Online Banking and Virus Protection

[Tom B]

Something to be worried about?

(It's the front page article in today's Technology Guardian, in case you're wondering whether or not to click)

[rogerzilla]

Something to be worried about?

(It's the front page article in today's Technology Guardian, in case you're wondering whether or not to click)

I saw that.  One issue is that the bank would ask to inspect your PC, at which point many people would give up and go away.

[Polar Bear]

Good reason to remain a branch user methinks.

[Charlotte]

Just another way for them to weasel out of paying up after a fraud.

Now I know not do any online banking unless it's on my company network at work or at home on Linux.

[pcolbeck]

The banks could start using security posture assessment software.  Basically when you connected to the banks on line banking gateway it would download a small java client to your PC which would do a quick check for the existence of a firewall and ant virus and if said anti virus was up to date. If your PC complied it would be allowed to continue if not they could instead connect you to a page detailing how to turn your firewall on and how to obtain free anti virus or updates for your current one. We already sell appliances that doe this for corporate use.

[sas]

That still wouldn't work for all non-Windows systems, or for any 64 bit system (AFAIK there still isn't a 64-bit Java plugin available), and presumably it also requires the user to give trusted permissions to the applet. Fine for internet banking, not such a good idea if they get into the habit of accepting everything. Have you got a Java stupidity detector?

More seriously, does anyone have stats for what proportion of online thefts are due to malware vs. phishing vs. bank lost a laptop with your details vs. card copied when at the local restaurant?

[Jezza]

I have a Nationwide account I use for online banking. When I was in New Zealand I logged on to be informed that they were cancelling all cards for online accounts and reissuing them due to a security flaw. As it turned out, they didn't reissue the cards - instead they sent a card reader to my home address to be connected to the PC. I'm fairly computer literate but I'm damned if I can get the thing working. And that's with Windows. Heaven help you if you use Linux.   

[andyoxon]

I have a Nationwide account I use for online banking. When I was in New Zealand I logged on to be informed that they were cancelling all cards for online accounts and reissuing them due to a security flaw. As it turned out, they didn't reissue the cards - instead they sent a card reader to my home address to be connected to the PC. I'm fairly computer literate but I'm damned if I can get the thing working. And that's with Windows. Heaven help you if you use Linux.   

  Jezza, I  have one of those new NW card pin generators(?) looks like a calculator - but not had to use it yet.  My NW card was put on 'watch' (though no one told me) when I made a payment online the other week, subsequently a  direct debit payment was refused.  They sorted it out in the end, but to be honest I don't know if I can rely on it - used my debit card to buy cinema tickets the other day.

On another occasion online with this NW cc I agreed to sign up for one of those immediate visa checks, with added password validation etc.  Think I've now forgotten the new password.   

I know there is a lot of fraud, but they do seem very jumpy.

[Jaded]

More seriously, does anyone have stats for what proportion of online thefts are due to malware vs. phishing vs. bank lost a laptop with your details vs. card copied when at the local restaurant?

Interesting question and my guess would be that physical copying would be the main source.

[hellymedic]

I have an RBS card reader (NatWest are just the same).

You do not physically connect it to the computer. You use it during an online banking session, when so instructed (eg when specifying a new payee).

Switch on
Put card into card reader
Enter PIN
Follow instructions on both PC and card reader.

[Valiant]

I like those machines

I agree with the banks though, people should always have upto date anti virus et all. Why should the bank have to pay for peoples stupidity? FFS AVG Free and Windows/Mac firewall and jobs a good'un.

[rogerzilla]

The card reader is a time-dependent hashing device.  With chip and PIN, your PIN is already on the card (I know, I know) so it can use that to validate you.  It then creates a hash of the current time, challenge code and details of the transaction, providing you with a response code to give the Internet Bank for certain transactions - generally setting up a new bill payment.

This has two security benefits:

1) you need a card and card reader as well as the passnumber and memorable data, so Igor in Lithuania will find it harder to use your phished account details;

2) the response code can't be re-used later, nor can the transaction be intercepted* and the amount or destination changed, because the response code incorporates all those variables.

*very hard with SSL anyway, but there could be a trojan on your PC capturing keystrokes.

[Cunobelin]

I like those machines

I agree with the banks though, people should always have upto date anti virus et all. Why should the bank have to pay for peoples stupidity? FFS AVG Free and Windows/Mac firewall and jobs a good'un.

Some ISPs provide firewalls etc as part of the service, but they can be breached.BT for instance use Norton and the Homehub is firewalled. However there is no "operator" input.  What happens if there is a problem - are BT responsible or the user?

[Valiant]

In which case you are covered cos you have in effect an upto date firewall.

[Yorkshireman]

The security that Barclays recommend won't work with Windows ME (and ME's working for me). I have AVG, SpywareBlaster and Spybot-Search and Destroy, only use the on-line banking thing to check the balance ... before indulging myself buying bike related stuff ont'internet ... so stuff Barclays (I can have a five minute ride to the nearest ATM to check my balance anyway). I also notice (from a recent letter) that they are 'looking after my best interests' by changing the charges (and explaining them in fairly plain language) if I am 'short of funds' in my account and a payment is due (hasn't happened in the past 20 years  )... I assume that's due to people (successfully) demanding money back due to banks ripping off overcharging in the first place  .

[rogerzilla]

The security that Barclays recommend won't work with Windows ME (and ME's working for me). I have AVG, SpywareBlaster and Spybot-Search and Destroy, only use the on-line banking thing to check the balance ... before indulging myself buying bike related stuff ont'internet ... so stuff Barclays (I can have a five minute ride to the nearest ATM to check my balance anyway). I also notice (from a recent letter) that they are 'looking after my best interests' by changing the charges (and explaining them in fairly plain language) if I am 'short of funds' in my account and a payment is due (hasn't happened in the past 20 years  )... I assume that's due to people (successfully) demanding money back due to banks ripping off overcharging in the first place  .

Me is unsupported, I think, so they wouldn't recommend it; Micro$oft have no obligation to release security patches for it anymore.

[Yorkshireman]

Me is unsupported, I think, so they wouldn't recommend it; Micro$oft have no obligation to release security patches for it anymore.

Indeed, Microshaft have 'washed their hands' of Me. It still works for me (in fact I find this old desktop easier to use than a new laptop I have somewhere). I don't find any shortage of things that will run on this old thing, so as I mentioned  ... Stuff Barclays  .