My Bank Wants a "Professional" Virus Scan of My Computer!

GOCAT9 on 08/09/2021 - 09:42
Last edited 08/09/2021 - 09:48 by 1 other user

Just interested to know the community's view on my situation.

About two weeks ago I was the victim of a cyber attack. It all started immediately after my mobile phone number was illegally SIM swapped see previous post. Within minutes of this occurring, the attacker was able to reset the passwords to several of my bank accounts (we are all vulnerable to this type of attach unfortunately). The good news is that all banks were able to thwart the loss of any funds fortunately.

But here is the rub. I was able to get all my online banking backup and operating with minimal effort. However, one bank is making it much more difficult to reinstate my internet banking. They told me that they wanted a written statement from my telco explaining, how the attack occurred, when it occurred and that my number was safely back in my hands and safe from future attacks. They also wanted screen shot scans of Malwarebytes and Trend Micro internet Security scans. Finally, that I had changed my email password. I now use BitWarden password manager on all bank related logins with 12-16 character random alphanumeric strings including symbols! So, I complied to my banks request and sent all the information that they requested.

However, it now turns out that this is insufficient for them and they want to change the goalposts again. Now they want me to take my computer to an "professional IT person" to have it scanned. I told them that I have what I think are above average computer skills since I code in Linux and have used Windows platforms for all of my professional career. I even offered to allow them to remote in to my computer, under my supervision, so that they can run their own suite of programs. They said they could not do that and insisted on an "IT professional scan". I put it to them that if they want me to do this then they reimburse me for out of pocket expenses-they said they are considering that.

Now, I know that a lot of you out there that read this forum have pretty high computer literacy skills compared to the masses (otherwise you probably wouldn't be reading this forum, right!!).

So, can you educate me as to what skills/programs/antivirus scanners etc that an "IT professional" would/could use or have access to that I could NOT do/obtain or use myself?

Computing

Comments

  • Unorthodox on 08/09/2021 - 09:44
    +33

    Never heard of them going to this extent - were the amounts lost substantial or were there any other red flags?

    • GOCAT9 on 08/09/2021 - 09:59

      Bank was able to stop all withdrawals thankfully.

      • Intoxicoligist on 10/09/2021 - 10:30
        +8

        This is just bizarre. I'm a Senior Systems Admin/Engineer and this reeks of bullshit.

        The only thing I'd do differently is run an ESET Online Antivirus Scan (you download a utility and it does a scan, its googleable). It so stupid because if you have a thumb drive/backup drive/removable media with an infected file any check done means didly squat the second you leave the shop. Besides all this is the fact that it wasn't even the method of intrusion!

        If you have any friends who work in IT just get them to run an AV scan or two over it, write a letter to the insurance saying what they have done and that they are an IT Professional, and see where it leads.

        • TogTogTogTog on 11/09/2021 - 09:33
          +1

          Concurred. I'd also ask the bank to specify what an ' IT Professional Scan' is. They clearly have no processes/criteria around it and the fact they want an AV check for a SIM attack is just stupid.

          Finally, it potentially could be illegal (I'm no lawyer…) but functionally a bank is asking for access to your personal computer, including requirements to use specific AV/malware scanners with evidence before granting you access to your funds. Seems shady to me.

        • 2024 on 11/09/2021 - 17:06

          When I was working in the consumer space as a “Professional” I’d see this often with my customers. They’d take a phone call or something, get infected or syskey’d, and wise up and call the bank.

          I wonder how the bad guy got OPs online phone acc password to begin with tho

      • capslock janitor on 11/09/2021 - 12:45
        +1

        If they don't reimburse, then outright deny.

        BTW which bank exactly?

    • [Deactivated] on 09/09/2021 - 11:38

      For the banks, this is prob a legitimate concern. If this happened to one customer, it could happen to any customer.

    • vid_ghost on 11/09/2021 - 08:55

      Backup files
      Reinstall windows fresh from usb boot disk deleting all partitions while doing so (windows makes new ones 4 u)

      *Make sure the backup files are virus free before copying back

      DONE!…. END OF STORY.. NOTHING left TO SCAN.

      You can get on with your life

  • CyberMurning on 08/09/2021 - 09:48
    +7

    this is his previous post https://www.ozbargain.com.au/node/647651

  • Muzeeb on 08/09/2021 - 09:51
    +171

    Just change banks. Not worth the effort.

