Online banking security

Does anyone know if Ally Bank has an app? I just logged into my account there and don't see the option to download it.
 
I hear the new M1 Macs will be able to run smartphone apps since they have the same CPU.
 
I don't lose sleep about security on my checking and savings accounts.

It's not like there's much $ in there to begin with. My income comes fast, and it goes fast.
 
Be careful with Chromebooks. After 5 years Google no longer updates them for security or anything else.
That used to be true, but that is no longer true. Google announced in January 2020 that they were extending support for Chromebooks for 8 years for new devices (as of January 2020) instead of the previous 5-6 years.


https://chromeunboxed.com/bett-2020...to-updates-policy-to-8-years-for-new-devices/

https://www.androidpolice.com/2020/...w-get-up-to-eight-years-of-chrome-os-updates/
 
If I am mistaken, the banking institution is responsible for the system security and I believe they will be required to make you whole if there is a loss. This assumes no fraud on your part.
I don't think this is true. You do not have to engage in fraud in order for a bank to not be responsible... you could simply be negligent in failing to keep your operating system up to date, or failing to keep your email secure, or failing to review your statements and reporting unauthorized activity, or failing to keep your username and password secure (i.e. sharing with someone else). These are just examples, the point is you have an obligation to take reasonable measures to avoid unauthorized access to your account and if you fail to do so you may be liable for losses even in the absence of fraud on your part.
 
Vanguard 2FA requires a text message. I am out of cell phone range while at home so they set my accounts up to not use 2FA. Hopefully, this is temporary. My cell company keeps saying they will have phone over internet any day now.

I am just using 2FA for unrecognized computers (the bad guys computer) which is one of the 2FA options. Since my home PC is always recognized I never really get 2FA to my iPhone unless I have bought a new computer.

I also can use the VG app on my iPhone which uses face recognition. I'm only doing it on my wifi network. If really necessary when not at home I would turn off the wifi and use cellular, but probably I would just call into the rep which can be done even when out of the country.
 
I strictly use my home PC. I use one Excel file with all of my accounts. It has separate columns for: username, password, organization/company it applies to, hyperlink to the website, notes, and answers to the security questions.

I use the built in encryption capability of Excel. This way I only have to remember one password to unlock the file of passwords. I don't trust using an online password app. Also, I don't have to worry about mistyping the website. I just click on the hyperlink in the Excel file and always can trust it is correct.

I also use bogus answers to security questions, but such that I can tell which answer goes to which question. I'm sure it's not hard to dig up answers to most of those security questions. E.g., What is your mother's maiden name? mommydearest

I use cut-and-paste to copy the password from the Excel file to the website entry. This way I can use the most complex and long passwords possible. What do I care, since it is cut-and-paste. My son says my passwords look more like nuclear launch codes. Every year I change the passwords.

I have security freezes in place. My favorite 2FA is what E*Trade offers as an option. It is called VIP Access, by Symantec. It generates a unique code right on your smart phone that changes every 30 seconds. That 6 digit code gets added to the end of your password.
 
I strictly use my home PC. I use one Excel file with all of my accounts. It has separate columns for: username, password, organization/company it applies to, hyperlink to the website, notes, and answers to the security questions.

I use the built in encryption capability of Excel. This way I only have to remember one password to unlock the file of passwords. I don't trust using an online password app. Also, I don't have to worry about mistyping the website. I just click on the hyperlink in the Excel file and always can trust it is correct.

I also use bogus answers to security questions, but such that I can tell which answer goes to which question. I'm sure it's not hard to dig up answers to most of those security questions. E.g., What is your mother's maiden name? mommydearest

I use cut-and-paste to copy the password from the Excel file to the website entry. This way I can use the most complex and long passwords possible. What do I care, since it is cut-and-paste. My son says my passwords look more like nuclear launch codes. Every year I change the passwords.

I have security freezes in place. My favorite 2FA is what E*Trade offers as an option. It is called VIP Access, by Symantec. It generates a unique code right on your smart phone that changes every 30 seconds. That 6 digit code gets added to the end of your password.

Just so you know, in the past I had an excel spreadsheet encrypted, and then forgot the password.
I downloaded a hacker program and ran it on my Excel spreadsheet.
It took around 20-25 hours to crack my password. :eek:

My password was only 10 characters long, if yours is longer it would be more secure.
 
I don't worry about it too much. I typically log into financial websites from my secured home wi-fi network using Chrome on my laptop or tablet, or via bank apps on my phone.

When traveling I try to avoid logging onto any financial websites, but if I need to I'll use my cellphone data plan. Never with any device connected to the internet via a public wi-fi or even hotel wi-fi.

Same here and most of the financial sites have the 2FA.
 
I use a Chromebook for most financial sites. I also have a W10 only for Quicken and TurboTax. My Google/mail is all accessed with a Yubikey, as is Vanguard and a few other sites that allow it. I use LastPass and 2FA Google Authenticator with it. All my banking is 2FA for every signon. I have all credit card alerts sent to my Google Voice, all 3 credit agencies frozen. My phone is as secure as possible, only use hotel wifi for non secure sites. My own wifi is protected by 1320 feet and a gate.

Plus I have Ms G sending me links to every known hack there is.
 
Just so you know, in the past I had an excel spreadsheet encrypted, and then forgot the password.
I downloaded a hacker program and ran it on my Excel spreadsheet.
It took around 20-25 hours to crack my password. :eek:
Interesting.
 
I use my regular computer and phone. It's convenient and secure enough. I just keep OS and browsers updated. I use nonsense generated passwords and a password manager. SMS as a second factor is weak (crooks can hijack your phone, then use the automated password reset), so I'm not first in line for that, but they force it on you. Nonsense answers to security questions go into the password manager.
 
I use my iPhone with the bank's app. I feel that is secure .... I just would never use it on a public wifi; usually at home or if not, on a cell network. I have used VPNs in the past and I found them to be ridiculously slow. Can anyone comment on a VPN for iPhone that does not slow you down?

Rich
 
I use my regular computer and phone. It's convenient and secure enough. I just keep OS and browsers updated. I use nonsense generated passwords and a password manager. SMS as a second factor is weak (crooks can hijack your phone, then use the automated password reset), so I'm not first in line for that, but they force it on you. Nonsense answers to security questions go into the password manager.

Regarding SMS, I have an up to date iPhone. Not so sure about all those Android phones out there.

I'm hoping that my service provider's employees are well versed in demanding my security code before allowing a person to access my account or get a new SIM card. When I have talked with them in the past they have always firmly required this code.

I do use SMS but my critical financial accounts do not normally use SMS. I would only get a financial account SMS if someone was entering my account from an unknown computer which has never happened. I am pretty convinced that there are secondary methods in place should someone gain access to my financial accounts so that draining money out would be really really tough.

And lastly, fingers crossed. :)
 
Just wondering what members on here use for online banking security.
Yes to:
Norton 360
1Password and complex passwords
Brave and Firefox browsers
2FA for most financial institutions
Symantec VIP token for Schwab
My routers
My cable modem

No to:
Store of passwords local
No saved sheets
Occasionally a sticky with router login for the family :LOL:
 
Just so you know, in the past I had an excel spreadsheet encrypted, and then forgot the password.
I downloaded a hacker program and ran it on my Excel spreadsheet.
It took around 20-25 hours to crack my password. :eek:

My password was only 10 characters long, if yours is longer it would be more secure.

That is no longer the case. Office 97–2003 used a 40-bit key with RC4 encryption, which is no longer secure. Office 2016 uses 256-bit key AES encryption, which is very secure. At some point in the future 256-bit AES will also no longer be secure. This will most likely be due to advances with quantum computers.
 
That is no longer the case. Office 97–2003 used a 40-bit key with RC4 encryption, which is no longer secure. Office 2016 uses 256-bit key AES encryption, which is very secure. At some point in the future 256-bit AES will also no longer be secure. This will most likely be due to advances with quantum computers.
+1 That is what I found when researching the use of encrypted Excel. My research stopped when it turned into discovering that the weakest part of the latest Excel encryption is the "hashing" and that is when my brain gave up. I use Excel 2019 encryption to maintain passwords.
 
That is no longer the case. Office 97–2003 used a 40-bit key with RC4 encryption, which is no longer secure. Office 2016 uses 256-bit key AES encryption, which is very secure. At some point in the future 256-bit AES will also no longer be secure. This will most likely be due to advances with quantum computers.

Very good point about old encryption. What's your guess/estimate of when 256-bit AES will be broken?

Just a "fun" question for now. I think the comments when this happens will be along the lines of, "We thought it would last longer."
:)
 
Very good point about old encryption. What's your guess/estimate of when 256-bit AES will be broken?

Just a "fun" question for now. I think the comments when this happens will be along the lines of, "We thought it would last longer."
:)

AES could be broken by cryptanalysts finding a weakness in the algorithm itself. It has been around for over 20 years. So far, so good, however, weaknesses have been found over and over in earlier crypto algorithms, forcing the need for stronger algorithms and longer keys. My WAG is that we will get another 20 years before this happens.

AES also could be broken by quantum computers. It is very difficult to build a quantum computer. Currently it looks like the best reported is around 50 to 76 quantum bits (qubits). The more qubits you add, the more difficult it is to have the computer function. They might need 300 qubits to break 256-bit AES. My WAG here, too, is that we will go another 20 years before this happens. The research by companies and countries to advance quantum computers is rapidly growing. Most likely, there will be some sort of major finding that allows for a large increase in qubits over a short period of time. Anyone's guess on when that finding will take place.
 
Looks like best in class is dedicated computer, VPN, Avast, with login/password injection from password management software, 2FA via Symantec or Authy/Twilio dynamic code generation, YubiKey.

I might add Ransomware and keylogger installation detector on the hardware you use.
 
Looks like best in class is dedicated computer, VPN, Avast, with login/password injection from password management software, 2FA via Symantec or Authy/Twilio dynamic code generation, YubiKey.

I might add Ransomware and keylogger installation detector on the hardware you use.

If one is using up to date Windows 10 and NOT automatically running as admin I would hope you are protected against ransomware and keylogger installs.
 
That is no longer the case. Office 97–2003 used a 40-bit key with RC4 encryption, which is no longer secure. Office 2016 uses 256-bit key AES encryption, which is very secure. At some point in the future 256-bit AES will also no longer be secure. This will most likely be due to advances with quantum computers.

Depends. If a criminal steals the encrypted password or the password database all bets are off.

I ran the operational security team for a large regional bank for over a decade. The companies we hired to try and compromise our systems created purpose-built password crackers. They used multiple NVIDIA graphics cards because their CPU is dramatically faster than a computer's CPU.

They were able to try over six billion passwords per second during brute-force attempts. Yes, "billion with a B". And this was in 2018. They swiped the entire Active Directory password database and cracked literally every password within a week, except for one person. Me. :)

Why not mine? Most people solely use alphanumeric passwords, which limits them to about 100 characters but I don't.

I use "extended ASCII" characters in my passwords. The ASCII table contains 256 characters. By using the numeric keypad (because this will not work with the number keys across the top), you hold down the ALT key and, while you hold ALT down, you can type 3-digit numeric sequences and access the extended ASCII character set.

For instance: Alt 225 = ß

Yes, occasionally you will find an app or website that will not accept Extended ASCII characters but, in my experience, those are older systems.

NOBODY runs password-cracking attempts using the extended ASCII character set except maybe governments.

Ray
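Two posts in this thread make quantitative claims that are easier to reason about with numbers in hand: the one quoted further up contrasting Excel's old 40-bit RC4 key with 256-bit AES, and Ray's post above about a cracker testing six billion guesses per second and the effect of a larger character set. The following is an added example, not code from either poster; it computes the search space, the equivalent entropy in bits, and the worst-case time to exhaust that space at the quoted guess rate. The character classes and their sizes are the assumptions of this example, and the figures describe exhaustive search only, not the dictionary and pattern attacks that crack real passwords far faster.

```python
import math
import string

# Guess rate quoted in the thread for a 2018 GPU cracker (constructed constant).
GUESSES_PER_SECOND = 6_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed character classes: a brute-force search only needs to cover the
# classes the password actually draws from, so this is the usual estimate.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "punct": (string.punctuation, 32),
    "space": (" ", 1),
}
HIGH_CLASS_SIZE = 128   # code points above 0x7F in an 8-bit code page (assumed)


def charset_size(password: str) -> int:
    """Smallest union of character classes covering every character used."""
    size = 0
    for members, count in CLASSES.values():
        if any(c in members for c in password):
            size += count
    if any(ord(c) > 0x7F for c in password):
        size += HIGH_CLASS_SIZE
    return size


def keyspace(charset: int, length: int) -> int:
    """Number of candidate strings of exactly `length` symbols."""
    return charset ** length


def entropy_bits(charset: int, length: int) -> float:
    """log2 of the keyspace: comparable to a symmetric key length."""
    return length * math.log2(charset)


def exhaust_seconds(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return space / rate


def report(label: str, space: int) -> str:
    secs = exhaust_seconds(space)
    years = secs / SECONDS_PER_YEAR
    return f"{label:<32} {math.log2(space):6.1f} bits  {years:.3g} years"


if __name__ == "__main__":
    print(report("10-char alphanumeric", keyspace(62, 10)))
    print(report("10-char + extended chars", keyspace(charset_size("aB3!ß"), 10)))
    print(report("16-char alphanumeric", keyspace(62, 16)))
    print(report("Office 97-2003 40-bit RC4 key", 2 ** 40))
    print(report("AES-256 key", 2 ** 256))
```

Run as written, the table shows why the old 40-bit key is gone in minutes at that rate while a 256-bit key is out of reach by any amount of hardware, and why adding length raises the bit count faster than adding exotic characters: each extra alphanumeric character adds about 5.95 bits, whereas widening the alphabet only changes the per-character contribution.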
 
I ran the operational security team for a large regional bank for over a decade and we ran all Internet operations, including VPN services. I personally installed, upgraded, administered etc. all VPN systems for years.

What consumers do not understand about a VPN is they will not and cannot protect your data as they are advertised. No. Way. Period.

Why not?

The connection between your PC and the VPN company indeed is protected from snooping but that's it.

The connection between the VPN company and your destination site is not protected by their VPN. It cannot be because a VPN requires specialized equipment to be installed on the final destination site. As Carl Sagan said "billions and billions" of destination sites.

If you're using a browser over HTTPS and a VPN to get to CNN, this is what it looks like:

Your PC <-> HTTPS over VPN <-> VPN company <-> HTTPS <-> CNN

There is no way around this. None.

That's why I will not use a consumer VPN system.

Even worse, if the consumer VPN service installs what is called a "root certificate" on your PC as part of their software install, guess what? They can decrypt and view all of your encrypted data. Yes, several consumer VPN services over the years have been caught doing this. They all claim that's not why they install a root certificate and maybe not, but they do have the ability.

A consumer VPN service is nothing but a man-in-the-middle. You are sending all of your Internet traffic to them and they become your biggest risk.

HTH,

Ray
 
I wouldn't use a VPN that required adding anything to my machine's trust cert list.
 
I wouldn't use a VPN that required adding anything to my machine's trust cert list.

If only the software client always asked, eh? :(

Remember comScore? They got outed by the feds a decade ago for doing that, even got hit with a class action for doing it, and apparently they are still up to it. The class action:

https://www.hldataprotection.com/files/2013/04/Complaint.pdf

6. To extract this data, comScore’s Surveillance Software injects code into the user’s web browser to monitor everything viewed, clicked, or inputted online. In addition, the software opens ports, modifies the consumer’s firewall, and places “root certificates” on the affected computer to ensure unimpeded access.

https://www.macobserver.com/link/comscore-man-in-the-middle-proxy-spyware-macos/

Yes, I use certmgr.msc to "Disable all uses" for certain roots, like CNNIC, the China Network Internet Information Center.

WTF, you ask? Think about it, Microsoft is a global company.

Even better, Microsoft will silently download updated and new root certificates it thinks you need. "It's a feature, not a bug".

Ray
 