Preventing Online Banking Access.

kelly

Member
I recently had my bank account compromised when someone attempted to transfer money into a fake PayPal account but failed. I would like to get some basics on how these hacker techniques work. I have a new bank account and I closed my PayPal; before I do any more online banking I have a few questions.

1. Do Unicode characters make a more secure password?

2. Am I safer if I copy/paste the Unicode password from a USB instead of using the keyboard?

3. My computer has an optional desktop keyboard which uses the mouse; is that any safer than the usual keyboard in regards to someone detecting keystrokes?
 

tremmor

Well-Known Member
If my account was compromised I would surely clean it up and likely do a wipe and new install if someone is sniffing.
You can include Unicode characters also and can be good. We always used a virtual keyboard also. It's built into my Windows 7 Pro and our virus program Kaspersky. When going to the site make sure it's secure. https.
 

beers

Moderator
Staff member
Two factor authentication would solve most of this.

Did you use the same password on other sites? If you aren't aware of the attack vector I'd probably go ahead and reformat to remove any malware or malicious dependencies.

1) Adding additional character sets improves security against brute force or dictionary attacks, however if you are using HTTPS to your bank (most all should) then this hash shouldn't be captured on the wire.

2) Depends on the malware on the local host, many of them capture clipboard events.

3) I'm pretty sure the on-screen keyboard generates the same key press events that a USB driver would call from a hardware keyboard, but it might be worth some more research.

Does your bank offer 2FA?
 

kelly

Member
Thank you tremmor and beers.

I only used that password at one location, but it was not a very good password and was similar to the one I used at the ATM. My new password is much longer and completely random, using Unicode characters with no words at all; it rated well over 100% with loads of security bonus points from one of the password strength checkers.

I'm just in the last stages of cleaning the computer; I've run CCleaner, RM Tool, RST Host, Zemana, Malwarebytes and Pre Scan. I'm not sure if my bank offers 2FA but I'll check.

I don't use PayPal very often, but just as a precaution I'll only be opening an account when I need it and then closing it afterward.

Thank you again for your input !
 

voyagerfan99

Master of Turning Things Off and Back On Again
Staff member
kelly said: "I don't use paypal very often but just as a precaution I'll only be opening an account when I need it and then closing it afterward."
Don't do this. It will be far too big a pain in the ass to always get re-verified when you sign up again. Just use a strong password and use 2FA if possible.
 

Punk

Moderator
Staff member
For a bank hack I'll clean install my computer. Have you called your bank to know if they have ways or tips to be more secure? They should be prepared to give you advice on how to stop this.
 

kelly

Member
I'm glad you brought that up, Punk. I'm getting the impression that banks are much less secure than they want people to know. I expected them to have a security specialist, but all I got was an employee with the usual canned replies about how secure the bank is; she passed me off to her supervisor, who was no better. I'm convinced all bank employees are clueless about security. They do have links on the website to the usual computer safeguards but otherwise nothing. I was thinking the bank's website designer might be more helpful, but there is no mention of them on the bank's website.
 

Geoff

VIP Member
You aren't going to be able to get in touch with the designer of the bank's website and ask them questions.

What probably happened is you were a victim of a phishing attack, where you receive an email or are redirected to a website that looks like it came from PayPal or your bank, and you proceeded to enter in your login information. The chances of a bank's security being compromised are very low, especially the larger banks.

Using special characters in a password makes it more secure from brute force attacks, however if you enter your password as part of a phishing scam or you have a keylogger installed, it won't make a difference.
 

kelly

Member
I'm not convinced the banks are all that secure. In my case I would never participate in any requests for my information; I would never trust anything I didn't initiate on my own behalf. The last time I used my PayPal was almost two years ago and it was sitting at zero. I'm also really careful to check the address bar, making sure it's correct before I make any transactions.
 

Geoff

VIP Member
kelly said: "I'm not convinced the banks are all that secure, in my case I would never participate in any requests for my information, I would never trust anything I didn't initiate on my own behalf, last time I used my paypal was almost two years ago it was sitting at zero, I'm also really careful to check the address bar making sure it's correct before I make any transactions."
Do you ever click on links in email to either PayPal or your bank, and enter in your login information?
 

kelly

Member
No, I've never opened email that I don't recognize. The only time I use my password is when I'm at the bank or PayPal website. People are usually reminded that these institutions will never contact you requesting information.
 

kelly

Member
I posted a shortened less secure version of my super secure password on a pw strength site and it scored very well, this included Unicode symbols from the character map, I used the password on various social media sites to make sure it works and all of them accepted it.

Password_Strength1.jpg
 

kelly

Member
I opened my new bank account today and discovered just how insecure the bank's website is. It turns out they won't accept my good password or anything containing Unicode; none of the familiar ones like $ @ # ( % ^ are acceptable. Amazingly, they only accept the usual keyboard numbers and letters, so while social media sites accept passwords that look like this: ýT¾‰j*f2S9. something as important as a bank won't! Unbelievable. It looks like the password I used using letters and numbers appears to be strong, but I really wanted to use characters that don't appear on any keyboard.
Password_Strength2.jpg
 

Geoff

VIP Member
I've seen many sites, some financial, that simply don't allow anything other than numbers and letters as well. Even with just those two, you can make a very complex password. Just be certain you use a completely different password for each site, the passwords are 100% random and not a word, and be sure you don't even enter your password in a phishing scam.
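
The point above about letters-and-digits passwords, worked through as an added example (not part of any post in this thread): for a password whose characters are picked uniformly at random, strength is length times log2 of the alphabet size, so a restricted alphabet is made up for with a few extra characters. The 200-symbol "extended" set and the 10-character length are constructed figures for comparison, and the function names are hypothetical.

```python
import math
import secrets
import string

# The character set the bank in this thread accepts: letters and digits only.
ALNUM = string.ascii_letters + string.digits  # 62 symbols


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest password length that reaches target_bits with this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(alphabet: str, target_bits: float) -> str:
    """Random password from `alphabet` using the OS CSPRNG via `secrets`."""
    n = length_for_bits(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))


def alnum_equivalent(ext_alphabet_size: int, ext_length: int) -> int:
    """Alphanumeric length that matches a password from a larger alphabet."""
    return length_for_bits(len(ALNUM), bits_of_entropy(ext_alphabet_size, ext_length))


if __name__ == "__main__":
    # Constructed comparison: 10 random characters from a 200-symbol set
    # (keyboard symbols plus accented/Unicode characters) versus letters+digits.
    ext_bits = bits_of_entropy(200, 10)
    need = alnum_equivalent(200, 10)
    print(f"10 chars from 200 symbols: {ext_bits:.1f} bits")
    print(f"letters+digits length needed: {need} "
          f"({bits_of_entropy(62, need):.1f} bits)")
    print("example bank-compatible password:", generate(ALNUM, ext_bits))
```

The figures only hold for randomly generated passwords; a strength meter's score for a human-chosen password is not comparable.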
 

Punk

Moderator
Staff member
Phishing is sometimes very hard to see. Maybe you got scammed and didn't see it coming. I think it happened to me a while ago, and I am very careful (even more now). I have addons on Chrome that check for malicious websites and got Malwarebytes Pro a while ago (it was very cheap on G2A) so it also tells me if the website is not right.
 

Agent Smith

Well-Known Member
If your bank does offer two-factor Auth, do use it.

Do NOT enter your password into those password strength test websites.

PayPal can use two-factor with a YubiKey.

If you set your DNS to OpenDNS, this can help prevent a phish URL.

If you use the Firefox browser or a variant of FF, there is an addon called PwdHash which WILL defeat phishing and many other things. https://crypto.stanford.edu/PwdHash/

Where PwdHash doesn't work, use KeePass. http://keepass.info/

Scan the crap out of your computer. I use many scanners. Some are: Herdprotect portable (won't work with OpenDNS on), AdwCleaner, TDSSKiller, GMER, RogueKiller, Malwarebytes, SUPERAntiSpyware, and many others. You may want to run RKill before running any of those. HijackThis can help and you can paste the log at hijackthis.de. FreeFixer offers a HijackThis approach, but you need to know what you are doing.

Consider using VoodooShield and/or Sandboxie for your browser. With Sandboxie you have to set things up like maybe full access to the browser's profile folder. If you update the browser you can't use Sandboxie.

There is some so-called anti-keylogger software out there, but I tested them all and some help for some attacks while others don't work for other attacks. So you have to run multiple anti-keylogger programs and then I discovered they played hell on my computer. So a better approach is a sandbox environment with VoodooShield or using Sandboxie for your browser. Prevent the crap from getting on your PC in the first place approach.

kelly said: "I posted a shortened less secure version of my super secure password on a pw strength site and it scored very well, this included Unicode symbols from the character map, I used the password on various social media sites to make sure it works and all of them accepted it."


Never use the same password for multiple sites.

https://www.leakedsource.com/main
 

kelly

Member
Thank you again tremmor, beers, Geoff, Punk, voyagerfan99 and Agent Smith for all of your advice and recommendations. You've been so helpful, I really appreciate it!
 