    • GOCAT9 on 08/09/2021 - 09:58
      +1

      Yeah, I had thought of that! But not quite there yet!

      • apsilon on 08/09/2021 - 10:59
        +79

        I would've been there with their initial request.

      • brad1-8tsi on 08/09/2021 - 12:25
        +44

        I would have said "bye-bye" at "professional virus scan"

        • Ade99 on 09/09/2021 - 08:01
          +9

          Never come across a non professional virus scan, except those offered by service providers who like to be paid in Crypto or else iTune vouchers…..

          • unwashed00 on 09/09/2021 - 08:55
            +6

            @Ade99: They are professionals though, just in a different area

      • abb on 09/09/2021 - 10:31
        +15

        If your car was stolen and then the bank wanted to search your house for termites before reinstating access, would you stay with them?!

        It's completely nonsensical that they want to probe your PC when the attack vector was your telco letting you mobile number be stolen.

        • thepigs on 09/09/2021 - 16:18
          +2

          nah the attackers needed access to his email/PC first to collect usernames/passwords/mobile no for his bank accounts. then swap sims for the 2 factor auth.

          • abb on 09/09/2021 - 16:38
            +2

            @thepigs: Well if that is known to have happened on OP's PC then the bank's request makes more sense.

            But it could be that the attackers stole some paper mail, or a shop that OP bought something at was hacked, or they logged into their account one time on a friend's computer which was pwnd, or…

            Most banks will do a password reset over the phone with a name, address, DOB, and maybe an SMS to verify if you're lucky (which wouldn't help in this case!), no need to hack in to steal the account number and password

            • thepigs on 09/09/2021 - 16:57
              +4

              @abb: yeah true, and I agree the banks request is over the top. But as the attackers had the login details to 'several' of his bank accounts its prob an email or PC hack.

              • TogTogTogTog on 11/09/2021 - 09:44
                -1

                @thepigs: More likely they did the standard SIM swap and scraped/bought OPs data from a scam list and hit up the bank with the details.

                If they had access to his PC they wouldn't have needed to SIM swap at all.

                Based on OP switching everything to 16varchar with a PW manager I'd assume all his bank passwords were the same or very similar without any special characters etc.

      • [Deactivated] on 09/09/2021 - 20:37

        It would've been my next task immediately after their first request. There are so many alternatives that it should be them reviewing THEIR procedures AND abusing Telcos on both YOUR and their other clients behalf, because it's not you that was the problem… both of those causes were outside of you and are what's at fault. i.e. The Telco shouldn't allow such easy switching, and the bank shouldn't allow accounts to be modified so easily based upon it either. Years ago to do anything like that you had to walk into a branch and produce about 3x different types of ID. Now, for 'convenience', they've made losing our savings a minefield for us, while handing a printed map for scammers to follow they use to learn every trick that sets them off in a chain reaction.

    • Platinumtelecom on 08/09/2021 - 13:09
      +6

      Same here, would have taken my money elsewhere.

      Unless it is in their T&Cs and it is a requirement to have a professional IT check before applying for an account with them….I doubt it

    • FutureTech on 09/09/2021 - 10:50
      +11

      Exactly. Can op tell us what bank it is so we'd avoid it as well

      • sk3iron on 09/09/2021 - 23:58
        +3

        I really wish OP would leak the bank name, this is beyond idiocy.

    • GOCAT9 on 08/09/2021 - 09:59
      +23

      LOL

    • Forfiet on 08/09/2021 - 15:21
      +21

      See! This is why everyone rolls their eyes when we talk about linux….. comments like this^ :(

    • terrys on 09/09/2021 - 08:53
      -5

      "but still use windows"

      Perhaps you can help me. I'm looking for a bank that has a Linux app other than for Android…

      • Chandler on 09/09/2021 - 09:46
        +7

        I'm looking for a bank that has a Linux app other than for Android…

        It's called the website.

        Just like you won't find a bank that has a Windows App, or a Mac App.

        • [Deactivated] on 09/09/2021 - 11:31

          Ironically enough, sooooo many smaller banks/credit unions still host their banking software on Windows.

          • macrocephalic on 10/09/2021 - 09:39
            +1

            @[Deactivated]: Not just small ones. I do a lot of work for different corporations and lot of them use Microsoft products including Windows Server OS's. If you only read comments on forums then you'd think that no professional would use Windows, but I've found it to be split about half-half.

