internet banking

there are proven attacks against RSA, SSL, etc people dont completely trust them

but cracking it would take longer then 15 minutes

I learnt this stuffs fromm sahir hidayatullah

check out

1. I always use Firefox for all my ecommerce transactions



2. I Check the keyboard connector for hardware key loggers (they look like small little adaptors attached to the end of the keyboard jack) If you're not sure... don't use it.





3. I configure the network connection myself by getting the basic details from the café attendant or the person in charge of the network, if the administrator insist then I watch him closely.



4. I ensure that all traffics are being routed through secure link(SSL), I note the padlock that appear on the address bar or an s added to http in the address bar



5. Newer banks have a facility to generate a temporary card for the amount you want to transact. If you have this facility, try and generate a temporary card before hand. Also, if

your bank uses two factor authentication with a token etc, you should use it. MasterCard have an arrangement with some local banks in Nigeria whereby cards are issued to clients and when ever they have transactions they can deposit money before time to make use of their cards.





6. Always Login to the merchant you want to bank with and double check the SSL certificates. You do not want to find that you're being fed an SSL proxy cert.





7. If you're super paranoid, verify the IP address that you're connecting to. Visit your merchant directly through this IP that you resolve using some online service. This should stop anyone fooling around with DNS requests.





8. Perform your transaction... run ethereal / tcpdump to ensure that your data is being encrypted.





9. Sometimes, I use a live CD to perform my ecommerce transactions and I make sure my live CD doesn’t create what we call swap on any remote machine, this is too complex for me to explain here, and it's also unlikely you will need it.



10. After my transactions I always delete cookies in Internet Explorer or any other explorer on the OS.



11. I also set History in Explorer to zero so that my previous page transactions will not come up.

Also check this out

Identifying Fraudulent E-mails

It is incredibly difficult to detect fraudulent emails – as spoofers have become increasingly sophisticated in their attacks. There are certain characteristics Internet users should look for, though, that are common to many spoof e-mails:

• Personal information requests: An indicator of spoof e-mail is a request for the recipient to enter such sensitive personal information as a user ID, password or bank account number by clicking on a link or completing an e-mail form.

• Sender’s address: E-mail recipients should not rely on the sender’s e-mail address to validate the true origin of the e-mail. While it may look legitimate, the “From” field be altered easily.

• Greeting: Many spoof e-mails begin with a general greeting like, “Welcome User,” rather than being directed to a specific person.

• Threats to accounts: Some spoof e-mails declare that the recipient’s account is in jeopardy and that authenticating information is required to keep the account from being closed, suspended or restricted.

• Lost information: Consumers should be wary of claims that a bank is updating its files or accounts. Banks hardly loose accounting information.

• Links: Links that look like they connect to a particular site may have been forged. Always open up a new browser window and manually type in the Web site address.

Preventing Spoof

Individuals can take specific steps to help avoid falling prey to a spoof attack:

• Be extremely skeptical of e-mail received from someone they don’t know

• Keep separate passwords for each online account so that, if one is stolen, it will not provide access to the others

• Do not click on a link embedded within any potentially suspicious e-mail. By starting a new Internet session from the beginning and typing in the link’s URL into the address bar and pressing “enter” users can be sure they will be directed to a legitimate Web site.

• Call a financial institution to verify the account status before divulging information purportedly needed to keep their account out of jeopardy. Most legitimate banks will not send an e-mail threatening the status of an account and requiring the user to submit information immediately.

• Do not respond to any request for financial information that comes to you via e-mail

• Update anti-virus software weekly to help ward off e-mail-borne viruses that can find and transmit information from files

• Work from the most current versions of browsers and operating systems can also prevent many possible attacks

• Check online accounts regularly

• Install and run firewalls

• Users should not download attachments, software updates or applications via an e-mail link.

• Select a unique password and change it every 30 days, if you forget your password use your security question to retrieve it.

• Maintain the most current versions of anti-virus software, browsers and operating systems to ward off e-mail or Web-based viruses that can find and transmit information from files

Also, your banking website whether they are using the best security protocols. It is there responsibility to make sure you are protected by using up to the minute patches for software on their servers. To reduce the chances of exposure to software flaws make sure to keep your Internet client software fully updated. The only way to be certain that a site certificate is legitimate is to manually check the server certificate presented to the browser. In most browsers clicking the lock icon in the lower part of the browser will perform this function. In IE you can select file- property while visiting an SSL protected page to display certificate info. Some site will not display SSL lock even though they may protect transaction with SSL – Microsoft passport Internet Authentication service is a good example, because the current service uses HTTP POST over SSL to protect the submission of credentials, the initial passport sign-on page does not register as SSL- protected. Two other settings in IE will help users automatically verify whether a server’s SSL certificate has been revoked. Check for Server Certificate Revocation and check for Publishers Certificate Revocation under Tools – Internet Option- Advance – Security.

Encryption is not the largest problem... I would say the two biggest are:

A) Identity - Users are not good at verifying identity. If a site 'looks' like their site, they will use it. Phishing scams, DNS redirection etc are good examples of how effective this is. Malware also modifies the /etc/hosts file to point www.mybank.com to www.evilsite.com . When coupled with the fact that we're all trained to click 'accept' on self-signed SSL certificates, this becomes a problem. There is no point you using SSL to a site if you don't know who that site is. If the attacker serves you an SSL certificate, sure you have the little secure lock icon in your browser... but you've just got a nicely secured connection to someone you don't trust.

Host security - A much more common attack vector is to be running on the host, monitor certain URLs... redirect them, or keylog them. Attackers make these attacks work through economies of scale -- they need to be able to hit a large number of people. Since they won't be in the line of traffic for all those people, they can't grab those encrypted sessions and then bruteforce them. Since this is reasonably unfeasible in a practical scenario. It's much easier to do the above.

Cheers,