effort correcting the problem if it ever occurs. Some people estimate that it can take more than 20 hours of your time to rectify a problem caused by a hacker having made unauthorized transactions using your account and the bank's online portal.
    ==> So you want to avoid such mishaps. A little protection and prevention goes a long way - read on and get a few hands-on tips on how to reduce your risks regarding Internet fraud.
         
    If I fix the problem - will it help me?

    Your bank may have stated in its Electronic Access Agreement something similar to:
    '...In addition, you agree to implement and maintain safe computing practices which will include, at least, the following security measures:
    1. an Internet browser with at least 128-bit encryption technology;
    2. up-to-date virus scanning software; and
    3. a firewall system.
    ... We will not be responsible for any loss, damage, delay or inconvenience suffered or incurred by you with respect to (i) this Agreement,....'
    The above indicates that in most if not all user agreements regarding online financial transactions, the customer will very likely have to prove otherwise or bear the loss if something goes wrong. Hence, it is wise to minimize the risks while being able to prove that one has followed best practice by using our commandments.
         
    How can one describe the solution?  
    The solution is outlined in the rules given below. Following these will minimize your risk for becoming victim to unauthorized transactions on your account.
         
    Does Microsoft offer me a solution?
    • Rule 1 - Install a program written by a Microsoft programmer. The program is called DropMyRights.

      This program lets you keep using your computer as an administrator while opening selected programs with limited rights. Proceed as follows:

      1. Download DropMyRights - Browsing the web, doing online banking and reading e-mail safely as an administrator,
      2. install the program,
      3. then move the .exe file to another folder, "c:\lowrights" for example, and thereafter
      4. right-click on your desktop and create a new shortcut. To create a shortcut that loads Internet Explorer with limited rights, this is what you put as the location:
        • c:\lowrights\dropmyrights.exe "c:\program files\internet explorer\iexplore.exe"

      PS1. Yes, you can create a user account with limited rights that you use when surfing the Internet and doing online banking. As a limited user, it becomes very difficult for malware to attack the browser and install itself. But as it turns out, the above approach is much easier and more user friendly.

      PS2. When you launch Internet Explorer with that shortcut, the DropMyRights program gives it the same permissions as a limited user. You cannot install or run ActiveX, and most of the methods used to install malware, such as a keylogger, will simply fail. I tested this program on a couple of very nasty web sites and absolutely nothing happened... neither malware, spyware nor a keylogger managed to get onto our test systems.
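As an added example (not part of the original tip and not DropMyRights' own code), this PowerShell script creates the low-rights shortcut from step 4 without typing the location by hand, and includes a check you can run from a PowerShell window started through the same shortcut mechanism to confirm that the launched process really lost its administrator rights. The folder c:\lowrights and the shortcut name are assumptions.

```powershell
# Added example: create the DropMyRights shortcut described in step 4 and
# verify that a process launched through it runs without administrator rights.
# Assumed paths (not from the tip): dropmyrights.exe copied to c:\lowrights.
$DropMyRights = 'c:\lowrights\dropmyrights.exe'
$Target       = 'c:\program files\internet explorer\iexplore.exe'
$ShortcutPath = Join-Path ([Environment]::GetFolderPath('Desktop')) 'IE (low rights).lnk'

function New-LowRightsShortcut {
    param([string]$Launcher, [string]$Program, [string]$LinkPath)
    # Refuse to create a shortcut that would silently point at a missing file.
    foreach ($p in $Launcher, $Program) {
        if (-not (Test-Path -LiteralPath $p)) { throw "Not found: $p" }
    }
    $shell = New-Object -ComObject WScript.Shell
    $link  = $shell.CreateShortcut($LinkPath)
    $link.TargetPath = $Launcher
    # The program to run is passed as the argument, quoted because of the spaces.
    $link.Arguments        = '"' + $Program + '"'
    $link.WorkingDirectory = Split-Path $Program
    $link.Save()
    return $LinkPath
}

function Test-RunningAsAdministrator {
    # True when the current token holds the Administrators role. Run this from
    # powershell.exe started via the same dropmyrights.exe "<program>" pattern:
    # under DropMyRights the group is deny-only, so the function returns False.
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

New-LowRightsShortcut -Launcher $DropMyRights -Program $Target -LinkPath $ShortcutPath
"Administrator rights in this process: $(Test-RunningAsAdministrator)"
```

Running the last line once from a normal administrator console and once from a PowerShell started through DropMyRights should print True and then False; if both print True, the shortcut is not doing its job.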

         
    Where can I get more help?
    Extend your browser for a more secure online banking experience by visiting:
  • UPDATE 2 - Yes Virginia - phishing attacks are on the rise and getting meaner - we tell you how to surf safer
  • Go to the section called 'Does Microsoft offer me a solution' and download either the toolbar for Microsoft Internet Explorer (IE) or the one for Firefox. The tool helps you make sure that you have landed on the correct web site and not on a malicious one where you may be exposed to a phishing or hacking attack.... it is easy to install and really helps, check it out (of course, both tools are FREE)!
     


    What is the solution to this problem?

    Tip 1
    • Rule 2: Do not store digital certificates or digital credentials from your bank on the hard drive of your computer. Instead, save them on a memory stick or a disk if you still have that possibility. However, do not leave the memory stick with your digital certificate in your USB port unless you are required to do so because you are about to conduct a financial transaction right now.

      This approach will prevent others from accessing the certificates.

    Tip 2
    • Rule 3: Besides keeping these certificates in a safe place, they must be encrypted while stored, in order to prevent anybody else from taking advantage of them.

    Tip 3
    • Rule 4: In most instances, your bank will not only ask you to provide a digital certificate, username and password to authenticate yourself, but you will also be required to provide a one-time transaction code or PIN.

      Typically you are mailed a list of one-time transaction codes by post. The system then asks you to provide a certain code on the list (e.g., the 10th code from the top), which in turn authorizes the transaction you want to make. Without providing such an authorization code you may neither be given access to the account balance nor be able to authorize a transaction.

      Keep this list in a safe place at home - not the office.

     


    Take another 2 minutes - More tricks to safeguard your information better

    Tidbit 1
    • Rule 5: Following the above four rules is vital in reducing your risk of having malicious code or phishing attacks result in mishaps that can be costly.

      However, besides the one-time transaction code you will very likely have to type in your:

      1. username or customer number, and
      2. password

      as well. Neither the username nor the password should be typed; instead, copy them into the appropriate fields, which makes it tougher for a program such as a keylogger to steal this information.

      Under Rule 3 above you were given a link to an easy-to-install and easy-to-administer program that allows you to copy this encrypted information quickly, thereby reducing the risk of having your username and password stolen.

    Tidbit 2
    • Rule 6: Do not use shared computers to conduct financial transactions. Neither are computers in public places, such as those in the library, suitable, because they are likely far more vulnerable and exposed to threats than your work or home computer will ever be.

    • Rule 7: Do not click on a URL or web address provided in an e-mail message. Instead, use the web address that you stored under your favourite bookmarks the last time you conducted a financial transaction on your bank's web site. Otherwise, just type in the web address.

    • Rule 8: Always use the 'Logout' button (sometimes called 'Log off' or 'Sign out') when you are finished with your online banking session, and close your browser => restart the browser if you want to continue surfing.

         
    Tidbit 3
    • Rule 9: Activate 'Do not save encrypted pages to disk' in Internet Explorer (IE) as follows:
      1. click on Tools > Internet Options > Advanced, AND
      2. scroll down to Security and tick the box with the above text.

    • Rule 10: If something appears suspicious to you, it probably is, and the message most certainly did not originate from your bank. Your bank:
      1. does not send you e-mails that contain a hyperlink connecting you to the logon page of your bank's online banking portal, or a message that asks you to provide username and codes,
      2. does not ask you to send your credit card number, access codes, PIN or transaction codes via e-mail.
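The IE option behind Rule 9 is stored as a per-user registry value, so it can be audited or enforced without clicking through the dialog. The following PowerShell functions are an added example, not part of the tip: they read the DisableCachingOfSSLPages value under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings (the value that 'Do not save encrypted pages to disk' toggles) and set it to 1 when it is missing or off.

```powershell
# Added example: check and enforce IE's 'Do not save encrypted pages to disk'
# (Rule 9). The option is the DWORD DisableCachingOfSSLPages in the current
# user's Internet Settings key; 1 = enabled, 0 or absent = pages may be cached.
$IeSettings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName  = 'DisableCachingOfSSLPages'

function Get-SslPageCachingDisabled {
    # Returns $true only when the value exists and equals 1. A missing value is
    # reported as not compliant, because then the default (caching allowed) applies.
    $item = Get-ItemProperty -Path $IeSettings -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Set-SslPageCachingDisabled {
    # Create the key if needed, then write the DWORD; -Force overwrites an existing 0.
    if (-not (Test-Path $IeSettings)) { New-Item -Path $IeSettings -Force | Out-Null }
    New-ItemProperty -Path $IeSettings -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

if (Get-SslPageCachingDisabled) {
    'Rule 9 already in effect: encrypted pages are not written to the disk cache.'
} else {
    Set-SslPageCachingDisabled
    "Rule 9 applied; re-check reports: $(Get-SslPageCachingDisabled)"
}
```

The change takes effect for new IE sessions, so close and restart the browser after running it.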
           
    Watch out   Based on our review of about 20 online banking agreements, customers submit to and agree to implement IT security measures that meet basic standards, such as:
    1. a firewall (check whether yours works properly),
    2. anti-virus software (choosing the right anti-virus software - choose the best for free), and
    3. anti-spyware (check whether your computer is infected and get the best solution here).
    Failure to follow best security practice by implementing the above measures properly could cost you several hundred or even two thousand Euros and more.

    Why? Because your bank will point out that you have not followed best practice, thereby failing to fulfil your obligations under the online banking agreement that you signed.

    This means you will have to absorb the losses and damages you may have experienced due to a hacker succeeding in penetrating your computer's defences. So check NOW how your computer's security measures stack up regarding online banking and best practice. Better safe than sorry.



    Administrative
         
    Author   Urs E. Gattiker - CyTRAP Labs
         
    Revisions
    • 1.0 - 2005-12-30 - First version

    Contact details
    Web: http://CASEScontact.org
    E-mail: support01@CASEScontact.org
    Tel: +41(0)76-200-7778 or +44(0)70-9237-6036
    Fax: +44(0)70-9237-6036, dial 3 send fax

    --END of ADVISORY - Important Info Below--
     
    We recommend that you VERIFY ALL ADVISORIES you receive IMMEDIATELY, by clicking on the link provided at the top of this alert.

    NO WARRANTY
    Any material furnished by CASEScontact.org is furnished on an 'as is' basis. CASEScontact.org, writers & sponsors make no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material.


    CASES writers & sponsors do not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
    Full DISCLAIMER notice at: http://www.casescontact.org/terms.php
    Copyright (c) 2007 by CyTRAP labs - Urs E. Gattiker. All rights reserved.