My Netbank Has Been Hacked

Last month our Netbank/CBA account was hacked and 3 x $600 was withdrawn in a 24hr period.
We did not discover the theft for 1 week as it was done in a sneaky way.

Three different separate accounts were created in our name and then hidden within the netbank pages when we had it open.
These three accounts each had a token amount (.15c) transferred to a paypal account then out of that same paypal account. Once that worked, the amounts of $600 per account were transferred out.

We contacted the Commonwealth Bank immediately and they shut these random accounts down, but only after we went into the bank and they gave us a big run-around - they did not make it easy.

Fast forward a month and we have been reimbursed the $1800, but the bank does not know how it happened - or they are not willing to tell us. They have been monitoring the bogus accounts/paypal but I guess there have been no further activities. The thieves will have just moved on to the next sucker's Net-bank account.

They said it 'could have been this or that', but that explanation is not acceptable to us so we are now going to shut down our accounts and find a bank that can protect its customers.
We have been customers of CBA for 20+ years, but this has left a bad taste in our mouths.
I know internet theft must be almost impossible to control, but you would think that the biggest, most profitable bank in Australia would have 100% security.

Anyway, that's my rant.
Now we are looking for a new SAFE banking system with a competitor - any suggestions?

Cooperellie


Comments

  • Nothing is 100% secure, that's why they have insurance. If you think any bank can be 100% secure, then I have a great deal on the Harbour Bridge I can sell you.

  • +1

    The Bank should not disclose how the fraud occurred as it could be a training blog. lol.

    The good things are - you got your money back, we are now more aware that fraud still occurs, but most banks come through - of course they investigate the dealings AND YOU, and also any staff who touched the transaction and received unexplained money in their accounts.

    Having a past career in a bank, there are many staff who, no matter how much training, are able to discuss unfortunate situations. A manager today is not an Experienced Manager.

    Good luck on changing banks and the mean credit assessments in the new hard financial world that we are going to. [ lets find a way to charge a higher interest rate as is done in the best example in the world on how to live — the USA - not - no never and we should work against that system] my rant of the day.

  • +2

    OP, it is very probable that you somehow had your computer compromised, or password phished/hacked. It's the sad reality but it happens.

    I am just interested to know, I just created another netbank saver account to test a theory, and they sent me an email right away when it was created. Do you not check your emails? That would have been a red flag too (unless the hacker also has your email address and deleted it).

    Sadly it looks as though netbank does not require a netcode sms to create an account, nor for paypal to take a direct debit from it, nor to hide accounts from main page listing. This itself is perhaps a security flaw, but also done so that customers can have an easier experience in creating accounts/changing a small setting such as hide account.

    I don't think blaming the bank is going to help, nor is them telling you exactly how it happened, as it might even be unknown (to them, it might look like someone just logged into your account, how they got the password is not under CBA's control..).

  • +1

    Hey OP at least it wasn't $5000 dollars (or even more lol).
    My parents' account was charged over $5k through my sister's secondary card. We didn't know until our statement came in the mail.
    The transactions were tied to a TV purchase and several large ATM withdrawals in a single day near Liverpool - not near where we live. It took us a while to be refunded, including having to file a police report so the credit company could access the security footage from the TV shop etc etc. Weirdest thing was that the purchases would've required a physical card and PIN, but my sister still had the original card on her. We think that her card was skimmed when she was buying stuff, so lesson learnt to always watch the machine and don't let anyone handle your credit card? Still no proper explanation even now but just happy it was refunded and that account was closed.

    • My friend's credit card got skimmed. Purchases totalling $17k were done on his credit card; some were from overseas. The police were called. The bank investigated and the credit card charges were reversed after it was investigated.

      Someone made a cashless withdrawal from an ATM using my account once. The bank investigated. After a week they reversed the charges. I put this down to people stealing my mail as my netbank account does not look like it was tampered with. Except whoever called tried to change my SMS number notification over the phone.

      I instructed the bank. Any changes like this to my account will require me to go to a branch with ID. Told them to disable phone banking also. I live near a branch anyway so no big hassle going there. Same for when I'm at work.

      • +4

        Someone made a cashless withdrawal from an atm using my account once.

        The person must have been disappointed. :)

        • My bad. What I meant to say was cardless withdrawal from an ATM.

          They rang the bank. Changed my SMS notification. Why the bank didn't try to call my number first before changing it I don't know.

