My Bank Wants a "Professional" Virus Scan of My Computer!

Just interested to know the community's view on my situation.

About two weeks ago I was the victim of a cyber attack. It all started immediately after my mobile phone number was illegally SIM swapped (see previous post). Within minutes of this occurring, the attacker was able to reset the passwords to several of my bank accounts (we are all vulnerable to this type of attack, unfortunately). The good news is that all banks were able to thwart the loss of any funds, fortunately.

But here is the rub. I was able to get all my online banking back up and operating with minimal effort. However, one bank is making it much more difficult to reinstate my internet banking. They told me that they wanted a written statement from my telco explaining how the attack occurred, when it occurred, and that my number was safely back in my hands and safe from future attacks. They also wanted screenshots of Malwarebytes and Trend Micro Internet Security scans. Finally, confirmation that I had changed my email password. I now use the Bitwarden password manager on all bank-related logins with 12-16 character random alphanumeric strings including symbols! So, I complied with my bank's request and sent all the information that they requested.

However, it now turns out that this is insufficient for them and they want to change the goalposts again. Now they want me to take my computer to a "professional IT person" to have it scanned. I told them that I have what I think are above-average computer skills since I code in Linux and have used Windows platforms for all of my professional career. I even offered to allow them to remote into my computer, under my supervision, so that they can run their own suite of programs. They said they could not do that and insisted on an "IT professional scan". I put it to them that if they want me to do this then they should reimburse me for out-of-pocket expenses; they said they are considering that.

Now, I know that a lot of you out there who read this forum have pretty high computer literacy skills compared to the masses (otherwise you probably wouldn't be reading this forum, right!!).

So, can you educate me as to what skills/programs/antivirus scanners etc that an "IT professional" would/could use or have access to that I could NOT do/obtain or use myself?

Comments

  • +24

    Some things that I'd like to share:

    1. Having above average computer skills and coding doesn't necessarily correlate with having a good understanding of computer security and vulnerabilities. Many programmers focus on some areas, and they have no clue about other areas (e.g., security). I've seen many programmers minimising the risks, and "specialists" installing questionable antivirus software to protect computers, without understanding the kind of protection that is being offered, and the risks left behind.

    2. Unfortunately, the same applies to "professional IT persons". Again, I've seen many of them completely neglecting security issues and doing what I mentioned above.

    3. Having a completed scan using Malwarebytes and Trendmicro doesn't prove anything. Using questionable antivirus software and feeling safe is sometimes worse than not having anything installed and being aware that the computer is at risk.

    Just to put into context, I am not an IT professional, but I have this weird hobby related to virus and antivirus, and I've "worked" with some security companies. Some are great, others are ridiculous and invest more in marketing than research.

    Therefore, having your computer checked by "a professional IT" is not a solution. Your bank wants to share the responsibility, so they can justify whatever happens in the future with "we've done everything that we could, including forcing the client to have the computer checked by a professional". The IT person will only be able to provide a report saying that your computer has been scanned for virus, which doesn't mean there are no viruses there. That's very Australian… Someone just needs a statutory declaration and a signature to justify whatever they want and transfer responsibility to someone else.

    Just a quick example*:
    https://www.virustotal.com/gui/file/1d73c758e7f13927d4f6516b…

    Things like that happen all the time. The file was not scanned by some AVs because it's "js", but many scanned it and found nothing, meaning that most computers are vulnerable to this particular threat, which might be around today.

    When samples (malicious codes) are sent to the security companies, some of them analyse and add the code to the database in minutes or hours. Others take days, weeks, months, or never do. Each AV maker has different policies and responds based on the risk level.

    Then, the user must update the software so the code can be identified and blocked. If the AV software is misconfigured or not updated, the virus will bypass it and can do whatever it's been designed to do.

    Well set-up firewalls might block the virus from contacting the internet, but they also have to be configured.

    And before the "use Linux" bs, replacing the OS is not a solution for most users and companies that depend on Windows or Mac for compatibility.

    • so use kaspersky and not symantec? lol

      • +2

        Kaspersky is still Kaspersky, whereas Symantec stopped being Peter Norton's long before it moved into providing solutions for its own fear mongering, failing to keep up with genuine threats in real time, slowing a base level system to a crawl with TSR zombies and memory leaks and sometimes locking up entire corporate networks with buggy updates.

        Symantec isn't the answer, it's the question, and the answer is no.

      • +13

        I wish it was that simple.

        (https://www.virustotal.com/gui/file/de339d3fe5acf83a0df5991b…)

        (https://www.virustotal.com/gui/file/15e029c3834435150c76741e…)

        (https://www.virustotal.com/gui/file/59d212b7a8455a10162064b1…)

        Some of those are not updated, but I want to demonstrate that any AV software can miss samples.

        There is no correct answer for what the best AV is. However, some companies, maybe all or most of them, have allegedly been involved in scandals and dodgy practices, including (but not restricted to):

        Kaspersky
        Kaspersky
        Avast
        Symantec
        Symantec and Kaspersky
        Bitdefender

        Also:
        Avast acquired AVG
        NortonLifeLock (ex-Symantec) acquired Avira in 2020, and merged with Avast three weeks ago. Therefore, AVG, Avast, Avira, and Symantec/Norton are now part of the same company.

        So, choosing the AV depends on your own criteria.

        You can check av-test and av-comparatives for tests, but detecting 100% of samples there doesn't mean the AV will detect 100% of viruses in real life. If you want to consider those reports, you must understand the methods and how they get the samples for the tests. I'd say the tests are well executed, but the samples are often provided by the companies or collected from public malware databases that are easily accessible. I'd expect any AV to get at least 99% of those samples.

        Some companies value samples and signatures more than others that rely on their behavioural or heuristic or cloud analysis. I believe that it is crucial to have behaviour-based detection because new signatures can't be detected 100% of the time. Most AVs have behaviour-based detection.

        Having said that, if there is a sample that is not detected, that means the behaviour-based detection is not enough. If I send the sample to the company, I'd expect to see the malware detected after 24 hours, which is a long time for a virus to be spread.

        Companies rely on a team of malware hunters to improve their software and detection. Years ago, I used to send hundreds of samples every week to different companies. Their responses were different. What I can say is that Kaspersky has always been the fastest in analysing and adding the new signatures (usually minutes if you are a malware hunter who sends a lot of samples). Kaspersky was the first company to release signature updates several times a day when the famous McAfee, Symantec and Avira would update once a day or every couple of days. Bitdefender and F-Secure improved drastically and became incredibly competitive. ESET was a bit slow because they probably had the best heuristic detection at that stage, so signatures were not prioritised, and they still had one of the best detection rates. I stopped sending samples to companies that didn't seem to value what I was doing.

        At that stage, McAfee, Trendmicro, and Symantec were ridiculous in terms of detection and database updates. Sometimes they'd never reply and I'd only see the detection after months without knowing if that was because of my sample or not.

        Microsoft Defender has improved drastically and is very competitive today. Their software was completely useless in the past.

        Many software products use someone else's engine and database, sometimes multiple engines and databases. That doesn't always translate to better detection rates because of how the functionality is implemented. There is a summary here.
        F-Secure, for example, used to use Kaspersky and is now using Avira.

        So you can choose a company you think is honest, or an AV with "the best" detection rates and response. You can believe in something you've read about company A or B, or you can take everything with a pinch of salt.

        For instance, some people believe that what Avast did was not too bad. *I think it's unacceptable to collect data without consent, and without a clear opt-in process.

        You can believe that Kaspersky might be used by the Kremlin (the brand has been banned from US state departments). *I think there is a point there, and it might be unsafe to have Kaspersky installed in strategic departments, but maybe it's all bs.

        You can believe that security companies create viruses to justify their existence. *I honestly think this was the case decades ago, but it has never been proved.

        Whatever I say is based on my experience and judgement.

        I recommend Kaspersky, Bitdefender, and F-Secure* (*despite Avira, because they also use their own engine and database and they are extremely competent).
        Avira used to be good but I don't like/trust Symantec/Norton; however, I am not fully aware of how the acquisitions changed how each company is managed. I've never liked McAfee but I've been surprised by how quick they've been analysing the samples.

        I need time to re-evaluate Microsoft Defender and ESET.

        I apologise for the many "I think"s, but I wanted to make it clear that there is no correct or definitive answer.

        • Thank you. That reply is really appreciated. You should be very proud to have seemingly mastered your 'craft'. Well done.

    • -1

      thus is us: "Having a completed scan using Malwarebytes and Trendmicro doesn't prove anything. Using questionable antivirus software and feeling safe is sometimes worse than not having anything installed and being aware that the computer is at risk."

      ok, all fair enough comments, but you don't suggest what is "better" than Malwarebytes and Trend Micro or what can be done better, short of rebuilding everything from scratch!

      • +1

        I've spent some time writing two very long replies here, and offered a few options.

        If you can't find the answer to your question there, you are just being lazy.

  • +5

    So, can you educate me as to what skills/programs/antivirus scanners etc that an "IT professional" would/could use or have access to that I could NOT do/obtain or use myself?

    It's not that; I am sure you can do all that. But if you come to think of it from their perspective: if you were responsible for the security of the "million $" you manage for your customer (GOCAT9), and you have a strong belief that the breach of information is almost certainly coming from GOCAT9's side, would you let GOCAT9 do the scan and approve the scanning and later be responsible for another breach?

    I did read your previous posting.

    Maybe to help identify where the breach comes from, the key is to find out which common vector that has all the user id of the banks and also the user id of your mobile phone provider.

    List down the following in a spreadsheet:

    1. Name of bank
    2. Where is the user ID/login presented in your system? Some banks have the user ID on the statement, some don't
    3. Do these banks send you communication by email/SMS/letter?
    4. Do you access these banks using mobile?
    5. Do you use any proxy/free wifi/someone else's wifi?
    6. Did you previously lease a property where you had to prove your ID and provide a bank statement?
    7. Did you miss any statements by normal mail, if your banks communicate by normal mail?
    8. Do all the above have the same communication with your mobile phone account statement/login?
    9. Do you use these banks with the same computer or same mobile phone?

    Once you list all these down, you will find the most likely common area where the information can be obtained.

    Without finding where the vector is, no matter which bank you change to, you will still face future breaches.

    Good Luck.

    • List down the following in a spreadsheet:

      Name of bank: MACQUARIE
      Where is the user ID/login presented in your system? Some banks have the user ID on the statement, some don't. SORRY, NOT SURE WHAT YOU MEAN HERE!
      Do these banks send you communication by email/SMS/letter? YES, WHAT ELSE IS THERE OTHER THAN THOSE, PIGEON!!
      Do you access these banks using mobile? YES, VIA THEIR APPS
      Do you use any proxy/free wifi/someone else's wifi? GENERALLY NO, OR IF I DO, ONLY VIA A VPN.
      Did you previously lease a property where you had to prove your ID and provide a bank statement? NO
      Did you miss any statements by normal mail, if your banks communicate by normal mail? NO
      Do all the above have the same communication with your mobile phone account statement/login? THINK SO, NOT SURE WHAT YOU MEAN HERE.
      Do you use these banks with the same computer or same mobile phone? YES ON BOTH COUNTS.

      • +1

        In order to do what was done with your bank accounts, the crooks need to have two or three important things:

        1. Your mobile phone. (You already explained how it was obtained)
        2. All the login IDs for all the banks affected.
        3. Some or more of your personal details, most likely DOB.

        Name of bank: MACQUARIE

        But you mentioned several of your bank accounts. If you list down (don't need to show here) all the banks you will start to see some common areas.

        Where is the user ID/login presented in your system? Some banks have the user ID on the statement, some don't. SORRY, NOT SURE WHAT YOU MEAN HERE!

        When you log in to online banking, you need a user ID; some banks print this ID on the statement, for example Westpac. This means anyone having your statement can see your login ID. This also means this person needs to have somehow had access to the statement by email or other means.

        But if you compare this with other banks, if the ID is not shown visibly anywhere, this means the IDs were obtained by other means, for example a keylogger.

        Do all the above have the same communication with your mobile phone account statement/login? THINK SO, NOT SURE WHAT YOU MEAN HERE.

        Another example for Macquarie, the crooks just need to have access to your lastname, DOB and email to retrieve the login ID and then Macquarie ID and mobile to reset a password.

        So if you list down how each bank allows a request of ID and reset of password, you can form a common area where the most important information of yours was breached.

        In my opinion, email is the main suspect; however, if you start to list down all the banks and the email ID registered with the bank and how the bank allows a password reset, you can then see the pattern of the most commonly used information of yours that was breached.

  • +4

    In all seriousness, I would just change banks if it wasn't a major hassle and by that I mean things like home loans.

    Anything else can be sorted out relatively quickly with a bit of work … yes, it's a PITA, but it's not actually that bad. You are being set up here for future liability.

    • I doubt changing banks will do any good if the breach is coming from OP's side and the vector of attack is still residing somewhere on his equipment.

      • +3

        That's not the point. OP doesn't want to give up the protections that are otherwise available to them.

        Of course OP should do everything practicable to prevent the issue. But after doing those things, OP doesn't want to be left holding a liability that could be avoided by moving to another outfit.

  • +8

    Either comply or leave. It's a simple decision, even with someone with above average computer skills.

    • For the moment I am complying. I have got a reasonable quote to do an IT Professional scan!

  • +6

    I work for a bank and we have the same requirements. If your computer has been compromised we need it professionally scanned to ensure there are no further viruses that could lead to further issues. The bank will (generally) cover any unauthorised transactions that were not your fault, so they are just covering themselves from future claims. They will want it "cleaned" by an independent party so there is no "grey" area if any future claims are made.

    • +6

      So what is different from running a full scan with Trend/Bitdefender/Nortons etc and Malwarebytes/Spybot etc that the IT Pro would use?

      Also who is an IT professional in their eyes??? MSY? lol
      https://www.google.com/search?q=top+IT+security+professional…

      • +3

        When I was in branch it was just an invoice made out to the customer from any IT business with an ABN confirming they had run a virus scan. I am sure it is not foolproof but better than customers saying they have done it when they may have "forgotten" to.

        • +1

          I assume that they want the paper trail more than anything.

        • What if the customer signs a State Dec declaring they ran the scans?

          • @TheOtherLeft: It's hard to say; in our case we could try to get sign-off from our audit team, but at the end of the day we are not IT professionals so we would be looking for a registered business to sign off on it.

        • +3

          I work in a professional setting which requires server configuration; the amount of times people say they have done something and when you check it isn't set up is frustrating.

          This makes complete sense to me.

      • I asked the IT professional what tools he would use that I would not have access to or can download. He said none!!

        • the key is an "IT Professional" is an independent third party.

          it's less about the tools they use than their professional reputation.

    • +6

      The idea of having a single computer to scan is also dying. I use banking on my phone, tablet, laptop and 3 different work PCs. The idea of a virus scan protecting me from identity theft and fraud seems a far stretch. Viruses have very little to do with bank passwords, which shouldn't be "stored" unencrypted on any device to begin with. A virus scan may not detect a keylogger if that is what the bank is concerned about. In all honesty, if a bank asked for a virus scan as a form of security protection I'd probably walk because I don't trust that bank to keep anyone's money safe. So-called virus scans are really a last line of defence and viruses are not how money is usually taken from bank accounts. This won't detect a targeted attack on anyone's security systems. Thanks for telling this forum that Me bank has very little idea about actual security. Wow. It really makes me question the security protocols they have for phone banking if they are asking for a virus scan to keep customer money safe.

    • What if you only use phone apps for online banking?

      Or use multiple computers, I often check my accounts on my work computer and home computer.

      This is a really silly requirement, banks should just have better 2FA

  • +4

    Traditional banks think that people who need their services are dying. The smart ones listen to their customers while the others are slowly being blockbustered.

    Close your account and move your business elsewhere.

  • +4

    You miss the whole point of this silly exercise the bank is trying to get you to agree to, they are trying to absolve themselves of future liability by making you the culprit, I would leave asap. Your money is not safe with them no matter what happens in the future.

    Their requests make no sense from a security standpoint and the information they are asking you for is unreasonable.

    • +6

      Playing devil's advocate here: Have you ever met end users? There are a lot of absolute idiots out there, and a good percentage of them are the type to download keyloggers or other malware, get hacked, then just claim the lost funds against the bank and put very little effort, if any at all, into cleaning their computers because they know they're protected.

      If your business was financially responsible for people's decisions, you'd safeguard against those people too. Obviously there are levels to what's reasonable and all that good stuff but the fact the bank wants measures taken is not unreasonable.

  • +1

    They told me that they wanted a written statement from my telco explaining, how the attack occurred, when it occurred and that my number was safely back in my hands and safe from future attacks.

    How did you go with this?

    • Couldn't believe any telco would actually promise that it won't happen again

      • well, as he uses "ALDI" and his password is probably not that secure, but yeah sure, let's blame everyone else

    • +1

      Amazingly the telco complied. I didn't think it would be as easy as it was!!

  • +2

    It's a simple bureaucratic sign-off.

    The bigger question is which bank is this?

    • Macquarie Bank

  • +3

    So, can you educate me as to what skills/programs/antivirus scanners etc that an "IT professional" would/could use or have access to that I could NOT do/obtain or use myself?

    Not a professional but this is what I would do:

    • Running Rkill and AdwCleaner
    • Running Malwarebytes Techbench (a tool you won't have access to)
    • Checking your PC memory integrity
    • Ensuring TPM is up to date and is not vulnerable
    • Ensuring Secure Boot is enabled
    • Performing forensic scans on the registry
    • Checking if the CPU is secure and not vulnerable and has had the correct security patches applied
    • Ensuring that the BIOS, GPU and other peripherals contain the correct firmware and have not been tampered with
    • Checking your DNS config and hosts file
    • Ensuring drivers are authentic and are OEM
    • Checking Windows Update
    • Checking for malicious GPOs

    If you're using Linux, are you using a precompiled distro like Ubuntu or did you compile your own?
    If you compiled your own then:

    • Check your Linux kernel is up to date
    • Ensure you have the latest security patches
    • Ensuring host files are not tampered with
    • Checking Cron Jobs
    • Checking accounts and permissions
    • Run CVE Scans
    • Ensuring keys are not exposed
    • +2

      Unless by IT professional they are talking about some very expensive security consultants, nobody is going to do what's on your list. They will probably just run a basic scan and charge them 200 bucks.

      • True, but all the audits above can be done via PowerShell. It'll only take around 5 min and the person doesn't have to touch or monitor it, just print out the result.

        • Publish the script

          • @Donaldhump: Wish I could but Techbench requires a license and you'll need to register for an API license to view the driver database firmware and their checksum. My script is also currently setup for Intune so it won't work for you.

    • wow, impressive list there.

    • +1

      Ensuring that the BIOS, GPU and other peripherals contain the correct firmware and have not been tampered with.

      LOL I know infosec is a joke but how will you do this?

      Will you ask the device to tell you its firmware? And hope it doesn't lie?
      Are you going to probe each flash chip individually and assume it doesn't lie to you and that no other parts of the hardware have been modified?

      Even if you have the firmware what are you going to compare it to?

      And finally this is overkill for what happened here.

      If you are running some shitty product on the machine you are doing forensics on then you've already compromised your analysis by:
      Using a compromised machine to do forensics

      • Will you ask the device to tell you its firmware? And hope it doesn't lie?
        Are you going to probe each flash chip individually and assume it doesn't lie to you and that no other parts of the hardware have been modified?

        You can check the hash and compare with the current hash on the OEM website.
        Ensuring the authenticity of the hash will also depend on the hardware and how data is being routed.
        TPM would also detect the manipulation anyway unless the TPM is running a vulnerable version.

        If you're dumping the ROM then you can still check if the hashes match. You can't change something without stuffing up the signature.
        But if you're at the probing point I'd just jump it to factory mode or switch the BIOS chip if you're super paranoid.

        And finally this is overkill for what happened here.

        I know this is just what I would do.

        If you are running some shitty product on the machine you are doing forensics on then you've already compromised your analysis by:
        Using a compromised machine to do forensics

        True but this would have to be a manual process on the attackers end. The malware wouldn't know what process you're running to audit the machine and what audits you'll perform.

        • +1

          You can check the hash and compare with the current hash on the OEM website.

          This is a way harder problem than you realise: what's on the flash chip isn't an exact copy of the firmware from the manufacturer's website. Settings/configs/UEFI have all sorts of stuff loaded on there and each manufacturer is different in how they lay it out and pack it.

          TPM would also detect the manipulation anyway unless the TPM is running a vulnerable version.

          No it won't, UEFI is booted first so it can tell the TPM whatever it likes.

          True but this would have to be a manual process on the attackers end

          What? You hook the relevant syscalls so when the AV asks hey what data is here, you return here totally legit stuff.
          And when the AV asks hey what do you have in memory you also return tots legit bro. You don't need to know jack about what is being done to try find it.

          • @deme:

            This is a way harder problem than you realise: what's on the flash chip isn't an exact copy of the firmware from the manufacturer's website. Settings/configs/UEFI have all sorts of stuff loaded on there and each manufacturer is different in how they lay it out and pack it.

            Aren't settings and personal config located on a different partition of the chip? You're just measuring to see what is currently loaded.
            This is why you're able to make changes in the BIOS and have Bitlocker authenticate you and bypass the need to enter your recovery key on boot.

            No it won't, UEFI is booted first so it can tell the TPM whatever it likes.

            I thought the TPM boots first, otherwise how does the CRTM verify the BIOS is signed? Also wouldn't Secure Boot also notice that the signatures have changed? But even if the TPM didn't boot first, the signatures wouldn't match even if you tried to fake it, unless you knew how the TPM checks this and generated the value based on that knowledge. Otherwise it would be useless to have a TPM in the first place.

            What? You hook the relevant syscalls so when the AV asks hey what data is here, you return here totally legit stuff.
            And when the AV asks hey what do you have in memory you also return tots legit bro. You don't need to know jack about what is being done to try find it.

            This is still a manual process and you would have to know what audit you're performing. You wouldn't be using an AV to do these as the malware would know the pattern. You'd be using tools from the commando set to perform these actions.

            • @No Username:

              unless you knew how the TPM check this and generated the value

              It's in the spec the PCR registers get set to H(currentvalue|more data).

              Other wise it would be useless to have TPM in the first place.
              TPMs are designed to secure the computer from the owner. Not to secure their owner.

              tools from the commando set

              What? Is this some tacticool level infosec stuff? You are asking the OS to give you data, the malware has modified it so it's now the one you are talking to. You don't perform forensics on the same machine.

              Aren't settings and personal config located on a different partition of the chip? You're just measuring to see what is currently loaded.

              UEFI has the bootloader(s); it doesn't read the disk for it. The layout differs between vendors; some are simple, some are bloody annoying.

              This is why you're able to make changes in the BIOS and have Bitlocker authenticate you and bypass the need to enter your recovery key on boot.

              Isn't BitLocker just FDE? At best it's asking the TPM to unseal a value.

              TPMs are not useless but they aren't some magic bullet. I've done it; I've booted a machine where the TPM attests the values of the PCRs and remained undetected.

              If you have solved these problems all with a TPM I'll hire you. It's impossible but that would turn a seriously expensive problem into something a $5 chip can do.

              CRTM

              The processor needs support to enforce any of this; it's not the TPM. Intel calls its implementation Boot Guard. Once again it doesn't protect against malicious hardware (or modifications), requires trusting Intel implicitly and also isn't a silver bullet.
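The extend rule quoted above ("PCR registers get set to H(currentvalue|more data)") and the disagreement over what a PCR can and cannot prove, worked through as an added example. This is not code from any poster: the boot stages, the toy sealing scheme and the `compromised_from` knob are constructed simplifications, but the PCR arithmetic is the TPM 2.0 SHA-256 extend.

```python
import hashlib
import hmac

PCR_SIZE = 32
PCR_INIT = b"\x00" * PCR_SIZE  # a SHA-256 PCR bank starts all-zero at reset


def measure(image: bytes) -> bytes:
    """Digest of a boot component, computed by the stage that loads it."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || digest). PCRs cannot be 'set',
    only extended, so the final value depends on every digest and its order."""
    return hashlib.sha256(pcr + digest).digest()


def replay_pcr(digests) -> bytes:
    """Replay an event log of digests into a fresh PCR, in order."""
    pcr = PCR_INIT
    for d in digests:
        pcr = extend(pcr, d)
    return pcr


# Constructed stand-ins for boot stages; real images are megabytes, not strings.
GOOD_CHAIN = [b"CRTM", b"UEFI firmware 1.2.3", b"bootmgfw.efi", b"ntoskrnl.exe"]


def with_implant(chain, idx):
    """Constructed: return a copy of the chain with stage `idx` modified."""
    c = list(chain)
    c[idx] = c[idx] + b" (implant)"
    return c


def measured_boot(chain, good_chain, compromised_from=None) -> bytes:
    """Stage i measures stage i+1 and extends the PCR before handing over.

    Stages with index >= compromised_from are attacker-controlled and report the
    good digest for whatever they actually load: the TPM only records what it is
    told. Stage 0 (the CRTM) is measured by nobody in this model; keeping it
    honest is the job of hardware (Intel Boot Guard etc.), not of the TPM.
    """
    digests = []
    for i in range(1, len(chain)):
        measurer = i - 1
        lying = compromised_from is not None and measurer >= compromised_from
        digests.append(measure(good_chain[i] if lying else chain[i]))
    return replay_pcr(digests)


def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy sealing: bind a secret (e.g. a disk-encryption key) to a PCR value.
    Keystream and integrity tag are derived from the PCR; a real TPM does this
    inside the chip, but the observable behaviour is the same: unseal works
    only when the current PCR equals the one sealed against."""
    assert len(secret) <= PCR_SIZE
    key = hashlib.sha256(b"seal|" + expected_pcr).digest()
    ct = bytes(a ^ b for a, b in zip(secret, key))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag}


def unseal(blob: dict, current_pcr: bytes):
    """Return the secret if current_pcr matches the sealing PCR, else None."""
    key = hashlib.sha256(b"seal|" + current_pcr).digest()
    expect = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], key))


if __name__ == "__main__":
    good = measured_boot(GOOD_CHAIN, GOOD_CHAIN)
    blob = seal(b"constructed-volume-key", good)
    # 1. A modified bootloader, measured by honest firmware: PCR differs, unseal fails.
    print(unseal(blob, measured_boot(with_implant(GOOD_CHAIN, 2), GOOD_CHAIN)))
    # 2. Modified firmware, but the CRTM measures it honestly: still caught.
    print(unseal(blob, measured_boot(with_implant(GOOD_CHAIN, 1), GOOD_CHAIN, 1)))
    # 3. Nothing honest measures the firmware (no Boot Guard): it reports the
    #    good digests for everything it loads and the PCR matches anyway.
    print(unseal(blob, measured_boot(with_implant(GOOD_CHAIN, 1), GOOD_CHAIN, 0)))
```

Case 3 is the point made above: a PCR proves only what the measuring stage reported, so a root of measurement that is itself unverified can report anything.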

  • +11

    "since I code in Linux"

    lol.

    • +11

      hey guys I am a computer expert, i use windows for work and I code in Linux, just let me log in again, what's the password (lifts keyboard looks at post-it note) ah yes Password9 because it is September

      • fortunately, not true, but I enjoyed the laugh, thanks.

      • Password9 because it is September

        Haha! Gold

      • Password9 because it is September

        I feel personally attacked by this.

    • I think OP means he uses Linux to code.

  • +9

    Plot twist - OP's not talking to his real bank and the IT professional will be one to rob him.

    • I was going to ask that.

    • Yes ask for an "IT Professional details" then call the bank and ask if they are real and if not report to the police.

    • all the phone calls are made by me to the banks publicly listed number!!

      • on your "hacked" mobile?

        /jk

  • I will make sure I don't use MYSTATE BANK (based in Tasmania) now I know how they treated you.

    Thanks for the advice OP!

  • -2

    They want you pay an external company to virus scan the PC, send the bank the result. It's not that difficult.

    Usually you pay an online service, they have their own skinned version of TeamViewer etc, remote in, run a malware scan, and send you a bill at the end.

  • +4

    Completely unnecessary by the bank. Even if you went ahead with this exercise, there's nothing stopping you from using internet banking on a different device in future!

    • +2

      I feel like he is not as computer literate as he assumes he is if this is the result.

    • +1

      Quite. The customer could present a clean-wiped computer with a fresh installation ('nothing to see here!'), and then use an alternate device.

      Which I think would be many times better for security than running one virus/security scan after another, anyway.

    • I see where you are coming from but I don't think computer literacy and security awareness are the same thing.

      • I agree, but I believe he is neither

  • +3

    None of this would really ever happen if the Banks helped their customers implement adequate security practices.

    They do more for some, less for others.

    Any account with a combined balance above 1M becomes a 'VIP' account at most institutions. These get tokens with rolling keys, which are an effective way to provide a second 'factor' of authentication (something other than a password). Simple and easy, the only problem being that like passwords, customers can lose them.

    If you are just a 'working peasant', they will only point you to a webpage preaching generalised diktat and old-fashioned advice. Instead of securing your account, they will tie your account to your phone number, and any other personal data they can harvest from you, and then put you through horrible online and over-the-phone 'processes' every time they break something, you forget something, or your 'activity' raises a security flag, the cause of which can be driven by AI algorithms that in truth no-one understands. All to avoid giving you one of those $20 tokens.

    Don't accept it, find a bank that takes your security relatively seriously! At least one of the big four in Oz does, (but only sort of).

    But above all, customers accept (in their Ts&Cs) that account security is a shared responsibility, not just their institution's. We need to practice the principles of safe computing at least most of the time, or else we will get pwned. It is only a matter of time if we tend to slip up.

    • Which one of the big4?

      • +1

        I was hoping this thread would go this way. Can we crowdsource a list of banks and what their security is like?

        Bendigo
        - max 4 digit PIN for my card
        - max 8 character password for online banking
        - 2FA via app (possibly also via SMS but I wouldn't personally use that.) for online banking.
        - code word for phone conversations

      • The one with the worst logo. (Oh wait, sorry, that really doesn't help.)

        OK, the most boring colour scheme (oh wait, same problem). How about the one that charges to use robotic tellers or do automated transactions (oh wait, they all do), ok, let's see… pay no interest on invested funds, no. How about the one that steals your money over the weekend (and at every other opportunity), no they all do this. OK, so the one that was compromised publicly (same). Damn. Without admitting it? No, all have, many times over. Right, how about the one that failed to allow mass-market customers to begin share-trading? Nope- they all failed at that, too. How about helped customers pay for things online, or on their mobile devices? Nope, that is all developed by third parties. The one that doesn't suffer systemic bloat due to poor outsourcing, poor management of acquired brands, technology, people and assets, yada, yada… bahhhhh they're all soooo similar…

        Sorry but I can't say as it is my own subjective view- and it may well depend on your particular customer profile (value), so YMMV.

        (Rolling on floor crying)

  • +2

    This is a "tick box" exercise from your bank. If you work in IT then you are a professional IT person - just write something up.

    • +1

      he says he is but he can't even manage his passwords until it is too late?

    • I replied below but it's a silly distinction.

      I'm an IT professional, I have a degree that taught me nothing and on-the-job training. I now run my own small MSP (just me and 1 other guy).

      I belong to no professionally accredited organization, I have no one who checks my work, I don't have any standard to abide by. IT is an unregulated shit show; asking for a "professional" gets you anything from idiot web 'developers' pumping out WordPress sites to genius-level programmers or similar.

  • -2

    Sorry I am late to the party, but the fact you had your data hacked or stolen makes me feel like you don't care enough about your own security to begin with. You may code in Linux, but your grasp of your own problems worries me.

    It may sound like victim blaming, but first, your number was never ported, it was SIM swapped, and after this post I assume it was from poor password control.

    You use a second run telco and a second run bank. The warning signs are there.

    • +6

      It is victim blaming!
      A SIM swap attack does not need a password, an attacker only has to convince some idiot at the telco that they are the victim! Anyone that has a (profanity) clue would know that!

      • A SIM swap doesn't somehow get you the users online banking and email passwords though. This doesn't add up.

      • Need a lot more than a phone sim to get into most banks (all banks that I am aware of). Don't know any this would get you into, they all require account details, card details, pins, DOB etc to be able to reset, items you won't get from a sim swap.

    • You use a second run telco and a second run bank. The warning signs are there.

      Ugh, nothing worse than interacting with peons who don't use the most expensive services. I feel dirty even writing this on a "second run" website to be honest.

    • It may sound like victim blaming but first, your number was never ported, it was sim swapped and after this post i assume it was from poor password control.

      You use a second run telco and a second run bank

      This is the most obvious example of victim blaming I've ever seen.

  • -1

    Can we get some proof any of this even happened? Seems pretty far fetched…

  • I'm sorry this happened to you, but you are fortunate to get your money back. The bank would have suffered the loss. It is not unreasonable for the bank to request this of you - or to debank you - to reduce the risk of loss in the future. Another option might be to notify you any future losses will not be covered. The loss is socialised and ultimately increases banking costs for everyone.

  • Just tell them you're no longer using a computer and only using an iPad from now on :)

    They won't have anything to say.

  • +2

    Lol, how professional do they want it? Have they presented you with a scale, with which you can assess expertise of any IT guy you will go to? Something to the effect of:

    Grade         | Level | Description
    Mouth-breather | 1 | Not acceptable, might have introduced new malware after visiting *Hub during service
    Thumb-neck     | 2 | Requires review, might be ok if he used Avira or Trend Micro
    Windows Joe    | 3 | Acceptable, if certified by Udemy course on IT security
    Linux Jacka$$  | 4 | Acceptable and preferred

  • +1

    Considering most major banks don’t allow for app based MFA it seems a bit rich.

  • +3

    My first reaction would be to go to a branch (getting more and more difficult nowadays) and close my account(s).

    Secondly - it was your MOBILE NUMBER (SIM) that was compromised, not your PC. So that was not part of the problem.

    The real problem is the bank(s) being glacially slow to offer something more secure than "SMS 2SV" (2 Step Verification).

    Even a TOTP (Time-based One-Time Password) generator like Authy, MS-Authenticator, Google-Authenticator, and the like would be a better solution than this. Of course, the option to use a hardware-token (e.g. Yubikey, Solo Security Key, etc) would be preferred.

    Of course, the Telco involved doesn't escape blame from this. Their slack processes allowed this to happen.

    So, plenty of things went "wrong" here, but as best I can tell, none of them involved your PC.

    Of course, I could be wrong (it happens :)

    • +2

      If all his bank details of multiple banks were compromised, it WAS NOT just his mobile number that was compromised. To have all those details, something more than just his phone number was done over; the most likely cause is his computer. Other possibilities are someone that knows him well, or a distant 3rd would be someone intercepting his physical mail to harvest the details needed.

      • +1

        You are absolutely right! I was trying to guide OP to identify where the breach came from

        https://www.ozbargain.com.au/comment/11015550/redir

        • Exactly. The bank's concerns here are actually well justified, as there are crucial pieces of the puzzle missing and they don't want this happening again.

  • +1

    One for the Ombudsman.
    https://www.afca.org.au/

  • +3

    How are they resetting your bank password with just your phone number? The problem here is you need a lot more than just a phone number to reset someone's account; you need the user ID/account number at a minimum, which a phone number does not give you. BitWarden does not help you if your computer has been compromised; to the contrary, it actually gives them easy access to your passwords.

    You could SIM swap me and you would not get access to any of my bank accounts. So likely something more than just a SIM swap is going on here, and they are justifiably concerned. The attack you describe is likely the last step in a multi-phase attack: they have already harvested your account details, so they are either someone close to you that can get that info, or they have compromised your computer.

  • +1

    Your previous topic was fishy, so I’m inclined to not believe this one either.

    Someone getting control of your phone number via a sim doesn’t automatically mean they just get access to all your passwords too. You never explained how they supposedly got all your bank and email passwords as well.

    Doesn’t add up.

    • Also interested to know… Just for educational purposes

    • +2

      Someone getting control of your phone number via a sim doesn’t automatically mean they just get access to all your passwords too.

      Gmail password reset via SMS
      Look through gmail, find all accounts using that email
      Reset all passwords via Gmail

      SMS should never be used for security, I hate that it's mandatory in a lot of systems like mygov.

      • That's assuming you've set up your phone number as a recovery option. OP would have also seen emails saying that they've requested to change their password.

      • SMS, while weak, is still better than nothing; it is one more factor they must have beyond a password. The reality here is definitely that more than his phone number had been compromised; they had to have other details for them to get into multiple bank accounts fast. The SIM switch was almost certainly the last step in the hack rather than the first.

    • nobody knows at present!

  • +1

    I probably won't bother with the reinstate unless you really have to

    Once you got your money don't go back since they are being difficult

  • +1

    Go to another bank. They do not have the right to require you to have your PC professionally scanned unless they are prepared to pay for it, as for requiring specific software that is bullshit too, different tools have their own advantages and disadvantages in what they will successfully find and remove.

    You already have other bank accounts, so tell them what you think of their policy by moving your money.

  • +2

    Ask them to recommend or provide a list of acceptable "professionals" to engage. I'm curious to see what they come up with.
