Online banking security

Be careful with Chromebooks. After 5 years Google no longer updates them for security or anything else. That's not necessarily bad, unless you buy one that's already been used for 3-4 years. Then there is not much time left.


There is a Google site that lists the different brands/models of Chromebook which lists the "end of life" (month and year) for Chromebooks. The end of life refers to the device no longer receiving security updates. As a former school district technology director, this is something that I referenced as I was purchasing devices for the district.

https://support.google.com/chrome/a/answer/6220366?hl=en#zippy=,aopen,asus
 
Ray,

I never trust Microsoft for anything secure, that is why I use Linux for sensitive stuff. As far as VPNs, if you are connecting to a bank/broker with an account password that connection is secure, even with a VPN that is trying to spy on you? Or are you saying no connection is secure, I don't believe that is correct.
 
Depends. If a criminal steals the encrypted password or the password database all bets are off.

I ran the operational security team for a large regional bank for over a decade. The companies we hired to try and compromise our systems created purpose-built password crackers. They used multiple NVIDIA graphics cards because their CPU is dramatically faster than a computer's CPU.

They were able to try over six billion passwords per second during brute-force attempts. Yes, "billion with a B". And this was in 2018. They swiped the entire Active Directory password database and cracked literally every password within a week, except for one person. Me. :)

Why not mine? Most people solely use alphanumeric passwords, which limits them to about 100 characters but I don't.

I use "extended ASCII" characters in my passwords. The ASCII table contains 256 characters. By using the numeric keypad (because this will not work with the number keys across the top), you hold down the ALT key and, while you hold ALT down, you can type 3-digit numeric sequences and access the extended ASCII character set.

For instance: Alt 225 = ß

Yes, occasionally you will find an app or website that will not accept Extended ASCII characters but, in my experience, those are older systems.

NOBODY runs password-cracking attempts using the extended ASCII character set except maybe governments.

Ray

Thanks, I never thought of using that character set, going to have to try it :flowers:
 
Thanks, I never thought of using that character set, going to have to try it :flowers:
KeepassXC has a password generator tool that has the option to include those extended ASCII characters. A 32 character password should be secure, even without extended characters.
 
I use my iPhone with the bank's app. I feel that is secure .... I just would never use it on a public wifi; usually at home or if not, on a cell network. I have used VPNs in the past and I found them to be ridiculously slow. Can anyone comment on a VPN for iPhone that does not slow you down?

Rich


We use VPN Unlimited from KeepSolid on our iPhones and have not noticed slowness. There was a deal 2 years ago for a lifetime subscription for $29 that lets us have 5 devices connected. We only really use it on the iPhones when traveling. Sometimes I fire it up on a computer when I am really paranoid. I don't notice a speed problem on computers either.
 
Talking about quantum computers and such cracking passwords, Vanguard locks you out after 3 bad tries. Isn't that something any critical site (financial, governments) could implement?

Or they could lock you out for a set time like say 3 hours. That would slow any password cracker down. Am I missing something?

Plus a site like Vanguard lets you choose the login name (not just your email) so that effective password is generally very long.

So in general, aren't there techniques that sites could implement should password crackers get super fast?
 
Windows alerts the user if there is any attempt to add a certificate to the trusted root store.
 
Talking about quantum computers and such cracking passwords, Vanguard locks you out after 3 bad tries. Isn't that something any critical site (financial, governments) could implement?

Or they could lock you out for a set time like say 3 hours. That would slow any password cracker down. Am I missing something?

....

You are missing when the hackers download the database, work off-line to crack all the passwords.

Then they log into your account and change the password, so you are locked out while they transfer out the money.
When you try 3 times you are the one delayed and suspect when you phone in, or you patiently wait to try again later, all giving the hackers more time to steal.
 
For VPN, I have a free windscribe account, I only use it for when traveling for email and the rare banking time.

I'd love to be able to have my own VPN at home, that I could log into when traveling and then I'd feel safer knowing it's my own router recording where I go.
 
For the past ten years or so we have used online wireless banking on our travels. On just about every continent, in places like London, Sydney, Bangkok, and in back-of-beyond locations in Africa, SE Asia, South/Central America etc. Same for ATM access.

Never been hacked or had our credit card compromised in any travel location. Our credit cards have been hacked at home a few times though.

But we are careful to keep our travel bank account separate from other accounts by using a separate institution.
 
You are missing when the hackers download the database, work off-line to crack all the passwords.

Then they log into your account and change the password, so you are locked out while they transfer out the money.
When you try 3 times you are the one delayed and suspect when you phone in, or you patiently wait to try again later, all giving the hackers more time to steal.
Here are a few thoughts on what you bring up:
1) Vanguard has many thousands of accounts. Won't the hackers go after the weakest ones? When this starts happening VG will take action and we will be alerted. All accounts would probably be frozen for the time it takes to fix this unlikely event.
2) If they go after mine they have a long password to crack. If they have a quantum computer they are unlikely to be a group of Russian hackers out for just a few million and will be targeting bigger fish or our government.
3) They cannot just transfer the money to their own account because it has to be set up and there is a built in delay by Vanguard to prevent this sort of thing. Something like a few weeks I think.
4) There are other ways to get to my account like voice verify plus a spoken password should that level of security be needed.
5) VG is not stupid and probably has other security in place we do not know (or want to know) about. With billions in place I bet their security is as good as it gets. This is a pure guess on my part. :)

Please note I am not trying to win an argument here. Just want to explore the issues and convince myself all is well.
 
Be careful with Chromebooks. After 5 years Google no longer updates them for security or anything else. That's not necessarily bad, unless you buy one that's already been used for 3-4 years. Then there is not much time left.
You may have missed my previous post where I corrected this, but this is no longer true, you are spreading old information.

Google announced in January 2020 that they were extending support for Chromebooks for 8 years for new devices (as of January 2020) instead of the previous 5-6 years.

https://chromeunboxed.com/bett-2020-...r-new-devices/

https://www.androidpolice.com/2020/0...me-os-updates/
 
Is any browser really safe for online banking?
Yes as long as you connect to a secure site. But it depends on where you are connecting from! From a free Wi-Fi account at the coffee shop, probably not. From your home computer with a secure Firewall provided by your ISP, very secure.
Some people I know pay for a VPN in hopes that it makes their online banking and investments safer.

A VPN changes your actual IP address and location. Sometimes a VPN will connect you via a server in another country. It is my understanding that financial institutions generally reject these type of connections. What it does do, however, is protect your transmission when using public wi-fi. Here's a good article: https://www.usnews.com/360-reviews/vpn/what-is-a-vpn

We don't have a VPN and don't plan on paying for one.

We use Startpage as a browser for everyday internet which is supposed to be more private than Firefox and Chrome.

For online banking or looking at investments on Vanguard, we use Avast and select banking mode. We never log on to bank or finance sites on public wifi at hotels, always at home only.

Just wondering what members on here use for online banking security.
As others and you have stated, never use a public wi-fi to access your financial information. If you must access outside of your home, use the telephone number to customer service, or the bank's phone app. If you want to check the internet or your mail when away from home and do that using a public wi-fi spot, use a VPN so your transmission cannot be monitored by someone nearby.

- Rita
 
Here are a few thoughts on what you bring up:
1) Vanguard has many thousands of accounts. Won't the hackers go after the weakest ones? When this starts happening VG will take action and we will be alerted. All accounts would probably be frozen for the time it takes to fix this unlikely event.
2) If they go after mine they have a long password to crack. If they have a quantum computer they are unlikely to be a group of Russian hackers out for just a few million and will be targeting bigger fish or our government.
3) They cannot just transfer the money to their own account because it has to be set up and there is a built in delay by Vanguard to prevent this sort of thing. Something like a few weeks I think.
4) There are other ways to get to my account like voice verify plus a spoken password should that level of security be needed.
5) VG is not stupid and probably has other security in place we do not know (or want to know) about. With billions in place I bet their security is as good as it gets. This is a pure guess on my part. :)

Please note I am not trying to win an argument here. Just want to explore the issues and convince myself all is well.

If I was doing it, I'd break the majority of database entries, and then do a look at all the accounts to find the big fish.

I'm sure lots of people have short passwords.
I have money in a bank, and they limited the password to 6 characters in the past :facepalm::facepalm:

Once ranked by size of target, the trick is to get the money out.
For a brokerage, one way would be to buy in my own brokerage accounts some low value thinly traded stock, in the amount of hundreds of thousands of shares. Then list those shares for sale for $10,000 each. None would sell, until I make use of the broken accounts, and purchase said shares at market rates.

Do this with many stocks at the same time over various accounts, it would take the SEC many days to halt trading on these stocks by which time I've got lots of money.

That way the money is not stolen, the account just owns a lot of worthless stock.

I hope all brokerages have some way to prevent this from happening, but the weak security (using phones for 2FA) does not inspire me.
 
...

A VPN changes your actual IP address and location. Sometimes a VPN will connect you via a server in another country. ....

.....

The VPN I use allows me to specify the Country I want to connect to. So if I'm in a foreign country, I connect to USA and it looks like I'm in the USA to the sites I visit.

My friend uses this to connect to a different country to view movies that cannot be shown in his country.
 
The VPN I use allows me to specify the Country I want to connect to. So if I'm in a foreign country, I connect to USA and it looks like I'm in the USA to the sites I visit.

My friend uses this to connect to a different country to view movies that cannot be shown in his country.

Yes, that's my experience as well. I can select the server. Still don't use it for connecting to banks/finance companies.
 
If I was doing it, I'd break the majority of database entries, and then do a look at all the accounts to find the big fish.

I'm sure lots of people have short passwords.
I have money in a bank, and they limited the password to 6 characters in the past :facepalm::facepalm:

Once ranked by size of target, the trick is to get the money out.
For a brokerage, one way would be to buy in my own brokerage accounts some low value thinly traded stock, in the amount of hundreds of thousands of shares. Then list those shares for sale for $10,000 each. None would sell, until I make use of the broken accounts, and purchase said shares at market rates.

Do this with many stocks at the same time over various accounts, it would take the SEC many days to halt trading on these stocks by which time I've got lots of money.

That way the money is not stolen, the account just owns a lot of worthless stock.

I hope all brokerages have some way to prevent this from happening, but the weak security (using phones for 2FA) does not inspire me.

Sounds like a plan Sunset. I don't know about a few of these ideas though. Here is my amateur critique:
1) You have to break into accounts just to rank the high value targets. But many of these including mine have security set to warn of unauthorized computers. So you will have to take over my SMS and also my email. I am not sure you can take over my email without a warning to my current email from VG.
2) When you change the password I will be notified via email. I doubt you can change the password and the email at the same time. If you do this over many days VG might catch on so you will have to be quick about this.
3) Won't that stock have to be very thinly traded? And how would you purchase so many shares without setting the price a lot higher as you do it? I don't do this kind of individual stock trading so am unsure of this possible flaw.

I think there is a bright future for you ... in the penitentiary. Just kidding of course.
 
Sounds like a plan Sunset. I don't know about a few of these ideas though. Here is my amateur critique:
1) You have to break into accounts just to rank the high value targets. But many of these including mine have security set to warn of unauthorized computers. So you will have to take over my SMS and also my email. I am not sure you can take over my email without a warning to my current email from VG.
2) When you change the password I will be notified via email. I doubt you can change the password and the email at the same time. If you do this over many days VG might catch on so you will have to be quick about this.
3) Won't that stock have to be very thinly traded? And how would you purchase so many shares without setting the price a lot higher as you do it? I don't do this kind of individual stock trading so am unsure of this possible flaw.

I think there is a bright future for you ... in the penitentiary. Just kidding of course.

hmmmm... you could be right, I missed a few things... how do you feel about a partnership ?
If it doesn't work out, we could plan the next big score while sharing a cell :LOL:
 
hmmmm... you could be right, I missed a few things... how do you feel about a partnership ?
If it doesn't work out, we could plan the next big score while sharing a cell :LOL:

Well maybe I will pass on that offer. ;)
Will just stick to my hopefully boring, safe Vanguard account.
With Covid what would I do with all that loot anyway? :D
 
The idea that financial firms keep passwords in a database is wrong. They store hashes of the passwords, with salting. So even if an attacker cracks the whole database they don't get the passwords. They get the salted hashes that can't be backward calculated.
 
The idea that financial firms keep passwords in a database is wrong. They store hashes of the passwords, with salting. So even if an attacker cracks the whole database they don't get the passwords. They get the salted hashes that can't be backward calculated.

Yes, here is what one person says about this:

How can I crack a salted Hash? The hash is (de636eeaf67b5b5863b8ed76aafd63f4).
Mark Gritter
, working computer scientist and amateur mathematician
Answered December 19, 2017

Usually the salt is available; that’s how the password is checked (by combining the entered password with the salt, and then hashing.)

Once you have the salt, then you can use dictionary attacks to try to guess the original password or content, instead of searching all possible passwords.

Without the salt, you have to go back to brute force, which is infeasible even for a 128-bit hash like MD5. Ideally you would have at least some details about the password you're trying to crack — if not what the salt is, then at least how long the salt is. And what hashing algorithm is in use!

So after you (the criminal) get through the thicket of stolen stuff you are apparently still left with attacking the raw password. If the password (plus login for Vanguard) is a decent length (greater than maybe 14 characters and not using common dictionary words) then you are probably hosed. Unless maybe you have one of those off-the-shelf quantum computers which are kind of expensive at present.

Link: https://www.quora.com/How-can-I-crack-a-salted-Hash-The-hash-is-de636eeaf67b5b5863b8ed76aafd63f4
 
If they have used a proper hashing algo that cycles several thousand times, that takes time, that makes brute forcing very difficult if not impossible.

Of course a 32 char extended ASCII password is always a good idea, no matter what.
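As an added illustration of the salted, iterated password hashing the last few posts describe (example code written for this thread, not anyone's posted code or Vanguard's implementation), the block below stores a per-user random salt next to a PBKDF2-HMAC-SHA256 hash, verifies a login by recomputing it, and measures how the iteration count throttles guesses per second on the machine running it. The 200,000 iteration figure is an assumed value for illustration.

```python
import hashlib
import hmac
import os
import time

# Work factor: PBKDF2 iteration count (assumed value). Every extra iteration slows a
# legitimate login verify by a tiny amount and slows an offline cracker who stole the
# database by exactly the same factor, per guess.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, unique per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, record):
    """Recompute the hash using the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, stored_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), stored_hex)


def guesses_per_second(iterations, samples=5):
    """Measure how many PBKDF2 guesses this CPU manages per second at a given work factor."""
    salt = b"constructed-fixed-salt"  # constructed sample value; timing only
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", "guess{}".format(i).encode(), salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    record = hash_password("correct horse")  # constructed sample password
    print(record)
    print("correct password verifies:", verify_password("correct horse", record))
    print("wrong password verifies:  ", verify_password("wrong", record))
    # Same password hashed again gets a fresh salt, so the stored value differs:
    # a precomputed table for one user is useless against another.
    print("re-hash differs:", hash_password("correct horse") != record)
    for it in (1, 1_000, ITERATIONS):
        print("{:>8} iterations: {:,.0f} guesses/s on this CPU".format(it, guesses_per_second(it)))
```

The final loop shows why an unsalted single-round hash is the cracker's dream and why "cycles several thousand times" matters: the guesses-per-second figure drops roughly in proportion to the iteration count.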
 
Ray,

I never trust Microsoft for anything secure, that is why I use Linux for sensitive stuff. As far as VPNs, if you are connecting to a bank/broker with an account password that connection is secure, even with a VPN that is trying to spy on you? Or are you saying no connection is secure, I don't believe that is correct.

If the VPN provider has installed their own root certificate, then the VPN provider can see your credentials. That's one reason why all banks in the US were required to switch to "multifactor" authentication back around 2006.

The reality is that a properly implemented HTTPS system is as secure as a VPN.

Unfortunately, "properly implemented" is far from 100% of systems.

Try running a few of your sensitive sites through https://www.ssllabs.com/ssltest/ or https://observatory.mozilla.org

You may be disappointed....

Ray
 
KeepassXC has a password generator tool that has the option to include those extended ASCII characters. A 32 character password should be secure, even without extended characters.

So here is the issue: How do you define "secure"?

For a protection mechanism to be considered secure it must not fail or be cracked as long as the data has value.

For a company's quarterly SEC filings, they need a protection mechanism that can withstand hacking attempts until they file the report, maybe three months.

For an SSN, it's a person's lifetime, right?

Ray
 