  • My wife's netbank was recently hacked as well. According to her, the hacker withdrew $5000, putting her account into negative balance. The bank is investigating and will fix everything by the 22/09/2015. They did inform her that the hacker has been caught. He stole over $4 million dollars from many accounts.

    When my wife showed me a netbanking message on her phone issuing a netcode, I immediately knew that her account had been hacked. I instructed my wife to never access her bank account with her smart phone again.

    • If the netcode was on her phone, how would they hack the account, since u need the netcode to do stuff?

      • They hack the phone first so that they too will see the same message my wife sees, then they can create a new account and it takes a matter of seconds to transfer money over.

        There's been a lot of news lately about how vulnerable smart phones are. It was recently discovered that the simple torchlight app is a hacking tool, and just about everyone has it on their phone.

        The term smartphone is gimmicky. Only use it to surf the net, keep the business side of things on the desktop/laptop with the appropriate software to protect you. Even that is still not enough. You have to be unlucky I suppose. I've never been, touch wood.

    • +1

      I follow the antics of cyber criminals with a casual interest - so FWIW: that's probably pretty bad advice from a security POV because many more compromises occur through the web browser. The bank smartphone app is inherently more secure.

  • +4

    I know internet theft must be almost impossible to control, but you would think that the biggest, most profitable bank in Australia would have 100% security.

    Now we are looking for a new SAFE banking system with a competitor - any suggestions?

    Heh, that's pretty funny.

    First and foremost, there is no such thing as 100% security. Especially not when they give users and the devices you use access to the accounts directly via a webpage or app. They absolutely cannot account for the crap that you have on your computer. The moment they issued you an account you could access, they lost "100% security".

    It is entirely possible that CommBank was hacked, however in that case they would be seeing an uptick in this type of malicious activity on many accounts. Hackers don't go after a single bank account for $1800 - it's not worth the time or effort.

    That said, the most likely point of attack was your computer or smartphone. That's just the way it is. People are stupid. It is far easier to infect a bunch of people with malware and record all their financial details from their device than it is attacking a system designed to be secure. YOU are the weakest link in banking security.

    So your suggestion that you are looking for a new, SAFE, banking system, when in all probability you were the issue, is (profanity) hilarious. lol

    btw Commbank offers both Netcode SMS and Token systems for logon. Which means someone can't access your web banking account without your knowledge even if they have your username and password and account details. They would need your phone or token device. Complaining about them not having 100% security when you weren't even utilising all the security they do in fact offer. LOL

    • Heh there is 100% because the only people who are more motivated than those who created the system are those who are trying to destroy it.

    • -3

      btw Commbank offers both Netcode SMS and Token systems for logon. Which means someone can't access your web banking account without your knowledge even if they have your username and password and account details. They would need your phone or token device.

      Correct, which we both have and the only way we can logon.

      Thanks for the advice, you are definitely a superior (profanity)! LOL

  • Just a thought… But the other option is that your joint account holder made the transactions in secret. The bank may know that with the level of security that you have on the accounts (digital passes), external fraud could be impossible. They assume it is either you lying to them or your partner lying to you. If this were the case they may have decided that, considering that you have banked with them for 20 years they would rather write off the loss than call you or your partner a liar.

    This would also explain why they 'gave you a big run around' and 'did not make it easy'. I know that in obvious fraud cases the banks are very quick to return the money and make it very easy.

    Not saying this is the case. Just saying it is another possible scenario.

    • +1

      Well anything is possible, but not in this case.

  • +1

    A mate had their internet banking hacked via their mobile phone (one of the big 4, can't recall which one though).
    The hackers even set it up so the SMS confirmation codes were re-directed to a different phone number, so my mate absolutely had no idea what was happening until it was too late.
    Was reimbursed in the end though which is I guess all one can ask.

    So the hackers are always going to find a way. No foolproof system with any bank.

  • For my netbank at least, any transferral to a new account requires an sms code to be entered.

    So no one can actually transfer anything out of my account without me getting warned of it via mobile sms.

    Was this feature enabled for you?

    • You will not get any SMS warnings of a direct debit, nor is a net code required for a 3rd party to direct debit from your account.

      • -1

        SMS code is required for new accounts.
        If the account has already been authorized then no, the SMS code is not required.

        • +1

          Initiated in NetBank yes. From a 3rd party (via direct debit) no.

        • @Olokun: ooooh gotcha!

