

Ask HN: How do you protect yourself from bank fraud? - benohear

A friend of mine recently had €1600 stolen from his account in Germany, despite two-factor authentication (SMS Tan is the norm over here), which I always assumed was pretty secure.

Turns out the thieves first hack your web browser (through the usual means) and then alter the web page of your bank to display instructions to install a "security" app on your smartphone (MITB attack). So then they have access to both factors and you're boned. Google "Eurograbber" to find out more.

What I find kind of scary is the usual caution is likely to fail. After all, this is the correct URL and the correct SSL cert, so if the fake visuals are well produced it will appear completely legit.

I suppose one approach is to make sure you always log on with a clean browser, so I was thinking of a portable VirtualBox with a copy of Linux used solely for the purpose of online banking. I could even hand out keys to my friends.

Do you think this would be effective? And what precautions do you take with online banking?
======
tallanvor
While a virtual machine used only to access online banking would probably
work, would your friend actually stick with it? And be honest - if he wouldn't,
there's not much point.

The best option is education. Help him understand how the malware was
installed and how he can try and prevent it from happening in the future
(don't allow applications to be installed if they weren't specifically
expecting it, keep their AV running - no matter what an installer says, always
install Java and Adobe updates, and avoid dodgy streaming video and proxy
sites).

I recently had to help a friend clean ransomware off his system, and found a
bunch of other crap while I was at it. I _think_ I got it all, but I still
warned him that it was possible we missed something and a full format and
reinstall would be safer. In his case I'm pretty sure it came from one of the
many dodgy sites used to stream TV shows and such, although he had also
downloaded and installed VLC from one of those sites that rebundled it with
additional crap, so that could have compromised the system as well.

~~~
benohear
You make a good point. Though this particular friend might well stick to it -
€1600 tends to focus the mind.

But to be honest, I'm asking primarily for myself and my family. I'm not sure
anyone can really be sure there is no malware on their browser (via Flash zero
days or what have you), especially if several members of the family use the
computer. This gets much worse with teenage kids.

So gambling the entire contents of my bank account on the assumption I'm
malware free isn't quite doing it for me.

That's why I'm thinking that a straightforward setup is appealing: "When I
bank, I use the OS on this USB key and don't use it for anything else".

But I also wanted to know what people around here do. Simply assume their
machine is clean or take further steps?

------
xSwag
Eurograbber is a variation of the Zeus/Sopilka family of malware. I'm
surprised his AV didn't pick it up because it's the most popular financial
malware after SpyEye and Citadel.

What bank was this with? Did they cover the losses?

I'm assuming something like the following happened:

    Your friend → (direct) Mule in your country → (Western Union) to the criminal

I tell my parents to use a Linux Mint or Ubuntu live disk whenever they're
banking online. It seems to have worked so far.

~~~
benohear
I'm not sure if it was Eurograbber itself, but a similar attack in any case.

Bank is "trying to help recover the funds" but won't cover if that fails. Part
of the problem is that it took him a while to realise this had happened. I
_think_ it was the Sparkasse, but not 100% sure.

No idea what state his AV is in. He's a smart enough fellow, but definitely
non-technical.

EDIT: Missed your line about the live CD. I considered that, but I find
rebooting a major PITA, hence the VM-on-stick idea. How is it working out for
your parents?

------
just_hobbyst
It seems to me that using the same device to access banking website and
receive SMS Tan is asking for trouble. If your smartphone is compromised you
are toast. If you use 2 different devices then the hacker has to compromise
both of them to get you.

My bank offers hardware tokens for authentication and I am glad to pay 1-2
additional euros a month for enhanced security.

------
gtani
This is a good blog to follow:
[http://www.lightbluetouchpaper.org/category/banking-security/](http://www.lightbluetouchpaper.org/category/banking-security/)

------
anywherenotes
Instead of a security app, I paid about $20 for a physical device from my bank.
It seems more secure.