      • pegaxs on 09/09/2021 - 10:08

        I use Linux Mint at home, exclusively. I don't have a Windows machine and I can assure you, I do my online banking just fine.

      • bigbadboogieman on 11/09/2021 - 10:30

        Alot of ATM machines worldwide use Windows software.

  • Twix on 08/09/2021 - 10:00
    +3

    Make your passwords longer than 12-16 if the password field allows.

    There are no programs that you can't get yourself. Format the PC.

    • Stephen2 on 09/09/2021 - 08:27
      +7

      Huge pet peeve that my main bank password max length is like 12

      Absolutely stupid, and being an experienced software engineer, I can confidently say there's no technical reason for it.

      • mlbrooke on 09/09/2021 - 09:10
        +16

        Westpac it is 6 characters and Text and numerals only (no special characters) and not case sensitive….. so consider yourself lucky :-)

        • FirstWizard on 09/09/2021 - 12:53
          +8

          Lol, ING just allows 4 numbers

          • Antikythera on 10/09/2021 - 16:01

            @FirstWizard: i used to have a 6 digit PIN with Bendigo but last time they gave me a new card there was only the option to set a 4 digit pin.

            the password for internet banking is limited to 8 characters. its a joke.

            • FirstWizard on 10/09/2021 - 16:06
              +2

              @Antikythera: I'm not even talking about the card PIN.

              This is for the access code for internet banking

      • Bren20 on 09/09/2021 - 09:12
        +12

        commbank passwords aren't case sensitive…

        • elcap on 09/09/2021 - 19:34
          +10

          WTF!?
          I just tried it and you're right…. 🤯

          • Donaldhump on 09/09/2021 - 20:03
            +9

            @elcap: Shit so I’ve been unnecessarily wasting time capitalising IhateBiden6699 all this time

            • chriise on 09/09/2021 - 21:08
              +2

              @Donaldhump: You can't just swap a couple of numbers around and expect your password to remain safe on a public forum.

      • idonotknowwhy on 09/09/2021 - 10:26
        +1

        I heard that some of the banks are using ancient hardware DES systems hence these obscure password "simplicity" requirements.

        • Milkywayss on 09/09/2021 - 23:05
          +1

          This might explain why several banks I’ve contacted are so resistant to change. ING (4 numbers), 86400 (no password) and Up (6 numbers)have all refused to add better passwords. Suncorp finally increased theirs from 8 character max which was nice though

      • Leeroy Jenkins on 09/09/2021 - 12:55

        Huge pet peeve that my main bank password max length is like 12

        This is enough reason to change banks. These guys have no clue what they are doing.

  • prisonmike on 08/09/2021 - 10:02
    +48

    Name and shame the bank.

    • Hardlyworkin on 08/09/2021 - 11:52
      +2

      Which bank?

      • EshaySlayer on 08/09/2021 - 14:14
        +15

        Witch Bank.

        • htc on 10/09/2021 - 19:54
          +2

          Me bank or U bank?

  • apple2016 on 08/09/2021 - 10:03
    -4

    If your bank is agreeing to pay for it then why not. Just ask them for a recommended "IT professional" . make sure you dont have any personal info on the laptop when you send it for the scan

    • jpl on 08/09/2021 - 10:29
      +3

      It will be really hard to make sure that there are no personal info without a nuke wipe. Software are storing bits and pieces almost everywhere on the drive, some intentionally and some unintentionally when crashed.

  • Typical16-bitEnjoyer on 08/09/2021 - 10:07
    +15

    Name and shame please.

    Otherwise I'm just going to assume it's Westpac.

    • GOCAT9 on 08/09/2021 - 10:36
      +3

      No not Westpac, it starts with an M!!

      • mbck on 08/09/2021 - 10:50
        +1

        Selfish banks. Always thinking about me me me

        Yes or no?

      • this is us on 08/09/2021 - 11:13
        +8

        https://en.wikipedia.org/wiki/List_of_banks_in_Australia

        Me
        Macquarie Bank
        MyLife
        MyState

      • Typical16-bitEnjoyer on 08/09/2021 - 11:40
        +4

        All the banks starting with M suck. Jump ship now.

