
Online banking fraud victim - help needed!

  • Last Updated:
  • Nov 17th, 2017 2:07 pm
Member
Sep 6, 2016
227 posts
49 upvotes
edkate wrote:
Nov 8th, 2017 10:42 pm
installed Kaspersky programs on all last Friday.
I did my day !!!! hahaha

Kaspersky from Russia
They collect all information about you and use it
Penalty Box
Mar 23, 2016
753 posts
199 upvotes
Clacker wrote:
Nov 9th, 2017 9:07 pm
Not saying that Kaspersky is good or bad but the actual truth about those files was a bit more nuanced see here. The function that "took" the files was the same function that you find in McAfee, Norton, etc. where suspicious files are sent back for further analysis. And since the files in question were actually exploit files it's no wonder they triggered Kaspersky...
I see. Thanks for that info, Clacker. I guess nothing is safe online now, but it seems most of the developed world is online?
[OP]
Deal Addict
Feb 16, 2004
1461 posts
44 upvotes
York Region
mech9t5 wrote:
Nov 9th, 2017 10:02 am
I like custom security questions so all I do is create a question that reminds me what password I used. It is meaningless and the answer is also meaningless and not necessary as the question itself is the password reminder.

Out of curiosity, OP... do you use BMO debit card to pay for things? Paying using your debit card is the easiest way for someone to get your bank card number.
If you must use debit, attach it to Apple Pay or Android Pay as it is much more secure since it uses a temporary number.

I never use debit. Period. The only time I use my debit card is at an ATM. And even then I am very careful to check the reader to see if there are additional devices.

I use my debit everywhere! It's easier for us to do the budgeting. I never use it in ATM machines or suspicious stores though. Use cash or credit card.
Sr. Member
Sep 13, 2016
949 posts
409 upvotes
I think it is unlikely that your Debit card was compromised. It most certainly was your online banking itself. You should be extremely careful not to use online banking (web or app) through Internet connections you don't know much about, like public wifi hotspots in cafes, railway stations, coffee shops etc. You never know which network is being skimmed. Also a good idea to disable SSID broadcast on your wifi router.

Also, don't be paranoid about Kaspersky. It is definitely one of the best AV softwares around. Being from Russian developers, it is quite understandable that US will be paranoid and have issues with it. But almost all anti virus programs collect data and files for further analysis, so it is not uncommon.
[OP]
Deal Addict
Feb 16, 2004
1461 posts
44 upvotes
York Region
IndyBeak wrote:
Nov 14th, 2017 4:20 pm
I think it is unlikely that your Debit card was compromised. It most certainly was your online banking itself. You should be extremely careful not to use online banking (web or app) through Internet connections you don't know much about, like public wifi hotspots in cafes, railway stations, coffee shops etc. You never know which network is being skimmed. Also a good idea to disable SSID broadcast on your wifi router.

Also, don't be paranoid about Kaspersky. It is definitely one of the best AV softwares around. Being from Russian developers, it is quite understandable that US will be paranoid and have issues with it. But almost all anti virus programs collect data and files for further analysis, so it is not uncommon.
Never used those connections. So I'm still trying to find out how they got my info.
Hubby will look into SSID on wifi.

I'm Russian myself so I understand 😁
Deal Addict
Feb 21, 2004
1200 posts
82 upvotes
Montreal
I work in infosec and here's my take along with a few takeaways:

A lot of online account credentials these days are obtained by resetting your password and intercepting your emails. They talk to an unscrupulous customer service rep and either reset your password without them asking for additional info OR they use info obtainable via social media or other contacts.

Security measures put in place by banks such as 3 answers to 3 previously identified questions are completely useless and extremely dangerous. This is called knowledge-based authentication. NEVER NEVER use them and it boggles the mind that banks and other organizations use this as a means to reset your password. The amount of data people put online these days is mind boggling so very easy to extract data there.



A few things to do:
-Share as little info as possible online. This starts by IMMEDIATELY REMOVING YOUR BIRTHDAY on Facebook/Twitter/Favorite Social media. Sure people will forget your birthday but who cares, the real loved ones will remember.
-Use a different password for each login/site in your life and store them in a password manager. Do not trust any sites anywhere to properly secure your password and data
-If you MUST use knowledge-based auth, enter bogus answers and save them in a password manager that is secured by a very strong password or other biometric means. My 3rd grade teacher's name is one of the 7 dwarves on one of my favorite sites :)
-Never do online banking in a public wifi or network you do not know. Use a VPN if you can (back to your house if you know how to set it up, not one of those 3rd party VPNs you bought to watch US Netflix in Canada)
-Use a token-based payment system (Apple Pay, Samsung Pay, etc...) that shields your real card number in case of a breach
Got Heat?
[OP]
Deal Addict
Feb 16, 2004
1461 posts
44 upvotes
York Region
HoTiCE_ wrote:
Nov 14th, 2017 7:50 pm
I work in infosec and here's my take along with a few takeaways:

A lot of online account credentials these days are obtained by resetting your password and intercepting your emails. They talk to an unscrupulous customer service rep and either reset your password without them asking for additional info OR they use info obtainable via social media or other contacts.