    • The SMS code as you call it, which is a form of 2 factor authentication (2FA), should be used as it makes you much harder to attack successfully.

      However malicious software can and does compromise 2FA. The compromise occurred because people connected their PC and mobile device. PC gets infected which infects the mobile.

    • This is easy to bypass: the hacker can ring your bank acting as if they are you, since they have almost all your details now, and change the number for the SMS feature or just disable it.

      • +1

        True. This happened to my parents. My dad (ever the pessimist) had always set the SMS code sent to his home phone (landline). Hackers called up the bank and instructed them to change the number the code was sent to - get this - my dad's mobile (which must have seemed legit to the bank, right?) then the hackers called the telco and instructed them to divert all calls and messages to my dad's mobile! All without many security questions being asked by the bank or telco. Dodgy.

        • then the hackers called the telco and instructed them to divert all calls and messages to my dad's mobile

          So .. he received his own messages and calls? Horror! :)

          BTW I wasn't aware telcos can forward SMSes.

        • @eug: no, he didn't receive any calls or texts on his mobile (not that he uses it much) cause any call or text was diverted to a different number. So the hackers received the SMS code needed for a transaction to a new "payee". After it was discovered we found out the phone number used for diverting (it was an Australian landline) from the telco (and gave it to bank/police of course) but I don't know if it led to anything/anyone.

  • Wonder if it's a work of Dridex - the latest generation of the banking malware, highly complex one, and yes, it indeed targets customers of all major Australian banks. In that case, the bank choice does not matter. But first, have you been using netbanking from a Windows computer? If so, can you run Norton Power Eraser (NPE) on it, and post here if it finds anything malicious or highly suspicious? NPE is a free legit product from Symantec (no crapware, no ads, no strings attached) - just google for it, you'll find this tool on Symantec website. It runs in 'paranoid'/aggressive mode and finds/reports anything that is not known to be white-listed - so be careful with it; but if you happen to have Dridex non-reported by any antivirus or any other banking trojan responsible for your account hack, it will certainly be picked up by NPE.

  • +5

    You've actually answered those questions everyone is posting, but no-one can see it, as your comment includes some silly stuff, and so it's at -17.

    So if you want some useful advice, you'd better post those answers again, somewhere - maybe in the original post? (Without the silly stuff, and using the correct terms, maybe like this):

    To answer some questions:

    • We actually were using two-factor authentication (Netcode SMS or the Digipass device)
    • Our PCs do have a virus scanner, [name of your scanner software], I [do/don't] think I've run anything on any dodgy sites that might have installed malware, etc
    • Our password(s) were pretty [good/bad], it was something like [my surname and year of birth, or 16 random characters including letters, numbers, punctuation, etc]
    • Was this intended for me?

      • Yes. It is your post.

  • +1

    Wow there is a sea of comments here already. I'm sorry if this has already been asked and answered but it's the only bit of information I'm interested in.

    "We did not discover the theft for 1 week as it was done in a sneaky way."

    Can you elaborate on this so that others may know where/what to check for?

    I'm not looking for an explanation of the hack, just how the money transfers may have been obfuscated from the normal Incoming/Outgoing payments list.

    • +3

      "how the money transfers may have been obfuscated from the normal Incoming/Outgoing payments list."

      possibly the OP doesn't check their account daily or even weekly…. could be as simple as that.

    • -1

      Please refer back to a previous explanation I have already made.

      • +1

        oh come on, you've got comments all over this thread. You can take the time to say that but you can't take the time to rewrite it or copy paste it?

        edit

        ok found it,

        "We have two accounts, one Access account that we use for everyday bills, wages etc and another account Netbanksaver which is a higher interest account that is attached to the Access account and we move money back and forth as required.
        As we generally only use the Access account we do not look at the other account every day, although when we log onto Netbank both accounts are available for us to view.

        The hackers opened up three new Access accounts from the Netbanksaver account and they were hidden within this account. We could not see the transactions and did not find the hidden accounts until we noticed that money was withdrawn from the Saver account in the bank account summary box. On closer inspection we noticed that there were three small crosses within the transaction listings that once we clicked on opened up to the new accounts and the transactions that had been made through them. We did not notice this at first as we generally don't work off this account when balancing credit cards and receipts etc."

  • +1

    If Cooperellie was using 2-factor authentication then there is very little chance the account was hacked.

    However if someone had installed the appropriate malware on your computer it is possible they could have had complete access to your accounts after you had logged on. So while you were doing your everyday banking they were setting up the accounts and transfers. Think of an invisible thief walking through your front door just as you unlocked it.