        • iand on 08/09/2021 - 19:52
          +3

          Don't you mean all the ones starting with B 🙂

        • [Deactivated] on 09/09/2021 - 20:49
          -1

          Not sure what sucks about Macquarie (other than this post, if it's even them). Their signup was only a few minutes, online, with zero fuss, the fastest and least annoying I've ever done. Also one of the few who give a Debit Mastercard (not Visa) with no yearly or account fees plus no international currency conversion fees.

          • jpl on 09/09/2021 - 20:51
            +1

            @[Deactivated]: Wait till they send you a renewed Debit Card that is already activated via the mail.

            • [Deactivated] on 09/09/2021 - 20:55

              @jpl: But all the financial institutions I use do that. Some used to send out the new PIN separately on a different day. But I don't think they even do that anymore… they just say to continue using the same PIN now.

              • jpl on 09/09/2021 - 21:04
                +1

                @[Deactivated]: I mean activated as it can be use for tap even when it is still sealed in the envelope.

                • [Deactivated] on 09/09/2021 - 21:18

                  @jpl: Can you give an example how you activate your new cards then? Because I use, um let's see… 6 different cards with 4 different banks and I can't recall activating being required before using replacement cards. A new card with another x years arrives, I just go onto ebay or Amazon, pay using that card, and if it worked ok I cut up the old card. Doesn't that mean anyone who intercepts the mail can do the same?

                  I hate tap and pay. It should never have been introduced. Or at least give customers the choice if they want it on their card (they don't give you a choice, I asked). I had 4x different cards in my wallet. Went through a supermarket checkout, pulled out my wallet, took out card 1 to get easier access to pull out card 2, but before I could slide card 2 down the slot the scanner beeped and took payment from card 1 through tap and pay. I couldn't believe it.

                  • Cliche Guevara on 10/09/2021 - 07:43

                    @[Deactivated]: NAB allows you to turn off 'features' like tap'n'pay on their VISA card. Can also independently turn off ATM withdrawal, online payments and international payments.

                  • jpl on 10/09/2021 - 09:22
                    +1

                    @[Deactivated]: Under normal circumstances a renewed new card is not activated. It is normally sent out by post (unless you asked for pickup at the branch) and can be intercepted by posties and crooks breaking into mail boxes.

                    Since it is not activated, anyone intercepted the card will not be able to use it. When the user receives the card, user login to netbank/online banking to activate the new card.

                    If a card is sent out pre-activated, meaning user does not need to login to netbank/online banking to activate it. Anyone intercepted the card can use it straight away, even when it is still sealed in the envelope. This is one of the reason why mail theft is increasing, because the banks are feeding the seagull.

                    • kevmev12 on 10/09/2021 - 15:24
                      +2

                      @jpl: Macquarie Bank customer here. I did not receive my initial Debit Card so they sent me a replacement. It turns out that my initial card was stolen in the mail and was used to purchase multiple $200 gift cards from Coles and Woolies in Blacktown. And yes the cards did not require activation as it was already activated when it was sent.

                      This was absolutely baffling to me that any bank in this day and age would do this. All of my other cards from other banking institutes require activation once the card is received.

                      • kctt on 10/09/2021 - 22:12

                        @kevmev12: That is the first that I ever heard. All other banks I used never sent an activated card. Always have to log in internet banking to activate. I'm pretty sure I had to activate Macquarie credit card as well. I don't have bank account with Macquarie so I'm surprised with their activated debit card practice.

                        • jpl on 11/09/2021 - 23:36

                          @kctt: Yes, really surprised when I found out too.

                          They spent hundreds of millions in cyber security to move 5 steps forward, but chose convenience in this case and move 10 steps backward.

                      • jpl on 11/09/2021 - 23:34
                        +1

                        @kevmev12: They knew crooks targeting cards from the mailboxes, buy they chose convenience over risk, moreover it is not their risk.

                        Since the debit card money is yours not theirs, if your money is stolen via the debit card, it is your burden to proof it was stolen. Even if they are willing to help you recover, it will take weeks, and if you are unlucky that urgently need the money, you are fark!

                        I am lucky that I found out this is the case and lodged a case before the card arrive, so that money stolen during mail transit is their responsibility.

                        Did you manage to get back the money? If not, and if you are thinking of filling a case with authority, I can back you up. Send me a PM with your email.