Security measures put in place by banks such as 3 answers to 3 previously identified questions are completely useless and extremely dangerous. This is called knowledge-based authentication. NEVER NEVER use them and it boggles the mind that banks and other organizations use this as a means to reset your password. The amount of data people put online these days is mind boggling so very easy to extract data there.



A few things to do:
-Share as little info as possible online. This starts by IMMEDIATELY REMOVING YOUR BIRTHDAY on Facebook/Twitter/Favorite Social media. Sure people will forget your birthday but who cares, the real loved ones will remember.
-Use a different password for each login/site in your life and store them in a password manager. Do not trust any sites anywhere to properly secure your password and data
-If you MUST use knowledge-based auth, enter bogus answers and save them in a password manager that is secured by a very strong password or other biometric means. My 3rd grade teacher's name is one of the 7 dwarves on one of my favorite sites :)
-Never do online banking in a public wifi or network you do not know. Use a VPN if you can (back to your house if you know how to set it up, not one of those 3rd party VPNs you bought to watch US Netflix in Canada)
-Use a token-based payment system (Apple Pay, Samsung Pay, etc...) that shields your real card number in case of a breach
Nice information! Appreciate your help!
As for Android Pay: I looked into it just now. So if someone steals your phone and gets it unlocked - I'm screwed, right? What are the security measures for Android Pay?
Deal Addict
Dec 16, 2005
2701 posts
690 upvotes
IndyBeak wrote:
Nov 14th, 2017 4:20 pm
I think it is unlikely that your Debit card was compromised. It most certainly was your online banking itself. You should be extremely careful not to use online banking (web or app) through Internet connections you don't know much about, like public wifi hotspots in cafes, railway stations, coffee shops etc. You never know which network is being skimmed. Also a good idea to disable SSID broadcast on your wifi router.

Also, don't be paranoid about Kaspersky. It is definitely one of the best AV softwares around. Being from Russian developers, it is quite understandable that US will be paranoid and have issues with it. But almost all anti virus programs collect data and files for further analysis, so it is not uncommon.
Why would you say it is unlikely the debit card was compromised when she uses it everywhere?

To me that is more risky than public wifi
[OP]
Deal Addict
Feb 16, 2004
1461 posts
44 upvotes
York Region
I don't do mobile banking or use public Wi-Fi. I'm aware of these things.
Deal Addict
Aug 4, 2003
2352 posts
819 upvotes
pickles02 wrote:
Nov 9th, 2017 4:52 pm
If you can, use only your home computer -- attached to your modem by an ethernet cable, not by wifi -- for banking. The article below describes a recent method of kracking of wifi (discovered in July but now made public) which strips your privacy and allows access to the contents of your device to manipulate and steal data from your device -- passwords, email info, etc.). https://www.forbes.com/sites/thomasbrew ... ca6e972ba9

Android devices, especially with Marshmallow or Nougat installed, are the most vulnerable and a fix is weeks away. Older iPhones are also vulnerable. Windows has already sent out a fix.
While the issue is serious, it is only a WiFi security issue exposing your traffic. It is no different than somebody logging traffic between two devices, but if the traffic itself is encrypted, the logging is pretty much useless. It helps knowing what it is before spreading FUD.
Loose lips sink ships.
[OP]
Deal Addict
Feb 16, 2004
1461 posts
44 upvotes
York Region
mech9t5 wrote:
Nov 14th, 2017 10:38 pm
Why would you say it is unlikely the debit card was compromised when she uses it everywhere?

To me that is more risky than public wifi
I use it in reputable stores only. If suspicious, I would use cash or credit cards or walk out. Never in non-BMO ATMs.
Sr. Member
Sep 13, 2016
949 posts
409 upvotes
mech9t5 wrote:
Nov 14th, 2017 10:38 pm
Why would you say it is unlikely the debit card was compromised when she uses it everywhere?