    As others have mentioned you might want to run some additional anti-virus and malware detection applications on your PC. It's possible that as part of the malware infection your currently installed programs were reconfigured to ignore the malware. Like the invisible thief disabling the burglar alarm. Sometimes you need to boot into safe mode to detect and get rid of these.

    If it turns out to be a sophisticated malware infection there's very little you can do. Hackers are sometimes one step ahead of every precaution you take. The only real protection is to do physical banking only.

    • So while you were doing your everyday banking they were setting up the accounts and transfers.

      With ANZ, if you try and open a second session (e.g. open a link in a new tab), the first session gets disabled, and shortly after all sessions get logged off. Surely CBA does that as well?

      • and it is a remote connection so that would make it harder to have two different browsers from different computers on different networks..

        so don't think this is possible

      • I have observed proper session and state-tracking that basically borks the session if a "workflow" is not followed.

        If there is sophisticated malware, it could be hooked into the browser processes and actually injecting HTML on the fly; thereby altering what the user sees. Fairly easy to grab credentials this way. Also, if sophisticated enough, could be used to control actions of the user (or perform actions on behalf of the user).

        With regards to Netbank tokens, wonder if OP had any issues with tokens in the weeks prior… imagine a scenario where the victim has a hooked browser that is waiting for "sensitive action" (that requires the netbank token to be used), it waits patiently till the OP performs an action requiring a Netbank token auth. Then, BAM, the dormant malicious script springs into action and steals that token to be used to add the badguy(TM) account details and exfiltrates a whole bunch of cash.

  • +3

    Sounds like you have a PayPal account and the details got logged (something more heavily targeted than NetBank). Typically most transfers within netbank require a Netcode SMS security check. This is where you would be required to authorize the transfer with an SMS code on your phone.

    I think you messed up here!

    • +2

      Actually SuperTyred, you might have something here.

      We recently had a discussion about our Paypal cause we couldn't understand something different within the account. Maybe this is

      I need to look into this further, but this may be right.

    • please explain what you are talking about..

  • +2

    **Maybe this is linked to the problem as the Paypal IS linked to our CBA account.

  • +1

    Open a Saving Maximizer ac with ING, no one can direct debit n u can only transfer funds out to your nominated bank ac

  • +2

    If you want to have security

    you should have two bank accounts from different companies..

    then u keep one for storing all your money

    and second one for transactions, online purchases..

    So u only expose your second account (which would have very little money in it)

    if it gets hacked, you don't lose much.

  • +3

    You cannot be serious! You got your money back and still unhappy??? Taking into consideration that hacking your Netbank account wasn't CBA's fault in any way.

    As to "how it happened" - report the incident to the police and let them investigate it.

  • +3

    OP I really sympathise with you. What happened really sucks, but at the end of the day, you're not out of pocket and the bank made things right. I think asking front line staff for technical explanations (that may include complex client-side attacks) may be a bit of a stretch. Moreover, if this is part of a much larger organised crime campaign, there could be investigations ongoing that are not communicated to the general public (especially if there is an intention to prosecute).

    Being safe (especially for online banking) is quite a task these days. :) There is a proliferation of banking malware as well as increasing usage of exploit kits (Angler EK, Nuclear EK etc). One needs to be extra careful. 2 factor authentication is great protection against keyloggers/stolen credentials, but does not protect from a completely compromised browser/system.

    Moreover, in most circumstances, an antivirus application is a last line of defence. It would take someone with a reasonable level of technical prowess (and a fairly short amount of time) to craft a malicious executable that will bypass most AV engines.

    • I don't get it. If they need an sms code sent to your phone before any payment to any new account can be made, even if they have total control of your computer, how do they get money out of your account?

      • Picture this scenario:

        Your browser/OS is compromised with malware targeting Netbank. It injects malicious code running in the background to monitor netcodes. If it manages to get its hands on a netcode, it will perform a sequence of requests: Add a new payee, perform transfer to payee, delete payee (optional).

        Now say, you need to perform a netcode transaction, let's say, set up a new BPAY biller. When you request the netcode, and then type it into the box (which unknown to you, is actually generated by the malware), the malware obtains the netcode, performs the above naughty stuff and then cleans itself from your rig.

        Now this is purely theoretical. :) It would have to be a very targeted piece of malware written by some really smart people.