                        • kevmev12 on 12/09/2021 - 10:14

                          @jpl: Yes I got my money back and thankfully it was a relatively painless process and their customer service was helpful. My money was returned in just over a week.

                          But given I was a new customer, the whole debacle didn't give me a very good first impression of their security policies. It was a new joint account; my wife received her initial card but I didn't. When I called them to report the unauthorised transaction, I told them the very idea of sending pre-activated debit/credit cards in the mail these days was a recipe for disaster.

                          Macquarie seemed to be such a big name in Australian finance, it was astonishing they would do something like this!

      • prisonmike on 08/09/2021 - 16:04
        +11

        Mestpac

      • Chrissy213 on 09/09/2021 - 07:37

        I’m guessing Me - I’ve heard of this happening with them before

      • chriise on 09/09/2021 - 21:09
        +3

        Mum & Dad

    • RiseAndRuin on 08/09/2021 - 11:39
      +58

      Nobody can hack the password of a Westpac account, they allow super secure passwords up to 6 characters in length…

      • Typical16-bitEnjoyer on 08/09/2021 - 11:40

        ^

        • capslock janitor on 11/09/2021 - 12:43

          Pretty shocking when I opened my 3%p.a Acc.

      • No Username on 08/09/2021 - 12:13

        Don't you need 2FA to log in?

        • RiseAndRuin on 08/09/2021 - 12:26
          +2

          Not that I can see, there is a non-mandatory SMS security option, but it might only be required if you move money, I'm not sure.
          I only have my home loan with them, I wouldn't keep cash in there tbh…
          Edit: I can login on my laptop with just the 6 chars password

          • [Deactivated] on 08/09/2021 - 13:56
            +1

            @RiseAndRuin: 2FA SMS for creating payments to new external accounts.

        • rfarlz on 09/09/2021 - 01:52

          Jesus, and I thought ANZ was bad for not allowing special characters in their passwords!

        • pformag on 09/09/2021 - 09:33
          +5

          There is no 2FA log in option. I've asked.

      • brad1-8tsi on 08/09/2021 - 12:27
        +2

        Qudos Bank beats that.

        4 digit pin and no 2FA

        • TheOtherLeft on 09/09/2021 - 09:51
          +2

          They're saving money on security because they need it to buy sponsorship/naming rights at stadiums

      • Haulien on 09/09/2021 - 03:37
        +3

        At least it can be typed in now, instead of having to use that god awful on screen keyboard. Still no special characters either :(

      • Stopback on 09/09/2021 - 10:34

        3 password tries, its not brute force

      • jpl on 09/09/2021 - 10:39
        +3

        Once I found a loophole in Westpac's online banking where one can repeatably make a payment without having the balance deducted.

        Despite giving them the steps to reproduce the bug, it took me 3 months to convince them the existence of the bug, not until sending out emails to every freaking director on their list.

        • abb on 09/09/2021 - 16:40
          +6

          I mean, are you sure you could pay for stuff without having your account debited?

          Maybe it was just a coincidence the first 999 times, better keep testing.

          • jpl on 09/09/2021 - 19:39
            +1

            @abb: Yes, Westpac took 3 months to acknowledge the bug.

            • thepigs on 09/09/2021 - 20:57
              +6

              @jpl: really you should have posted the hack on ozbargain ;)

      • Leeroy Jenkins on 09/09/2021 - 13:03

        All those big cyrpto projects have been making innovations on cryptography whereas banks now still only allow max 6 character length passwords. I'm speechless.

        These guys will get brutally slaughtered by all new tech companies in the coming years/decades.

      • macrocephalic on 10/09/2021 - 09:42

        While not being ideal, 6 is long enough as long as they lock the account after a couple of failed tries.

  • avoidfullprice on 08/09/2021 - 10:12
    +1

    Sounds like they want to ensure your risk from further attacks is low, but come across as you having to accept full liability from future compromises.

  • AndyC1 on 08/09/2021 - 10:54
    +8

    Get it in writing and make sure it:
    1) says this is all you need to do otherwise they will change things
    2) Make sire they define what an "IT professional" is as there is no such qualification available from any government institution…. You are an IT professional as you are in IT and make a living off it.
    3) Change banks as they are a PITA and do not have a clear process from your dealings with them.

Login or Join to leave a comment
Login Join