To me that is more risky than public wifi
Because cracking online banking with a compromised Debit Card is highly unlikely, in fact almost impossible. A compromised debit card can still cause you monetary loss, but it will be done by the fraudster swiping the clone at numerous places. Since OP's online banking was compromised, it was most definitely a case of someone getting access to her email account or a keylogger installed on one of the computers she used to login.
[OP]
Deal Addict
Feb 16, 2004
1461 posts
44 upvotes
York Region
HoTiCE_ wrote:
Nov 14th, 2017 7:50 pm
I work in infosec and here's my take along with a few takeaways:

A lot of online account credentials these days are obtained by resetting your password and intercepting your emails. They talk to an unscrupulous customer service rep and either reset your password without them asking for additional info OR they use info obtainable via social media or other contacts.

Security measures put in place by banks such as 3 answers to 3 previously identified questions are completely useless and extremely dangerous. This is called knowledge-based authentication. NEVER NEVER use them and it boggles the mind that banks and other organizations use this as a means to reset your password. The amount of data people put online these days is mind boggling so very easy to extract data there.



A few things to do:
-Share as little info as possible online. This starts by IMMEDIATELY REMOVING YOUR BIRTHDAY on Facebook/Twitter/Favorite Social media. Sure people will forget your birthday but who cares, the real loved ones will remember.
-Use a different password for each login/site in your life and store them in a password manager. Do not trust any sites anywhere to properly secure your password and data
-If you MUST use knowledge-based auth, enter bogus answers and save them in a password manager that is secured by a very strong password or other biometric means. My 3rd grade teacher's name is one of the 7 dwarves on one of my favorite sites :)
-Never do online banking in a public wifi or network you do not know. Use a VPN if you can (back to your house if you know how to set it up, not one of those 3rd party VPNs you bought to watch US Netflix in Canada)
-Use a token-based payment system (Apple Pay, Samsung Pay, etc...) that shields your real card number in case of a breach
What would be the VPN I could use? We subscribe to Private Internet Access...
Deal Addict
Sep 10, 2005
3106 posts
492 upvotes
GTA
edkate wrote:
Nov 15th, 2017 9:33 am
What would be the VPN I could use? We subscribe to Private Internet Access...
He is saying to not use a commercial VPN for this purpose but rather, to set up a VPN at home. This way, when you're out somewhere on public WiFi, you connect to your home VPN and your traffic is encrypted between those two points.

This is because commercial VPNs like PIA are essentially another "unknown" network. Whereas, if you set one up at home, you're just connecting to your home internet.

This can be done in a variety of ways. I have a raspberry pi at home that accomplishes this. I just installed OpenVPN on it.

If you don't use public WiFi or log onto unfamiliar networks at all then you may not need it
Deal Addict
Feb 21, 2004
1200 posts
82 upvotes
Montreal
edkate wrote:
Nov 14th, 2017 10:44 pm
I don't do mobile banking or use public Wi-Fi. I'm aware of these things.
This is an excellent behaviour that everyone should be aware of.
edkate wrote: I use it in reputable stores only. If suspicious, I would use cash or credit cards or walk out. Never in non-BMO ATMs.
The problem here is that even so-called reputable stores with formidable budget for IT security are subject to being compromised. Target, TJ Maxx (Winners/HomeSense), Home Depot are all "reputable" and they all had CC info stolen right under their nose. Some from incompetency, some from social engineering, some due to lack of physical security. This is why I recommended using token-based payments (Samsung Pay or Apple Pay or Android Pay) that every bank is so afraid of.

These systems create a "virtual" card and use a token system that is transmitted only if you auth securely to your phone. Even in case of a breach, no credit card number was ever transmitted so even if the retailer stored your number (and this is most of the time illegal per their merchant's agreement) and the thieves got away with it, they would have squat.

Dave98 wrote:
Nov 15th, 2017 10:26 am
He is saying to not use a commercial VPN for this purpose but rather, to set up a VPN at home. This way, when you're out somewhere on public WiFi, you connect to your home VPN and your traffic is encrypted between those two points.

This is because commercial VPNs like PIA are essentially another "unknown" network. Whereas, if you set one up at home, you're just connecting to your home internet.

This can be done in a variety of ways. I have a raspberry pi at home that accomplishes this. I just installed OpenVPN on it.

If you don't use public WiFi or log onto unfamiliar networks at all then you may not need it
Exactly, don't use any of those commercial systems. The best is to set one up at home but granted, this is not the easiest thing to do if you don't work in that field.
Got Heat?