        A more likely scenario would be a mobile based malware on a compromised phone. Once you set up the Commbank app initially, every time you enter the PIN, the app does not need netcode to add billers/payees etc.

  • +1

    A mate got hacked because he used his JailBroken iPhone to do Netbank, everything he ever entered probably captured and someone logged into his Netbank and took all the money.

    JailBroken, rooted devices all the same, if you are doing Internet banking on that same device or computer, don't do any dodgy download on it.

    It will save you money and trouble in the long run.

    • Haha you are kidding right…

      There are plenty of jailbroken devices.
      If that were the case a lot of ppl would be hacked and losing money..

      It is due to users' lack of knowledge when

      -they install things they don't know anything about.
      -installing free software with addon browser toolbars..
      -have weak passwords..
      -being a noob…e.g.
      -oldie generation who are posting everything on facebook, and using weak passwords

      • +3

        goraygo is not far off the bat.

        It is fairly easy for someone who has malware on their phone to get owned. The netcode protection only applies when the Netbank app is being registered. After the app is deployed and enrolled, the PIN (on the commbank app screen) is the only thing protecting it from malicious transfers (even IMT). This is fairly well protected on an up to date iOS or Android ecosystem.

        However, once the security model of Android/iOS is compromised by jailbreaking or rooting, the possibility of malware latching onto the commbank process and capturing the PIN is not too far-fetched. It could also be used to re-write any transfer requests being made further down the stack.

        In addition, a lot of folks install unsigned apps or tools on their jailbroken/rooted phones. Unless they are downloaded from absolutely bulletproof sources, there is always a likelihood of bad things being present in it. :)

        With great power comes great responsibility.

        • I think it might be difficult.

          Even if the PIN was captured it only works on that phone.

          They would have to physically be controlling the phone somehow.

          Also most jailbroken users don't have an issue…

          Like I said, u have to be a total noob to install something u have no idea about.

          Most of the time you just get your jailbroken apps from cydia and read what you are installing.

          Also what about rooted android phones etc..
          They have an option to install from non google play store..
          But u need to agree to it, and should know what you are installing.

        • +1

          @tyler.durden:

          They would have to physically be controlling the phone somehow.

          No, not at all. Demonstrated attacks on the contrary. Get the user to install the malicious app (this is probably the hardest part; doable though). If the phone is rooted, then endgame. If the phone isn't rooted (and is a droid), pull malicious payload from an attacker controlled server. Priv esc. Phone is pwned.

          Also most jailbroken users don't have an issue…
          Why? Jailbreaking, very crudely put, is essentially rooting. Have used mobile substrate to disable protections of mobile applications like SSL-pinning or even in-memory patching.

          Like I said, u have to be a total noob to install something u have no idea about. Most of the time you just get your jailbroken apps from cydia and read what you are installing.

          People add private repos to cydia all the time. Once you do that, you are now open to all sorts of fun stuff. :) It's not necessarily n00bs who get popped.

          Also what about rooted android phones etc..
          They have an option to install from non google play store..
          But u need to agree to it, and should know what you are installing.

          If you frequently sideload apps from suspect sources, you will get popped, n00b or not. You may think you know what you're installing, but do you really? E.g. say you download the netflix apk from a respectable forum, do you know whether it is the vanilla netflix apk that has not been tampered with? Do you have the skill-set to actually perform static and dynamic analysis on the apk to ensure it is not doing anything malicious?

        • @omgwtfbbq:

          Why would you sideload the Netflix apk

          Just get it from Google

          Like I said you need to know what and where you are installing it from

          If you got some actual proof and links where someone has hacked a bank app by sideloading another app then it might give you more cred.

          You need to be a really good hacker to do these things and they would not target low money targets.
          The payoff is just not worth it

        • +1

          @tyler.durden:

          Why would you sideload the Netflix apk

          I was using that as an example. A large number of Australians downloaded the Netflix apk from non-official sources as these simply weren't available in either the Play store/App Store.

          Like I said you need to know what and where you are installing it from

          … and like I countered with, there is always the chance that these have been tampered with. Same goes for patched apk etc. So you appear to know 100% legit places (albeit unofficial) where you download stuff from regularly. Pardon my skepticism but aren't you placing a bit too much trust by saying they can never ever dish out malware laced apps/tools.

          If you got some actual proof and links where someone has hacked a bank app by sideloading another app then it might give you more cred.

          So, unless I provide a proof of concept, you're not willing to believe this can be done?
          I'll give you a very simple example to illustrate this, there is something called SSL-pinning typically used as a mechanism to prevent man-in-the-middle attacks on mobile apps. For a very high level description: https://possiblemobile.com/2013/03/ssl-pinning-for-increased…

          Using a tool like the iSecPartners' ios-ssl-kill-switch, you can simply disable SSL-pinning with a simple toggle. Can be downloaded here:
          https://github.com/iSECPartners/ios-ssl-kill-switch

          Some more reading, regarding android malware targeting banking targets:
          http://au.pcmag.com/opinion/29181/mobile-threat-monday-andro…
          https://threatpost.com/new-banking-trojan-targets-android-st…
          https://www.gdatasoftware.com/securitylabs/news/article/over…
          https://blogs.mcafee.com/mcafee-labs/phishing-attack-replace…
          http://www.computerweekly.com/news/2240238625/Android-bankin…

          On a side note, in terms of actual exploits and the like, you'll just have to take my word for it.

          You need to be really good hacker to do these things and they would not target low money targets
          The payoff is just not worth it

          Typically, for something like this, it would have to be something highly customised. Having worked alongside some very talented people in this field, suffice to say that there are huge amounts of money involved. Let's just say there is some very scary malware out there, made by very smart writers.

          Lastly, it seems like you're offended by my stance on jailbreaking and rooting. Let me assure you, I am wholly in support of jailbreaking by people who know what they're doing. It is excellent for "unleashing the device". However, for a phone (or for that matter any system) where I conduct sensitive transactions (e.g. banking), that needs to be completely locked down. Jailbreaking/rooting significantly reduces the security posture of the device so I would be wary of conducting more sensitive business on those devices.

          Some more reading for you:
          https://blogs.mcafee.com/consumer/how-does-jailbreaking-or-r…
          https://blog.kaspersky.com/rooting-and-jailbreaking/1979/ (admittedly a bit sales-ey)

        • -3

          @omgwtfbbq:

          Yes anything can be done

          The point is if it has been done yet

          So far I have heard that jailbroken/ rooted devices weaken the security of devices
          This is true, because ppl can install apps from unofficial sources and those apps might have been patched.

          The point is so far heaps of people have jailbroken and rooted their phones without any major wide scale malware outbreak incident yet.

          If something does occur the jailbreak community would alert us and it would in the news and online, and have some patch or fix.

          The issue is not as big as you make out to be.

          Maybe later on if it does occur then yes
          But I think ppl would still jailbreak.

        • +2

          @tyler.durden:

          https://encrypted-tbn3.gstatic.com/images?q=tbn:ANd9GcQZ4ji0…

          Mate, I think you need to read up a bit before you comment.

          Start with actually reading about mobile malware and what is actually going on in the info sec world.

          Having a questioning attitude is good. Sometimes though, RTFM or do some google-fu. Spreading inaccurate info only does a disservice to the others reading it.

          On this note, I'm disengaging from this conversation.

        • -1

          @omgwtfbbq:

          Not spreading anything
          Just find that your fear mongering is way overblown

        • @tyler.durden:

          Perhaps… most of us in the info sec world tend to be on the overly-cautious side of things. In our defence, we see some pretty crazy sh1t day in and day out.

          In the past few years, I've seen real world incidents where some very sophisticated organised crime cartels are doing some very interesting targeted attacks (not just on employees, but also releasing commodity exploit kits). In addition, I have taken part in pentests and red-team exercises that have pretty much involved more sophisticated (but related) techniques discussed in my posts above. So it's not that crazy.

        • @omgwtfbbq: very good explanation, you can speak better than I ever could in this area!

          (I am very geeky in IT and have a very good reputation in my field, but not within IT security, and do not have in-depth knowledge like you.)

          Hope what you have said can save a few from giving their money away.

        • @omgwtfbbq:

          yeah thanks for the info…

          Also found a new article

          http://www.lifehacker.com.au/2015/09/why-jailbreaking-your-n…

          http://researchcenter.paloaltonetworks.com/2015/08/keyraider…

          I think ppl are still gonna jailbreak though..
          cos they like the tweaks and apps of jailbreaks and also cos they think someone likely targeting them would be minimal.

          ==
          The key point is to
          -know what you are installing and where the source of the app is coming from.
          -have 2 factor authentication (one needs to be a physical device like phone or token device)
          -have complex passwords

          This applies to mobile and PC usage

          If you are an idiot and adding third party apps from non reputable sources
          then you are gonna get infected on mobile or PC.

          ===
          just curious but do you mind telling us what company you work for?

        • @tyler.durden:

          Unfortunately, I am unable to disclose that as my opinions/statements may be misconstrued as being representative of my organisation. S

          Absolutely agree that people will still jailbreak. In fact, for certain people, this may be essential. E.g. when performing an assessment of a mobile app, it is invaluable to have full device access (filesystem, network layer etc).

          @goraygo

          Thanks mate. Happy that I could provide some useful info. :) Please feel free to PM, if you guys ever have any questions and stuff regarding security related topics and I'll be happy to help (or point you in the right direction).

        • @omgwtfbbq:

          yes, there are tweaks that apple won't allow
          but ppl still want it or need it…

          So they will still jailbreak…

          The key point is to
          -know what you are installing and where the source of the app is coming from.
          -have 2 factor authentication (one needs to be a physical device like phone or token device)
          -have complex passwords (though the more complex and hard to guess, the harder it is for people to remember it themselves, which means they are forced to write it down somewhere or use something like LastPass)

          This applies to mobile and PC usage

          If you are an idiot and adding third party apps from non reputable sources
          then you are gonna get infected on mobile or PC.

          ===
          Rooting is not that much different to using a Windows PC, and being able to install apps from any other places besides the Windows Store…

          So if you are as cautious on your PC as you are on your mobile, then you should be good.

          ===
          Any other tips you can provide other than what I listed?

          ==
          At least most banks will pay back the money if you are hacked, so it is not as big of a concern..

          Though whether they know you were jailbroken or if they still pay you back if you are jailbroken,
          that is another matter..

          Though I think they still would, just to keep you as a customer.

          ==
          Also I think most big hacks are targeted at the big companies
          e.g. Sony hack..
          rather than the individual, which would net little payoff.

          Most targeted individual user hacks are in the form of
          -social engineering
          -phone scams
          -ransomware
          -hacking user's easy to guess passwords
          -users installing or opening unknown attachments or installing software with added malware etc..

        • @omgwtfbbq:

          removed

  • +1

    "They said it 'could have been this or that', but that explanation is not acceptable to us so we are now going to shut down our accounts and find a bank that can protect it's customers."

    A branch will not tell you how it happened. It needs a full investigation; they don't disclose this information because you may use the information to do it to someone else.

  • ANZ always instantly refunds any transaction I did not authorise without question

    • How often does this happen to you ?

  • -1

    In all seriousness anyone with the Commonwealth Bank can request a Netcode Token. It is a physical RSA token generator, and takes the place of the SMS security option.

    https://www.commbank.com.au/support/faqs/72.html

    It is the most secure method as it requires physical possession of the item and cannot be hacked.

  • OP should just turn his two factor security on, or get a token. All the big 4 banks do this.

  • +1

    Unfortunately your dream of finding a bank with 100% security is just that - a dream. I have been hacked with two different banks, one the CBA. They were by far the easiest to deal with, and within 5 days of ringing up and reporting the stolen funds we had been reimbursed. I think they looked after us well. As for finding the crooks, that's never going to happen. It's so prevalent the bank does not even investigate.

  • -1

    Simple Steps:

    • Don't do Internet banking on your mobile device from a WiFi
    • Set up SMS security on your netbank for all transfers (annoying but saves you 1 month of trying to reclaim stolen money)
    • Enter your netbank password on your PC using the Microsoft Virtual Keyboard, stops any keylogger/malware recording
    • If you have your Banking Statements go to your EMAIL (not POST) then make your email PW secure, don't set stupid passwords like "Jim123"
    • When you go to shops and want to use your Credit Card, don't let the Rep take your card and swipe, YOU swipe it so they don't skim it.

    I've been following these steps for a long time and never been scammed.

  • +1

    when you say hacked, I think you really meant: I was careless and someone got my password.

    When you say hacked account, it means someone got access to the bank's database… which is in a whole new league and plays a very dangerous game (both sides).

    Use this little tool www.lastpass.com (free desktop, full US$12.99/yr). After I started using it I really saw how bad my password strengths were. It's easy to forget that you use the same password for so many websites. I, for example, have 118 passwords with none of them repeating. I encourage you to do the same.

  • Go to a bank with better security.

    With two-factor authentication how could they get money out?
